amadey | ad1e3f88d7d1c29836570f13b8b540dfdaca9434b9f47170b00cf54519c5edcc

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-09-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.8MB
MD5

604496f01be7b778d8a564c57677d644
SHA1

b3a7781e8a94cadb2450c4a3df11b4a2e94ef82c
SHA256

ad1e3f88d7d1c29836570f13b8b540dfdaca9434b9f47170b00cf54519c5edcc
SHA512

62b720afcefbf8ba96698d428859466dccd83e03440e06c2264557185ce415b18240dfaed46065cf2775d8f890f112ae2e5d88910b19166fa001c67e671426fc
SSDEEP

49152:UFUzI1/+kp2sID/l8KmuQQHur5j2IZxEmtyeeu:b8V+kksIp8X7QEKWeu

Score

10^/10

amadey redline stealc 9c9aa5 fed3aa livetraffic save discovery evasion execution infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

save

http://185.215.113.37

Attributes

url_path
/e2b1563c6670f193.php

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

95.179.250.45:26212

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/3052-406-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/3052-403-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/3052-405-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/3052-400-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/3052-398-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5878b15517.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e34c91c0d5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7025e32886.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e34c91c0d5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e34c91c0d5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7025e32886.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5878b15517.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7025e32886.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5878b15517.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe

Executes dropped EXE 7 IoCs

pid	Process
2828	skotes.exe
592	e34c91c0d5.exe
1700	7025e32886.exe
408	c71420f51c.exe
2472	5878b15517.exe
1732	axplong.exe
1304	gold.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	e34c91c0d5.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	7025e32886.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	5878b15517.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	axplong.exe

Loads dropped DLL 9 IoCs

pid	Process
2096	file.exe
2828	skotes.exe
2828	skotes.exe
2828	skotes.exe
2828	skotes.exe
2828	skotes.exe
2828	skotes.exe
2472	5878b15517.exe
1732	axplong.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\e34c91c0d5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000002001\\e34c91c0d5.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\7025e32886.exe = "C:\\Users\\Admin\\1000015002\\7025e32886.exe"	skotes.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00080000000192a9-158.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2096	file.exe
2828	skotes.exe
592	e34c91c0d5.exe
1700	7025e32886.exe
2472	5878b15517.exe
1732	axplong.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1304 set thread context of 3052	1304	gold.exe	66

