amadey | 6f9612016e158ddaef7b0963e8b8962cd9adf36e16bd9a079b9cd5cc9ac37009

Analysis

max time kernel
15s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A2NOH_file.exe
Size

1.9MB
MD5

69f7588863e91f123d7cf2fef9452c0c
SHA1

1c60375348fadf76013f96d4a1122a85d7004a5b
SHA256

6f9612016e158ddaef7b0963e8b8962cd9adf36e16bd9a079b9cd5cc9ac37009
SHA512

2421dfa803a4c1754f1ffa7b3ce596150fceadd33b7f67d9e0f8f6c0f09bdd2e0d88523e095af4da8777133daf1de1d5d60afc5aaa2901197cd2a4ae7eeaab78
SSDEEP

49152:8zQ3t4rgxVs5wqQuewfkDBuo16D3eCFhI/BlR1P:8ziteV+qQ1w0BuWo3XFaR1P

Score

10^/10

amadey lumma stealc 9c9aa5 drum credential_access discovery evasion spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

drum

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

lumma

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3FEtgVY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	EbjU3lW.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	A2NOH_file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3040	chrome.exe
2596	chrome.exe
2696	chrome.exe
5520	msedge.exe
4868	chrome.exe
5768	msedge.exe
3612	msedge.exe
4720	msedge.exe
6360	msedge.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3FEtgVY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3FEtgVY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EbjU3lW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EbjU3lW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	A2NOH_file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	A2NOH_file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	A2NOH_file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	skotes.exe

Executes dropped EXE 3 IoCs

pid	Process
3144	skotes.exe
1624	3FEtgVY.exe
1800	EbjU3lW.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	A2NOH_file.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	3FEtgVY.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	EbjU3lW.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000023cd8-136.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
824	A2NOH_file.exe
3144	skotes.exe
1624	3FEtgVY.exe
1800	EbjU3lW.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	A2NOH_file.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5864	4956	WerFault.exe	107
5872	4956	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A2NOH_file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3FEtgVY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EbjU3lW.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3FEtgVY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3FEtgVY.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4736	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
5696	taskkill.exe
5392	taskkill.exe
5512	taskkill.exe
5572	taskkill.exe
5636	taskkill.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
824	A2NOH_file.exe
824	A2NOH_file.exe
3144	skotes.exe
3144	skotes.exe
1624	3FEtgVY.exe
1624	3FEtgVY.exe
1800	EbjU3lW.exe
1800	EbjU3lW.exe
1624	3FEtgVY.exe
1624	3FEtgVY.exe
1624	3FEtgVY.exe
1624	3FEtgVY.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
824	A2NOH_file.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 3144	824	A2NOH_file.exe	83
PID 824 wrote to memory of 3144	824	A2NOH_file.exe	83
PID 824 wrote to memory of 3144	824	A2NOH_file.exe	83
PID 3144 wrote to memory of 1624	3144	skotes.exe	92
PID 3144 wrote to memory of 1624	3144	skotes.exe	92
PID 3144 wrote to memory of 1624	3144	skotes.exe	92
PID 3144 wrote to memory of 1800	3144	skotes.exe	96
PID 3144 wrote to memory of 1800	3144	skotes.exe	96
PID 3144 wrote to memory of 1800	3144	skotes.exe	96
PID 1624 wrote to memory of 3040	1624	3FEtgVY.exe	100
PID 1624 wrote to memory of 3040	1624	3FEtgVY.exe	100
PID 3040 wrote to memory of 2164	3040	chrome.exe	101
PID 3040 wrote to memory of 2164	3040	chrome.exe	101
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 628	3040	chrome.exe	102
PID 3040 wrote to memory of 2180	3040	chrome.exe	103
PID 3040 wrote to memory of 2180	3040	chrome.exe	103
PID 3040 wrote to memory of 3944	3040	chrome.exe	104
PID 3040 wrote to memory of 3944	3040	chrome.exe	104
PID 3040 wrote to memory of 3944	3040	chrome.exe	104
PID 3040 wrote to memory of 3944	3040	chrome.exe	104
PID 3040 wrote to memory of 3944	3040	chrome.exe	104
PID 3040 wrote to memory of 3944	3040	chrome.exe	104
PID 3040 wrote to memory of 3944	3040	chrome.exe	104
PID 3040 wrote to memory of 3944	3040	chrome.exe	104
PID 3040 wrote to memory of 3944	3040	chrome.exe	104
PID 3040 wrote to memory of 3944	3040	chrome.exe	104
PID 3040 wrote to memory of 3944	3040	chrome.exe	104
PID 3040 wrote to memory of 3944	3040	chrome.exe	104
PID 3040 wrote to memory of 3944	3040	chrome.exe	104
PID 3040 wrote to memory of 3944	3040	chrome.exe	104
PID 3040 wrote to memory of 3944	3040	chrome.exe	104
PID 3040 wrote to memory of 3944	3040	chrome.exe	104
PID 3040 wrote to memory of 3944	3040	chrome.exe	104
PID 3040 wrote to memory of 3944	3040	chrome.exe	104
PID 3040 wrote to memory of 3944	3040	chrome.exe	104

