amadey | a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a

Analysis

max time kernel
25s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/12/2024, 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
Size

2.9MB
MD5

1d272c9aa998704c62b578a03ea79db0
SHA1

0bfb5ffd37a278143649f15efbf3b8725b25f89b
SHA256

a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a
SHA512

8de05686653f6779327abd212946ea3bcad946fd6e014accd47d411d58c7eb95b62365e015daa0ea94d6bb5835227e7c657fca72a88a1de41674e99a078be6c8
SSDEEP

49152:0wH8eUbUu/g2CpfY3m9/Py/vxbhOQ1kK1dkUsVXos3xfHfMm3ScftLQJiME+N:0wT5u/g2CpfY3m9/PexbQAkK1dkh3xvL

Score

10^/10

amadey cryptbot lumma stealc 9c9aa5 stok discovery evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://shineugler.biz/api

https://tacitglibbr.biz/api

Extracted

Family

cryptbot

Extracted

Family

stealc

Botnet

stok

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

lumma

https://shineugler.biz/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	H9TU4oY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	H9TU4oY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	H9TU4oY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	skotes.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk	2GxWWLQ9MnO4hseH.exe

Executes dropped EXE 7 IoCs

pid	Process
3616	skotes.exe
1576	skotes.exe
1612	H9TU4oY.exe
4444	ShtrayEasy35.exe
2236	2GxWWLQ9MnO4hseH.exe
1128	IQ7ux2z.exe
2904	sUSFJjY.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	H9TU4oY.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChrome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XCEXiMEo\\2GxWWLQ9MnO4hseH.exe"	2GxWWLQ9MnO4hseH.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5580	powercfg.exe
6224	powercfg.exe
5552	powercfg.exe
2880	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0003000000000709-16216.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1664	a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
3616	skotes.exe
1576	skotes.exe
1612	H9TU4oY.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6864	3180	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	H9TU4oY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ShtrayEasy35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2GxWWLQ9MnO4hseH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IQ7ux2z.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6996	timeout.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
6104	taskkill.exe
5472	taskkill.exe
5272	taskkill.exe
6812	taskkill.exe
6112	taskkill.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1664	a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
1664	a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
3616	skotes.exe
3616	skotes.exe
1576	skotes.exe
1576	skotes.exe
1612	H9TU4oY.exe
1612	H9TU4oY.exe
4444	ShtrayEasy35.exe
4444	ShtrayEasy35.exe
2236	2GxWWLQ9MnO4hseH.exe
2236	2GxWWLQ9MnO4hseH.exe
1612	H9TU4oY.exe
1612	H9TU4oY.exe
1612	H9TU4oY.exe
1612	H9TU4oY.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1128	IQ7ux2z.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1664	a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 3616	1664	a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe	83
PID 1664 wrote to memory of 3616	1664	a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe	83
PID 1664 wrote to memory of 3616	1664	a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe	83
PID 3616 wrote to memory of 1612	3616	skotes.exe	86
PID 3616 wrote to memory of 1612	3616	skotes.exe	86
PID 3616 wrote to memory of 1612	3616	skotes.exe	86
PID 3616 wrote to memory of 4444	3616	skotes.exe	91
PID 3616 wrote to memory of 4444	3616	skotes.exe	91
PID 3616 wrote to memory of 4444	3616	skotes.exe	91
PID 4444 wrote to memory of 2236	4444	ShtrayEasy35.exe	92
PID 4444 wrote to memory of 2236	4444	ShtrayEasy35.exe	92
PID 4444 wrote to memory of 2236	4444	ShtrayEasy35.exe	92
PID 3616 wrote to memory of 1128	3616	skotes.exe	97
PID 3616 wrote to memory of 1128	3616	skotes.exe	97
PID 3616 wrote to memory of 1128	3616	skotes.exe	97
PID 3616 wrote to memory of 2904	3616	skotes.exe	99
PID 3616 wrote to memory of 2904	3616	skotes.exe	99