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	file.exe
File created	C:\Windows\Tasks\axplong.job	5878b15517.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1716	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e34c91c0d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c71420f51c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5878b15517.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7025e32886.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gold.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2096	file.exe
2828	skotes.exe
592	e34c91c0d5.exe
1700	7025e32886.exe
1716	powershell.exe
1716	powershell.exe
1716	powershell.exe
2472	5878b15517.exe
1732	axplong.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
408	c71420f51c.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1720	firefox.exe
Token: SeDebugPrivilege	1720	firefox.exe
Token: SeDebugPrivilege	1736	firefox.exe
Token: SeDebugPrivilege	1736	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2096	file.exe
1720	firefox.exe
1720	firefox.exe
1720	firefox.exe
1720	firefox.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
2472	5878b15517.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1720	firefox.exe
1720	firefox.exe
1720	firefox.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe
408	c71420f51c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2828	2096	file.exe	30
PID 2096 wrote to memory of 2828	2096	file.exe	30
PID 2096 wrote to memory of 2828	2096	file.exe	30
PID 2096 wrote to memory of 2828	2096	file.exe	30
PID 2828 wrote to memory of 592	2828	skotes.exe	32
PID 2828 wrote to memory of 592	2828	skotes.exe	32
PID 2828 wrote to memory of 592	2828	skotes.exe	32
PID 2828 wrote to memory of 592	2828	skotes.exe	32
PID 2828 wrote to memory of 1700	2828	skotes.exe	33
PID 2828 wrote to memory of 1700	2828	skotes.exe	33
PID 2828 wrote to memory of 1700	2828	skotes.exe	33
PID 2828 wrote to memory of 1700	2828	skotes.exe	33
PID 2828 wrote to memory of 1716	2828	skotes.exe	35
PID 2828 wrote to memory of 1716	2828	skotes.exe	35
PID 2828 wrote to memory of 1716	2828	skotes.exe	35
PID 2828 wrote to memory of 1716	2828	skotes.exe	35
PID 1716 wrote to memory of 1952	1716	powershell.exe	37
PID 1716 wrote to memory of 1952	1716	powershell.exe	37
PID 1716 wrote to memory of 1952	1716	powershell.exe	37
PID 1716 wrote to memory of 1952	1716	powershell.exe	37
PID 1952 wrote to memory of 1720	1952	firefox.exe	38
PID 1952 wrote to memory of 1720	1952	firefox.exe	38
PID 1952 wrote to memory of 1720	1952	firefox.exe	38
PID 1952 wrote to memory of 1720	1952	firefox.exe	38
PID 1952 wrote to memory of 1720	1952	firefox.exe	38
PID 1952 wrote to memory of 1720	1952	firefox.exe	38
PID 1952 wrote to memory of 1720	1952	firefox.exe	38
PID 1952 wrote to memory of 1720	1952	firefox.exe	38
PID 1952 wrote to memory of 1720	1952	firefox.exe	38
PID 1952 wrote to memory of 1720	1952	firefox.exe	38
PID 1952 wrote to memory of 1720	1952	firefox.exe	38
PID 1952 wrote to memory of 1720	1952	firefox.exe	38
PID 1720 wrote to memory of 2056	1720	firefox.exe	39
PID 1720 wrote to memory of 2056	1720	firefox.exe	39
PID 1720 wrote to memory of 2056	1720	firefox.exe	39
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40
PID 1720 wrote to memory of 1216	1720	firefox.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\1000002001\e34c91c0d5.exe
    "C:\Users\Admin\AppData\Local\Temp\1000002001\e34c91c0d5.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:592
- - C:\Users\Admin\1000015002\7025e32886.exe
    "C:\Users\Admin\1000015002\7025e32886.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\1000018042\blo.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1720
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1720.0.502541640\1543603040" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1224 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09a88a2e-4c01-4e90-85bf-cc85804a70a3} 1720 "\\.\pipe\gecko-crash-server-pipe.1720" 1296 108d5258 gpu
        6⤵
        
        PID:2056
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1720.1.1330440985\1008135463" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1496 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b786cd4-b966-456e-8b26-de717591473c} 1720 "\\.\pipe\gecko-crash-server-pipe.1720" 1512 d71658 socket
        6⤵
        Checks processor information in registry
        
        PID:1216
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1720.2.1619290160\1672431010" -childID 1 -isForBrowser -prefsHandle 2080 -prefMapHandle 2076 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 908 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {149303c2-d568-4f8a-9007-44d4702821d1} 1720 "\\.\pipe\gecko-crash-server-pipe.1720" 2092 1ac96c58 tab
        6⤵
        
        PID:1944
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1720.3.1762937154\2031760128" -childID 2 -isForBrowser -prefsHandle 2872 -prefMapHandle 2868 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 908 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c9e2bdd-479f-4258-b87b-3e71d7173733} 1720 "\\.\pipe\gecko-crash-server-pipe.1720" 2884 d31958 tab
        6⤵
        
        PID:2664
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1720.4.284934801\237070395" -childID 3 -isForBrowser -prefsHandle 700 -prefMapHandle 3396 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 908 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd194c37-2e3d-40ad-9fae-6346c21168cf} 1720 "\\.\pipe\gecko-crash-server-pipe.1720" 3596 1baf1358 tab
        6⤵
        
        PID:944
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1720.5.1880585216\1236178896" -childID 4 -isForBrowser -prefsHandle 3692 -prefMapHandle 3696 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 908 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d704c3f5-5902-403e-a4a0-826f6e51a27d} 1720 "\\.\pipe\gecko-crash-server-pipe.1720" 3680 1fc37658 tab
        6⤵
        
        PID:2596
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1720.6.1781306456\167759522" -childID 5 -isForBrowser -prefsHandle 3760 -prefMapHandle 3704 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 908 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {642fade1-02e9-4a63-8c31-47b4dd7af90e} 1720 "\\.\pipe\gecko-crash-server-pipe.1720" 3748 1fc5cb58 tab
        6⤵
        