C:\Users\Admin\AppData\Local\Temp\A2NOH_file.exe
"C:\Users\Admin\AppData\Local\Temp\A2NOH_file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Users\Admin\AppData\Local\Temp\1010606001\3FEtgVY.exe
    "C:\Users\Admin\AppData\Local\Temp\1010606001\3FEtgVY.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaabeecc40,0x7ffaabeecc4c,0x7ffaabeecc58
        5⤵
        
        PID:2164
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,5372835742345978441,12841990032236695600,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1868 /prefetch:2
        5⤵
        
        PID:628
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2116,i,5372835742345978441,12841990032236695600,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2136 /prefetch:3
        5⤵
        
        PID:2180
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,5372835742345978441,12841990032236695600,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2464 /prefetch:8
        5⤵
        
        PID:3944
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,5372835742345978441,12841990032236695600,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3100 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2696
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,5372835742345978441,12841990032236695600,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2596
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4320,i,5372835742345978441,12841990032236695600,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4376 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4868
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4776,i,5372835742345978441,12841990032236695600,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4788 /prefetch:8
        5⤵
        
        PID:4256
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4616,i,5372835742345978441,12841990032236695600,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
        5⤵
        
        PID:2664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:5768
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffaabef46f8,0x7ffaabef4708,0x7ffaabef4718
        5⤵
        
        PID:5828
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,2627642431739733441,14531806922079076760,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
        5⤵
        
        PID:5272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,2627642431739733441,14531806922079076760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
        5⤵
        
        PID:5256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,2627642431739733441,14531806922079076760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
        5⤵
        
        PID:5304
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2056,2627642431739733441,14531806922079076760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4720
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2056,2627642431739733441,14531806922079076760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2056,2627642431739733441,14531806922079076760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:6360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2056,2627642431739733441,14531806922079076760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5520
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AKECBFBAEBKJ" & exit
      4⤵
      PID:5824
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:4736
- - C:\Users\Admin\AppData\Local\Temp\1010607001\EbjU3lW.exe
    "C:\Users\Admin\AppData\Local\Temp\1010607001\EbjU3lW.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1800
- - C:\Users\Admin\AppData\Local\Temp\1010609001\1211389848.exe
    "C:\Users\Admin\AppData\Local\Temp\1010609001\1211389848.exe"
    3⤵
    PID:4956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1644
      4⤵
      Program crash
      PID:5864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1612
      4⤵
      Program crash
      PID:5872
- - C:\Users\Admin\AppData\Local\Temp\1010610001\bac6cebc66.exe
    "C:\Users\Admin\AppData\Local\Temp\1010610001\bac6cebc66.exe"
    3⤵
    PID:3824
- - C:\Users\Admin\AppData\Local\Temp\1010611001\1291e0919f.exe
    "C:\Users\Admin\AppData\Local\Temp\1010611001\1291e0919f.exe"
    3⤵
    PID:5360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:5392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:5512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:5572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:5636
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:5696
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:5984
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:6104
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1b4182d-1584-4f0d-ab11-564dc7da79f0} 6104 "\\.\pipe\gecko-crash-server-pipe.6104" gpu
        6⤵
        
        PID:5176
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2460 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2428 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b73efda1-db47-4e37-aba2-1b9c9cfc711f} 6104 "\\.\pipe\gecko-crash-server-pipe.6104" socket
        6⤵
        
