ammyyadmin | hxxps://www[.]skyvpn[.]net/vpn-download

Resubmissions

13-11-2024 17:35

241113-v51e6szkar 8

13-11-2024 17:21

241113-vw6wlavqgx 10

Analysis

max time kernel
204s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.skyvpn.net/vpn-download

Score

10^/10

ammyyadmin defense_evasion discovery rat

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 562913.crdownload	family_ammyyadmin

Ammyyadmin family
ammyyadmin
Downloads MZ/PE file
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\SkyVPNSetup-official.exe:Zone.Identifier firefox.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

description	ioc	process
File created	C:\Users\Admin\Downloads\SkyVPNSetup-official.exe:Zone.Identifier	firefox.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	firefox.exe

NTFS ADS 3 IoCs

Processes:

msedge.exefirefox.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 503195.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\Downloads\SkyVPNSetup-official.exe:Zone.Identifier	firefox.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 562913.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
628	msedge.exe
628	msedge.exe
4032	msedge.exe
4032	msedge.exe
3132	identity_helper.exe
3132	identity_helper.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3168	msedge.exe
3168	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exe

pid	process
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	5380	firefox.exe
Token: SeDebugPrivilege	5380	firefox.exe
Token: SeDebugPrivilege	5380	firefox.exe
Token: SeDebugPrivilege	5380	firefox.exe
Token: SeDebugPrivilege	5380	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exefirefox.exe

pid	process
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe

Suspicious use of SendNotifyMessage 46 IoCs

Processes:

msedge.exefirefox.exe

pid	process
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

firefox.exe

pid process

5380 firefox.exe
5380 firefox.exe
5380 firefox.exe
5380 firefox.exe

pid	process
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe
5380	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4032 wrote to memory of 2264	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 2264	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3816	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 628	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 628	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1800	4032	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.skyvpn.net/vpn-download
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5f3146f8,0x7ffc5f314708,0x7ffc5f314718
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6412 /prefetch:8
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4900 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
  2⤵
  PID:7052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:6156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:7104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,2104434355811995851,3381012462099241732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5292
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {075e9ade-78ab-4513-ad08-854b31dc04e8} 5380 "\\.\pipe\gecko-crash-server-pipe.5380" gpu
    3⤵
    PID:5564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20c755d4-908f-478d-a589-05ba46a6e0ce} 5380 "\\.\pipe\gecko-crash-server-pipe.5380" socket
    3⤵
    PID:5624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3040 -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 3036 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74dee756-6133-4b8a-adcb-2282ef2129c4} 5380 "\\.\pipe\gecko-crash-server-pipe.5380" tab
    3⤵
    PID:5936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4212 -childID 2 -isForBrowser -prefsHandle 4204 -prefMapHandle 4180 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {625736b0-8108-49d1-b312-9df1130afe39} 5380 "\\.\pipe\gecko-crash-server-pipe.5380" tab
    3⤵
    PID:3024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4820 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4828 -prefMapHandle 4824 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d106d9d-86a0-49cf-bfb0-0c8dd6c1ceb4} 5380 "\\.\pipe\gecko-crash-server-pipe.5380" utility
    3⤵
    - Checks processor information in registry
    PID:6388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5240 -childID 3 -isForBrowser -prefsHandle 5200 -prefMapHandle 5204 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6dee1e1f-c96e-4829-959a-ead9689a1d82} 5380 "\\.\pipe\gecko-crash-server-pipe.5380" tab
    3⤵
    PID:6976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 4 -isForBrowser -prefsHandle 5380 -prefMapHandle 5384 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c89df94-f3af-447b-b03c-d7fb75d01c16} 5380 "\\.\pipe\gecko-crash-server-pipe.5380" tab
    3⤵
    PID:7004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5548 -childID 5 -isForBrowser -prefsHandle 5556 -prefMapHandle 5560 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ea02997-7f08-4db4-b5d7-f801cd188329} 5380 "\\.\pipe\gecko-crash-server-pipe.5380" tab
    3⤵
    PID:7016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5908 -childID 6 -isForBrowser -prefsHandle 6012 -prefMapHandle 6008 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c57bbe15-d99d-41cc-8b6e-4a23d5ac3f7b} 5380 "\\.\pipe\gecko-crash-server-pipe.5380" tab
    3⤵
    PID:6464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4724 -childID 7 -isForBrowser -prefsHandle 5164 -prefMapHandle 4712 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db7f972b-c903-4f6e-ac72-8d11cf8a6f1e} 5380 "\\.\pipe\gecko-crash-server-pipe.5380" tab
    3⤵
    PID:4480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4604 -childID 8 -isForBrowser -prefsHandle 5164 -prefMapHandle 7164 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c8ca311-51bb-4d90-ba98-5f9844626a7c} 5380 "\\.\pipe\gecko-crash-server-pipe.5380" tab
    3⤵
    PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
471B