C:\Users\Admin\AppData\Local\Temp\a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
"C:\Users\Admin\AppData\Local\Temp\a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Users\Admin\AppData\Local\Temp\1015327001\H9TU4oY.exe
    "C:\Users\Admin\AppData\Local\Temp\1015327001\H9TU4oY.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1612
- - C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe
    "C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\XCEXiMEo\2GxWWLQ9MnO4hseH.exe
      C:\Users\Admin\AppData\Local\Temp\XCEXiMEo\2GxWWLQ9MnO4hseH.exe 4444
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2236
- - C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe
    "C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1128
  - - C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe
      "C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe"
      4⤵
      PID:5880
- - C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe
    "C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe"
    3⤵
    - Executes dropped EXE
    PID:2904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADEANQA3ADgAMQAwADAAMQBcAHMAVQBTAEYASgBqAFkALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADEANQA3ADgAMQAwADAAMQBcAHMAVQBTAEYASgBqAFkALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEkAcwBTAHQAbwBwAHAAZQBkAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEkAcwBTAHQAbwBwAHAAZQBkAC4AZQB4AGUA
      4⤵
      PID:1436
- - C:\Users\Admin\AppData\Local\Temp\1015876001\e97b83f7ed.exe
    "C:\Users\Admin\AppData\Local\Temp\1015876001\e97b83f7ed.exe"
    3⤵
    PID:3560
  - - C:\Users\Admin\AppData\Local\Temp\1015876001\e97b83f7ed.exe
      "C:\Users\Admin\AppData\Local\Temp\1015876001\e97b83f7ed.exe"
      4⤵
      PID:316
- - C:\Users\Admin\AppData\Local\Temp\1015877001\2040396f00.exe
    "C:\Users\Admin\AppData\Local\Temp\1015877001\2040396f00.exe"
    3⤵
    PID:4476
- - C:\Users\Admin\AppData\Local\Temp\1015878001\1bc94216f2.exe
    "C:\Users\Admin\AppData\Local\Temp\1015878001\1bc94216f2.exe"
    3⤵
    PID:4412
- - C:\Users\Admin\AppData\Local\Temp\1015879001\4cf25f5804.exe
    "C:\Users\Admin\AppData\Local\Temp\1015879001\4cf25f5804.exe"
    3⤵
    PID:3180
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1015879001\4cf25f5804.exe" & rd /s /q "C:\ProgramData\0R1N7QQIMOZM" & exit
      4⤵
      PID:2656
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:6996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 2068
      4⤵
      Program crash
      PID:6864
- - C:\Users\Admin\AppData\Local\Temp\1015880001\a61c1eb788.exe
    "C:\Users\Admin\AppData\Local\Temp\1015880001\a61c1eb788.exe"
    3⤵
    PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\GJDBSL7ZHH0PQ67KYAMQXT89.exe
      "C:\Users\Admin\AppData\Local\Temp\GJDBSL7ZHH0PQ67KYAMQXT89.exe"
      4⤵
      PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\C16QQ59TPHAVD1LW3N.exe
      "C:\Users\Admin\AppData\Local\Temp\C16QQ59TPHAVD1LW3N.exe"
      4⤵
      PID:3296
- - C:\Users\Admin\AppData\Local\Temp\1015881001\450f155b1a.exe
    "C:\Users\Admin\AppData\Local\Temp\1015881001\450f155b1a.exe"
    3⤵
    PID:1980
- - C:\Users\Admin\AppData\Local\Temp\1015882001\efb3b5ed51.exe
    "C:\Users\Admin\AppData\Local\Temp\1015882001\efb3b5ed51.exe"
    3⤵
    PID:6712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:6812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:6112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:6104
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:5472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:5272
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:6856
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:2588
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {471c9042-e096-45fa-b46c-c6e1af8bc20f} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" gpu
        6⤵
        
        PID:6124
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2424 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22b11d65-9538-40a9-b3d4-12c25a09521a} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" socket
        6⤵
        
        PID:5892
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2716 -childID 1 -isForBrowser -prefsHandle 3060 -prefMapHandle 3116 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de28d0b1-4bdb-41a4-af6d-6361b2462a70} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" tab
        6⤵
        
        PID:3576
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3784 -childID 2 -isForBrowser -prefsHandle 3776 -prefMapHandle 3772 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {983c2276-40c2-49da-9a6c-e3c88b727f48} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" tab
        6⤵
        