        PID:5408
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3208 -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 3076 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a5dd66f-88f1-4237-8457-eebd7729a077} 6104 "\\.\pipe\gecko-crash-server-pipe.6104" tab
        6⤵
        
        PID:2012
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3692 -childID 2 -isForBrowser -prefsHandle 3716 -prefMapHandle 3712 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6becf43b-091d-4a1d-a53b-48d549bc7314} 6104 "\\.\pipe\gecko-crash-server-pipe.6104" tab
        6⤵
        
        PID:5524
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4312 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4264 -prefMapHandle 4304 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6d050c8-6636-40fd-9608-caf0f39efbec} 6104 "\\.\pipe\gecko-crash-server-pipe.6104" utility
        6⤵
        
        PID:6168
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5252 -childID 3 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de64cb85-4901-4125-81f6-7a7682e83926} 6104 "\\.\pipe\gecko-crash-server-pipe.6104" tab
        6⤵
        
        PID:6916
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5288 -childID 4 -isForBrowser -prefsHandle 5420 -prefMapHandle 5428 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67520784-1b9f-4dae-8a7d-00921c565ecd} 6104 "\\.\pipe\gecko-crash-server-pipe.6104" tab
        6⤵
        
        PID:6952
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4468 -childID 5 -isForBrowser -prefsHandle 5584 -prefMapHandle 5588 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7059de2-a315-4b5a-b939-20e2fcf2d512} 6104 "\\.\pipe\gecko-crash-server-pipe.6104" tab
        6⤵
        
        PID:6964
- - C:\Users\Admin\AppData\Local\Temp\1010612001\6fd732f38c.exe
    "C:\Users\Admin\AppData\Local\Temp\1010612001\6fd732f38c.exe"
    3⤵
    PID:5836
- - C:\Users\Admin\AppData\Local\Temp\1010613001\9d09b8afaa.exe
    "C:\Users\Admin\AppData\Local\Temp\1010613001\9d09b8afaa.exe"
    3⤵
    PID:6792
- - C:\Users\Admin\AppData\Local\Temp\1010614001\f67cb369d6.exe
    "C:\Users\Admin\AppData\Local\Temp\1010614001\f67cb369d6.exe"
    3⤵
    PID:6180
- - C:\Users\Admin\AppData\Local\Temp\1010615001\3a14c8cf7f.exe
    "C:\Users\Admin\AppData\Local\Temp\1010615001\3a14c8cf7f.exe"
    3⤵
    PID:5268

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5180

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
PID:7088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4956 -ip 4956
1⤵
PID:6568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4956 -ip 4956
1⤵
PID:6564

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
PID:6208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e845d9a2ce0e0fdb32fa367482487e53

SHA1
66b54af2dbd0513c92a0419db0d2698937514d2d

SHA256
34db97eb87851cecbf71912485ab1cec7f8150374b40520d30dc2ad9515ae94e

SHA512
30dbf35d431195a617cdcbf5b735a4ba223824ca54764418d6e096a74a8873c7018e285abbb3b857fc7d3cd473b796ee420b12ec858ac1b49ebb2b51492df5fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
800149933066196388a99f1ad9fbe43d

SHA1
48331549395cce0164378e8b8e45060d05d5722f

SHA256
9e6d87afd0e78330082b58a774083888a9d53903c41f2c026a106491a3930e24

SHA512
6c43d72c0889f973eb563a6bba68cf50a4b42be64f29b3b99346f064c120654695bbb944a878838389f6cb25a534820d039133947bd43aa23cb693c5325e6bd4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
291501116518f225d59dfe8afe53f26b

SHA1
29b2f2163b9ddba01f640b497797a834f524ebd6

SHA256
6e902b7c7a46418fe89544d8da04cffa9867ba107c26ee1cc3e9603aa1134836

SHA512
b9f858b7f6b0e69e0bde49c889b2daf870874cb1ca1f72d988f83de308f33b1875ca34372dbdbb3ee7d02374d1748866b3b82a87c696f019633782aebea1f8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010606001\3FEtgVY.exe