MD5
a75ed3bf15d61d0a7a79b8d8cf51d7bd

SHA1
a8e42721d32b94930f9f956849c0315002d9a42e

SHA256
00e6eb6a483f98284726cab488478c60e3a15eb73bd579758f317144eb29b5d7

SHA512
56852ec20d9f437a445c1a48b229d659e993800c0699668732ecc5380dcd08c3e85b4fc16c3952d2b9900be05188ebb2fe397eaaebee9d3214ab8a2bdf26ce26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_5D8828807BA71973E733E2404D2D7E81

Filesize
471B

MD5
d19721d64a87f97f4f2b4344b276f419

SHA1
cdcaa3671f718fa29bfed56f21144d68800e01da

SHA256
75a987771c8c2ec8431b9d76a64a4de676b5c805a42ba50064c38388bc4a2a23

SHA512
f8410501506af315198855760a7554a0769a796d0d2829c309dff7ee7baa48d47e7cbc3f648b426b21e9951ed277de98de57a3a9d03f6867a5844a59ca519b26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
404B

MD5
453e578d0fda7ffeff7c759995ca1d67

SHA1
2840dce777f593382b61545cdc59850ace2d51b6

SHA256
33cb0b2befed0bce37e1b984a18ec2b93b2a3524f088e31505227fb7ebe1bd71

SHA512
026e87156e8e8765c4f241d24a6eb8d849c0e9afd9da651913154b3e99bc7771c95bb074b5f8978e4d5edf96f21b3c3affe602e1b2961007953b941bf09903dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_5D8828807BA71973E733E2404D2D7E81

Filesize
404B

MD5
d489d6ce1a87b86073d2e04fd7b046cc

SHA1
65401f75439e23f2fae5bb5b0ed5d60d7ab96718

SHA256
6f7b4f56c72347b89dcb2b1beb08d80fbdf557bcd9eb0ce1a4e557f9b845fc0c

SHA512
206feafc6664fdf3c53c091d32fa62483f80163f76bd16aec681a03bc9994a10e2c8590b63c0fe9dd1b08e991d7d29efb519a1c2dea07f35b78a18fcaa4df6f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\09264023-2c3d-47af-9f7a-0581f10fa524.tmp

Filesize
5KB

MD5
2b61acc68bae1c9431ee3eb9df244551

SHA1
38191ca0b709b18f7611c059e7e6b63bbf67a128

SHA256
d2039eea36a272cd6a7359f4babe57fcb6c1284e5d4611166b3bc4a681e42ca0

SHA512
1132518eb2f8bcf3b4cbceed17af6ae3611cdfbcdde3b0c7a698155b9101601d917100328f9b441be7682ec79902a631e8c0d387ea10b7b2d1853e12edea4fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
20KB