        PID:1908
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4576 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1416 -prefMapHandle 4276 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64c8e591-01e3-45c1-9da6-44cda10f559a} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" utility
        6⤵
        
        PID:6032
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5260 -childID 3 -isForBrowser -prefsHandle 5252 -prefMapHandle 5248 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3116a89-66b9-4b35-ada6-f2102b91a7e7} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" tab
        6⤵
        
        PID:3716
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 4 -isForBrowser -prefsHandle 5404 -prefMapHandle 5408 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {853e92eb-7269-4f63-beca-183d1d19fb2d} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" tab
        6⤵
        
        PID:6592
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 5 -isForBrowser -prefsHandle 5592 -prefMapHandle 5596 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b1f3567-ebd0-44ae-b5e1-76ca0d978bb6} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" tab
        6⤵
        
        PID:5192
- - C:\Users\Admin\AppData\Local\Temp\1015883001\6e3ff0ef11.exe
    "C:\Users\Admin\AppData\Local\Temp\1015883001\6e3ff0ef11.exe"
    3⤵
    PID:1052
- - C:\Users\Admin\AppData\Local\Temp\1015884001\edfed99544.exe
    "C:\Users\Admin\AppData\Local\Temp\1015884001\edfed99544.exe"
    3⤵
    PID:6164
- - C:\Users\Admin\AppData\Local\Temp\1015885001\f2fdf0ed0e.exe
    "C:\Users\Admin\AppData\Local\Temp\1015885001\f2fdf0ed0e.exe"
    3⤵
    PID:6960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      4⤵
      PID:1892
    - - C:\Windows\system32\mode.com
        
        mode 65,10
        5⤵
        
        PID:5416

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1576

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
PID:6496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
1⤵
PID:5776
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2880
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:5552
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:6224
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:5580
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:7124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3180 -ip 3180
1⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json

Filesize
28KB

MD5
f53b6d9888b5a6262ced98b7d0a506c9

SHA1
94cb458f3e23929191e7fd50d4f77a31093890f8

SHA256
1b1ba36e8e55b0ce1756ce9fab17b603de08be16f006d202ad857841bc71f6b4

SHA512
8448199126afa6fbbe4dc90a682c64d6eff3b86ffaa4bd0f305dd7059f74c48eb126f43c2abc042918955bcae2b5347b82798e6b5a3e1d624a59ca790dfcf39a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015327001\H9TU4oY.exe

Filesize
1.7MB

MD5
6c1d0dabe1ec5e928f27b3223f25c26b

SHA1
e25ab704a6e9b3e4c30a6c1f7043598a13856ad9

SHA256
92228a0012605351cf08df9a2ad4b93fa552d7a75991f81fb80f1ae854a0e57d

SHA512
3a3f7af4f6018fcbd8c6f2871270504731cf269134453c9a146351c3e4a5c89165ecccafb3655d8b39c1ff1ec68f06e1851c0abd66d47602e1f0f8e36d4acfe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe

Filesize
256KB

MD5
c37a981bc24c4aba6454da4eecb7acbe

SHA1
2bffdf27d0d4f7c810e323c1671a87ed2d6b644f

SHA256
d6fc121d54e4cdf3a1b6b0505c4f691f16d91fdd421bf96c04388b1c6f19e361

SHA512
2f44b5218b323bc2bad3ee37426b5bbcbb089b1a561e5f2f48fd455fed0a395b50a6cbb3783bf06e25b144b3f77078629ab1d86fb2c8df1a532230c81a3b2ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe

Filesize
2.8MB

MD5
262910eb7fc46edcb0d3fd7f6f17ed86

SHA1
bab28bfa59dfd46cbe199459e3444196c886c71b

SHA256
6fdbc3d0051edb05905ad7ba78cdba76673449b7740bbfb90f4cf7ed8c773711

SHA512
c6d0d4079a4ca491bff01512b53ee213b8262273f06345b46b46b56e600ea11278698099f0fdd94cc0252bb76b4e398fb50a13c925b9941ab764a8fdbe238f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe

