Malware Analysis Report

2025-08-10 23:21

Sample ID 241117-kxkdwavrbv
Target 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15
SHA256 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15
Tags amadey lumma 9c9aa5 discovery evasion persistence stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15

Threat Level: Known bad

The file 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15 was found to be: Known bad.

Malicious Activity Summary

amadey lumma 9c9aa5 discovery evasion persistence stealer trojan

Modifies Windows Defender Real-time Protection settings

Amadey family

Amadey

Lumma family

Lumma Stealer, LummaC

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Windows security modification

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Identifies Wine through registry keys

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 08:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 08:58

Reported

2024-11-17 09:01

Platform

win7-20241010-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1006862001\6ad565fc08.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1006862001\6ad565fc08.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1006862001\6ad565fc08.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1006862001\6ad565fc08.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1006862001\6ad565fc08.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1006862001\6ad565fc08.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1006860001\f06e409da0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1006862001\6ad565fc08.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1006859001\a887e762bc.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1006859001\a887e762bc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1006860001\f06e409da0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1006862001\6ad565fc08.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1006862001\6ad565fc08.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1006859001\a887e762bc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1006860001\f06e409da0.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1006860001\f06e409da0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1006862001\6ad565fc08.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1006859001\a887e762bc.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1006862001\6ad565fc08.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1006862001\6ad565fc08.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\6ad565fc08.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006862001\\6ad565fc08.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\a887e762bc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006859001\\a887e762bc.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\f06e409da0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006860001\\f06e409da0.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\6d60a05815.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006861001\\6d60a05815.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1006859001\a887e762bc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1006860001\f06e409da0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1006862001\6ad565fc08.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1006862001\6ad565fc08.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2420 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2420 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2420 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2832 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1006859001\a887e762bc.exe
PID 2832 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1006859001\a887e762bc.exe
PID 2832 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1006859001\a887e762bc.exe
PID 2832 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1006859001\a887e762bc.exe
PID 2832 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1006860001\f06e409da0.exe
PID 2832 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1006860001\f06e409da0.exe
PID 2832 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1006860001\f06e409da0.exe
PID 2832 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1006860001\f06e409da0.exe
PID 2832 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe
PID 2832 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe
PID 2832 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe
PID 2832 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe
PID 2356 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Windows\SysWOW64\taskkill.exe
PID 2356 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2356 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2356 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2356 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 1576 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 1576 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 1576 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 1576 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 1576 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 1576 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 1576 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 1576 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 1576 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 1576 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 1576 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 1576 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1576 wrote to memory of 2472 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1576 wrote to memory of 2472 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1576 wrote to memory of 2472 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1576 wrote to memory of 3016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1576 wrote to memory of 3016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1576 wrote to memory of 3016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1576 wrote to memory of 3016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1576 wrote to memory of 3016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1576 wrote to memory of 3016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1576 wrote to memory of 3016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1576 wrote to memory of 3016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1576 wrote to memory of 3016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe

"C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1006859001\a887e762bc.exe

"C:\Users\Admin\AppData\Local\Temp\1006859001\a887e762bc.exe"

C:\Users\Admin\AppData\Local\Temp\1006860001\f06e409da0.exe

"C:\Users\Admin\AppData\Local\Temp\1006860001\f06e409da0.exe"

C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe

"C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.0.1108230453\1659720602" -parentBuildID 20221007134813 -prefsHandle 1228 -prefMapHandle 1220 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4932d9d6-71b8-409d-924a-7e1f4c31aca6} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 1292 129d5e58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.1.483383055\1741810868" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {771269cd-b1a9-4c7b-85bc-00b9fc858948} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 1508 e73f58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.2.585104784\1418956290" -childID 1 -isForBrowser -prefsHandle 2116 -prefMapHandle 2112 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {497bbb86-2679-458d-97e7-af7bd96846fc} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 2128 1ada5a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.3.956079716\2000287388" -childID 2 -isForBrowser -prefsHandle 2904 -prefMapHandle 2900 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b820ace-6610-477f-b598-d7858b204ac1} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 2916 e2ff58 tab

C:\Users\Admin\AppData\Local\Temp\1006862001\6ad565fc08.exe

"C:\Users\Admin\AppData\Local\Temp\1006862001\6ad565fc08.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.4.1870376561\1832764426" -childID 3 -isForBrowser -prefsHandle 3676 -prefMapHandle 3668 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {06d8e657-1cab-4da5-bc24-753591ee88d3} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 3688 1df48e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.5.188275203\355633664" -childID 4 -isForBrowser -prefsHandle 3768 -prefMapHandle 3764 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d77eaea0-3158-4717-b66c-ed519738edab} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 3780 20fac658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.6.414557578\2081987089" -childID 5 -isForBrowser -prefsHandle 3904 -prefMapHandle 3896 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {369e32d9-6dc1-43ae-992c-ba24bc536b34} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 3968 20fad858 tab

Network

Files

\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 e9d77ca53bf0845644dd8b2a6a24f133
SHA1 58700e47b86cf22ca0e0b96ffa10f64fb11f26c9
SHA256 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15
SHA512 1bbc659dcb319fcc71f2953a637e55fed2c7249e83bfd3f3ecf963a34482680906b1add3a422594d4912d9aa57d1748bac51ac64dfaa0d5638ef6fcc2d41435e

C:\Users\Admin\AppData\Local\Temp\1006859001\a887e762bc.exe

MD5 c3384cbcfd7f594f40fe489f5f67a36f
SHA1 37f8f298e7ef281a821e38cc08abb72d679c9b2d
SHA256 dbaa65c338340985131358f76f903a03045da28aaaa6297f37bf8f5123defcf2
SHA512 e68fc70a6bd04045e13712f95bee04070eeb2fc99cd02703eb15a583dfa49e0ee1e70a08b294072e0a6676cdaeb9e4dbd10fc06e6f3d8d7cf6ded951afc215ea

C:\Users\Admin\AppData\Local\Temp\1006860001\f06e409da0.exe

MD5 a088750a78a264d0204488fe6bec85d6
SHA1 d7cc85364e6481188de1912ee35692f09a126f44
SHA256 d165a92f40ed9c2ec60c492ab46e9632e740d1af310215a6b464f82dd8418e21
SHA512 d00d35fff97f54d304a8f70b6916902987795124e7aeff103c248c2f7663bd61f8d9ed4985ceae8556cff308494c2063235aff7285f0892bea12850e802ca4ea

memory/1904-62-0x0000000001330000-0x00000000019C5000-memory.dmp

memory/2832-61-0x0000000006880000-0x0000000006F15000-memory.dmp

memory/1904-63-0x0000000001330000-0x00000000019C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab203F.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2071.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/1616-99-0x00000000012E0000-0x00000000017B2000-memory.dmp

memory/2832-100-0x0000000006880000-0x0000000006D52000-memory.dmp

memory/2832-101-0x0000000006880000-0x0000000006D52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe

MD5 95821147e42ab35fdaf3ed0147f6e84c
SHA1 4e8b988e3d461eb5878d6a59b89a079570cec9ef
SHA256 eea6ddef3eb7b22725ef536cd859593e65ede2edf38955533b85bf0e1f1667f5
SHA512 5f4203170cab652dc91bdd39f35ca8ad88aa867a3edd089009ecd0ae441709766724e6e20307fe8e77d2a333ceece4db517e9d6e421ff8e129904b4ee7fb54fe

memory/2832-122-0x0000000001320000-0x0000000001639000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\datareporting\glean\db\data.safe.bin

MD5 e137264c3528f68f764b2305eb5a43b7
SHA1 e8cb45aa719e18f5ff65bcbcea3caf18d8cdc2d9
SHA256 ece03049cc869d88844ab4296ccf71bc2f5e27272da6e9ab4f580ce82deccf3e
SHA512 19994c9cf8a8212083360229f8935ca544617e5ee99659fdf4791bd8ac2838faf522344236882333b7ddbdd2ce26d578c55bb145e51f2154f380c397c3c7e96a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\datareporting\glean\pending_pings\baa42ce2-31dc-428e-a69c-b02db6d6a681

MD5 279d6d83b659b0d39ceb647f80711a44
SHA1 6e4c68f01c619034635ef6c403f92e0317fcc18b
SHA256 9ad2d5c52c69150be0e4c6b8e06a9caa78644ff3940691beb16b8bc8a9cbd9d0
SHA512 e2ef3f7984db276c1d5a0d2747b42d2e46522ef8cd8608fb388ec2f801295d4165bd96c5bba3b85f6293a379b78cd130932b52142649aacade6d862b241ab0a6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\datareporting\glean\pending_pings\a5f04ea5-b74a-44ab-8f02-8e0e01266f9a

MD5 6e088b872bb1455de01dcbe045210acd
SHA1 b9db0825bd7825db965416b37a95c37fc3c48b27
SHA256 e8a15296fc61ced0f71fcb8bfc86c247550fd5c13dfddbf368cd6f3127ae3fd5
SHA512 e63dfb9597a18c209c7b3b17eec80ff278cc42d5dd9143491aed482c9ea490078fd30aec05763b211d26db66d61df70b6e4d669139e4a5d644addca3500cab23

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmhyv50e.default-release\activity-stream.discovery_stream.json.tmp

MD5 4301dbb36d842ed162960ad99fb9e1f3
SHA1 855611d68c8f885b47a1c68451ae839a4c53e867
SHA256 dd8398132bee86e41a5dfbc534f40f4ff277391a81668026ea3d34b1224da909
SHA512 b85f410bd1495884ae4a2e4bc61a4180065d1669ab7a6eb1223dd6cd176fc5d9b203514f5127cb3e0314b515a4f73be119fb6bf0b0d56ef056714771873d246d

memory/2832-212-0x0000000006880000-0x0000000006F15000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1006862001\6ad565fc08.exe

MD5 20d45eddc965d7714b3412a9bf7ebe7e
SHA1 888e3f63a63cef84f8b4deb3ef570967725766af
SHA256 fcc5177127503eb837af31d6d1c483ad753da3c863c415224cc0c3b31911b331
SHA512 441911b9d3dbdac8a530420b40e7f4ebe7e9a3b68daab44156aa8a0c230267d7c8df9cc3aaf97c485d4969d6d63f33eeff88315dc0026bce68740cd4e977baff

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmhyv50e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 f99b4984bd93547ff4ab09d35b9ed6d5
SHA1 73bf4d313cb094bb6ead04460da9547106794007
SHA256 402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069
SHA512 cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

memory/2832-242-0x0000000006170000-0x0000000006420000-memory.dmp

memory/2284-245-0x0000000000980000-0x0000000000C30000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\prefs.js

MD5 f95dc42c66c5d3331dcba775cb2e15fd
SHA1 54135408991e756554931655da78e001a0ca2f2d
SHA256 90a7e2ae45e2c56f8d91f70ca8753806c343127b09d003bd4b55e313a35ff15f
SHA512 7b944ba94b8db6291e1d02098acae00139eeebffc2cf99acd7e3c27a1700736052ac21c1e60afaade34bfccf50d0e316923474a70f47f48719e86bae365ea7ae

memory/2284-274-0x0000000000980000-0x0000000000C30000-memory.dmp

memory/2284-276-0x0000000000980000-0x0000000000C30000-memory.dmp

memory/2832-296-0x0000000001320000-0x0000000001639000-memory.dmp

memory/2832-297-0x0000000006170000-0x0000000006420000-memory.dmp

memory/2284-305-0x0000000000980000-0x0000000000C30000-memory.dmp

memory/2284-307-0x0000000000980000-0x0000000000C30000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\sessionstore-backups\recovery.jsonlz4

MD5 a64eb7d569431a053994892338f3d12d
SHA1 19ebc0e7fe3f67490b195d6680a93c055cc0b488
SHA256 65a21dbf86f95e87d00f7fcd1283d3365827289c85eeeb4c016445256a4d7eef
SHA512 ea4ae0b3a5112b92adc186e3cf806cb2b6b09bb3d18863cf015bf2582fc6d7c747b107774ecce68c69ac454c7e969d25ce57cb6945f8055bd18cb5398abf3943

memory/2832-316-0x0000000001320000-0x0000000001639000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\prefs.js

MD5 81ea13301d40ba02b99e61ec0ef6cd42
SHA1 4fa995957afda48013c988945c90c0cc0c93cc29
SHA256 1577ea0ec48a6e368f53198c79c35e86a7220373cbc7888b296c03af43c74cb7
SHA512 9a36e266ab9db0bcd21fb96d2687c35e14ad3f5eaa97d261c0d5135dba269abd273f2430c5db7edfab16b69e5310d56962755a70361c877415c6280afc9b06db

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\prefs-1.js

MD5 a84d3785020471392b65ca8433944098
SHA1 9b090ac23397dfcf0bcec80a3564a3654d5f9851
SHA256 b205d6eca9c63e5997d5014e0ed56d11ed3c739595bec39be02ad0d7f74756e8
SHA512 e7cb8d9132248baf9207ae8f7095a12799332dfcabe3a428984357474f03b7baff851e56be085cb8b3acd992b91c632b17d2fdd59c20117988667f4f8c7b4705

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

memory/2832-391-0x0000000001320000-0x0000000001639000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\prefs-1.js

MD5 b7d3154d1aa40e6a4273776b97eb1875
SHA1 c0affd72c1877eb2ff4164c80b836d2603f357cf
SHA256 937bb17a25bfa3d81ee30ba8d86f1771d9c55ca018ad858198dd95fa1252fa52
SHA512 da27a6b01933d724e875cf453906ef6d95eb4cc004eb2c8290260864cab05cc1ad4214894cf6af7d4232922585f95d6a8c57e5b31a5c323e4fd05070e3a137a8

memory/2832-401-0x0000000001320000-0x0000000001639000-memory.dmp

memory/2832-402-0x0000000001320000-0x0000000001639000-memory.dmp

memory/2832-408-0x0000000001320000-0x0000000001639000-memory.dmp

memory/2832-415-0x0000000001320000-0x0000000001639000-memory.dmp

memory/2832-416-0x0000000001320000-0x0000000001639000-memory.dmp

memory/2832-417-0x0000000001320000-0x0000000001639000-memory.dmp

memory/2832-418-0x0000000001320000-0x0000000001639000-memory.dmp

memory/2832-419-0x0000000001320000-0x0000000001639000-memory.dmp

memory/2832-420-0x0000000001320000-0x0000000001639000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 08:58

Reported

2024-11-17 09:01

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1006859001\4b3e1ca893.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1006860001\ddae024620.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1006666001\03a6b80412.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1006666001\03a6b80412.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1006859001\4b3e1ca893.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1006860001\ddae024620.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1006860001\ddae024620.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1006666001\03a6b80412.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1006859001\4b3e1ca893.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1006666001\03a6b80412.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1006859001\4b3e1ca893.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1006860001\ddae024620.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddae024620.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006860001\\ddae024620.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b92717cf25.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006861001\\b92717cf25.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14620c93ed.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006862001\\14620c93ed.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4b3e1ca893.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006859001\\4b3e1ca893.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1006666001\03a6b80412.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1006859001\4b3e1ca893.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1006860001\ddae024620.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006666001\03a6b80412.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006666001\03a6b80412.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006859001\4b3e1ca893.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006859001\4b3e1ca893.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006860001\ddae024620.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006860001\ddae024620.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Three writes per child is the footprint CreateProcess itself leaves when it pushes the new process's parameter block into the child before its first thread runs, and the firefox.exe-to-firefox.exe writes are the browser's own launcher and content-process sandbox setup; on their own these rows do not indicate code injection. Their value is the parent-child chain they record: the sample copies itself as skotes.exe, skotes.exe launches the downloaded payloads, and b92717cf25.exe runs taskkill five times before starting firefox.exe. Identical rows are collapsed below with their count.

Description Indicator Process Target
PID 1116 wrote to memory of 1352 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1352 wrote to memory of 4748 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1006666001\03a6b80412.exe
PID 1352 wrote to memory of 3064 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1006859001\4b3e1ca893.exe
PID 1352 wrote to memory of 3108 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1006860001\ddae024620.exe
PID 1352 wrote to memory of 2188 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe
PID 2188 wrote to memory of 1788 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe C:\Windows\SysWOW64\taskkill.exe
PID 2188 wrote to memory of 4348 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe C:\Windows\SysWOW64\taskkill.exe
PID 2188 wrote to memory of 4848 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe C:\Windows\SysWOW64\taskkill.exe
PID 2188 wrote to memory of 3836 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe C:\Windows\SysWOW64\taskkill.exe
PID 2188 wrote to memory of 1876 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe C:\Windows\SysWOW64\taskkill.exe
PID 2188 wrote to memory of 3240 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3240 wrote to memory of 3116 (11 events) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3116 wrote to memory of 4988 (21 events) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe

"C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1006666001\03a6b80412.exe

"C:\Users\Admin\AppData\Local\Temp\1006666001\03a6b80412.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\1006859001\4b3e1ca893.exe

"C:\Users\Admin\AppData\Local\Temp\1006859001\4b3e1ca893.exe"

C:\Users\Admin\AppData\Local\Temp\1006860001\ddae024620.exe

"C:\Users\Admin\AppData\Local\Temp\1006860001\ddae024620.exe"

C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe

"C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1896 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3573c814-92f9-43b0-bd32-9d20f23fc090} 3116 "\\.\pipe\gecko-crash-server-pipe.3116" gpu

C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe

"C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bd9e72e-ef19-48b3-889d-e34a6995969f} 3116 "\\.\pipe\gecko-crash-server-pipe.3116" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3220 -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 3028 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d45c5645-2894-4264-a6eb-647e6479d995} 3116 "\\.\pipe\gecko-crash-server-pipe.3116" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3056 -childID 2 -isForBrowser -prefsHandle 2892 -prefMapHandle 3788 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78b67b6f-f63d-4085-8155-351598c00951} 3116 "\\.\pipe\gecko-crash-server-pipe.3116" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4536 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4532 -prefMapHandle 4524 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44732a27-fc66-4c5f-8519-bde9eaea8cb9} 3116 "\\.\pipe\gecko-crash-server-pipe.3116" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5024 -childID 3 -isForBrowser -prefsHandle 5616 -prefMapHandle 5620 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e5e9f60-b891-4010-9508-be4bc4e226eb} 3116 "\\.\pipe\gecko-crash-server-pipe.3116" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 4 -isForBrowser -prefsHandle 5856 -prefMapHandle 5852 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {baa3ec6d-cc48-4738-be43-1119ff0221a3} 3116 "\\.\pipe\gecko-crash-server-pipe.3116" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6052 -childID 5 -isForBrowser -prefsHandle 5972 -prefMapHandle 5980 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b12a43da-0bd9-4247-8c39-a7b9c12f4dc3} 3116 "\\.\pipe\gecko-crash-server-pipe.3116" tab

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
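The five taskkill invocations followed by the kiosk-mode Firefox launch are the security-relevant part of this process list. Every common browser is force-terminated with its child processes, then Firefox is relaunched full-screen with popup blocking and the default-browser prompt disabled, on a youtube.com URL whose query string carries the Google password-challenge page. A user who has just lost every browser window is left staring at a password prompt they cannot easily close, presumably so that the stealer payloads dropped alongside it can collect what gets typed and saved. The two firefox.exe launches are the Firefox launcher process re-executing itself with the same arguments, and the -contentproc children are ordinary content processes; neither carries signal. The Python below is an added example, not part of the sandbox output: it turns the chain into a detection over a process list constructed from the command lines and PIDs in this report. The pid/ppid/image/cmdline record layout and the SIGNIN_HOSTS list are assumptions.

```python
"""Detect the browser-kill / kiosk-relaunch credential-coercion chain.

Added example, not sandbox output. The records below are constructed from
the Processes and WriteProcessMemory tables of this report; the
pid/ppid/image/cmdline layout and SIGNIN_HOSTS are assumptions.
"""
import re

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
# Assumption: identity-provider hosts worth alerting on when forced into kiosk mode.
SIGNIN_HOSTS = {"accounts.google.com", "login.microsoftonline.com", "login.live.com"}

_ARG = re.compile(r'"([^"]*)"|(\S+)')                    # quoted or bare Windows argument
_URL_HOST = re.compile(r'https?://([^/?#&\s"]+)', re.I)  # host of every URL inside a string
_USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.I)

FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"
KIOSK_URL = "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd"
PROCESSES = [
    {"pid": 2188, "ppid": 1352, "image": r"C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe"'},
    {"pid": 1788, "ppid": 2188, "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /F /IM firefox.exe /T"},
    {"pid": 4348, "ppid": 2188, "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /F /IM chrome.exe /T"},
    {"pid": 4848, "ppid": 2188, "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /F /IM msedge.exe /T"},
    {"pid": 3836, "ppid": 2188, "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /F /IM opera.exe /T"},
    {"pid": 1876, "ppid": 2188, "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /F /IM brave.exe /T"},
    {"pid": 3240, "ppid": 2188, "image": FF,
     "cmdline": f'"{FF}" --kiosk "{KIOSK_URL}" --no-default-browser-check --disable-popup-blocking'},
    # Firefox launcher process re-executing itself with the same arguments.
    {"pid": 3116, "ppid": 3240, "image": FF,
     "cmdline": f'"{FF}" --kiosk {KIOSK_URL} --no-default-browser-check --disable-popup-blocking'},
    # Ordinary content process (arguments abridged).
    {"pid": 4988, "ppid": 3116, "image": FF,
     "cmdline": f'"{FF}" -contentproc --channel=2004 -parentBuildID 20240401114208 3116 gpu'},
    # Constructed benign control, not from the report: a user opening a sign-in page normally.
    {"pid": 5100, "ppid": 912, "image": FF, "cmdline": f'"{FF}" https://accounts.google.com/'},
]


def tokenize(cmdline):
    """Split a Windows command line, honouring double quotes."""
    return [q or u for q, u in _ARG.findall(cmdline)]


def embedded_hosts(url):
    """Hosts of the URL itself and of any URL nested in it (e.g. ?=https://...)."""
    return {h.lower() for h in _URL_HOST.findall(url)}


def in_user_writable(path):
    return bool(_USER_WRITABLE.search(path))


def classify(proc):
    """Return (tag, value) pairs describing what one process record does."""
    tags = set()
    args = tokenize(proc["cmdline"])
    base = proc["image"].rsplit("\\", 1)[-1].lower()
    if base == "taskkill.exe":
        for i, a in enumerate(args):
            if a.upper() == "/IM" and i + 1 < len(args) and args[i + 1].lower() in BROWSERS:
                tags.add(("browser_kill", args[i + 1].lower()))
    elif base in BROWSERS and any(a.lower() == "--kiosk" for a in args):
        for a in args[1:]:
            if a.lower().startswith(("http://", "https://")) and embedded_hosts(a) & SIGNIN_HOSTS:
                tags.add(("kiosk_signin", a))
    return tags


def find_credential_coercion(procs):
    """Alert on a parent that both kills browsers and relaunches one in kiosk mode on a sign-in page."""
    image_of = {p["pid"]: p["image"] for p in procs}
    per_parent = {}
    for p in procs:
        for tag, value in classify(p):
            per_parent.setdefault(p["ppid"], {"browser_kill": set(), "kiosk_signin": set()})[tag].add(value)
    alerts = []
    for ppid, found in sorted(per_parent.items()):
        if found["browser_kill"] and found["kiosk_signin"]:
            parent = image_of.get(ppid, "<unknown>")
            alerts.append({
                "ppid": ppid,
                "parent_image": parent,
                "parent_in_user_writable": in_user_writable(parent),  # %TEMP% parent raises confidence
                "killed": sorted(found["browser_kill"]),
                "kiosk_urls": sorted(found["kiosk_signin"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_credential_coercion(PROCESSES):
        print(alert)
```

Correlating on the parent PID is what keeps the rule quiet: the launcher-spawned second firefox.exe (3116) also carries --kiosk and the sign-in URL, but its parent never killed anything, so only b92717cf25.exe (2188) is reported. The same logic ports directly to Sysmon event ID 1 fields (ParentProcessId, Image, CommandLine).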

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.43:80 185.215.113.43 tcp
US 8.8.8.8:53 43.113.215.185.in-addr.arpa udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 home.fvtejs5sr.top udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 cook-rain.sbs udp
US 172.67.155.248:443 cook-rain.sbs tcp
US 8.8.8.8:53 processhol.sbs udp
US 104.21.81.249:443 processhol.sbs tcp
US 8.8.8.8:53 librari-night.sbs udp
US 8.8.8.8:53 248.155.67.172.in-addr.arpa udp
US 8.8.8.8:53 249.81.21.104.in-addr.arpa udp
US 104.21.85.146:443 librari-night.sbs tcp
US 8.8.8.8:53 befall-sm0ker.sbs udp
US 172.67.208.166:443 befall-sm0ker.sbs tcp
US 8.8.8.8:53 p10tgrace.sbs udp
US 104.21.0.92:443 p10tgrace.sbs tcp
US 8.8.8.8:53 146.85.21.104.in-addr.arpa udp
US 8.8.8.8:53 166.208.67.172.in-addr.arpa udp
US 8.8.8.8:53 peepburry828.sbs udp
US 172.67.214.72:443 peepburry828.sbs tcp
US 8.8.8.8:53 owner-vacat10n.sbs udp
US 104.21.81.208:443 owner-vacat10n.sbs tcp
US 8.8.8.8:53 92.0.21.104.in-addr.arpa udp
US 8.8.8.8:53 72.214.67.172.in-addr.arpa udp
RU 185.215.113.206:80 185.215.113.206 tcp
US 8.8.8.8:53 3xp3cts1aim.sbs udp
US 104.21.90.83:443 3xp3cts1aim.sbs tcp
US 8.8.8.8:53 p3ar11fter.sbs udp
US 104.21.49.21:443 p3ar11fter.sbs tcp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 208.81.21.104.in-addr.arpa udp
US 8.8.8.8:53 83.90.21.104.in-addr.arpa udp
US 8.8.8.8:53 206.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 21.49.21.104.in-addr.arpa udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 109.234.82.104.in-addr.arpa udp
N/A 127.0.0.1:65183 N/A tcp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 youtube.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
GB 142.250.179.238:443 youtube.com tcp
GB 142.250.179.238:443 youtube.com tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 142.250.179.238:443 youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 216.58.212.238:443 youtube-ui.l.google.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 216.58.212.238:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
GB 216.58.204.78:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.204.78:443 consent.youtube.com udp
US 8.8.8.8:53 135.213.112.50.in-addr.arpa udp
US 8.8.8.8:53 238.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
N/A 127.0.0.1:65211 N/A tcp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.169.46:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.169.46:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-aigzrnsz.gvt1.com udp
GB 74.125.175.169:443 r4---sn-aigzrnsz.gvt1.com tcp
US 8.8.8.8:53 r4.sn-aigzrnsz.gvt1.com udp
US 8.8.8.8:53 r4.sn-aigzrnsz.gvt1.com udp
GB 74.125.175.169:443 r4.sn-aigzrnsz.gvt1.com udp
US 8.8.8.8:53 46.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 169.175.125.74.in-addr.arpa udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.187.206:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.187.206:443 play.google.com udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
GB 216.58.204.78:443 consent.youtube.com udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
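Most of this table is noise from two sources: the sandbox's own reverse lookups of every peer it saw (the in-addr.arpa queries to 8.8.8.8) and the background traffic of the Firefox instance the malware launched (Mozilla telemetry and update services, YouTube, Google, the OpenH264 and Widevine plugin downloads). What remains falls into three groups. Plain HTTP on port 80 to bare IP addresses (185.215.113.43, 185.215.113.16, 185.215.113.206, 31.41.244.11) with no hostname fits the loader's check-in and payload downloads. Nine freshly minted .sbs domains, each resolved and then contacted over TLS on Cloudflare-fronted addresses, are the stealer's C2 candidates. Finally, steamcommunity.com is contacted before any Firefox traffic appears, which matches Lumma's documented use of a Steam profile page as a dead-drop resolver for its live C2; it is a legitimate site and must not be allowlisted on that basis. home.fvtejs5sr.top was only resolved, never connected to, and still belongs on the indicator list. The Python below is an added example, not part of the report: it applies that triage to a subset of the rows above. The benign-suffix allowlist and the WATCHED_LEGIT set are assumptions tuned to this detonation.

```python
"""Reduce a sandbox Network table to actionable indicators.

Added example, not part of the report. NETWORK_SUBSET is copied (abridged)
from the table above; BENIGN_SUFFIXES and WATCHED_LEGIT are assumptions
tuned to this detonation's Firefox background traffic.
"""
import ipaddress

NETWORK_SUBSET = """\
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 185.215.113.43:80 185.215.113.43 tcp
US 8.8.8.8:53 43.113.215.185.in-addr.arpa udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 home.fvtejs5sr.top udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 cook-rain.sbs udp
US 172.67.155.248:443 cook-rain.sbs tcp
US 8.8.8.8:53 processhol.sbs udp
US 104.21.81.249:443 processhol.sbs tcp
US 8.8.8.8:53 librari-night.sbs udp
US 104.21.85.146:443 librari-night.sbs tcp
US 8.8.8.8:53 befall-sm0ker.sbs udp
US 172.67.208.166:443 befall-sm0ker.sbs tcp
US 8.8.8.8:53 p10tgrace.sbs udp
US 104.21.0.92:443 p10tgrace.sbs tcp
US 8.8.8.8:53 peepburry828.sbs udp
US 172.67.214.72:443 peepburry828.sbs tcp
US 8.8.8.8:53 owner-vacat10n.sbs udp
US 104.21.81.208:443 owner-vacat10n.sbs tcp
RU 185.215.113.206:80 185.215.113.206 tcp
US 8.8.8.8:53 3xp3cts1aim.sbs udp
US 104.21.90.83:443 3xp3cts1aim.sbs tcp
US 8.8.8.8:53 p3ar11fter.sbs udp
US 104.21.49.21:443 p3ar11fter.sbs tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
N/A 127.0.0.1:65183 tcp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
GB 142.250.179.238:443 youtube.com tcp
GB 142.250.179.238:443 youtube.com udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
"""

RESOLVER = "8.8.8.8"
# Assumption: background traffic of the Firefox instance the malware launched.
BENIGN_SUFFIXES = ("mozilla.net", "mozilla.com", "mozaws.net", "mozgcp.net", "getpocket.com",
                   "google.com", "youtube.com", "gvt1.com", "akamai.net", "openh264.org")
# Assumption: legitimate services abused as dead-drop resolvers; never allowlisted.
WATCHED_LEGIT = {"steamcommunity.com"}


def is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def under(domain, suffix):
    return domain == suffix or domain.endswith("." + suffix)


def parse(text):
    """Rows of 'Country Destination Domain Proto'; loopback rows lack the Domain column."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            fields.insert(2, "")
        if len(fields) != 4:
            continue
        cc, dest, domain, proto = fields
        host, _, port = dest.rpartition(":")
        rows.append({"cc": cc, "host": host, "port": int(port), "domain": domain.lower(), "proto": proto})
    return rows


def triage(text):
    ptr_lookups = 0
    queried, connected, kinds = set(), set(), {}
    for r in parse(text):
        d = r["domain"]
        is_dns = r["host"] == RESOLVER and r["port"] == 53
        if is_dns and under(d, "in-addr.arpa"):
            ptr_lookups += 1                         # sandbox's own reverse lookups of peers
            continue
        if is_ip(r["host"]) and ipaddress.ip_address(r["host"]).is_loopback:
            continue                                 # browser-internal loopback traffic
        if d not in WATCHED_LEGIT and any(under(d, s) for s in BENIGN_SUFFIXES):
            continue
        if is_dns:
            queried.add(d)
            continue
        if is_ip(d):
            kind = "raw-ip-http" if r["port"] == 80 else f"raw-ip-{r['proto']}{r['port']}"
        elif d in WATCHED_LEGIT:
            kind = "legit-dead-drop-candidate"
        elif r["port"] == 443:
            kind = "tls"
        else:
            kind = f"{r['proto']}/{r['port']}"
        kinds[d or r["host"]] = kind
        connected.add(d)
    for name in queried - connected:
        kinds[name] = "dns-only"                     # resolved but never contacted: still an IOC
    return {"ptr_lookups": ptr_lookups, "iocs": sorted(kinds.items())}


if __name__ == "__main__":
    for indicator, kind in triage(NETWORK_SUBSET)["iocs"]:
        print(f"{kind:28} {indicator}")
```

The allowlist is matched on registrable-domain boundaries (domain equal to, or ending in a dot plus, the suffix) so that a look-alike such as notyoutube.com is not swallowed; in production the suffix list should come from a baseline run of the same sandbox image rather than from one report.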

Files

memory/1116-0-0x0000000000E70000-0x0000000001189000-memory.dmp

memory/1116-1-0x0000000077584000-0x0000000077586000-memory.dmp

memory/1116-2-0x0000000000E71000-0x0000000000ED9000-memory.dmp

memory/1116-3-0x0000000000E70000-0x0000000001189000-memory.dmp

memory/1116-4-0x0000000000E70000-0x0000000001189000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 e9d77ca53bf0845644dd8b2a6a24f133
SHA1 58700e47b86cf22ca0e0b96ffa10f64fb11f26c9
SHA256 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15
SHA512 1bbc659dcb319fcc71f2953a637e55fed2c7249e83bfd3f3ecf963a34482680906b1add3a422594d4912d9aa57d1748bac51ac64dfaa0d5638ef6fcc2d41435e

Same SHA256 as the submitted sample: skotes.exe is the loader copying itself into a random %TEMP% subdirectory, not a second downloaded payload, so its hash adds no indicator beyond the path pattern. The files under Temp\10066xxxxx\ below are the genuinely new binaries.

memory/1116-18-0x0000000000E71000-0x0000000000ED9000-memory.dmp

memory/1352-19-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

memory/1116-17-0x0000000000E70000-0x0000000001189000-memory.dmp

memory/1352-20-0x0000000000AB1000-0x0000000000B19000-memory.dmp

memory/1352-21-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

memory/1352-22-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

memory/1352-23-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1006666001\03a6b80412.exe

MD5 b1b4153d97719d001aa7c8b9a3f54f1e
SHA1 3e4cec45fd6cde0e48bc9bae946dc7b165547679
SHA256 48afa83eea80b88de1f93b429af9992582dccbc3d89181dc352cefceac7629bb
SHA512 f0688c04cf40f5c1b2e19b2407e48908d4205db62e9283dd433ea3bb65cc4f8a26218b286391391e8881e85ee01765ffea941bc9d65ee3b80ee7a5db7aa4e900

memory/1352-40-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

memory/1352-38-0x0000000000AB1000-0x0000000000B19000-memory.dmp

memory/4748-41-0x00000000000C0000-0x0000000000C6C000-memory.dmp

memory/4748-42-0x00000000000C0000-0x0000000000C6C000-memory.dmp

memory/1352-43-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

memory/4748-44-0x00000000000C0000-0x0000000000C6C000-memory.dmp

memory/4748-45-0x00000000000C0000-0x0000000000C6C000-memory.dmp

memory/3588-47-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

memory/3588-48-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1006859001\4b3e1ca893.exe

MD5 c3384cbcfd7f594f40fe489f5f67a36f
SHA1 37f8f298e7ef281a821e38cc08abb72d679c9b2d
SHA256 dbaa65c338340985131358f76f903a03045da28aaaa6297f37bf8f5123defcf2
SHA512 e68fc70a6bd04045e13712f95bee04070eeb2fc99cd02703eb15a583dfa49e0ee1e70a08b294072e0a6676cdaeb9e4dbd10fc06e6f3d8d7cf6ded951afc215ea

memory/3064-65-0x00000000002B0000-0x0000000000782000-memory.dmp

memory/1352-63-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1006860001\ddae024620.exe

MD5 a088750a78a264d0204488fe6bec85d6
SHA1 d7cc85364e6481188de1912ee35692f09a126f44
SHA256 d165a92f40ed9c2ec60c492ab46e9632e740d1af310215a6b464f82dd8418e21
SHA512 d00d35fff97f54d304a8f70b6916902987795124e7aeff103c248c2f7663bd61f8d9ed4985ceae8556cff308494c2063235aff7285f0892bea12850e802ca4ea

memory/3108-81-0x0000000000A70000-0x0000000001105000-memory.dmp

memory/3108-82-0x0000000000A70000-0x0000000001105000-memory.dmp

memory/3064-83-0x00000000002B0000-0x0000000000782000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1006861001\b92717cf25.exe

MD5 95821147e42ab35fdaf3ed0147f6e84c
SHA1 4e8b988e3d461eb5878d6a59b89a079570cec9ef
SHA256 eea6ddef3eb7b22725ef536cd859593e65ede2edf38955533b85bf0e1f1667f5
SHA512 5f4203170cab652dc91bdd39f35ca8ad88aa867a3edd089009ecd0ae441709766724e6e20307fe8e77d2a333ceece4db517e9d6e421ff8e129904b4ee7fb54fe

C:\Users\Admin\AppData\Local\Temp\1006862001\14620c93ed.exe

MD5 20d45eddc965d7714b3412a9bf7ebe7e
SHA1 888e3f63a63cef84f8b4deb3ef570967725766af
SHA256 fcc5177127503eb837af31d6d1c483ad753da3c863c415224cc0c3b31911b331
SHA512 441911b9d3dbdac8a530420b40e7f4ebe7e9a3b68daab44156aa8a0c230267d7c8df9cc3aaf97c485d4969d6d63f33eeff88315dc0026bce68740cd4e977baff

memory/3460-126-0x0000000000A30000-0x0000000000CE0000-memory.dmp

memory/1352-125-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

memory/3460-327-0x0000000000A30000-0x0000000000CE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\10e288f9-eb80-440b-b944-86fb56b4132d

MD5 1f0ef687de67b955aa17f108b4248deb
SHA1 a02452afc279be5e43d4f74498b41529a913630d
SHA256 c93985b3533d9378ff0a475d38b44bd4cca2072b080af314f61efe1a1b32b9ef
SHA512 5a0e5c0fe38f4273bb1ec2987e88be6303fe77c29c8fa208829b71fc3dcf724a702201e7a202af8a0cddc32a5a912b02e91de50516c522148bb4bd46a3a4462e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\3f727ead-5caf-4f3a-a0d6-31a60348ea43

MD5 dd7d37835245a6b36c9c4a61084804cf
SHA1 a4d872495f05d78405206080e4becc2243458f36
SHA256 51945cb2524f1bfc67186bb8dc91b81befe8baff16803d7c2e5a73d98c1ee786
SHA512 069b7a600ca90856df4c8544e6a663ab7f8609cf9e4bcd4bbfdf3c979be337e8bb665450c147a3776ecc8fa5e212e2016898efa6b740914e14a99c6d63ca53f2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\e5828543-7ca3-48a8-a590-92c416b01542

MD5 1a9a3c912322464ff8306b4cd87b1ecb
SHA1 0d78e4fd9ad9d7aaaa19ac4edc3dddd892d1e581
SHA256 579e180f6feb40d8c73c3bdbbb1eae8416668c831b108671465d6d69a9c8d129
SHA512 0711f9d46063d1f99d8d4ffe1ab78c3f90d4e8df96dbd40e41f72129fd8a68c300439d8c53c91c65a3ddcd71da4cd3dad737964ed191025f79d7ce7bc16bd0a4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

MD5 f7dfc4e10ab9cef043c5e39f0f0b3a42
SHA1 4ac827b76bbeaa70b1c662792be00f7328042c8e
SHA256 89f6d354ccea94ced6d8f79e9c5a10513501822e42a7aded859535c5e9995db0
SHA512 d52dc22f1374be8b461d256e474601d4c51e4bf9691c70b99614e82cf4eb6a9da13b899306b631fbe97f7b30c5f7215f8d2c46fb5fb6230408e298b678140625

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

MD5 5672599235e08dbd300826223b03362f
SHA1 b617088f8113af7eedf3ea2975c0395b5bed6a81
SHA256 d0791da8a1e885d260349c55eda2c62f7f626b74ab515fb9519ac64c657d36a5
SHA512 9e405b2b7eee364e9d6ef93ab51c3bffacb9c5002270a4b525cc215206d94d86c05172295d835785b9172188ee0172553de9d7ea7563f3f1507c44a3a915f243

memory/3460-139-0x0000000000A30000-0x0000000000CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\activity-stream.discovery_stream.json

MD5 d5b053ac04285be153a2acfc11d57a28
SHA1 55936ad85df8fdffd3b05d4e6ace4769cb25ff5e
SHA256 c8a977573a70613996be8b9a713bc6c9fdf5c6d44de19a9724d5fe28e9bf3a47
SHA512 4b9652ffb8c6385b9f51f3e31f57a24439a6946f5aa6ed486bd62eb1f821a4f8350fffd1ab14e64db658e3d3130361c88cb6ede68f9e22269a165648dad759b0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

MD5 db4be9d784cfc1a73421c009d198976b
SHA1 f0a25e236d1edbb90c52f14e4283c4712bb1bbca
SHA256 000d79b107ad2d8d45c846edfa6a8882356a1693425b471838a6c1f2f23892af
SHA512 b7fb93c7ee0317a17df44f65d7775dd871af2f222e23bf7cc7ff35fc0e48c06fce97ef4daddee243b9ba08ebc17bb1d637dc35c8565593c13b37fd357c95b623

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

MD5 df4d5b80c32745fbc9e7080f5606d57a
SHA1 ac61cf94b88627a5c22a8e43509003c724698e95
SHA256 e53a77732ed8bc4c58af28959b58b6566788273b1807ca76577f30721ac29254
SHA512 1549dfd468fb78ee087b081ec2f20e599bce189e7a36e5cb906f78e2e35ef4e6ccd92c551a3dd1ba11e75ae5e53545870ca9f432cda159f804eb6f9f2e091831

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs.js

MD5 61f2fbf7f90e52ce617766db11941700
SHA1 ab0df6fac65b0ede03f3281514495758744d56d2
SHA256 b077945e07f395378d1b9c5958aaa86fcc8a631a66f27c6a9b73dc87c8d92a1f
SHA512 c2d8b150ee6a7e153a84f6aeab85fc4548b8c62bfd5cccad5b92b948531ebf7ace8ac6c5dc73f72358dc5c8cb0e2a77d27ac4fde7556a52e99c7d1cdd7e4a3f7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

MD5 7bfda0b26c6e1ab593c4cf2b04ca8dc2
SHA1 412b7ae3edf855c7e8871a83d92cc1da3ce0021d
SHA256 1ee892886fa46319b77c8e6de4f45343f1e849ca6148d104773d7774bf5e52e8
SHA512 2ce2ec1d85dea153c39ec68b390a18c4a98c6c514ed1a39e55820683425284862d6646a564a551c468a6a974e2f31ddf11b3c84c5701541cc7ea12b567947223

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs.js

MD5 b21f3426e26a62b0363fb49a18889f09
SHA1 27aea5d75311468452a784a5b450786b5bf2c8fc
SHA256 54d490d596f56f34f7ae6b19e3e7f0bf827defd7a5246ed911b0e84ccc293ecb
SHA512 65971ceca2aaa233aa5a20e00c5a7341e1ed5f4fb82d48e2a2da7de644667639c66d2c67654cce8f994e789fc79e193d0fad962d00318767df888ae2d41c8a42

memory/1352-486-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

memory/3460-488-0x0000000000A30000-0x0000000000CE0000-memory.dmp

memory/3460-497-0x0000000000A30000-0x0000000000CE0000-memory.dmp

memory/1352-502-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

MD5 6a266b9a6bbbea79cc83adf1b2433f0e
SHA1 e0f2dc207f414f1a34a2213464f3f7942e63e06b
SHA256 ccf9ded6cb407cf5d7293406a2d2b1b9ab2956284fffcf83044dbd6a48c036cf
SHA512 d6065cf40005a4ddb2885ca192e0d1afdb41088cc303aa3096527eaeb78c027c543dd5e84147798df6f29421778219efd7371707dd2b6560737f3fb210e4a8f2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs.js

MD5 116e1510f43f6947f6ef55d8c0d29c4d
SHA1 d58e83529ec8c2eac5b980870e3f7836154909fb
SHA256 488cde103b478f2d5a3ee6df55d06f652de524f91fd3d6bb352e7bc0b31a9f05
SHA512 30b76632bdd98d8b3dee37a4662594e21391710958c47bd0964973670b6380df899d0faf153796ff1706ba65d73e65e868e79ec058493463635ff5384ed386d5

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

MD5 c356c3d0df65384b6f53f5b736a06c67
SHA1 5cba374b63290889031f48df7021d1583aef62c9
SHA256 da8fbcf8b75f1db5f1af34e373ea5e5d087beffad5ba14f9d2a75dfad8c1712f
SHA512 53aa67fcd28784d39e48e8abea4fd96851d90c299ab9e155c82129bdec701b380a1a3af1f6eed1ab0128f45db5a82e7014eb90418d01eaf7c6857ea59fe82691

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs.js

MD5 51f532c97b312ceccf72f107c69c0b51
SHA1 f1a503088bc7037fa99626637b0b9d43087a6a73
SHA256 c5bb77f8a23483fbb3e596d43b05a2e8fb74119e44c5182ee58f5aee96adc2bf
SHA512 2871c22d50a0b4ae495c20952e180cc1f7cfb778dfc59a902f842d0e827c2aa47a12d99c5849b14ab243bdf1e28a1c89abefc262a746f2157117de89f900a984

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/1352-1225-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js

MD5 9f0d545d143d7bd66121a0222caf0e29
SHA1 93814a4c0536b56fbd450a179116d545af8d9e5c
SHA256 db7152141a2766d6cce37f4f917445cab435b684cbffb42e5a1fd84db476dd2f
SHA512 6d35639cafecb807eebc1db0ed63fb79ed316b4a83936f991293e4b3f43dd84f6533ff99d8912d7910263c7c5b29523145ad45d37ab37914df4825a8be8dbbc1

memory/1352-2841-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

memory/3332-3084-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

memory/3332-3085-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

memory/1352-3086-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

memory/1352-3092-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

memory/1352-3094-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

memory/1352-3095-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

memory/1352-3096-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

memory/1352-3097-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

memory/5352-3099-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

memory/1352-3100-0x0000000000AB0000-0x0000000000DC9000-memory.dmp

memory/1352-3101-0x0000000000AB0000-0x0000000000DC9000-memory.dmp