MD5
05197e9427acea2ac4dc812f97a8f078

SHA1
3d2a38b79da52e57783360f195ac3e7c85edefd8

SHA256
7bdfd36b4f017340dbc84a310014381bfd3028416ff21c54f7ce0a35cfd38191

SHA512
084d4febc28358d3ba6b0bef400f637b7f350381b8b592b1e412dd860d5aaf034c03ecfa87a064cb19dd8a42faade23c260e35a8660791011b7e51b726418ead

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
706f116dc40a5ea1115599d28ecc43a8

SHA1
d684a1c2dfddfddc6c38b5217f4fffb22d490861

SHA256
bb8771ab34e5cb5d83f28e26fe6f61c647d09d5a8640d2285de5b0d43d26d529

SHA512
e8c0493e51093993b21c6a14a0091b40b437f7423c7faae9e262bdb4e9b60f3b474e4f96eccbeb4cd485537b574bfcc0f956bea311ee4a919326f162f5812fc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
e88c65462d688fb2f1acfdc57a8ef4d1

SHA1
377b1d20e3a667cd1532032a99b6ed5a793024bf

SHA256
c859f440a6227fcdcbfe731bcc347d6213e2fe5598734a80f0960deda8eb0e49

SHA512
3cb045e1842ebf5c831f2eb4e60bebd983b72a1a82db5becaf659b72db855e6f7288ab1b18bb1c993bb48217d8c9196d9672ef3ae01f3700fa1f2344e307bf83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
16ac9f9132e086aee3f8faf4e605119b

SHA1
e7b9a415259ed975baa57b3adc55a81bc8720959

SHA256
83e606b75b8db338ae644c5f2ab96091aef11c84f884f8d2df66a4ffa9f7d402

SHA512
29815b49f56d668151ba3672f6366fa17f2c2bcdb0199216cf1b5bfc4b439c33f52ea95a0eda39f0955e3ba1a5db39b7dc7fed51d6db2281999099a8fd6c9419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
aa3e0187c113350adb4722e9795df829

SHA1
e5ff7dea289f655b170f81d73cebae01f76de3e5

SHA256
962d92447fab32605e989b1c49a46e7bf9959934f7c009fed81deca3061fdb55

SHA512
84437e86c3f7119072f1aeb66f37d6f89055b8defe3d301c7eea77e32cff60e74c4c87dd53e87ba0a6f15f7e85e0940c1012843bf674cb72a01aed12510721c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
40dc0bbde4800a808973d164c2a8181f

SHA1
5b169c84cc43762343f634aa2335c58099550a57

SHA256
ce30944498bcd1bc55e2fa0d72f59d02650f66169bb50829be56f3086eef242f

SHA512
d28c2f16d90d3dcffed768310af78715ef063054ce306be55e3781a60c854e4187d27d9b90fc4795bb646ee614970de1cb5462d0eb060b2e1ff964144b39ffdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
aa19831c3974e7b4b9d2c301f0f7c6e7

SHA1
cad0eac086999c0feb896729152cecc9d7cf400a

SHA256
af23fefa063dc359520db66732629c860556c521518bbcc5b416cf3ae3f3b6d8

SHA512
fa2e0fa28b98a61c4f25a68fe50dc74dd8d4c5f36a4f9a053f5af0813ceb7419ff2f211e8ddb351022f4d006a142c5d1ed39c5a4e7c77b70af93ecc76ee506c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
ca2ec44e76c1eb1a6897aaff9727fbfa

SHA1
8cd11cf53a4c3ea44043e0420546c176acfb9a99

SHA256
97fdf8328da37b940f3755b7e33de23f9498e53201860e8fa7308d7c0ebe3c57

SHA512
0c19d61bcb1c05912a2930f165c45c4dd00d14fa8d805149d80ec0b180d8710e4768c52d4fdd0049f38be8dfa9410d30ae459a571ad347b7cdf55f58f8f0d931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fd48b63452590106c44757a4149fd5b0