Filesize
2.8MB

MD5
0dad190f420a0a09ed8c262ca18b1097

SHA1
b97535bf2960278b19bda8cad9e885b8eefbdc85

SHA256
29e1e95110c03e84720e213a2bb0dcdff95af85a8a894d71518e06c62131e64a

SHA512
8ae92676fc5539899414f0a70cba1ed01685b30af9002c68114720d6a7213e4e9c2368e17717c4e3e02650781a022001e4a2e43f83afbd709e7f1ab81003b646

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe

Filesize
87KB

MD5
3c104350cc2661c345673e91ed672c4c

SHA1
d205e94d47949cf3bc3f5226978f6d370c3d3b94

SHA256
1fb9f279263c252a09f12b69c7238c18d2325f7cf7250ebe24ad9149abe62cf4

SHA512
9c02bde2d096e181f00e906f4e242905d0e54dd207f309764805c7444c9f43073106812ade97fca9fc2363f59ed071371276880ce85e9a307fcdb03d3250cf6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015876001\e97b83f7ed.exe

Filesize
710KB

MD5
28e568616a7b792cac1726deb77d9039

SHA1
39890a418fb391b823ed5084533e2e24dff021e1

SHA256
9597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2

SHA512
85048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015877001\2040396f00.exe

Filesize
4.2MB

MD5
3617bfad36063c68a129b7e2bd89ceef

SHA1
6621e1f1403b9fa874124c374021034a3c86421e

SHA256
e5637e64459e1868bf6318ea3b48b76ecf3f5669992ba882a7ddab2567af8b24

SHA512
fdf2d08361b48faccf5ee0e2f04104f07f4677a0299a80d49cf50aabd952a6bb23332f51b12102d87c01ee3291bf1bc3833035e42d613e4c35e657dc06044c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015878001\1bc94216f2.exe

Filesize
4.3MB

MD5
c5f945671aec219fd0af66f72065a536

SHA1
7956212b4272158ebf29243e79067cc73066fee6

SHA256
7fdc637cd02ad95b233c17569424fe28b53228f5d7dc853dc1449527ad2fd05d

SHA512
1cf363e35bbdaa90af47ff79e59a3175559b81d6ec63b296534793b1b406b883dd0b89412b0115be4a42041d27c15e97e494b284e092397d1878b8dfb544144a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015879001\4cf25f5804.exe

Filesize
384KB

MD5
dfd5f78a711fa92337010ecc028470b4

SHA1
1a389091178f2be8ce486cd860de16263f8e902e

SHA256
da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d

SHA512
a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015880001\a61c1eb788.exe

Filesize
1.8MB

MD5
f9694cb15c258cf8125cf0c317c77479

SHA1
ad7ab004164e247a32fb8eb4187103a1eaf73657

SHA256
37aafa95a96bdc9144593c820466f3f063cd0e9fb3c6d2bcfab4c1bf0b61e51b

SHA512
41504ae13f21e126508b91cdacc3d993790b7ce6001a0d58353860ad4eccb76858f553f4dd49d1960fae09a777160493932c0bb9acebd3bad3aae6e0dc2e2351

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015881001\450f155b1a.exe

Filesize
1.7MB

MD5
f660a7ff99befe7ae52d2636a0e8db46

SHA1
41b7e90dbf2ce54bd4e3048d0dc1b7e9d59d81ee

SHA256
526d8ce745c14bac28de547ee616d66bec13517e558da772982b41cb9d6dda62

SHA512
4f13dc0b5c8003b3dc7a5f3faa02c4e103da106722d53494a74e419756d1ce8c35b308641e7690bb932002b0d16411caedb60e63138d33cbfe78520ca8bd0240

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015882001\efb3b5ed51.exe

Filesize
946KB

MD5
6bf59db9dafe72201466700ea8cb334d

SHA1
e3649b55eb5141245e634374aa4a6385dba214e6

SHA256
acdc360a0c9680c407d43df48f143af92d99d5c034a152e78b5da5220dbeb249

SHA512
f44354e412d85b7025c486d2582976f684a57216267c37dbc2fea2b6ba5e9808a098f663258569a5a998d849e97b15a15d617f834e9b768e01391daf0ff261bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015883001\6e3ff0ef11.exe