        PID:1416
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aewedwsn.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2200
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF87.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDF86.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
- - C:\Users\Admin\AppData\Local\Temp\1000019101\c71420f51c.exe
    "C:\Users\Admin\AppData\Local\Temp\1000019101\c71420f51c.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:408
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
      4⤵
      PID:308
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1736
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1736.0.533844030\320088386" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1224 -prefsLen 21015 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {297c3bca-52d5-492d-898f-65c587d19f69} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" 1296 10fb7858 gpu
        6⤵
        
        PID:380
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1736.1.1820506230\1487330537" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21876 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86bcfb1c-9bd8-4b5e-b5c2-7272f37bee49} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" 1496 e71f58 socket
        6⤵
        
        PID:2588
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1736.2.1058914379\1882054032" -childID 1 -isForBrowser -prefsHandle 2068 -prefMapHandle 2064 -prefsLen 21914 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cd2e23f-5bc9-4e05-8769-1208eddde4f6} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" 2080 1aa7c358 tab
        6⤵
        
        PID:2356
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1736.3.1151962677\1373704255" -childID 2 -isForBrowser -prefsHandle 2668 -prefMapHandle 2664 -prefsLen 26292 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c94783a-2a18-4578-8e80-b45f32bb3158} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" 2680 e67b58 tab
        6⤵
        
        PID:1676
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1736.4.1646761790\1226819104" -childID 3 -isForBrowser -prefsHandle 3516 -prefMapHandle 3504 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc3b2546-3b50-4376-8513-0114e4cd6dd6} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" 3556 1b9d3258 tab
        6⤵
        
        PID:2764
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1736.5.1864092118\1661810723" -childID 4 -isForBrowser -prefsHandle 3664 -prefMapHandle 3668 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b32ad63-f517-48b9-ad08-0c6237840e92} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" 3652 1e22f058 tab
        6⤵
        
        PID:2580
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1736.6.821908163\1797837289" -childID 5 -isForBrowser -prefsHandle 3816 -prefMapHandle 3820 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {553121cc-e25b-40e6-bf6c-3109ac2fa362} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" 3576 1e230b58 tab
        6⤵
        
        PID:2524
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1736.7.1388399388\386460123" -childID 6 -isForBrowser -prefsHandle 3876 -prefMapHandle 3880 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {56e66620-250c-4a53-b20c-e0d297f8c41b} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" 3864 1ab59e58 tab
        6⤵
        
        PID:3236
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
      4⤵
      PID:2028
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
        5⤵
        Checks processor information in registry
        
        PID:2400
- - C:\Users\Admin\AppData\Local\Temp\1000020001\5878b15517.exe
    "C:\Users\Admin\AppData\Local\Temp\1000020001\5878b15517.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1732
    - - C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1304
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:2472
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:2212
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000018042\blo.ps1

Filesize
4KB

MD5
90019cfd00d043c3f6da5719cd344c62

SHA1
034bd2d68f4ec66b227ab7d31d2135e28d75b131

SHA256
1401c46006791e4d0fea52e9e98991df542eb0a24c50da4856f4ac1eda5cd4ec

SHA512
7e00c5eade73a95225f71574b48d66e19241943f47732ed4d352440e6fcfc7c44b8cc4bdfeaa51b04f7bb16b3a4cc2005e1a4b71c578c4dd0399fabbe997b1f2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\activity-stream.discovery_stream.json.tmp

Filesize
39KB

MD5
912debf7611667ec4a8fcd664321994d

SHA1
29e00b75a72451188057f9e1cf360c0483143bc7

SHA256
dc5cd9ff2979cc1ee1747de9026a0bbdea4ae2cce893274818c5591314199fba

SHA512
fc355f9ca1f858eee35da22d2775a4b45a121e8818cce4e73ed9e23d2a525b4830a87e33a0d59f269bfd6a4d8cc7605201b42d60e01e71f1d67da5c5b357f489

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2

Filesize
15KB

MD5
a6035ec56845d6969aa6bcaca5a754c0

SHA1
73bd4b67675cb454993d6e9f49105ebc6286a630

SHA256
7f22050ea4c8dc2ff8dd6257e87d728e8cef299ec7cceaba842a1b84ac5f446a

SHA512
a39d545536dd38a51fcfdf86983a65e5c671e37f76f22abfc886b49292bb1bfccff6cae81558a05bd4d5d5e268dbf082aeefd57f05fc5f720e78447a97e34aed