SHA1
10a9845505bb5c72d2ce88aeb99ae4526b64e4a9

SHA256
8c4c8c8e195db692eac2df8290504282915cbdbec6da3ad09bff7c8222a383a7

SHA512
e846a000710caaba81184c51e5064c00b8e90b4561720dac145b1419124bc756a060491e7c6a6f7b593df107452cbdb06543d1435b874da82de6a6f6d2a0805d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8bdb744dd30430ac94b68ffc9247be2f

SHA1
7ab4555ae33d7ecff4486d02101eae43c896facc

SHA256
640ea92f175421310521e98b7d9df3950c8d2a9520df86832295a01b4a4f94b3

SHA512
c14d1998a663e6c3da592fc7587f42201dd91104702720b1ca7d0914b91d49744965defae1543774b90d3151e53829cf3aa9d0a9dd82fb75d9b9ce82eb745934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1b9356a7dc6d69312e6564f36389e23b

SHA1
da7059409cf93725323c53cdb87f70a541566b00

SHA256
cbae6dde6ed7b046b2ba5bcef4cbfe7def70d59a5d4391885e4db2ea6149534d

SHA512
aba68fe2c8b39266f5eab2f36010d2186c0aabce04a125cc2cbf42989cf2c5e5c7ae986af29b9dda05a41bfe1d38f26bca0e64ff24cf4b15c0dc78af44258d0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
04e355bb711e4e20a35208bcf001bb89

SHA1
689209859b79b95bb8624ad0f9490805ddd8f4c5

SHA256
87b0e665c4ca3723f029e7931e9d4d941c6f61fe7eafaeb53f34343a4c057ec5

SHA512
adab362e37b1fc1f2aed4c19d9a9335eb654dc2bc685ba5e609f2fb82833fb544b7d58944abd5a6e5bca6ffbb1da4a217ce0474e87318a3147e16718606778a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a20a9.TMP

Filesize
538B

MD5
b7bb24fa977fb74cd90b15ee999ba4c0

SHA1
4377b2955f7467e81f3c591bcf8b9aa2a721694e

SHA256
087710b05ba864baaeb436041c4b58bfea26e0dd08c21f7ebdb5555f573d314d

SHA512
9de5a8733413b4177993f2c6a1b82994689b8097126d785cf7b91a1d3599d3987a47af6820eb165990cbd17a05e908dae8062f797203c6c1fe769e9a469152e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fee53b5ecde61f778287485a10819b47

SHA1
178f91822163e7e0f2d593d2c25b2b2a4e733b51

SHA256
c7ee916a5c4e8dcf5350b50e10655aaf2f5bf7a6b1f49da2db5180797325b5fb

SHA512
5332574a7bb609af191673efd81ca2aabc9bbbdf3ef7b861b4936685399dfb35ddb4b50d1947e12bd0fe494d7c7af358e4d7c6b16a80a8c76d7057422c8e6d29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
372c898ad8b69a1bb31bee1bf04a5b58

SHA1
8ee630c06b549bf6c22270fe85cd01729521c089

SHA256
11416ab114cb642cd919124b17d66ae38305158c00b36c756046b0b4e14b7c75

SHA512
c20f89089b4d4c3c14dd2bb67e39886ea1a3a495ad363b5bac2646a584108f414a8bdd4f7193d15663f39403b6fbc70df3348cb5baf361999d802386b48c4087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
900ea95a36455f2de4116ced123b3e40

SHA1
244d7ed7fc033d3a1fd63e07edda7dee20b611c7

SHA256
7bbd42bcfb62a20db375c3c572168f79d2f8b7e06f9467fca318c38789a6eea4

SHA512
2ed49ba18d4320c59d2bbc4e3aba74706be281024f7d9384af0be62e9d84a3437fe415040e6af7303e138de0ee7719be7301433a353290465c20a58242a1f475

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
f2c3bd91ab37c689664cd66bb0e3365e