Filesize
1.8MB

MD5
a151487b27e539f2f2ec79ac50940872

SHA1
eb655ee0a8762714754c713e5bb3171ff1be3467

SHA256
70a4257b71a11086ab596f6122ee6a8b6ef9335f5538f79e68f48727fa1dc439

SHA512
4eb5de737ad27d4aed33d02ef3b6f58c045252e81b3b733de2d204747519d8f6ff9ea75c2858259467439eb833055bebb8c3449ce8fe68852d3ec51bc7b58c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010609001\1211389848.exe

Filesize
1.8MB

MD5
f39d36f64217e34500b5bae41f7db3ef

SHA1
06c5d3929fe215180455f771eccaf67e107a2f59

SHA256
01be31d9e89c730cc3204343cb7ccf8a765d0042a2de86d97b1489dccf1e3cd8

SHA512
092f0cc00bb2698df8ca4034f963d10a12f2f158480afca39c77f0d5a1f950cdb9fb46713da5d51a349232e05062df9cb69c8341766c4b28bd01063ed9da877e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010610001\bac6cebc66.exe

Filesize
1.7MB

MD5
2843528f4a04c4d3532c3b54af2f5537

SHA1
2e9a764fdae46b271af76e7e55a85ba2dc580701

SHA256
7d36844cd7e12fd72f6f94f6d6cb5fd3b37fdd956f7f9a9bc09d96404b834a46

SHA512
d7d24803be7fe970652e6c37b2e512c6e7fa27b7abd892caaf67fbbc863703cf3748389f02a39958696a2fc866652921a98efca01de1ca468ebcc02ec1c6bfa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010611001\1291e0919f.exe

Filesize
901KB

MD5
b41ec8796f23c8adbc8c485921e30c05

SHA1
317a826843e8d682d29390645cbf98b4cc2e61d9

SHA256
fcfa6a31d016d9b4e92fe59ffc959cd406d88543643f375d18e549e52f249197

SHA512
709d4964561b8ecc30eb692369bb03478242d6b5b77e376d15da0ea9e2258306611f6c9428b3190cc714464f1f089a24fcbfd7e6472d3b27fc4f79c0f101be4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010612001\6fd732f38c.exe

Filesize
2.7MB

MD5
d411ff4997d06a1d8946b0bb6c1c4392

SHA1
851900aeb53cd9ecf0e6ed07589e3da3f82ea722

SHA256
8b61b8ac54efabf8708464399025293f88934ed3b8cb68d8c1bafb3e17fc20a8

SHA512
bf5a7bd9b53a4e43ac6b810370d276a63e528faccf4be373349b4f7f7753923e5a1c514aedf71d0e47f777fce952065e66f2d3ce3f5bb51e4177aee201c7e289

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010613001\9d09b8afaa.exe

Filesize
4.3MB

MD5
b9135cce5a371bfe6dadad02845410bd

SHA1
96fedda72617bb217f710f8470e97146d7fbc70c

SHA256
6099d2337b585d79dd82ff5771a4b86840668a1213d01862cabccf09f40b3e6e

SHA512
337c7d41a81eae7649d4bf115be33ec7b4f3f630702e3ffe522929e39c2609656bcb5f6ae2d4bfa53b74779a0a178d786694ee893bffbb794c6f32b3f22cd5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010614001\f67cb369d6.exe

Filesize
4.3MB

MD5
4c8baea05797d476b79aae87e81462ef

SHA1
447003951e78565e626490da1a98eae52d9f46c4

SHA256
564f4ac4ec2dc73a83e271c0b957c3a4e211d38b31781b01e3ea01394be9fe4c

SHA512
55f0ffaa387a3e9a1ed1b9e1e590fb2dc8f22689f71f920f72a37235dcdff43aa62697b5f7cbc1588d9ea92d785667e8bd24d39881e21de7f52b201f845b79e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010615001\3a14c8cf7f.exe

Filesize
1.9MB

MD5
ac44247e8835b336845ad56b84583656

SHA1
ff499dadf0fd0f90d3e156ba2d521367678be35e

SHA256
e1a6fe984f3ffc681defb85678e20fb0fa1c4afe1a8e99dc974dc3253a04b371

SHA512
0a9476d193084f2232301734cb558b2e5bf56e59d73c2e6f418c51c0592e4b350e19855c3b4a7ca95c19fe071baf3ff097ee0b68077d9976f68600a0266f15d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
1.9MB