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

Filesize
9KB

MD5
3bd66b4a3b6eb868b66ef4195936b6c2

SHA1
c98777683757b272b21910b105e9b1dfb4a0c32a

SHA256
0dfedba413f29cc495f83c2d3c1b99616023f5f98bc865cc2226237d6a18754a

SHA512
f4dc2214aaabb20a67cc075473c6825775ae3ea8a13e13eb19485348b1fe286c06c956e7d609bf99fe4b24ec51cfdf17b5f5d383dd4634c92dd3556cff68763f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
6d5d5367114b1ddb151bca5665e6d053

SHA1
5407528695e8951edad673cdeab41de555e1bf0e

SHA256
2d6f31c8c3479d83242e5d8220ae8ace5f06f708f923d45c3d37ce4bedeffc31

SHA512
dfbe5ba5ebe545cb0f291648f2297bc168700f0cefeaf8f4542f2db13400d3d911ba281d168277e797b70026259509b76912d02b2615536b984180706888e207

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
15KB

MD5
e45212baf050fea8cb9edcac0351da99

SHA1
a4ebef2cf206e604aa6d598e6433ddc8ce682aff

SHA256
9f354e0c142a3e9a13a78911fc28310572f57605e235c2ba33e5eb8bfd21c24a

SHA512
bf447c6dbadbb7c964ab08ddce0338451651503426a82b9c1e337d38440e70714cba0d5c3b5e1d2dca65270b01d153b685f682a98cff55bcc114d3c05fce9bcf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\startupCache\scriptCache-child.bin

Filesize
458KB

MD5
ba124be5761a8fbe221625fec2d7ee84

SHA1
f8617b00ee3c0d312c28852369da1878d564ad73

SHA256
2f4592abf022de009ea331c95b31ef760e78efa67b20c7d66b054e8914d027dd

SHA512
53ce61703079932f08d881d51daa75f46a808b1ce64c1c0c85d56b6af2e6922294ffb7245ffa6375b8106ffd6e9750612f1ce53b97d955e792a707a2c277cbeb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\startupCache\scriptCache.bin

Filesize
7.9MB

MD5
a2eb899b6a832c1f3e14e8f54816915a

SHA1
055129abffdc38196c7eacedc9c020d6079c6818

SHA256
a3b122469193a2125456232eaebfe4fcab5fd0c8bd0662c1d5652d27d3dcd5db

SHA512
0cc24967fd83d695cc85a7a9f4fe5663028804243ed13aa2e458fc722887616b0198f20ded528d7e56be3fe48cb0745885c841c161a4656c597a4c4047321c66

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
9e2a8d9a3b4ceb287d82dac9db23b3f4

SHA1
e7ef82975d6d84231dd84cf7c31acf224efe4528

SHA256
3508c1e1e23c2551d52fdcdcf20b4e4e3ef2f1cde1417f06cfee9afdf0ddb7ac

SHA512
e02335e4fc544365519d4b8659c2e9e4aeafb22c1cb87d5924eeb288756ad993605575d70c9e3d41811f3724f4e6413e632af61507e65aa2624abba94201782e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\e34c91c0d5.exe

Filesize
1.8MB

MD5
d512cd419c532fc7d6c3a5c6c4a303a3

SHA1
3ea05f000ad46070d41e449b3f1b7419144d98ff

SHA256
d1dc3eca3c7794fee2ef250e63d99101aaae555751ab83eefa9f8952a7f2c7d9

SHA512
c92c15990c12770d75310b8ee32181ce165348c898cb8665afd28be7e4224f0876ba7aab2667246e393c90ad3facab79fd03b4876d5b086d436d52188954c448

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

Filesize
312KB

MD5
389881b424cf4d7ec66de13f01c7232a

SHA1
d3bc5a793c1b8910e1ecc762b69b3866e4c5ba78

SHA256
9d1211b3869ca43840b7da1677b257ad37521aab47719c6fcfe343121760b746

SHA512
2b9517d5d9d972e8754a08863a29e3d3e3cfde58e20d433c85546c2298aad50ac8b069cafd5abb3c86e24263d662c6e1ea23c0745a2668dfd215ddbdfbd1ab96