SHA1
5de2f06d22f8bb7587f8701cfc713a4f66e32a8b

SHA256
7b8d74bc0a4d6816dcbbbc15a292eaad4e8cf58db953fc08f2193f633d0b7318

SHA512
3dd29be7dd39cf9ee7e671d8106d9eeab922ded0c65dbed9c985457a3b6a9e26aa1d0d065992dde49a8a3c5320274bcc46d327bb16c1c48834b178650693c497

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\3A8D4EC6A4CF1E7E122F958E390F51D0D7CBCD72

Filesize
49KB

MD5
5f0efadea9db27b0754abbfb21bb00c0

SHA1
37195d69cc4bff43cfcfd4e23201d6f40dbf0dc5

SHA256
51fd4b9cce3d6db9545d6bfd67326b55a5e4f1b16d32bef956b495479c6d3a9e

SHA512
e87aea58a61b7df55feed8b194b8215e223857d5736f7900f2b2bebd2d1d9faad8dd1e718f532af39935fc562f7f96d58ccef4cf0656f781f1e8469865a6b684

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\929C7C677DF6AC2DA49BD3D4826AD628BBCCDC27

Filesize
12KB

MD5
1e4fc9a49c5023741ff3fe49e5b23f51

SHA1
527c3bc67f631ceec5b06ee13470cc2b2b537c58

SHA256
b072adadd905e130d9dbb0933aae99b953c3d589a25dae2439c5854e3345bbf3

SHA512
e9a50caf2b6517d2ae67c5ceb048fe8f8ec178272cf3c53acb89c1957799beeca6f1ca277bcd6be0511c917acb61c6ac4dc458f60ab3820f9c197386c388bfd6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\B4F112113E61DDBB11182B149FE69E4A7559F069

Filesize
51KB

MD5
9be16a2857e00a36f3262b468dd0cfdc

SHA1
c9aad49ceb2d57983960c338c8623ccb64f1ccfd

SHA256
ca77cf4451d5dffd410e42ab7c2e7293ad705b980bd6d82b43e3f2ce94baecb7

SHA512
dafc19844e0bf6d585c856da1ecbd1222813344aaa5c60b3d51cdd3c3c872a767c26f90da677a85f351bdcb505611b70c1fa83a9a4d78be82696824f74112187

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\thumbnails\d3feccb7cccd4bdbb9c1e59c9639ef6d.png

Filesize
18KB

MD5
247ebc3d89f4bc2a4d04719d3f5ebb9f

SHA1
d29f677d7fb9e5f21401f44cd478bb493dffcec0

SHA256
5338d198f7d28e590e20af4baf1a460f2788991e6a1623d98b7a50f8dcf5c8ef

SHA512
850793fb42908370f40fa45bb031d8b9a829acf741dcaf7a1a1b57897a05a051a5fc607687f9bbc7fb990d61a1eba5fe7afa1f5f4f2d4b76a5ebf91a171672e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin

Filesize
6KB

MD5
1bcb0a3c7e0c1eb34ac095562519d24b

SHA1
16556339d9a99f3d0e6d00b3e201acee797ad166

SHA256
5164afb8dd2843ed63841ab2504f5ee5f5aa9eb718b47a8aa152ec07e99f46c3

SHA512
1da485a18a05dcabb3f2dc868db566a2a75680309af1f879f53a49a4d9a1a8bb93591e77e663351fd62b83eff868ab0a329d21bed6fa66f8e8356091218d1b85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin

Filesize
15KB

MD5
504809f31740b9ae339b12a0abc87ef7

SHA1
1ea6f5815ca2f3a533c71330781ebdf08ffb7323

SHA256
3f27732379653b5b222ffd548fe47471ca6e4f72992f546778765bd61ee2857b

SHA512
3f0a60405f4cd193088a4ab4865eb8560fee6142b761a278b1cd488f22a2e2eba3d866bd254c8d7927ca58f369714545fb54c03d05dd88c56623b7d5359d1b86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
bdd7291a2d7c6c3f55af7e66596ed259