Filesize
2.6MB

MD5
e5cfad81f5397d7eeed2e7251b7e6e7a

SHA1
84184161e1b542773e5c74909ce37bb1f8f2238e

SHA256
46cb31f14f15b4f13d203fe4138401adccf3163cf405fe907e7ee86bbd1c2387

SHA512
fad966d925810d75be01d20b2b2bbf45755a30d385754878764fec0f1d45100490ba8c4ea279429f91c627cfa8f6b0e2abc70abdb8b645dddf1abd4cf021656a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015885001\f2fdf0ed0e.exe

Filesize
4.2MB

MD5
3a425626cbd40345f5b8dddd6b2b9efa

SHA1
7b50e108e293e54c15dce816552356f424eea97a

SHA256
ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1

SHA512
a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_51d0koaj.tiw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.9MB

MD5
1d272c9aa998704c62b578a03ea79db0

SHA1
0bfb5ffd37a278143649f15efbf3b8725b25f89b

SHA256
a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a

SHA512
8de05686653f6779327abd212946ea3bcad946fd6e014accd47d411d58c7eb95b62365e015daa0ea94d6bb5835227e7c657fca72a88a1de41674e99a078be6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
440B

MD5
3626532127e3066df98e34c3d56a1869

SHA1
5fa7102f02615afde4efd4ed091744e842c63f78

SHA256
2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca

SHA512
dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk

Filesize
1KB

MD5
f1358bff48b36280aa92a53b83f0ff38

SHA1
4975bbb3bc33cc0cca7d9c508aa1ffcb0cfe5b48

SHA256
f8f1c343928201165c52d00e6d785d59ec98f9f27ffb7e005f2f7a59510f0925

SHA512
da9f515938b13532c4f7b45f92cedbeb462aac8891ae7c17e0cb07757d310e45926a643cd302f0a0574ff015cb31181b2a1ca54e0e2d433382416c19e0d6dabc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

Filesize
8KB

MD5
7ae88575fb2871047e9350dc66c4a39e

SHA1
2cf401652472f9583cc1de5703eef11d08c1a8ec

SHA256
96c6b2783a44920f8e83802407c381169048942fb4cdb24d28c3e84c60d09d32

SHA512
2f17385fe2728c933bbc8e245e3b169baa9353acc890fbda917850881114a0b2f902fa5d2fabd5d72eb54397ecffb3c3efc627eb0fb6f1c293b77231c2f1aaf2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
67612784bb7581902c7fa28b7e514cfe

SHA1
27fb3b6897f30076af387cca0d64da8f1a78f0f8

SHA256
b06e5ade49fb7a914ba2472c0c9bdc4880e862ab0e4c26f64a952aaa3e12daac

SHA512
298c610795c90651fb49ed87606307e5ab882285d9ed16648decc1fa2944b6ce9b102bf910f6dec5651770ff0e7e833f08eff609cd32c380969b816f0b92a110

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
462ffb2c80a1d7050a1e4fe0a989ac90

SHA1
32451d68ffdb7919aab5bd9d4477d5dc99d4f250

SHA256
112986dfb6b5449ada643b86eda48e4686e39e789c9b2e617ca7403a04ecb596

SHA512
9eb035aad61a9a89d357b0330aa07fedc5299ba860c3fc5305497d8fa3f0c515b053c2392779ddf0ed4e2ced27abf2ccff505b7c1f140dd5a008eddc54b5ca5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
69489c2b2a666dffcc96b1d464a7edf9

SHA1
1fc95272e2e4b10c6dfa7fa629a43a295c0aa817

SHA256
9f5b2eb0842ae118db288fc7662eb42e407ed1cb64ce7c95f36a74b0f235e2e7

SHA512
ff7b9532d70139c9801b47a7ca3d6a8b6ce901d41e49597fe675a5905518b9e76bc167daf56a452e5d2059932e9e055aa9721783888b645a687918f70f430e54

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\42166efd-a965-474f-9280-63e05b36b172