MD5
69f7588863e91f123d7cf2fef9452c0c

SHA1
1c60375348fadf76013f96d4a1122a85d7004a5b

SHA256
6f9612016e158ddaef7b0963e8b8962cd9adf36e16bd9a079b9cd5cc9ac37009

SHA512
2421dfa803a4c1754f1ffa7b3ce596150fceadd33b7f67d9e0f8f6c0f09bdd2e0d88523e095af4da8777133daf1de1d5d60afc5aaa2901197cd2a4ae7eeaab78

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

Filesize
7KB

MD5
448a2492012a9a8464383929f34d0bd5

SHA1
62cd728640cb1ed0fe1f57f8122e235275ee6520

SHA256
818954e5ffdd6c2f57e891cb8ab4b752d0330da876e1affd43a308fc0025da20

SHA512
4723d581600e3fda7316d25b43cad29f722a558ec605e469e92d4ad41ea414c1f5c290e8836747d4b8b54888b03445a2554f62d749fab956baf02254d1930c4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

Filesize
17KB

MD5
ac00645e69b00912df72e48787895ed4

SHA1
fca6280fe9af5c7b3b1620c8fbb8b180a7ae0808

SHA256
c54dfce2abdb72fc2eb480ce0293fe0491ed25d29cdb334aea3ad78ed0be1eca

SHA512
428cdd14317f0615367f93be1b07ebeefa44b397966b9463496dd20c400f0b6ff24c6f07613874a307ee01c36d2a46ebee0c331fb43755e433ffc98a58cb566f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
4ebe8b164216eff693b07d070551cdd6

SHA1
d3e0c6f115ac9c1a681fd1b1b86cfbe50cc36019

SHA256
ad82e38ad0cecd5808f98fb8e7ec293bff46554eab3c4f23c8d3a6aeb38f2d3a

SHA512
4a2090700f54d0a321a19f8bc39b6436ecf556a7d548e4ecaf3b3ee5270c554a616ccfb787055e7c152a6b5c93595f53cecbeb4dd49cc1ad4a2b2b1088a932a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\4179960d-3868-47c2-8545-4ac8fe189daf

Filesize
982B

MD5
58e73c9dd880fe03d819240d2020342c

SHA1
8c146793e0e476689c736514410e3f8818d66117

SHA256
767dc8a13ddfe69ab2447c80d2c10933ae63206f8442767486da0ad52d7244ce

SHA512
5068cc11208fc6f4de27c401e52d34b20b7286e2a755f0870e6e36bcb2094ae972593de630e921949cec8b05f5377cd8d277810dbf3c75701206c648ad3b8190

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\7661fb69-1cd3-4edc-ac95-e7edb1e30ce0

Filesize
671B

MD5
febc62aad55a5d029d6243f288b25224

SHA1
0aa5c7e9ae47021532ef64e71e0de3178a981965

SHA256
5bb94a5f64c27e183072be59944139c0eceef6c9dc86db1215b88407aeb1e354

SHA512
9c3d11069e3bfa6865a4253e8d04f8a6febedd39c4d25f57eca2b42b148293aebadf4e63234e178d32caebeed9e74eff0e6538add4f61e3b3ec045b566f506b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\baf1d125-eb85-44b7-b59e-fa61e14e1679

Filesize
26KB

MD5
1af5588d0d69a0ab770e2ce4de548a19

SHA1
f7e9253041588c3a5e4718626086965ddc911083

SHA256
5945cca82950c0162192a12509ee4eb081f3297ad0a2684acfa6679693dfb910

SHA512
a3df8bfbb440bffc5a2dc4f5884e0f006e092f4b861f73540623f6d1b77751bd0eb1892bfffc189f937d346d978a0d2d5781a8aeaa8cc4a11263e30e228a9c37

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js

Filesize
10KB

MD5
de3556beca82cd5f7d5e71f519d5efa8

SHA1
9c00f88e1a315a01aa4d8869c64ec25defe943e0

SHA256
112d55b9ec548902e0ce8c442169c0582f74649bfcac2c2dfd6cbff7abea540a

SHA512
77296f9c09e49723e94c612df9ae587ccca67ab2139b30d66ed54070483b512876ebc5b60bfc795679fd89b2b2cb70dd801d339fdd9eacdc16a93491c75b6b46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js