SHA1
e25bb2fa70a349bf94140309a3a4d809ed37e498

SHA256
cc830d9b9d4474db51c6f2a489659b47ba2305c93ec3db872b091976051e5350

SHA512
b723a162e0f46f3ee6f0f1c52d6c17513d4c19d8a4be3af34905390f181cc40c1e15f4febae47539ba0a581e453d2c7547978288e409de1b6f6240a81a4d5cc9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\4f9c056c-630c-4232-b4c1-6e24f4334ede

Filesize
982B

MD5
3ddbae05283fee3ff7a3f3e3b28197b3

SHA1
8b49f202717091fc67dbc65633b567412dd25c12

SHA256
124c996e1e092b93db3386acb15adb0423e471db07315abd583dd98fb003499b

SHA512
eae5ce1187e560472167c90cecc19fbdccbcfdea9fb831d51430089cf9f80067b78e2352cee435cf0abc8070375b8666f1590373bd2998d83c9c5f6237917048

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\61d26231-087d-46d2-816c-24ceadb77ccb

Filesize
671B

MD5
7ae63588bafdb20aeeaf7a48a8bb4c29

SHA1
7b275640d5a22de47a97b2e59bdaa2191b0a354f

SHA256
56eb2188636b655312127c2f1f8fb9002e552df40945a12d9fa54897ebc1ead5

SHA512
4a5888b590be53db871b11ef8debd8e1c744c3474f213ceb5b547b66dc821353a08a4fb682a1df840ca99211e2a40b160c7e2e0ab491ae77f8b483f9278a5a3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\665e960f-0f73-4beb-ada6-c26c2cde31de

Filesize
25KB

MD5
bda2f84ea88824626bcd0efdb6b17781

SHA1
94979090a44b1e0df8e082118c3ef38f37edbd66

SHA256
25340c14615e0c2d0898ab4f27ab3855b34793316779337b3e310d7a39b061ab

SHA512
973cf0b6d6777e94623a5b9e77cfcee4d22e7181babdd6ec8304e711bdab26b86e70ca7ce8e0b2224c2f75690abf49642725596b7a8cf3ab10209b4f3c393204

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js

Filesize
11KB

MD5
978d549c80827cfdd124ec9aec363f9e

SHA1
c1a7715f192770de948fd5e14a003bd2c0fa6643

SHA256
916d8f75a1041775346a542119a8dbb3226d26d60af6dadcf76e1e25786012b5

SHA512
e87f917a8470d5256764ce563da7fd41953b550e689edb83b28bf960d34a9d794489fb57da25ae8950e560b523ae9b344ccabe591fe91e5567b4d63f1fccf739

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js

Filesize
10KB

MD5
a4b6c8e652b5d09735907c7ca2d88f74

SHA1
065531fe1233d78cd9d62b0fca578b5b3ae5e3e9

SHA256
83c71405c685e84e55bd3e5de1b4220c4f9925dd5d51affe9de9c3f0371a637d

SHA512
89917d0a4ccf07df514fce34101782433c79dd9995ce3683b4442d42f48c0d9f5cff8043ec1fe422038706e5027529b01387189cf9a91f97d63157fda5f6d8a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
887bbeb0ccf73d94d01d7871895616b9

SHA1
1214e056ebb159bf203dcfb5d5dd3a2b13da7efc

SHA256
cac791af5b9b5cf82dc4a410b830fc47d40888b6e198bab898a00613cfa022d4

SHA512
ef39c03c6a2498f75f9ab2f2fee689e676e8a6282e58a1c560785b2f20438c2af22fe0724dbb8df0cb27f8a6c7049ec7eb6ba9ea416b21be401f10a9e6424506

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
b8836ba1a3a88a3ef7f882c849f1cac4