Filesize
659B

MD5
32e2c4299c8698331229c3cc2d164252

SHA1
349b8e5be97be21b5177de7fb8f3cb1572c6220e

SHA256
3ceab137c4258b4143c0673972a691d945f2e524f62c6b5326f880b5408815bf

SHA512
9453ee52aebd2357d1f54ce96767437b1be547791d6364b95c0edc5978fbcc406eb5fdb635e186cd2f288cce88ddedd3b5c43e47b1b8f35f9a2c7511c58d1d34

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\723976ed-416f-4bab-99c1-4a0df611ab37

Filesize
982B

MD5
68c94c999c73146d6a1d4cc170705215

SHA1
095bcf1f044a546a338d9b2010a5e0cbbe4a891d

SHA256
38ae0e7e5cccd2fbffa9928b2957126065c6e10e4f4f15649233f36506575cdc

SHA512
2e8c726601cd20f290f30707c447873a7c92ef4d8837a56c7093fa06501039b7952b814b2cabf73d67e2a7b4f9b716c4c3288bff20f8757fb6fb349aab3f1fea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js

Filesize
10KB

MD5
ec9341ef08754d61e51960d742a52102

SHA1
1fa599fa0d4cc7ab556fb6cb8de54daf85af6b7e

SHA256
34b7ecff3675bf66f167f423048536b69e210902436f5afe5472a3b64c2ffabb

SHA512
d6b3f44d60cce46ebc3ad521a6c04c3caa1267ae6503c08fe1c23f3cbb81e3d6032c04f25aea4b5e8e6b3325bb94671bee09afaecfdff782cf21bb1217d82a73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

Filesize
10KB

MD5
e4d4b07409f05b162104d412ec1df9fa

SHA1
6bc0b432a0a93a43675d1672052578f11e5cfc27

SHA256
e661a7835171f1c30ab97df720fc2aa13b2b954247bb85f1ad068146098ae6d5

SHA512
553277f695919b859696d35f9a4cf32bcd82b1b2a380879866cf0eafcfa59c23f4b3bb7d9355debd55318989fae8c93925323b2ffd1e1076cad0c00c67e0953c

Download Submit
memory/528-29786-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download
memory/528-30494-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download
memory/1052-19078-0x0000000000300000-0x00000000005A8000-memory.dmp

Filesize
2.7MB

Download
memory/1052-19756-0x0000000000300000-0x00000000005A8000-memory.dmp

Filesize
2.7MB

Download
memory/1052-19755-0x0000000000300000-0x00000000005A8000-memory.dmp

Filesize
2.7MB

Download
memory/1052-22376-0x0000000000300000-0x00000000005A8000-memory.dmp

Filesize
2.7MB

Download
memory/1052-23784-0x0000000000300000-0x00000000005A8000-memory.dmp

Filesize
2.7MB

Download
memory/1060-16727-0x0000000000EC0000-0x0000000001363000-memory.dmp

Filesize
4.6MB

Download
memory/1060-13322-0x0000000000EC0000-0x0000000001363000-memory.dmp

Filesize
4.6MB

Download
memory/1060-30510-0x0000000000EC0000-0x0000000001363000-memory.dmp

Filesize
4.6MB

Download
memory/1128-147-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-101-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-131-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-125-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-129-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-127-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-123-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-119-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-117-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-139-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-115-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-113-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-112-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-109-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-107-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-133-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-155-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-105-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-103-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-157-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-100-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-141-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-143-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-137-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-153-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-145-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-135-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-149-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-96-0x0000000000C60000-0x0000000000F3C000-memory.dmp

Filesize
2.9MB

Download
memory/1128-121-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1128-99-0x00000000059E0000-0x0000000005B9E000-memory.dmp

Filesize
1.7MB

Download
memory/1128-151-0x00000000059E0000-0x0000000005B98000-memory.dmp

Filesize
1.7MB

Download
memory/1436-18810-0x0000017C89740000-0x0000017C89762000-memory.dmp

Filesize
136KB

Download
memory/1576-30-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download
memory/1576-28-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download
memory/1576-26-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download
memory/1576-24-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download
memory/1612-97-0x0000000000910000-0x0000000000D9B000-memory.dmp