Filesize
11KB

MD5
98d7dbed2c14cae5a441b4c0107ce0e3

SHA1
9a0185a9babb08a17afc3ba6280c51708b2c8519

SHA256
59185a6e73e705f6e0b988055211507f283034ba89e21515a5003b6820784427

SHA512
6d530096e850cde500c34ffdb2938d4735379dbaa977a959989ba934decc3971e9fc556adeca42f1e028f1489f60607091261592add0c670c9b122492af0cd87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs.js

Filesize
10KB

MD5
a09d7d93a66be78eb30ef61948567fd0

SHA1
e4d00d2a78e9bd57dfc4d099629dba81c524ee8a

SHA256
f89e8493d29030c4623126f4e875bab23808c6077df12f606ce9291268aa0a0c

SHA512
389a37e48da7ee59e7a5e301d641ba8ce869afcb4815753afa4dbc3a6bab46454194c7daff7a31710d39a33f5531684a9a7a6ee44ab279a303f87f5f6210a789

Download Submit
memory/824-0-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/824-18-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/824-4-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/824-3-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/824-2-0x0000000000061000-0x000000000008F000-memory.dmp

Filesize
184KB

Download
memory/824-1-0x00000000772D4000-0x00000000772D6000-memory.dmp

Filesize
8KB

Download
memory/1624-88-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1624-41-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1624-38-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1624-39-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1624-645-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1624-40-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1624-42-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1624-697-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1624-95-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1624-215-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1800-571-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1800-683-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1800-125-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1800-710-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1800-151-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1800-61-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/3144-44-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-819-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-60-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-569-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-43-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-828-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-842-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-823-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-834-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-840-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-62-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-19-0x00000000008C1000-0x00000000008EF000-memory.dmp

Filesize
184KB

Download
memory/3144-21-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-838-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-797-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-22-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-836-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-685-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-20-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-713-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-150-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3144-16-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/3824-121-0x00000000004B0000-0x0000000000B50000-memory.dmp

Filesize
6.6MB

Download
memory/3824-122-0x00000000004B0000-0x0000000000B50000-memory.dmp

Filesize
6.6MB

Download
memory/4956-696-0x0000000000EF0000-0x00000000013A0000-memory.dmp

Filesize
4.7MB

Download
memory/4956-87-0x0000000000EF0000-0x00000000013A0000-memory.dmp

Filesize
4.7MB

Download
memory/4956-162-0x0000000000EF0000-0x00000000013A0000-memory.dmp

Filesize
4.7MB

Download
memory/4956-631-0x0000000000EF0000-0x00000000013A0000-memory.dmp

Filesize
4.7MB

Download
memory/4956-160-0x0000000000EF0000-0x00000000013A0000-memory.dmp

Filesize
4.7MB

Download
memory/5268-839-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/5268-714-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/5268-715-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/5268-835-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/5268-705-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/5268-837-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/5268-805-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/5268-829-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/5268-820-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/5268-841-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/5268-824-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/5268-843-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/5836-188-0x00000000006B0000-0x0000000000966000-memory.dmp

Filesize
2.7MB

Download
memory/5836-180-0x00000000006B0000-0x0000000000966000-memory.dmp

Filesize
2.7MB

Download
memory/5836-189-0x00000000006B0000-0x0000000000966000-memory.dmp

Filesize
2.7MB

Download
memory/5836-647-0x00000000006B0000-0x0000000000966000-memory.dmp

Filesize
2.7MB

Download
memory/5836-641-0x00000000006B0000-0x0000000000966000-memory.dmp

Filesize
2.7MB

Download
memory/6180-682-0x0000000000340000-0x0000000000FF1000-memory.dmp

Filesize
12.7MB

Download
memory/6180-668-0x0000000000340000-0x0000000000FF1000-memory.dmp

Filesize
12.7MB

Download
memory/6208-831-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/6208-833-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/6792-684-0x0000000000570000-0x00000000011FA000-memory.dmp

Filesize
12.5MB

Download
memory/6792-617-0x0000000000570000-0x00000000011FA000-memory.dmp

Filesize
12.5MB

Download
memory/7088-630-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download
memory/7088-624-0x00000000008C0000-0x0000000000D8D000-memory.dmp

Filesize
4.8MB

Download