SHA1
bd27d9dd7b42d5213747d523dc92ee90ae382a3d

SHA256
5c819afddf223bc07072b18de48e7d1b8773fdd5e17f64fedbdfb6fd5ad18060

SHA512
c24b03829ecf1c2e743c01b276d76436f40b82e1495d6aa0bdb2af6306dabd9cd0b6c06bf4efcf17c988c48366597929534c4184740ba58dfe01c8b29d4fc696

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
c6bbac12e9c7830c4c103169317f8f5f

SHA1
2888bef9bed744b2210c4b2091ec0cebf9afa253

SHA256
240bf3bbd614da6ab39dd82b88850dd24ca4c0775dbf066668f1b6a8554310d0

SHA512
c7653c713702c262d5cc1fe336783fa2808492950fa7553975e9dc193cc01f9a958985242208cffb223abfc343be986e25a455200efdba0e231ac27b16c3852a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
155f63817629357c48f7b8155e670138

SHA1
c6b064b58a9074496d868df50f247b96cc86ad41

SHA256
b7c01ac00a97615e649f8ccbc95def0a8994a233e6294c4a9d2d71dde850e010

SHA512
e424c8b8a6ea8cc4b0baee1387834b7a806f468ced09dc1b2beba15dfd618ac090a179b4d12a9c604fad969061a9a82506e44959325bae322fa9796d7cd3f69f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
35edf4ecbe774d1584be370b397db1c7

SHA1
aa713af79b5caa6936905ba3eed7f5b0f968e34c

SHA256
46347a405f3a4f7898421262515ea9b8691492335e1091dea2fc548d7c514e2f

SHA512
6623d82888f3d7ed53de9f2e74d280434bf3a7ce862392d4550d976e0a0e43d6df8b8727325beae512fa31d1ff518715908e3212ab31f27a1a6d2914c8b1961a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
ae35642714cd207d4439ac89f26a938e

SHA1
47da0bdd170ab42cf5dcb9126f8f16c0de261a8c

SHA256
ba212d6f3da15ec55986350a3949dce1969244ee63514ea52036073cee4644b9

SHA512
80e526b20f47ea52784cebd1f8db78aecd73b381573853d286b57d0561ecc106afa8aeef5ab9d58c1ebc4b68c1462efb70e00e76ac787fa6150fe9a69f84d282

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
a6f443ad3f84ac37687fe31a033a7f71

SHA1
da7f2c6937dd4a89666019b5b645ff8fbc44bcae

SHA256
2e2e2a463ef9157b30e611eb11a9a7d1b0655ab7c7d9f2ac4ecfdca74d5b3b99

SHA512
ca35177c3958acb1a3b7c30497497cabd0497dd52b2df752d804398e38b4fa9eb06c2ae79d24f9206218a2833be8efbc185ad386648ca31da396b35e9caa7690

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\storage\default\https+++www.skyvpn.net\ls\usage

Filesize
12B

MD5
ac2ebfa741d8ea3e71e711b3e753456a

SHA1
df7e3d5e1406660a7905e107f6496e6082e9d4f3

SHA256
6d2a3ba3bf3c9fa1284beb98631d4cc33e1cbd2d9607ae62fd9cc0d7d7fce31d

SHA512
d73f0a7b88b654127f43773cc3fd1b788d1ec1c29d724077a0b3f454e17e61f634ab301b06a301edb8de4e9c721ed49ee019e28e8f8a700aa8964df189882918

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 503195.crdownload

Filesize
10.1MB

MD5
66056b58020ede859c4a55f353385b56

SHA1
6c736cbeb439a12a75bc966175a2c4375426c231

SHA256
f770862fd4f2ae86d66e9d6768a17bcdf0f85cab09b5f27475f865e5710f2d68

SHA512
9a29418cd07f9c8ab51453a2d98056709998bcbc6aa6dc8f2c7a2022682af70544d44842915c8447b1efb1c47c4715707fba30f5dc4a81910390cda031ed0dbc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 562913.crdownload

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
\??\pipe\LOCAL\crashpad_4032_CJTCQUBRVDLJCUOG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit