Malware Analysis Report

2024-12-07 17:30

Sample ID 241112-ggd1davpfw
Target b957913e2bc4bfc20f86c29c5f81afbab6c8d8e5709d8192880e8184dd34a4bc.exe
SHA256 b957913e2bc4bfc20f86c29c5f81afbab6c8d8e5709d8192880e8184dd34a4bc
Tags amadey lumma stealc 9c9aa5 tale credential_access discovery evasion persistence spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b957913e2bc4bfc20f86c29c5f81afbab6c8d8e5709d8192880e8184dd34a4bc

Threat Level: Known bad

The file b957913e2bc4bfc20f86c29c5f81afbab6c8d8e5709d8192880e8184dd34a4bc.exe was found to be: Known bad.

Malicious Activity Summary

Amadey

Stealc family

Modifies Windows Defender Real-time Protection settings

Lumma Stealer, LummaC

Lumma family

Stealc

Amadey family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Checks BIOS information in registry

Unsecured Credentials: Credentials In Files

Checks computer location settings

Reads data files stored by FTP clients

Windows security modification

Identifies Wine through registry keys

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Kills process with taskkill

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 05:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 05:46

Reported

2024-11-12 05:48

Platform

win10v2004-20241007-en

Max time kernel

112s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b957913e2bc4bfc20f86c29c5f81afbab6c8d8e5709d8192880e8184dd34a4bc.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe N/A

Stealc

stealer stealc

Stealc family

stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q37m4.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2V8618.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1005698001\05d09ea27a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2V8618.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2V8618.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1005698001\05d09ea27a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q37m4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q37m4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1005698001\05d09ea27a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q37m4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1005698001\05d09ea27a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q37m4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2V8618.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe N/A

Reads data files stored by FTP clients

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\05d09ea27a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005698001\\05d09ea27a.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\500b1af5d8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005700001\\500b1af5d8.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b957913e2bc4bfc20f86c29c5f81afbab6c8d8e5709d8192880e8184dd34a4bc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1N62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M1z06.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q37m4.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M1z06.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q37m4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2V8618.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b957913e2bc4bfc20f86c29c5f81afbab6c8d8e5709d8192880e8184dd34a4bc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1005698001\05d09ea27a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1N62.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q37m4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q37m4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2V8618.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2V8618.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1005698001\05d09ea27a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1005698001\05d09ea27a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q37m4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\b957913e2bc4bfc20f86c29c5f81afbab6c8d8e5709d8192880e8184dd34a4bc.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1N62.exe
PID 2424 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\b957913e2bc4bfc20f86c29c5f81afbab6c8d8e5709d8192880e8184dd34a4bc.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1N62.exe
PID 2424 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\b957913e2bc4bfc20f86c29c5f81afbab6c8d8e5709d8192880e8184dd34a4bc.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1N62.exe
PID 1128 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1N62.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M1z06.exe
PID 1128 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1N62.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M1z06.exe
PID 1128 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1N62.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M1z06.exe
PID 1680 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M1z06.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q37m4.exe
PID 1680 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M1z06.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q37m4.exe
PID 1680 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M1z06.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q37m4.exe
PID 368 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q37m4.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 368 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q37m4.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 368 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q37m4.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1680 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M1z06.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2V8618.exe
PID 1680 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M1z06.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2V8618.exe
PID 1680 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M1z06.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2V8618.exe
PID 1128 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1N62.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe
PID 1128 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1N62.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe
PID 1128 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1N62.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe
PID 4404 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\b957913e2bc4bfc20f86c29c5f81afbab6c8d8e5709d8192880e8184dd34a4bc.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe
PID 2424 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\b957913e2bc4bfc20f86c29c5f81afbab6c8d8e5709d8192880e8184dd34a4bc.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe
PID 2424 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\b957913e2bc4bfc20f86c29c5f81afbab6c8d8e5709d8192880e8184dd34a4bc.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe
PID 1224 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1224 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1224 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1364 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe C:\Windows\SysWOW64\taskkill.exe
PID 1364 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe C:\Windows\SysWOW64\taskkill.exe
PID 1364 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe C:\Windows\SysWOW64\taskkill.exe
PID 4644 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005698001\05d09ea27a.exe
PID 4644 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005698001\05d09ea27a.exe
PID 4644 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005698001\05d09ea27a.exe
PID 1364 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe C:\Windows\SysWOW64\taskkill.exe
PID 1364 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe C:\Windows\SysWOW64\taskkill.exe
PID 1364 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe C:\Windows\SysWOW64\taskkill.exe
PID 1364 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe C:\Windows\SysWOW64\taskkill.exe
PID 1364 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe C:\Windows\SysWOW64\taskkill.exe
PID 1364 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe C:\Windows\SysWOW64\taskkill.exe
PID 1364 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe C:\Windows\SysWOW64\taskkill.exe
PID 1364 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe C:\Windows\SysWOW64\taskkill.exe
PID 1364 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe C:\Windows\SysWOW64\taskkill.exe
PID 1364 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe C:\Windows\SysWOW64\taskkill.exe
PID 1364 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe C:\Windows\SysWOW64\taskkill.exe
PID 1364 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe C:\Windows\SysWOW64\taskkill.exe
PID 4644 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 4644 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 4644 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1364 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1364 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1760 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1760 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1760 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1760 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1760 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1760 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1760 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1760 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1760 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1760 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1760 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3668 wrote to memory of 2200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3668 wrote to memory of 2200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3668 wrote to memory of 2200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b957913e2bc4bfc20f86c29c5f81afbab6c8d8e5709d8192880e8184dd34a4bc.exe

