Malware Analysis Report

2025-01-22 15:02

Sample ID 241206-ns5qssvrhv
Target 66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe
SHA256 66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d
Tags
amadey cryptbot lumma orcus stealc 9c9aa5 drum discovery evasion persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d

Threat Level: Known bad

The file 66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe was found to be: Known bad.

Malicious Activity Summary

amadey cryptbot lumma orcus stealc 9c9aa5 drum discovery evasion persistence rat spyware stealer trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

Lumma family

Lumma Stealer, LummaC

Orcus

Orcus family

Modifies Windows Defender Real-time Protection settings

Amadey family

Stealc

Cryptbot family

Stealc family

Amadey

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Enumerates VirtualBox registry keys

Orcurs Rat Executable

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Identifies Wine through registry keys

Executes dropped EXE

Checks BIOS information in registry

Windows security modification

Adds Run key to start application

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Enumerates processes with tasklist

Drops file in Windows directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Uses Task Scheduler COM API

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-06 11:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-06 11:40

Reported

2024-12-06 11:42

Platform

win7-20240903-en

Max time kernel

119s

Max time network

119s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

CryptBot

spyware stealer cryptbot

Cryptbot family

cryptbot

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A

Orcus

rat spyware stealer orcus

Orcus family

orcus

Stealc

stealer stealc

Stealc family

stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2260 created 1100 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\Explorer.EXE

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012684001\40a385b3e5.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012685001\d7474a0f48.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012684001\40a385b3e5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012685001\d7474a0f48.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012685001\d7474a0f48.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012684001\40a385b3e5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012684001\40a385b3e5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012685001\d7474a0f48.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\40a385b3e5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012684001\\40a385b3e5.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\d7474a0f48.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012685001\\d7474a0f48.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ec89941014.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012686001\\ec89941014.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\676571cc27.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012687001\\676571cc27.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
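The three registry tables above show the two things a responder most wants to pull out of this report: 676571cc27.exe writing "1" to the Disable* values under the Defender Group Policy key (a policy value there overrides the user-facing toggle and persists across reboots) plus "0" to TamperProtection (a write that Tamper Protection is meant to block on Windows 10 and later; the sandbox platform here is Windows 7, where it does not exist), and skotes.exe registering four Run-key autoruns that all point into %LOCALAPPDATA%\Temp. The following Python is an added example written for this page, not part of the sandbox report: it parses "Set value" rows in the report's own flattened format and classifies them, so the same logic can be pointed at another report or at exported registry audit events. The last sample row is constructed (a "0" write from svchost.exe) to show that a re-enable is not flagged; the technique labels are this example's own naming, not ATT&CK IDs.

```python
import re
from dataclasses import dataclass

# Registry rows copied from the three tables above ("Modifies Windows Defender
# Real-time Protection settings", "Windows security modification", "Adds Run key
# to start application"). The final row is constructed: it writes "0" and must
# not be flagged, because it re-enables rather than disables monitoring.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\40a385b3e5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012684001\\40a385b3e5.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\d7474a0f48.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012685001\\d7474a0f48.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ec89941014.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012686001\\ec89941014.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\676571cc27.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012687001\\676571cc27.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" C:\Windows\System32\svchost.exe N/A',
]

# Report row layout: Description Indicator Process Target. The value is always
# quoted and the last column is a single token, which is what makes the flattened
# line parseable even though both the key path and the process path contain spaces.
ROW_RE = re.compile(
    r'^Set value \((?P<type>int|str)\) (?P<path>.+?) = "(?P<value>.*)" (?P<process>.+?) (?P<target>\S+)$'
)


@dataclass
class Finding:
    technique: str   # label used by this example, not an ATT&CK ID
    key: str
    value: str
    process: str
    note: str


def parse_row(row):
    """Return the row's columns as a dict, or None if it is not a 'Set value' row."""
    m = ROW_RE.match(row.strip())
    return m.groupdict() if m else None


def classify(rows):
    findings = []
    for row in rows:
        r = parse_row(row)
        if r is None:
            continue
        path_l = r['path'].lower()
        name = r['path'].rsplit('\\', 1)[-1]
        if ('\\policies\\microsoft\\windows defender\\' in path_l
                and name.lower().startswith('disable') and r['value'] == '1'):
            # Group Policy location: a 1 here wins over the Security Center toggle.
            findings.append(Finding('defender_disable', r['path'], r['value'],
                                    r['process'], f'{name} forced on via policy key'))
        elif path_l.endswith('\\windows defender\\features\\tamperprotection') and r['value'] == '0':
            findings.append(Finding('defender_tamper_protection_off', r['path'],
                                    r['value'], r['process'],
                                    'TamperProtection cleared; blocked on Win10+ when TP is on'))
        elif '\\currentversion\\run\\' in path_l:
            target = r['value'].replace('\\\\', '\\')   # undo the report's escaping
            in_temp = '\\appdata\\local\\temp\\' in target.lower()
            findings.append(Finding('run_key_persistence', r['path'], target,
                                    r['process'],
                                    'autorun points into %LOCALAPPDATA%\\Temp' if in_temp
                                    else 'autorun added'))
    return findings


if __name__ == '__main__':
    for f in classify(SAMPLE_ROWS):
        print(f'{f.technique:32} {f.process.rsplit(chr(92), 1)[-1]:16} {f.note}')
```

On a live host the same three checks map to `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection`, `HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection` and `HKCU\...\CurrentVersion\Run`; removing the policy values (rather than setting them to 0) is what restores the default.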

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe N/A
File opened for modification C:\Windows\MovieArchives C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A
File opened for modification C:\Windows\PackageExpression C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012686001\ec89941014.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\1012686001\ec89941014.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\1012686001\ec89941014.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012685001\d7474a0f48.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012684001\40a385b3e5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012684001\40a385b3e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012685001\d7474a0f48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\ec89941014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\ec89941014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\ec89941014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2792 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2792 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2792 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2572 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
PID 2572 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
PID 2572 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
PID 2572 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
PID 2980 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3044 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3044 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3044 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3044 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3044 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3044 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3044 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3044 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3044 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3044 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3044 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3044 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3044 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3044 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3044 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3044 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 1268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 1268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 1268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 1268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\491505\Dr.com
PID 3044 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\491505\Dr.com
PID 3044 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\491505\Dr.com
PID 3044 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\491505\Dr.com
PID 3044 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3044 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3044 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3044 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2260 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\SysWOW64\schtasks.exe
PID 2260 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\SysWOW64\schtasks.exe
PID 2260 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\SysWOW64\schtasks.exe
PID 2260 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2572 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe
PID 2572 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe
PID 2572 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe
PID 2572 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe
PID 2572 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012684001\40a385b3e5.exe
PID 2572 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012684001\40a385b3e5.exe
PID 2572 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012684001\40a385b3e5.exe
PID 2572 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012684001\40a385b3e5.exe
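The WriteProcessMemory table is the most reliable place in this report to recover the spawn chain, because every parent that starts a child shows up as a burst of writes into that child (the sample lists each parent-child pair four times). Collapsing those rows gives the tree: the sample drops and starts skotes.exe, which launches wL3EGdM.exe, the cmd.exe batch stage, Dr.com and the later payloads. The Python below is an added example for this page, not code from the sandbox: it parses the rows as printed above, dedupes them into edges, and prints the tree. Explorer.EXE, the actual parent of the sample, does not appear in these rows, so the reconstructed root is PID 2792 (the sample itself).

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above. The
# first edge is kept with all four repeats to show the collapsing; the others
# appear once each.
SAMPLE_ROWS = [
    r'PID 2792 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe',
    r'PID 2792 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe',
    r'PID 2792 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe',
    r'PID 2792 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe',
    r'PID 2572 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe',
    r'PID 2980 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe C:\Windows\SysWOW64\cmd.exe',
    r'PID 3044 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe',
    r'PID 3044 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe',
    r'PID 3044 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe',
    r'PID 3044 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe',
    r'PID 3044 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe',
    r'PID 3044 wrote to memory of 1268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe',
    r'PID 3044 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\491505\Dr.com',
    r'PID 3044 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe',
    r'PID 2260 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\SysWOW64\cmd.exe',
    r'PID 2260 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\SysWOW64\schtasks.exe',
    r'PID 2508 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe',
    r'PID 2572 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe',
    r'PID 2572 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012684001\40a385b3e5.exe',
]

# Both image paths may contain spaces, so the split point is the first ".exe"/".com"
# followed by a space (the parent image), and everything after it is the child.
EDGE_RE = re.compile(
    r'^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A '
    r'(?P<parent>.+?\.(?:exe|com)) (?P<child>.+)$', re.IGNORECASE)


def parse_edges(rows):
    """Collapse repeated rows into one edge per (ppid, pid), counting the writes."""
    edges = {}
    for row in rows:
        m = EDGE_RE.match(row.strip())
        if not m:
            continue
        key = (int(m['ppid']), int(m['pid']))
        if key in edges:
            edges[key]['writes'] += 1
        else:
            edges[key] = {'parent': m['parent'], 'child': m['child'], 'writes': 1}
    return edges


def build_tree(edges):
    """Return (children, images, roots); insertion order of the rows is preserved."""
    children, images = defaultdict(list), {}
    for (ppid, pid), e in edges.items():
        children[ppid].append(pid)
        images.setdefault(ppid, e['parent'])
        images[pid] = e['child']
    child_pids = {pid for (_, pid) in edges}
    roots = sorted(p for p in images if p not in child_pids)
    return children, images, roots


def descendants(children, pid):
    """Breadth-first list of every PID below `pid`."""
    out, queue = [], list(children.get(pid, []))
    while queue:
        p = queue.pop(0)
        out.append(p)
        queue.extend(children.get(p, []))
    return out


def render(edges):
    children, images, roots = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid} {images[pid]}")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return '\n'.join(lines)


if __name__ == '__main__':
    print(render(parse_edges(SAMPLE_ROWS)))
```

The same parser works on the "NtCreateUserProcessOtherParentProcess" row format with a different regex; that row is worth keeping separate rather than merging into the tree, since its whole point is that the real creator (Dr.com, PID 2260) is not the parent the child will report.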

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe

"C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe

"C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 491505

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Dentists + ..\Flavor + ..\Disturbed + ..\Artistic + ..\Justice + ..\Proceeds + ..\Zip + ..\Soundtrack + ..\Revenue B

C:\Users\Admin\AppData\Local\Temp\491505\Dr.com

Dr.com B

C:\Windows\SysWOW64\choice.exe

choice /d y /t 15

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "ApolloPro" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc onlogon /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe

"C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe"

C:\Users\Admin\AppData\Local\Temp\1012684001\40a385b3e5.exe

"C:\Users\Admin\AppData\Local\Temp\1012684001\40a385b3e5.exe"

C:\Users\Admin\AppData\Local\Temp\1012685001\d7474a0f48.exe

"C:\Users\Admin\AppData\Local\Temp\1012685001\d7474a0f48.exe"

C:\Users\Admin\AppData\Local\Temp\1012686001\ec89941014.exe

"C:\Users\Admin\AppData\Local\Temp\1012686001\ec89941014.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1568.0.1242558417\263045114" -parentBuildID 20221007134813 -prefsHandle 1272 -prefMapHandle 1140 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a3ebdca-2f47-43e1-a764-f1ef7ba99f40} 1568 "\\.\pipe\gecko-crash-server-pipe.1568" 1348 fff1058 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1568.1.1664309770\401834893" -parentBuildID 20221007134813 -prefsHandle 1532 -prefMapHandle 1528 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {445b37c5-a1a7-4865-8650-26b16fe6593c} 1568 "\\.\pipe\gecko-crash-server-pipe.1568" 1544 41edc58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1568.2.713198149\540857047" -childID 1 -isForBrowser -prefsHandle 2012 -prefMapHandle 2008 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7da1877e-2239-44d3-a5c8-66449ccfe393} 1568 "\\.\pipe\gecko-crash-server-pipe.1568" 2040 18869458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1568.3.2076820655\1722593699" -childID 2 -isForBrowser -prefsHandle 2652 -prefMapHandle 2648 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c20b73c5-2e08-44a3-a163-5db9e4440591} 1568 "\\.\pipe\gecko-crash-server-pipe.1568" 2664 1b425758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1568.4.1980508715\1594367893" -childID 3 -isForBrowser -prefsHandle 3756 -prefMapHandle 3504 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e515801-e656-4bdb-883e-1a30010e20db} 1568 "\\.\pipe\gecko-crash-server-pipe.1568" 3744 1e79f558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1568.5.1470358745\2041389355" -childID 4 -isForBrowser -prefsHandle 3820 -prefMapHandle 3824 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cdfca4c-4ca8-4c37-bb94-f6dcd6292167} 1568 "\\.\pipe\gecko-crash-server-pipe.1568" 3808 1e79f858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1568.6.569325701\509037528" -childID 5 -isForBrowser -prefsHandle 3996 -prefMapHandle 4000 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52946d9d-4b2c-4b12-b040-99fe1b3d11b8} 1568 "\\.\pipe\gecko-crash-server-pipe.1568" 3984 1e7a1c58 tab

C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe

"C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe"

C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

Network

Country Destination Domain Proto
RU 185.215.113.43:80 185.215.113.43 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 UWPunrsopYzTstryocRtyY.UWPunrsopYzTstryocRtyY udp
US 8.8.8.8:53 httpbin.org udp
US 44.196.3.45:443 httpbin.org tcp
US 8.8.8.8:53 home.fvtekx5vs.top udp
IT 34.17.28.197:80 home.fvtekx5vs.top tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 atten-supporse.biz udp
US 104.21.16.9:443 atten-supporse.biz tcp
US 8.8.8.8:53 home.fvtekx5vs.top udp
IT 34.17.28.197:80 home.fvtekx5vs.top tcp
US 8.8.8.8:53 home.fvtekx5vs.top udp
US 8.8.8.8:53 se-blurry.biz udp
IT 34.17.28.197:80 home.fvtekx5vs.top tcp
US 104.21.81.153:443 se-blurry.biz tcp
US 8.8.8.8:53 zinc-sneark.biz udp
US 104.21.62.142:443 zinc-sneark.biz tcp
RU 185.215.113.206:80 185.215.113.206 tcp
N/A 127.0.0.1:49693 tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
GB 216.58.213.14:443 youtube.com tcp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
GB 216.58.213.14:443 youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
GB 142.250.187.238:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 142.250.187.238:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.200.46:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.200.46:443 consent.youtube.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
N/A 127.0.0.1:49701 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 45.74.38.211:4782 tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
DE 2.22.61.56:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.180.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.180.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-4g5e6ns7.gvt1.com udp
DE 173.194.182.73:443 r4---sn-4g5e6ns7.gvt1.com tcp
US 8.8.8.8:53 r4.sn-4g5e6ns7.gvt1.com udp
US 8.8.8.8:53 r4.sn-4g5e6ns7.gvt1.com udp
DE 173.194.182.73:443 r4.sn-4g5e6ns7.gvt1.com tcp
DE 173.194.182.73:443 r4.sn-4g5e6ns7.gvt1.com udp
GB 45.74.38.211:4782 tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
GB 45.74.38.211:4782 tcp
GB 45.74.38.211:4782 tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 45.74.38.211:4782 tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.200.46:443 consent.youtube.com udp
GB 142.250.200.46:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.200.46:443 consent.youtube.com tcp
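
The table above mixes the sample's own traffic (bare-IP HTTP to 185.215.113.x, a TCP session to 45.74.38.211:4782, a DNS query for a random-looking name, and .top/.biz hosts) with the background traffic the Firefox child processes generate. The helper below is an added example, not part of the sandbox report: it parses rows of this exact layout and separates the endpoints worth putting on a block list from the browser noise. Its resolver address, "expected" port set, benign-suffix list, IP-echo-service list and the TLD and generated-name heuristics are this example's own assumptions, not facts the report states; the embedded rows are a constructed subset copied from the table.

```python
from __future__ import annotations
import math, re
from collections import Counter
from dataclasses import dataclass

ROW = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)

# Constructed sample: the header plus a subset of rows copied from the table above.
SAMPLE_ROWS = """\
Country Destination Domain Proto
RU 185.215.113.43:80 185.215.113.43 tcp
US 8.8.8.8:53 UWPunrsopYzTstryocRtyY.UWPunrsopYzTstryocRtyY udp
US 8.8.8.8:53 httpbin.org udp
US 44.196.3.45:443 httpbin.org tcp
IT 34.17.28.197:80 home.fvtekx5vs.top tcp
US 104.21.16.9:443 atten-supporse.biz tcp
N/A 127.0.0.1:49693 tcp
GB 45.74.38.211:4782 tcp
GB 216.58.213.14:443 youtube.com tcp
"""

# Everything below is an assumption of this example, not a fact stated in the report.
RESOLVER = "8.8.8.8"                    # the sandbox's DNS resolver
EXPECTED_PORTS = {53, 80, 443}          # what a browser or the OS normally talks to
IP_ECHO_SERVICES = {"httpbin.org"}      # public "what is my IP" services
UNCOMMON_TLDS = {"top", "biz", "xyz"}   # TLDs worth a second look in sandbox traffic
KNOWN_BENIGN_SUFFIXES = ("youtube.com", ".google.com", ".mozilla.net", ".mozgcp.net",
                         ".mozaws.net", ".openh264.org", ".gvt1.com", ".akamai.net")

@dataclass(frozen=True)
class Conn:
    ip: str
    port: int
    domain: str | None   # None when the row has no name (loopback, bare-IP socket)
    proto: str

def parse_rows(text: str) -> list[Conn]:
    """Parse the space-separated table, skipping blank lines and the header."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        conns.append(Conn(m["ip"], int(m["port"]), m["domain"], m["proto"]))
    return conns

def shannon_entropy(s: str) -> float:
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def looks_generated(domain: str) -> bool:
    """Heuristic: a long label that is mixed-case (queried names are normally
    lowercase, so that alone is odd in a DNS log) or high-entropy."""
    for label in domain.split(".")[:-1]:
        if len(label) >= 16 and (label != label.lower() or shannon_entropy(label) >= 3.5):
            return True
    return False

def triage(conns: list[Conn]) -> dict[str, list[str]]:
    """Bucket connections into the categories a responder pulls out first."""
    findings: dict[str, list[str]] = {"direct_to_ip": [], "nonstandard_port": [],
        "suspicious_dns_name": [], "ip_echo_service": [], "uncommon_tld": []}
    def add(cat: str, item: str) -> None:
        if item not in findings[cat]:       # keep first-seen order, drop repeats
            findings[cat].append(item)

    for c in conns:
        if c.domain and c.domain != c.ip:
            if looks_generated(c.domain):
                add("suspicious_dns_name", c.domain)
            if c.domain in IP_ECHO_SERVICES:
                add("ip_echo_service", c.domain)
            if c.domain.rsplit(".", 1)[-1] in UNCOMMON_TLDS:
                add("uncommon_tld", c.domain)
        if c.ip == RESOLVER or c.ip.startswith("127."):
            continue                        # resolver and loopback are not endpoints of interest
        endpoint = f"{c.ip}:{c.port}"
        if c.domain == c.ip:
            add("direct_to_ip", endpoint)   # contacted without any DNS lookup
        if c.port not in EXPECTED_PORTS:
            add("nonstandard_port", endpoint)
    return findings

def ioc_list(conns: list[Conn]) -> dict[str, list[str]]:
    """Endpoints and names left after removing resolver, loopback and benign traffic."""
    ips, domains = set(), set()
    for c in conns:
        benign = c.domain is not None and c.domain.endswith(KNOWN_BENIGN_SUFFIXES)
        if c.domain and c.domain != c.ip and not benign:
            domains.add(c.domain)
        if c.ip == RESOLVER or c.ip.startswith("127.") or benign:
            continue
        ips.add(f"{c.ip}:{c.port}")
    return {"ips": sorted(ips), "domains": sorted(domains)}
```

Calling parse_rows(SAMPLE_ROWS) and then triage() on the result flags the bare-IP HTTP endpoint, the 4782/tcp session, the mixed-case DNS name, httpbin.org and the two .top/.biz hosts, while ioc_list() drops the resolver, loopback and youtube.com rows. The benign-suffix list is the part to adjust per sandbox: the Firefox processes in this report reach Mozilla, Google and Cisco infrastructure on their own, and those rows should not end up on a block list.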

Files

memory/2792-0-0x00000000008C0000-0x0000000000D87000-memory.dmp

memory/2792-1-0x00000000776A0000-0x00000000776A2000-memory.dmp

memory/2792-2-0x00000000008C1000-0x00000000008EF000-memory.dmp

memory/2792-3-0x00000000008C0000-0x0000000000D87000-memory.dmp

memory/2792-5-0x00000000008C0000-0x0000000000D87000-memory.dmp

memory/2792-10-0x00000000008C0000-0x0000000000D87000-memory.dmp

\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 17d94dc8f579018a4491a19cfca59866
SHA1 f8e210e08da2f53ffce5be2839a296b33ace72d8
SHA256 66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d
SHA512 0e4aa55d08bf2d1ee780a0730105a23e4479abe3eb5c147d639bf28fdb698e34f24ead91db1d5ce410979a45a83a9ffecdd4e88b1ed94041763fe7fc60665d3c

memory/2792-21-0x0000000007240000-0x0000000007707000-memory.dmp

memory/2572-22-0x00000000009A0000-0x0000000000E67000-memory.dmp

memory/2792-19-0x0000000007240000-0x0000000007707000-memory.dmp

memory/2792-18-0x00000000008C0000-0x0000000000D87000-memory.dmp

memory/2572-24-0x00000000009A0000-0x0000000000E67000-memory.dmp

memory/2572-23-0x00000000009A1000-0x00000000009CF000-memory.dmp

memory/2572-26-0x00000000009A0000-0x0000000000E67000-memory.dmp

memory/2572-27-0x00000000009A0000-0x0000000000E67000-memory.dmp

memory/2572-28-0x00000000009A0000-0x0000000000E67000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe

MD5 a67e34baacfca98f323981d3b0087f3b
SHA1 d22ccae2971df83812acaebc750d9a2c87357fe5
SHA256 6092579a997945b10d3f279693baa004d180417ccfec941c45eb20705a2b4706
SHA512 39c7a33ab14e518a09f4e022c1c61c8b5a88417af3ce5a1769ab8c0fa328a178fcd79a098c4c7f3344df75e2b7cd22ebf6a88d43ad61599c53a3c89d54c29d6d

C:\Users\Admin\AppData\Local\Temp\Audit.cmd

MD5 9da23439e34b0498b82ae193c5a8f3a8
SHA1 ae20bbe7fac03c94e42f4dd206d89003faae7899
SHA256 0f241cc0324871a1a900a7ac0edf889a8d12875b1072f44856cc979a4b7a77ac
SHA512 cd4b262753b4f5f1dac09c20fa64ebdee00cf4a3fce92287a7439df943ea65bdf8569f541c2668b2164139b91facccfb3c98db8ad8f686637f4e317583cc98a2

C:\Users\Admin\AppData\Local\Temp\Commissioner

MD5 6ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1 f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA512 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

C:\Users\Admin\AppData\Local\Temp\Revenue

MD5 aabc90b85b9c3b51543de0339d29778e
SHA1 299f5e2ca9326e0a5feefb4fc7b05da93cfd11a1
SHA256 9a0a3567f4c9b9ca46fbf41d65cdd5ce464b0efe42d6aaf7cff840addbe05d60
SHA512 3d951489d7d46874909bfd82e9cac346bdd15bbb485fc76e1ed7d6fe7bb51a7649d1f649b75bb6f6f1b6f10ea16113cd01c20aa7ea85d038fcb7fe317082edf3

C:\Users\Admin\AppData\Local\Temp\Soundtrack

MD5 b75737c804ca9949cc63bd42c945a5e6
SHA1 75c0490174adc40d1824b1024021b82dd5c762b7
SHA256 628068ee856d68776d6e9b755cd42d7a5a46af1a2a6a2c22e65db95b5d2d8f2c
SHA512 58fedd2bd6318d4b93de429d184701e059321c16872cafc978837c29985404bf432e4a2701894f7f67045f9684da40c8e14f9f557da3398c5d6eeca2e18faca7

C:\Users\Admin\AppData\Local\Temp\Zip

MD5 84f05dddefb1c72567827be553fe67fe
SHA1 c2ebcc4de3439a8206aa8faac90312bfb207ce4f
SHA256 b7de8d92196f323eb9a6237b9e902461569fd093b36e1988dee9de2ab157bb12
SHA512 99954fa07fe7cc0e54dbd0af09b32507cd998c8b44cb63f1ffe8e30667b6d1bb0949a6c95b60e40e73f0b0bb3f11e79f8fa23f696032118210cd10f03eec2904

C:\Users\Admin\AppData\Local\Temp\Proceeds

MD5 de061b898e12d89c92409f220918347f
SHA1 6b571edab30dcc4d5518e5bebb296d1f7bf5414c
SHA256 70fda66f3ea2607d6cff63d0a6a7258577690d2a9bc5105bb529889ce025d1c2
SHA512 61d94f04572643dc4274aedda51e7cb6bcccefcfa4556e6d87f94195ddf90ffbeb65909688c7bc3407f244021cc6dff0c8692fd7835ee61e6a43a0394a693a2b

C:\Users\Admin\AppData\Local\Temp\Justice

MD5 774df02c553d130dde3aa7496b64ebed
SHA1 e2a4aab8c3b654bd022662045fa70413a80e55f9
SHA256 ae9283c1a14b751639a75592295d85105954b761737ab77fc1e667a1498f2e9e
SHA512 c132cdf383e4fa32362d50768898ed9c6cd1e306056d066168a8ac1ee3ea7953424ff3b241ff1e0376b99b91f566b698bfef07da9bc45471097a6637dc154d11

C:\Users\Admin\AppData\Local\Temp\Artistic

MD5 d35007cc8b2860b1fe9ee861e1f2846d
SHA1 58638fd185601506b3b13fe254065aeb7edff28c
SHA256 de1e4dbe18f0b926b49aceb10157bc7f542409bad6242422efef3b831608a037
SHA512 45f851201656cb19c89274d124a7625a4c9fe12f412616a84458aa1857c61455126264416ff7fa1c9ffa99b994613baecfacd1f8179240a5021c7e5b867ea068

C:\Users\Admin\AppData\Local\Temp\Disturbed

MD5 0e2df9a4f4d78ad0299f0377d417b39e
SHA1 a2452ab3b04b480dfc2a58a416762e280254751f
SHA256 8834f63f09734b9f284437f26cba4909ce9ae1aceafa27e2bcd7531c1a7479df
SHA512 d8194f24cc02fc030c7cf1dab5970257a79b8bcc887a8ff1ccd104e94ea809dcd266b056c80e6a0e73cba71f81e654389025c939e3135f6fafca9d51737812b8

C:\Users\Admin\AppData\Local\Temp\Flavor

MD5 d9182f7a263f19b9876e7e1568e6c760
SHA1 d0683b5a7247a2f4a69473165d2c2649f2e1c01f
SHA256 4efff79e94f136f9bbaed62501810937785831b8c10ee9eb675ceae24cf3c4c9
SHA512 85582b94da822580eb26bc477440d87fb0a9ed98e3b75166cd96c2a18c88367c8bdd808fc43c52c2078e625efd81983e9f2e733272289833700649ad58a96a9b

C:\Users\Admin\AppData\Local\Temp\Dentists

MD5 895c5374a042a9e6c78c673690cd2275
SHA1 9dfe1b532f958f678de2bac7c74646e007a8fa14
SHA256 226099aac21e8d4a671a68b37d204339703fb696b6cc5aa30311fb55d6ab2147
SHA512 130af34bb1d12db8e86b930d8e490754687e1381a0104ac4c98cc2f02ff7fc4ed9e1d549121a013e1c32663a00d1dc8eb20d2f9831feb3c7eb17bf61a1d8d52c

C:\Users\Admin\AppData\Local\Temp\491505\B

MD5 0a1e63fc10dd1dbb8b2db81e2388bf99
SHA1 67ad39aabbf4875bc1b165ccd5afc40194d1d3c8
SHA256 122991768f589431b9166a4e22523bf48a53efff73fc2b191955e604196541b7
SHA512 94c50f06e1d157381b9d0746044b5d015e2946b44291d92739783cb3ed9e91371cf7d1b981d3108d910d7a7000810fe69fbe6590f9a84f822b671866ab9db5fc

memory/2572-405-0x00000000009A0000-0x0000000000E67000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012683001\ea9b9118e2.exe

MD5 cdee2aadc9a1d83264d60129891ca8c7
SHA1 2ffc082892de4d483f53791ef35d5bc45dc96dcd
SHA256 74211c92533f725825f0d2c05815b44d8b89c370a202007b46d3b09c5ef19ec9
SHA512 a6280b9759fb1764ea8b755c9f2beb0cad450a273e2d7bfc38b374a4ca7da3bc7ccb84b74e2fdf39d23dd4f5713a84364386f8e8877b44b9de625543812cf35f

memory/2572-422-0x0000000006B90000-0x000000000785B000-memory.dmp

memory/2552-423-0x0000000000870000-0x000000000153B000-memory.dmp

memory/2572-424-0x0000000006B90000-0x000000000785B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012684001\40a385b3e5.exe

MD5 3f51a440b6d3829b76804b42f88241c7
SHA1 89accaafc2b826c91540a93a995cba2583082964
SHA256 d24a735b78ff246515f1fe6637e665b421206cebbae39cc6d51b331c57a836fc
SHA512 0c2bbfcefda0e9fa80e33d651c99d910e92883b166274851239f27cc60fae4533c42938aa1021f1c487d34efab0febbf2783a00b4eb41773be605ea7965328ff

memory/2572-438-0x0000000006B90000-0x0000000007041000-memory.dmp

memory/1140-439-0x0000000000090000-0x0000000000541000-memory.dmp

memory/2572-448-0x0000000006B90000-0x000000000785B000-memory.dmp

memory/2552-450-0x0000000000870000-0x000000000153B000-memory.dmp

memory/2572-451-0x00000000009A0000-0x0000000000E67000-memory.dmp

memory/2572-452-0x0000000006B90000-0x000000000785B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012685001\d7474a0f48.exe

MD5 dd1e9c04fa5779a6ec694c9cb79fa76d
SHA1 2b1f19dfeba983bb53ed719874d9ccd12825696b
SHA256 b153e60adeeb0491a8c8104c95164b24908bee959554ba4390d5f419b6103ee6
SHA512 c3c710197b4a271236bd62445af7c4853c316a541edf6b1c23ba6602e7af5f49a655806aedb5b97b0d672f94650dd651b449d2567ff874f4a3d83741e8ac615d

memory/2572-469-0x0000000006B90000-0x0000000007082000-memory.dmp

memory/2572-468-0x0000000006B90000-0x0000000007082000-memory.dmp

memory/2632-471-0x0000000000050000-0x0000000000542000-memory.dmp

memory/2632-473-0x0000000000050000-0x0000000000542000-memory.dmp

memory/2572-474-0x0000000006B90000-0x0000000007041000-memory.dmp

memory/1140-476-0x0000000000090000-0x0000000000541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012686001\ec89941014.exe

MD5 1d6b1dbe393632f2b5b163ff84e765ff
SHA1 25bb3138f98b7835fbffd92dfcf47ed7a1eb02fe
SHA256 7fab527f9c268507f0b7bf5402b14d1a15804fd0e8f85bc740d6d99819ca08b8
SHA512 f1e711682db1fb36e3eea60742fa864ca43bf64bc298754c50018424ceb3cb933338d426d7446de71ce08970d0e141786d7ce0ee527f274ebc4f091d59f1fd48

memory/2572-496-0x0000000006B90000-0x0000000007082000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\db\data.safe.bin

MD5 229ba0a64a2e766d2225f093e4d8d08f
SHA1 33cdc4b09c7b9077382c97cebe44bf875b6ccd55
SHA256 930b40d272db31d3350b42695fda92d3b25c9a419db7f5d02e94f10161df4e31
SHA512 3166445daee1efeae60487aa5c540b70b327b7db4c17024b0a2f6a45ec4d31a5f128917f40169ef86af50a34fcee1d307c57f04a3a68fb9b756b321c3321442d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\dde93c04-6283-4735-80e5-afdf3ef9068e

MD5 54ddc3f0387428918dc8e4eb08c6d19b
SHA1 57c30a2f72363a90146fc8f3b8731c57748df0b0
SHA256 bc2ba6aaaafc960b2643c5716549376f2c48740148f51b1a280f4f54d4282522
SHA512 642e72f7f34948c3096c8e87d94bac33e7b0c9d7f4e8a0332e9b01df1e8c2850f32faecc7983be645101c0d9ba9efa34fbd581065df4b917a08e5a3cc13f24dc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\13bad684-b955-4057-9355-8c1485cb340f

MD5 0beafde562f0b4cc4d7ddf1d7789acc6
SHA1 a30da9f27eabcdc6bede62de2752571c48cd3036
SHA256 192e4a27aa486c5ac63bca97eca6f1d95d5a807bc3d97d98e4fa91d9b0b025b0
SHA512 627bad1ca174f1a8e06cc631ab7465532fb1955f6ff4b00b14a87d1a50cf12972b2294f5d7219c70ee324ca12bb6444fe6d98c361e914f314eee6b906c016ad0

memory/2572-567-0x00000000009A0000-0x0000000000E67000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012687001\676571cc27.exe

MD5 ba94c3f899308afd6791dea129cafbb0
SHA1 ea3f5c745cf068566f86eecf2263c5b4cab1d368
SHA256 01b54741882619d98188cc903a4770f8e72a06c8dd2e11f758176deab7fd94ac
SHA512 11e5f779ace64899e93b3659d57660a89f57e7930afdd57e32baee70b929e9bbb184bdf6ad87bd9074f90156039191de6f54fe593e3c9d4c9960d718b469b3fb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs.js

MD5 4510fac9eca0b320a67a9b0bd28e62a7
SHA1 2a9f8ea51fd99976e51e009c6910d0f0241227f8
SHA256 4b8cc28d65a12711468bb3001adae1403957a30a8a3c8cb1842d7d5a18e45e3e
SHA512 7f81b964955c97f691347df4768ad3be964529365e13d9678aafc61014867d0a52a227b7385aed46bcf34f7b5ef2eee384c27062f2853f62ad609dbd190fbeb9

memory/2572-586-0x0000000006B90000-0x0000000006E40000-memory.dmp

memory/2180-588-0x0000000000DC0000-0x0000000001070000-memory.dmp

memory/2572-585-0x0000000006B90000-0x0000000007082000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js

MD5 d47e33e6c0c93946070880632fb2041a
SHA1 9beb1c11659625fc9ca4650329b57caf02ef9b98
SHA256 59acf5769c9c1c89e5d1f8ff5516aba2277e229a505cd70defb17af53740ebcf
SHA512 3e57df85c76a4bcc43621ce74a2b21482980382ebb23eec78dcc7dd8831d784b69943c2d5ea763ef712e58fafa52ff94294975235f4ae7e3a7e78925af3b6849

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\activity-stream.discovery_stream.json.tmp

MD5 f4371d047a1842f70473f3e98ce92cbb
SHA1 602febf6469f0d73316fddcec80bb7dcc6cfd08b
SHA256 ef8ca116f148eb832e01f8331d4cef87dac1c3f9995fc8e94db1795a248e1f58
SHA512 b704d6c37f8d9ab2da903e522597e43857916f014d1a4467dcb2403e3d9712ccc47a0ca4c68a6b21b73937abb99bc3c4e5dcd631bec5f2364588730352bb35c2

memory/2180-631-0x0000000000DC0000-0x0000000001070000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

memory/2180-632-0x0000000000DC0000-0x0000000001070000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js

MD5 e0565eab0b0a60c3b4e27863ac127f6d
SHA1 e93970ff8f0072b433eb20f884b325052de5af20
SHA256 32ed82fe2acf0802577e65e1ed651d297efe2ecdb610a4c4f6afea32e737685e
SHA512 6f6d801350a84eb8873ff1eb847f0253757c7c71236be452b3cccd37c53c6d68796433105643ad947a1a0acd594f759e263ad215279f413ac92ad74a3bcd6ab5

\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

MD5 b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1 d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512 b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

memory/2572-689-0x0000000006B90000-0x0000000006E40000-memory.dmp

memory/2180-692-0x0000000000DC0000-0x0000000001070000-memory.dmp

memory/2572-690-0x00000000009A0000-0x0000000000E67000-memory.dmp

memory/2180-694-0x0000000000DC0000-0x0000000001070000-memory.dmp

memory/3536-698-0x0000000000250000-0x0000000000654000-memory.dmp

memory/3536-700-0x0000000000250000-0x0000000000654000-memory.dmp

memory/3536-701-0x0000000000250000-0x0000000000654000-memory.dmp

memory/3536-704-0x0000000000C40000-0x0000000000C4E000-memory.dmp

memory/3536-705-0x00000000010C0000-0x000000000111C000-memory.dmp

memory/3536-706-0x0000000000DD0000-0x0000000000DE2000-memory.dmp

memory/3536-709-0x0000000000F40000-0x0000000000F48000-memory.dmp

memory/3536-710-0x0000000001120000-0x0000000001138000-memory.dmp

memory/3536-708-0x0000000000F30000-0x0000000000F38000-memory.dmp

memory/3536-707-0x0000000000F20000-0x0000000000F28000-memory.dmp

memory/3536-711-0x0000000002820000-0x0000000002830000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4

MD5 f9a66d368532dd5cb2634e45b1d164ef
SHA1 22e2f6075c98590df5046a655cc9ce54b898c474
SHA256 c3bb3ddcdb89ee162c283c81477638dab071bcbf4c72cb6eda2be119d1799d5c
SHA512 5dfd265749e3917ca3c8d95bbbd3bda2c59813705ccf97250dad18e7f8acf06833d36002585bebd63a527deaa45f1e743cff766dacc2b7eec3fdbcd99b732d79

memory/2572-718-0x00000000009A0000-0x0000000000E67000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js

MD5 e74fa664f6e7329a01a6f9d624243e9a
SHA1 4a135d6784ed4a82fda24035726aa2a11e709f70
SHA256 41ebd90fe2afa3edf358c0076e3073c8ff393fd37b4f26ca783642709f767cbe
SHA512 e32e4bdb668b3594b03999574bacb47f2bea91426131f50905cb8f4ed2875f6ec8c2904198a53175ea042a1c95ecb9898f464f786a4726b5fb4321b97d3e2729

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js

MD5 3ad86d5a83bfb3999990cbf276fc1728
SHA1 dbc511489f0f87ac2ecb5c1c5396e2b74d37bdc9
SHA256 73c260946826db76f4317fc43c10b5eea577f417a02f16091a90962e59820e7b
SHA512 24f6529596de84bcc3fe9cd6e34b080c4651a02dcc366b3db0b5fe71a39d229b91941b42dcd0ed8366b8cf2ae3b4b1b0b81d8056bffd2f5403adf13781164343

memory/2572-800-0x00000000009A0000-0x0000000000E67000-memory.dmp

memory/2572-802-0x00000000009A0000-0x0000000000E67000-memory.dmp

memory/2572-803-0x00000000009A0000-0x0000000000E67000-memory.dmp

memory/2572-814-0x00000000009A0000-0x0000000000E67000-memory.dmp

memory/2572-815-0x00000000009A0000-0x0000000000E67000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-12-06 11:40
Reported 2024-12-06 11:42
Platform win10v2004-20241007-en
Max time kernel 118s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

CryptBot

spyware stealer cryptbot

Cryptbot family

cryptbot

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe N/A

Stealc

stealer stealc

Stealc family

stealc

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012685001\fe2240327b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012684001\b3866d3ff1.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012685001\fe2240327b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012685001\fe2240327b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012684001\b3866d3ff1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012684001\b3866d3ff1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012684001\b3866d3ff1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012685001\fe2240327b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b3866d3ff1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012684001\\b3866d3ff1.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fe2240327b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012685001\\fe2240327b.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f8f161fa81.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012686001\\f8f161fa81.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e962158860.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012687001\\e962158860.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012685001\fe2240327b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012684001\b3866d3ff1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012684001\b3866d3ff1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012684001\b3866d3ff1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012685001\fe2240327b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012685001\fe2240327b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4936 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 4936 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 4936 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 4036 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe
PID 4036 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe
PID 4036 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe
PID 4036 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012684001\b3866d3ff1.exe
PID 4036 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012684001\b3866d3ff1.exe
PID 4036 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012684001\b3866d3ff1.exe
PID 4036 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012685001\fe2240327b.exe
PID 4036 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012685001\fe2240327b.exe
PID 4036 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012685001\fe2240327b.exe
PID 4036 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe
PID 4036 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe
PID 4036 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe
PID 3616 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe C:\Windows\SysWOW64\taskkill.exe
PID 3616 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe C:\Windows\SysWOW64\taskkill.exe
PID 3616 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe C:\Windows\SysWOW64\taskkill.exe
PID 3616 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe C:\Windows\SysWOW64\taskkill.exe
PID 3616 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe C:\Windows\SysWOW64\taskkill.exe
PID 3616 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe C:\Windows\SysWOW64\taskkill.exe
PID 3616 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe C:\Windows\SysWOW64\taskkill.exe
PID 3616 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe C:\Windows\SysWOW64\taskkill.exe
PID 3616 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe C:\Windows\SysWOW64\taskkill.exe
PID 3616 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe C:\Windows\SysWOW64\taskkill.exe
PID 3616 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe C:\Windows\SysWOW64\taskkill.exe
PID 3616 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe C:\Windows\SysWOW64\taskkill.exe
PID 3616 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe C:\Windows\SysWOW64\taskkill.exe
PID 3616 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe C:\Windows\SysWOW64\taskkill.exe
PID 3616 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe C:\Windows\SysWOW64\taskkill.exe
PID 4036 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe
PID 4036 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe
PID 4036 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe
PID 3616 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3616 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe

"C:\Users\Admin\AppData\Local\Temp\66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe

"C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe"

C:\Users\Admin\AppData\Local\Temp\1012684001\b3866d3ff1.exe

"C:\Users\Admin\AppData\Local\Temp\1012684001\b3866d3ff1.exe"

C:\Users\Admin\AppData\Local\Temp\1012685001\fe2240327b.exe

"C:\Users\Admin\AppData\Local\Temp\1012685001\fe2240327b.exe"

C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe

"C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2688 -ip 2688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2688 -ip 2688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 1516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 1496

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe

"C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1716 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b25d4400-b3cf-4035-82af-e2c6378c2366} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb48f764-2b6a-4e57-b6d8-6ceaf6103933} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3204 -childID 1 -isForBrowser -prefsHandle 3288 -prefMapHandle 3284 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c32261b-33bc-4aed-8260-5fda063df678} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3592 -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 3576 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29c85130-47f2-4593-82c3-84565830b48a} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2824 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2820 -prefMapHandle 4536 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c31f6cfb-89a0-4924-b4df-443ae3f73b13} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" utility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2688 -ip 2688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 1516

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 3 -isForBrowser -prefsHandle 5024 -prefMapHandle 5352 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {025254b2-b346-45b2-94c1-2275d590c122} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4824 -childID 4 -isForBrowser -prefsHandle 5520 -prefMapHandle 5524 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecfb2fc3-ef7e-4fec-a736-045e6b29e8ed} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5700 -childID 5 -isForBrowser -prefsHandle 5708 -prefMapHandle 5712 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {105b1fcb-722e-4e82-97a2-ebe5da59953a} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 151.133.100.95.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.43:80 185.215.113.43 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 43.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 httpbin.org udp
US 34.224.200.202:443 httpbin.org tcp
US 8.8.8.8:53 home.fvtekx5vs.top udp
IT 34.17.28.197:80 home.fvtekx5vs.top tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 202.200.224.34.in-addr.arpa udp
US 8.8.8.8:53 197.28.17.34.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 atten-supporse.biz udp
US 104.21.16.9:443 atten-supporse.biz tcp
US 8.8.8.8:53 9.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 se-blurry.biz udp
US 104.21.81.153:443 se-blurry.biz tcp
US 8.8.8.8:53 153.81.21.104.in-addr.arpa udp
US 8.8.8.8:53 zinc-sneark.biz udp
US 104.21.62.142:443 zinc-sneark.biz tcp
RU 185.215.113.206:80 185.215.113.206 tcp
US 8.8.8.8:53 home.fvtekx5vs.top udp
US 8.8.8.8:53 142.62.21.104.in-addr.arpa udp
US 8.8.8.8:53 206.113.215.185.in-addr.arpa udp
IT 34.17.28.197:80 home.fvtekx5vs.top tcp
US 8.8.8.8:53 home.fvtekx5vs.top udp
IT 34.17.28.197:80 home.fvtekx5vs.top tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
GB 216.58.213.14:443 youtube.com tcp
GB 216.58.213.14:443 youtube.com tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 216.58.213.14:443 youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.187.206:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 142.250.187.206:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
GB 142.250.200.46:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 83.106.226.44.in-addr.arpa udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
GB 142.250.200.46:443 consent.youtube.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
N/A 127.0.0.1:58027 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
N/A 127.0.0.1:58037 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 3.166.122.92.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
DE 2.22.61.56:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 56.61.22.2.in-addr.arpa udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
GB 142.250.180.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.180.14:443 redirector.gvt1.com tcp
GB 142.250.180.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r3---sn-4g5lzne6.gvt1.com udp
DE 74.125.160.232:443 r3---sn-4g5lzne6.gvt1.com tcp
US 8.8.8.8:53 r3.sn-4g5lzne6.gvt1.com udp
US 8.8.8.8:53 14.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 r3.sn-4g5lzne6.gvt1.com udp
DE 74.125.160.232:443 r3.sn-4g5lzne6.gvt1.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 232.160.125.74.in-addr.arpa udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
GB 142.250.200.46:443 consent.youtube.com udp
GB 142.250.200.46:443 consent.youtube.com tcp
GB 142.250.200.46:443 consent.youtube.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/4936-0-0x0000000000490000-0x0000000000957000-memory.dmp

memory/4936-1-0x00000000779A4000-0x00000000779A6000-memory.dmp

memory/4936-2-0x0000000000491000-0x00000000004BF000-memory.dmp

memory/4936-3-0x0000000000490000-0x0000000000957000-memory.dmp

memory/4936-5-0x0000000000490000-0x0000000000957000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 17d94dc8f579018a4491a19cfca59866
SHA1 f8e210e08da2f53ffce5be2839a296b33ace72d8
SHA256 66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d
SHA512 0e4aa55d08bf2d1ee780a0730105a23e4479abe3eb5c147d639bf28fdb698e34f24ead91db1d5ce410979a45a83a9ffecdd4e88b1ed94041763fe7fc60665d3c

memory/4036-18-0x00000000000B0000-0x0000000000577000-memory.dmp

memory/4936-17-0x0000000000490000-0x0000000000957000-memory.dmp

memory/4036-19-0x00000000000B0000-0x0000000000577000-memory.dmp

memory/4036-20-0x00000000000B0000-0x0000000000577000-memory.dmp

memory/4036-21-0x00000000000B0000-0x0000000000577000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe

MD5 cdee2aadc9a1d83264d60129891ca8c7
SHA1 2ffc082892de4d483f53791ef35d5bc45dc96dcd
SHA256 74211c92533f725825f0d2c05815b44d8b89c370a202007b46d3b09c5ef19ec9
SHA512 a6280b9759fb1764ea8b755c9f2beb0cad450a273e2d7bfc38b374a4ca7da3bc7ccb84b74e2fdf39d23dd4f5713a84364386f8e8877b44b9de625543812cf35f

memory/4036-37-0x00000000000B0000-0x0000000000577000-memory.dmp

memory/1512-38-0x0000000000FB0000-0x0000000001C7B000-memory.dmp

memory/4036-39-0x00000000000B0000-0x0000000000577000-memory.dmp

memory/4036-40-0x00000000000B0000-0x0000000000577000-memory.dmp

memory/4036-41-0x00000000000B0000-0x0000000000577000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012684001\b3866d3ff1.exe

MD5 3f51a440b6d3829b76804b42f88241c7
SHA1 89accaafc2b826c91540a93a995cba2583082964
SHA256 d24a735b78ff246515f1fe6637e665b421206cebbae39cc6d51b331c57a836fc
SHA512 0c2bbfcefda0e9fa80e33d651c99d910e92883b166274851239f27cc60fae4533c42938aa1021f1c487d34efab0febbf2783a00b4eb41773be605ea7965328ff

memory/2688-57-0x0000000000CE0000-0x0000000001191000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012685001\fe2240327b.exe

MD5 dd1e9c04fa5779a6ec694c9cb79fa76d
SHA1 2b1f19dfeba983bb53ed719874d9ccd12825696b
SHA256 b153e60adeeb0491a8c8104c95164b24908bee959554ba4390d5f419b6103ee6
SHA512 c3c710197b4a271236bd62445af7c4853c316a541edf6b1c23ba6602e7af5f49a655806aedb5b97b0d672f94650dd651b449d2567ff874f4a3d83741e8ac615d

memory/1404-73-0x00000000009A0000-0x0000000000E92000-memory.dmp

memory/1404-74-0x00000000009A0000-0x0000000000E92000-memory.dmp

memory/1512-75-0x0000000000FB0000-0x0000000001C7B000-memory.dmp

memory/1512-76-0x0000000000FB0000-0x0000000001C7B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012686001\f8f161fa81.exe

MD5 1d6b1dbe393632f2b5b163ff84e765ff
SHA1 25bb3138f98b7835fbffd92dfcf47ed7a1eb02fe
SHA256 7fab527f9c268507f0b7bf5402b14d1a15804fd0e8f85bc740d6d99819ca08b8
SHA512 f1e711682db1fb36e3eea60742fa864ca43bf64bc298754c50018424ceb3cb933338d426d7446de71ce08970d0e141786d7ce0ee527f274ebc4f091d59f1fd48

memory/2688-96-0x0000000000CE0000-0x0000000001191000-memory.dmp

memory/4036-95-0x00000000000B0000-0x0000000000577000-memory.dmp

memory/2688-97-0x0000000000CE0000-0x0000000001191000-memory.dmp

memory/4836-99-0x00000000000B0000-0x0000000000577000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012687001\e962158860.exe

MD5 ba94c3f899308afd6791dea129cafbb0
SHA1 ea3f5c745cf068566f86eecf2263c5b4cab1d368
SHA256 01b54741882619d98188cc903a4770f8e72a06c8dd2e11f758176deab7fd94ac
SHA512 11e5f779ace64899e93b3659d57660a89f57e7930afdd57e32baee70b929e9bbb184bdf6ad87bd9074f90156039191de6f54fe593e3c9d4c9960d718b469b3fb

memory/4836-112-0x00000000000B0000-0x0000000000577000-memory.dmp

memory/4884-120-0x0000000000A30000-0x0000000000CE0000-memory.dmp

memory/4884-129-0x0000000000A30000-0x0000000000CE0000-memory.dmp

memory/4884-130-0x0000000000A30000-0x0000000000CE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\0ea359f0-fa2e-4b9b-893a-49a69b76840a

MD5 29148253c270a009a8a3d2d199de7ff4
SHA1 54f0842d086da063aa516d6fdaf59ae97e9126d7
SHA256 805bf5a70e67c3aa55ab266ba16964d726502f9c9087c01d5ce52300c74a7e4e
SHA512 8b4f5853dd649c45c8a763e1e08b604e51af7f97f8df5509422430ca8c9b5d4378e578027534d778b394b94d4666077f82f33718f19b1ebdebc60d03c7de49a0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\4f722995-0fec-44fc-a0b2-b56911423555

MD5 cbff8b32b72c0507e6cae198fb121a5e
SHA1 6a1279d83c1899485f8298d1f48283f422c25ce5
SHA256 43ac0768bd18ae800606a1836aaebb6dd0bf4433ab9a56303e49183843844619
SHA512 24bc5565f642078ab7005abdc7cd6c667204ea4ee78040c3355b60e1407242c9a6650be43dd4200aa9c49169e33936fdd1aa81cf3a462fccfea4a87bfe0a16b0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\9507c41f-96b1-4acd-86db-2b9fdf18b8d4

MD5 58b12c737d4ef482a47aacd0be3f22d4
SHA1 670634edcd276e66e8f6bbbcd30440f4e67f5d53
SHA256 d1ff1fac55e6cda8f8224176a05f6ad633d3fa2459b3659189fd2b43b1afaba3
SHA512 6945e51f41ce31e943b669243b3f3d809af8dceac918ee8a83c8d011b6e291af1e7bab96ca1aa98c57a5e44d5141e52055dd1048e2690d15fd3f29ac809a2bf3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

MD5 ee0ff068a6ffa810d2e3fb7db217f149
SHA1 a7c9685db3308ebdf8f814f7511da46b6a1539be
SHA256 bada3d70a5dfc6b96c2bfcae035ff3cd7756546a544ba4d24dcf7e48fe7aab14
SHA512 24cba302fe0581827339a5755a4ba2f69c2269c0e38d16ec734b32bbd68be572b458b5a0cd938f42e180cc71d0c88b53b2dfc93616dde8c8ed3e7e882e69c767

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin

MD5 8b319f6b3bb302e8dc88ded704a4632c
SHA1 dd88bf6d59982edcb72a5af684d272eeef7595c3
SHA256 c26b68086f39a0af98a3cedfccded4d109d80f6c6269c6b2e944e230c9a78dc0
SHA512 d6caaa3f948eafab7a778ec589db8fdf2ee0d7f259995a80a7e58cbf5f8ef623eefb0ad2e51184b2c2b0233e9cbf92e530c09f7a8de79f060070d66eb68c8868

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

MD5 ff9ef8da28e5fb99b703fe45888e08ad
SHA1 f2a4ec184a6f238d81a26c665f9e752dd23fcb0f
SHA256 de3b89b18d4652cb085f3947d8a7445373a4791c6e70f32776684b88857b45bc
SHA512 023aeb835a8e30f1fd9163a7c7f03f14a0be62e682fadd977d16f402b5522ccc2a75e49f1aca988b21f68ea63415fc765049b9fc512d60939306c969ac04c676

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\activity-stream.discovery_stream.json

MD5 8b0882cfca465748214654bd12db9b67
SHA1 8204d8478e37f65624cd350752cc5b5b96ef66ff
SHA256 1986420460a0617ab7ac772d0b83e46ffa3cf206738f1d97d7b5ed778fc0bd6d
SHA512 4a7755d80b5bde980c6f6776e4e99288fb7a3106f1e8290345af104bc39cc3038fdd7b5a3a69ae7f9aa52dc281c0c803cadb018fc553c5267eae0f9217c0a028

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs.js

MD5 75a1779c1cb258208b461376b8a91c6c
SHA1 fb4b3e910d03a239a5e9c1405baa4935f1bb5468
SHA256 c07f4599845568bbfd0a256c93058bde5a08be712eb8ad866f4e29d9431e30ab
SHA512 d581534590d79543b00407e8d283f11e0ec8378678ac5caea5f0a3e84580fa6554ef22fe39ef02fe9a63472c9f40aabe1d1b0d14a5a311f80c4ffac622c7e605

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin

MD5 ef989eb5e996465d31c97c5a19d530b7
SHA1 6baa400347999833794b3db4d0683a0102651314
SHA256 59a49710e43ba8eb0cf6e5a3b7c2f54a27de39512e050f0b353fe20e2c756889
SHA512 09c08d47c32ea539b85257d4a19a061d77e13b44ddf3603263326d873bd5d4840564e492f436f1941245ce0c46fa77cea4a46799ce191dd6d37b3cd7ee178c6c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin

MD5 490134a6f7af1265446d42ca35e6108e
SHA1 8a7fc410bc09313eee8eb82edec3ab412d763f16
SHA256 66736c7c4aaea46195c87a6d0a0d47e7bb912ccdf71032b8e8c07476c56c61ab
SHA512 c97de7c872917d86191515959f783d66e510dbcc98429c17c4057fc607c1bf3477ab0b8a5afb82ee0d6d5a06d64c764b2599a80a79dafce1880bfa87053fd8ab

memory/2688-483-0x0000000000CE0000-0x0000000001191000-memory.dmp

memory/4036-490-0x00000000000B0000-0x0000000000577000-memory.dmp

memory/4884-492-0x0000000000A30000-0x0000000000CE0000-memory.dmp

memory/4884-495-0x0000000000A30000-0x0000000000CE0000-memory.dmp

memory/4036-504-0x00000000000B0000-0x0000000000577000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

MD5 8187225ad49a0148071dacff0382fddf
SHA1 46170333c6ec431c63828ee7e6a2670a1383f59e
SHA256 deb75726ca361fbe4e979db13dcf5dfc792bf41b2580f266ccdd9f5a1482d6cc
SHA512 f6175d41c03eba8fca63369b7acc8f23d6b3c13f5be63560fcd9ee65f56cbde6f342d8f69a816efde99c583c6612c6742d49e738f028cb01dcaffab7abf75b14

memory/4036-528-0x00000000000B0000-0x0000000000577000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs-1.js

MD5 7a8245454eff591f1825a5257dedfeff
SHA1 284aefd93932dc1fef51a6f19c5250d0a306b6e2
SHA256 a7b56ca9176e66e29f91017c5ac914180c3406837834df8ea7b32ff9ce1933d6
SHA512 1d8f5189143151c7b3069a9637db93d15e1a646e7f0cc1b86b2f1698d761a4b184fb234f75e66ea49c8f316615196b3907f6418f4c8421639ba6d8f5c0e7d27e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984

MD5 5ef9aad087dce1d4ac84bc2e3c4e4f38
SHA1 50e1897a7cca80087bde4839a3638ecc78ceb1c3
SHA256 8cfe4ccfd96ab92d31fb9b1211f52975c4382ad5a8bf3eadd0ae0b791f5a2633
SHA512 ce1cfac0d662307e3e2be9225d932326da729a1ecdc3f805297d37f652bc54cc95e5fddd00759e43477d851c403a0dd0bf850049382f68129c2bf3e38691a69a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs-1.js

MD5 0923ac12665769edc54e955848ff93c9
SHA1 e5c20a2f4025a73e0f1412be18ac03a876bf9d6f
SHA256 cee3af724986c4be43d4d66c5209dd22e7b109b44b4ce0375fb90a10cec4ccb4
SHA512 01ede9c6827ea6a65c60a5c63525038c16f6cfb3bfb2415cad7f1111339ec92bfd97bfda0a4be11b8f58a445c68ed97651de4c50a81ea48562f60f98de9f284b

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 2fb6f4094f5a1e8c9c05c9d89c032e82
SHA1 0c7731f44fe54682bed26318d30dba9c7d36e310
SHA256 86e16cb0c31dfce79fc58d5570849d6069452ca8acd3d460b18ce6d4f821aada
SHA512 4beaed3a1a8763732031e16aa396630156ae839dc34074ccf3daccf6aafbd4ad8d4c7ba15cc394ab3c889ac51e1a9d6e1f776fccf2524a00975980f77616dc9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs-1.js

MD5 4860723e73ef2bf50e8c4e37b5cbd3d5
SHA1 105cd854fff630ca2ad2dfef348682bdd24cda7d
SHA256 04eabae6bf20f140a560338ac7643fa37515f4922b185bce956bdb9c03e02ebe
SHA512 2a79de42cfad3b26e0f80e4309c0662838429f9f8fe2457603cfd9dfbaaad9cf854bc07cde3733d4528db6bfbe8770e2d0467200c5a10692500d1738944d4f22

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin

MD5 a5bee14951c7519d724569d5eae44f32
SHA1 ee99d47b82942d548834eb6041b99adeb13e71dc
SHA256 2f7a532496586d6d8096b49e75e43c55b10845e95f5c4d6a9f8f0e0ca595ac28
SHA512 fb1f58d8b58ee5e85059f2bb60d4c56510afe365fed250294ba83f5af409513203fd253d7bbd72d1780b6cd9264c2f9944c74041601585321c276b4aaddcc6cd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

MD5 b9a8e61c78c597337acbfb8110e389a3
SHA1 c80a65b5646bd926d1d94e4bf9c957b8e089a451
SHA256 1ba307b353803ccbbebde47f3929ec482686383c27a91e1e1c10e9928386e978
SHA512 b0501afc2cacc35ffd9b28bfdf7c028e916e424e07aef999acf72e65d64603a6270c0886522aa9b30d2ce7b873da15c97ddc0a72d81aa9c59b68bc1d15357014

memory/4036-806-0x00000000000B0000-0x0000000000577000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/4036-1350-0x00000000000B0000-0x0000000000577000-memory.dmp

memory/4036-1792-0x00000000000B0000-0x0000000000577000-memory.dmp

memory/3940-1831-0x00000000000B0000-0x0000000000577000-memory.dmp

memory/3940-1832-0x00000000000B0000-0x0000000000577000-memory.dmp

memory/4036-2081-0x00000000000B0000-0x0000000000577000-memory.dmp

memory/4036-2145-0x00000000000B0000-0x0000000000577000-memory.dmp

memory/4036-2585-0x00000000000B0000-0x0000000000577000-memory.dmp
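An added IOC-extraction helper that parses the Network and Files listings above; it is the editor's example, not part of the sandbox report or of any vendor tool. It groups each dropped-file path with the hash lines that follow it, separates the six executables written under AppData\Local\Temp from the Firefox profile churn and the memory-dump names, and flags skotes.exe, whose SHA256 is identical to the submitted sample, as a self-copy. The network rows are split into DNS lookups, connections, reverse-DNS lookups and loopback traffic, and browser/CDN destinations are dropped as sandbox noise. The embedded rows are copied from this page; the noise allowlist of domains and the rule that a .exe or .dll under AppData\Local\Temp is a dropped payload are the editor's assumptions.

```python
import re

# SHA256 of the submitted sample, taken from the report header above.
SAMPLE_SHA256 = "66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d"

# Constructed input: a verbatim subset of the Network rows above
# (country, ip:port, host, protocol; the loopback row has no host).
NETWORK_TEXT = """\
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 83.106.226.44.in-addr.arpa udp
GB 142.250.187.196:443 www.google.com tcp
N/A 127.0.0.1:58027 tcp
DE 2.22.61.56:80 ciscobinary.openh264.org tcp
US 35.190.72.216:443 location.services.mozilla.com tcp
"""

# Constructed input: a verbatim subset of the Files section above.
FILES_TEXT = r"""
memory/4936-0-0x0000000000490000-0x0000000000957000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 17d94dc8f579018a4491a19cfca59866
SHA1 f8e210e08da2f53ffce5be2839a296b33ace72d8
SHA256 66edbe7caadfd044a51e0d9fb309e931723f4a471c9d405fbcce0291b828f06d

C:\Users\Admin\AppData\Local\Temp\1012683001\eb533f15ed.exe

MD5 cdee2aadc9a1d83264d60129891ca8c7
SHA256 74211c92533f725825f0d2c05815b44d8b89c370a202007b46d3b09c5ef19ec9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs.js

MD5 75a1779c1cb258208b461376b8a91c6c
SHA256 c07f4599845568bbfd0a256c93058bde5a08be712eb8ad866f4e29d9431e30ab
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]{32,128})$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Assumption: these suffixes are the sandbox's own Firefox/Google/CDN traffic.
NOISE_SUFFIXES = (".google.com", ".youtube.com", ".mozilla.com", ".mozgcp.net",
                  ".gvt1.com", ".akamai.net", ".openh264.org")


def parse_files(text):
    """Attach each MD5/SHA* line to the path that precedes it; dump names have no hashes."""
    records, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("memory/"):
            dumps.append(line)
            current = None
        elif WIN_PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            records.append(current)
        else:
            m = HASH_RE.match(line)
            if m and current is not None:
                current["hashes"][m.group(1)] = m.group(2)
    return records, dumps


def classify_path(path):
    low = path.lower()
    if "\\mozilla\\firefox\\" in low:
        return "browser-profile noise"      # sandbox's own browser writing its profile
    if "\\appdata\\local\\temp\\" in low and low.endswith((".exe", ".dll")):
        return "dropped PE"                 # assumption: payload staging directory
    return "other"


def parse_network(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ip, port = parts[1].rsplit(":", 1)
        host = parts[2] if len(parts) == 4 else ""
        rows.append({"ip": ip, "port": int(port), "host": host, "proto": parts[-1]})
    return rows


def classify_row(row):
    host = row["host"]
    if row["ip"].startswith("127."):
        return "loopback"
    if host.endswith(".in-addr.arpa"):
        return "reverse-dns noise"
    kind = "dns lookup" if (row["ip"], row["port"]) == ("8.8.8.8", 53) else "connection"
    return kind + " (sandbox noise)" if host.endswith(NOISE_SUFFIXES) else kind


def triage(files_text=FILES_TEXT, network_text=NETWORK_TEXT, sample_sha256=SAMPLE_SHA256):
    records, dumps = parse_files(files_text)
    dropped = [r for r in records if classify_path(r["path"]) == "dropped PE"]
    rows = parse_network(network_text)
    notable = [r for r in rows if classify_row(r) in ("dns lookup", "connection")]
    return {
        "dropped_pe_sha256": {r["path"].rsplit("\\", 1)[-1]: r["hashes"].get("SHA256") for r in dropped},
        "self_copies": [r["path"] for r in dropped if r["hashes"].get("SHA256") == sample_sha256],
        "memory_dump_pids": sorted({int(d.split("/")[1].split("-")[0]) for d in dumps}),
        "notable_network": [(r["ip"], r["port"], r["host"]) for r in notable],
        "noise_rows": len(rows) - len(notable),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

Run against the excerpt, every network row in this part of the log is classified as sandbox noise, which is the point: the C2 traffic for the Amadey, Lumma, Stealc and CryptBot payloads has to be looked for elsewhere in the report, not in the Firefox and Google background chatter. The self-copy check is the other useful output; a dropped file that hashes identically to the submitted sample is the loader re-staging itself under a randomly named Temp directory, not a new payload.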