Filesize
4.5MB

Download
memory/1612-46-0x0000000000910000-0x0000000000D9B000-memory.dmp

Filesize
4.5MB

Download
memory/1664-0-0x0000000000E20000-0x0000000001144000-memory.dmp

Filesize
3.1MB

Download
memory/1664-2-0x0000000000E21000-0x0000000000E4F000-memory.dmp

Filesize
184KB

Download
memory/1664-18-0x0000000000E20000-0x0000000001144000-memory.dmp

Filesize
3.1MB

Download
memory/1664-4-0x0000000000E20000-0x0000000001144000-memory.dmp

Filesize
3.1MB

Download
memory/1664-1-0x00000000770F4000-0x00000000770F6000-memory.dmp

Filesize
8KB

Download
memory/1664-3-0x0000000000E20000-0x0000000001144000-memory.dmp

Filesize
3.1MB

Download
memory/1980-17345-0x00000000006E0000-0x0000000000D75000-memory.dmp

Filesize
6.6MB

Download
memory/1980-15247-0x00000000006E0000-0x0000000000D75000-memory.dmp

Filesize
6.6MB

Download
memory/2904-13046-0x00000215A11B0000-0x00000215A11FC000-memory.dmp

Filesize
304KB

Download
memory/2904-13042-0x00000215BA2F0000-0x00000215BA7CE000-memory.dmp

Filesize
4.9MB

Download
memory/2904-16767-0x00000215BAC70000-0x00000215BACC4000-memory.dmp

Filesize
336KB

Download
memory/2904-1142-0x000002159F910000-0x000002159F916000-memory.dmp

Filesize
24KB

Download
memory/2904-1071-0x000002159F550000-0x000002159F568000-memory.dmp

Filesize
96KB

Download
memory/2904-6055-0x00000215B9D80000-0x00000215BA2EE000-memory.dmp

Filesize
5.4MB

Download
memory/3296-30509-0x0000000000770000-0x0000000000E05000-memory.dmp

Filesize
6.6MB

Download
memory/3296-30514-0x0000000000770000-0x0000000000E05000-memory.dmp

Filesize
6.6MB

Download
memory/3616-16-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download
memory/3616-47-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download
memory/3616-19-0x00000000008E1000-0x000000000090F000-memory.dmp

Filesize
184KB

Download
memory/3616-20-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download
memory/3616-21-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download
memory/3616-27-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download
memory/3616-25-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download
memory/3616-22-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download
memory/4412-10238-0x0000000000630000-0x0000000001282000-memory.dmp

Filesize
12.3MB

Download
memory/4412-8701-0x0000000000630000-0x0000000001282000-memory.dmp

Filesize
12.3MB

Download
memory/4476-9529-0x0000000000690000-0x0000000001275000-memory.dmp

Filesize
11.9MB

Download
memory/4476-11424-0x0000000000690000-0x0000000001275000-memory.dmp

Filesize
11.9MB

Download
memory/4476-5470-0x0000000000690000-0x0000000001275000-memory.dmp

Filesize
11.9MB

Download
memory/4596-30789-0x0000000000FA0000-0x0000000001248000-memory.dmp

Filesize
2.7MB

Download
memory/4596-30503-0x0000000000FA0000-0x0000000001248000-memory.dmp

Filesize
2.7MB

Download
memory/4596-30502-0x0000000000FA0000-0x0000000001248000-memory.dmp

Filesize
2.7MB

Download
memory/4596-30499-0x0000000000FA0000-0x0000000001248000-memory.dmp

Filesize
2.7MB

Download
memory/4596-30856-0x0000000000FA0000-0x0000000001248000-memory.dmp

Filesize
2.7MB

Download
memory/5880-30799-0x0000000004E50000-0x0000000004F14000-memory.dmp

Filesize
784KB

Download
memory/5880-30756-0x00000000009B0000-0x0000000000A10000-memory.dmp

Filesize
384KB

Download
memory/6164-25130-0x00000000004C0000-0x000000000094B000-memory.dmp

Filesize
4.5MB

Download
memory/6164-21240-0x00000000004C0000-0x000000000094B000-memory.dmp

Filesize
4.5MB

Download
memory/6164-30517-0x00000000004C0000-0x000000000094B000-memory.dmp

Filesize
4.5MB

Download
memory/6496-12727-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download
memory/6496-14126-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download