"C:\Users\Admin\AppData\Local\Temp\b957913e2bc4bfc20f86c29c5f81afbab6c8d8e5709d8192880e8184dd34a4bc.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1N62.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1N62.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M1z06.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M1z06.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q37m4.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q37m4.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2V8618.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2V8618.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Users\Admin\AppData\Local\Temp\1005698001\05d09ea27a.exe

"C:\Users\Admin\AppData\Local\Temp\1005698001\05d09ea27a.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37cce098-f424-466c-8e64-e86a7242ed24} 3668 "\\.\pipe\gecko-crash-server-pipe.3668" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2456 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae295044-a0f4-416d-8330-e28f2ce825f1} 3668 "\\.\pipe\gecko-crash-server-pipe.3668" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3156 -childID 1 -isForBrowser -prefsHandle 3108 -prefMapHandle 3116 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43534859-921a-4e1b-b4ba-ca5f936ad44e} 3668 "\\.\pipe\gecko-crash-server-pipe.3668" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2792 -childID 2 -isForBrowser -prefsHandle 3888 -prefMapHandle 3884 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71f95174-05e1-4536-9a63-c410a44327db} 3668 "\\.\pipe\gecko-crash-server-pipe.3668" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4648 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4656 -prefMapHandle 4652 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a469a0d-4133-4cf1-b4bb-2797cd209a11} 3668 "\\.\pipe\gecko-crash-server-pipe.3668" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 3 -isForBrowser -prefsHandle 5396 -prefMapHandle 5288 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f3e23dc-4bd5-42c7-8e9a-c18a39e0111b} 3668 "\\.\pipe\gecko-crash-server-pipe.3668" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -childID 4 -isForBrowser -prefsHandle 5604 -prefMapHandle 5580 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9de4008-bf5b-46d8-b715-67dae6fb4b0b} 3668 "\\.\pipe\gecko-crash-server-pipe.3668" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5796 -childID 5 -isForBrowser -prefsHandle 5800 -prefMapHandle 5808 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dfa98aa-dc19-4977-8a84-263b109d296f} 3668 "\\.\pipe\gecko-crash-server-pipe.3668" tab

C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe

"C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1N62.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M1z06.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q37m4.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2V8618.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r29i.exe

C:\ProgramData\chrome.dll

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J525t.exe

C:\Users\Admin\AppData\Local\Temp\1005698001\05d09ea27a.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\51de7912-f745-4ef6-80bb-e2099fc26945

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\74bfbbd8-aa44-49e4-8058-133955035e2c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\01ad31e7-ce31-4e82-abb0-a6250232af6e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\activity-stream.discovery_stream.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

C:\Users\Admin\AppData\Local\Temp\1005700001\500b1af5d8.exe

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99