Malware Analysis Report

2025-08-05 11:21

Sample ID 241112-rxxsjavcph
Target f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193
SHA256 f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193
Tags: amadey 9c9aa5 discovery evasion persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193

Threat Level: Known bad

The file f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193 was found to be: Known bad.

Malicious Activity Summary

amadey 9c9aa5 discovery evasion persistence trojan

Amadey

Modifies Windows Defender Real-time Protection settings

Amadey family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks computer location settings

Checks BIOS information in registry

Windows security modification

Identifies Wine through registry keys

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Modifies registry class

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 14:34

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 14:34

Reported

2024-11-12 14:37

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe | N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2u2274.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1005758001\b081d73a44.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2u2274.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1005758001\b081d73a44.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2u2274.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1005758001\b081d73a44.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1005758001\b081d73a44.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2u2274.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0W48.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b081d73a44.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005758001\\b081d73a44.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\49b4578783.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005760001\\49b4578783.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\skotes.job | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0W48.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2u2274.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1005758001\b081d73a44.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2u2274.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2u2274.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005758001\b081d73a44.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005758001\b081d73a44.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2940 wrote to memory of 3356 | N/A | C:\Users\Admin\AppData\Local\Temp\f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0W48.exe
PID 2940 wrote to memory of 3356 | N/A | C:\Users\Admin\AppData\Local\Temp\f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0W48.exe
PID 2940 wrote to memory of 3356 | N/A | C:\Users\Admin\AppData\Local\Temp\f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0W48.exe
PID 3356 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0W48.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe
PID 3356 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0W48.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe
PID 3356 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0W48.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe
PID 1000 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1000 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1000 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 3356 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0W48.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2u2274.exe
PID 3356 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0W48.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2u2274.exe
PID 3356 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0W48.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2u2274.exe
PID 2940 wrote to memory of 4832 | N/A | C:\Users\Admin\AppData\Local\Temp\f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe
PID 2940 wrote to memory of 4832 | N/A | C:\Users\Admin\AppData\Local\Temp\f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe
PID 2940 wrote to memory of 4832 | N/A | C:\Users\Admin\AppData\Local\Temp\f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe
PID 4832 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4832 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4832 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4832 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4832 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4832 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4832 wrote to memory of 3880 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4832 wrote to memory of 3880 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4832 wrote to memory of 3880 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4832 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4832 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4832 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2224 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\1005758001\b081d73a44.exe
PID 2224 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\1005758001\b081d73a44.exe
PID 2224 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\1005758001\b081d73a44.exe
PID 4832 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4832 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4832 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4832 wrote to memory of 4040 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4832 wrote to memory of 4040 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4040 wrote to memory of 1688 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4040 wrote to memory of 1688 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4040 wrote to memory of 1688 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4040 wrote to memory of 1688 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4040 wrote to memory of 1688 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4040 wrote to memory of 1688 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4040 wrote to memory of 1688 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4040 wrote to memory of 1688 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4040 wrote to memory of 1688 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4040 wrote to memory of 1688 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4040 wrote to memory of 1688 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1688 wrote to memory of 3052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1688 wrote to memory of 3052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1688 wrote to memory of 3052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1688 wrote to memory of 3052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1688 wrote to memory of 3052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1688 wrote to memory of 3052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1688 wrote to memory of 3052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1688 wrote to memory of 3052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1688 wrote to memory of 3052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1688 wrote to memory of 3052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1688 wrote to memory of 3052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1688 wrote to memory of 3052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1688 wrote to memory of 3052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1688 wrote to memory of 3052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1688 wrote to memory of 3052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1688 wrote to memory of 3052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1688 wrote to memory of 3052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1688 wrote to memory of 3052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193.exe

"C:\Users\Admin\AppData\Local\Temp\f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0W48.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0W48.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2u2274.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2u2274.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Users\Admin\AppData\Local\Temp\1005758001\b081d73a44.exe

"C:\Users\Admin\AppData\Local\Temp\1005758001\b081d73a44.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1968 -prefMapHandle 1960 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {728e019d-3ce6-4daf-9d7c-612b7c04283c} 1688 "\\.\pipe\gecko-crash-server-pipe.1688" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2476 -parentBuildID 20240401114208 -prefsHandle 2468 -prefMapHandle 2464 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8528049-8b96-4dde-b4e3-30161a127e86} 1688 "\\.\pipe\gecko-crash-server-pipe.1688" socket

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3136 -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 3228 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {220c2c4a-6a8e-4973-937c-264ed73e7aa9} 1688 "\\.\pipe\gecko-crash-server-pipe.1688" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4056 -childID 2 -isForBrowser -prefsHandle 4048 -prefMapHandle 4044 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbcf7e77-1b05-4dd0-9e5d-cec1c27a634a} 1688 "\\.\pipe\gecko-crash-server-pipe.1688" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4764 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4796 -prefMapHandle 4792 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8b4faa9-536e-4564-8da1-301b4a0645d7} 1688 "\\.\pipe\gecko-crash-server-pipe.1688" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 3 -isForBrowser -prefsHandle 3492 -prefMapHandle 5296 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe62adfd-d7f0-4eac-bae3-1448e453f4ce} 1688 "\\.\pipe\gecko-crash-server-pipe.1688" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 4 -isForBrowser -prefsHandle 5620 -prefMapHandle 5616 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7faedfa-6cff-4458-874f-ef378c3c3311} 1688 "\\.\pipe\gecko-crash-server-pipe.1688" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5748 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52f302c2-22ff-4860-9dbe-77a5ff281062} 1688 "\\.\pipe\gecko-crash-server-pipe.1688" tab

C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe

"C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Network


Files