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019101\c71420f51c.exe

Filesize
900KB

MD5
5d8d57a3729cfbbaba4e3e60d6bef3d8

SHA1
5c1c7352807360845a264980c17fa5dccf4a0498

SHA256
a11d5ba1eb5d8d3d5b6e29caf6c4fa6c3a74a28b66fcf29ab46891d2ff9747b3

SHA512
7145ae65934de9d06b0a6813c4e542ed97cb7789beb28e34d492a732204bc312d2a0382e185875b8749911edde0dcbf22d83560f45e7399533ed3fe47425a8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\5878b15517.exe

Filesize
1.8MB

MD5
6a6234ce6830b57e0f1fa2e728e7e8d1

SHA1
92d0e6aeba51aeb9d79196d06be442768f1a78c9

SHA256
edc95e00991bbd33ceb4cb2cfd88aa714011ed69296ec62cc40c0be6c83450f3

SHA512
926eca735e4b3eac6cd6f178ce98721d50fc4f3aa8fd9bf49332c9d58b14ceb12ffb0bb029fb1162f771b8ad76d6c35f58b2ab4f99b77d5c81a29a55a2e7c50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDF87.tmp

Filesize
1KB

MD5
9a8b4d251cd5c71c40ff8ec70a626217

SHA1
7c93114bac7447c4fc25a1c21b0e8f06ca250bcb

SHA256
1cb7825ab08ca7b50c90f0ad7ade5627f27c68320adaf23b06cf4233374db697

SHA512
cf5b5973a67631f2133f9391971d02b276d68c81af743235777bf7bc83716968c212e307968fb1931fd51edf2448267eb5eb8afeb8528759bb22bbd6f6c2ab08

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpF806.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
1.8MB

MD5
604496f01be7b778d8a564c57677d644

SHA1
b3a7781e8a94cadb2450c4a3df11b4a2e94ef82c

SHA256
ad1e3f88d7d1c29836570f13b8b540dfdaca9434b9f47170b00cf54519c5edcc

SHA512
62b720afcefbf8ba96698d428859466dccd83e03440e06c2264557185ce415b18240dfaed46065cf2775d8f890f112ae2e5d88910b19166fa001c67e671426fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\aewedwsn.dll

Filesize
3KB

MD5
7a8b87f2633f3dfad329ecb73bf6eff8

SHA1
b223ec1d69361bc81b5d5113d8a7d54338168b3d

SHA256
4c35f16caa87c50cdb0c813a641a35198b84058d7cd4fd3f2c5874fc721763b1

SHA512
b8d5f92b879e578071c96e0275cca3db4365fcc21968bc3a135d46c0a514f86477d735c20d16c2f05ad52c9dadb1050dcad4ee281b7c7a50350facdb09298556

Download Submit
C:\Users\Admin\AppData\Local\Temp\aewedwsn.pdb

Filesize
7KB

MD5
ea65e1ed195bfae1eb5960a215c08562

SHA1
c4c012595c94d253c359914f759b6eff3e5be62b

SHA256
e5327121c048632467fcfe15bd1a336ff71587f5af41472f05d81dfdae147936

SHA512
ce3d01c67c4f3a2e4356c8949b9c2a2e5203300521844501d819c7ab5359d02a839817adb1a3885dab04f99d3613f3e75901b2d7d5d67f015d0adfd34a42146d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\AlternateServices.txt

Filesize
465B

MD5
51671c204005c5be607cb9ad15c9d639

SHA1
8fff9fc1eb82e2428f9cc4837543fce8087acf7f

SHA256
6f68107668923b1f2829bab08dbaa3bad1be9ec69050427ba33a4b3a987082ac

SHA512
94ce35d2bf4e8946600c5a1b1974447d1bc362611a28970eca3896eaa837f93f4a631399ee650c3206d0829dae1a81cb6f898f655fdfb88c663c0eab13ad0514

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\db\data.safe.bin

Filesize
4KB

MD5
4b31f69370d27c66114496f79f317285

SHA1
d21d14b0d63defe7c90a07ec5a609262c64c36f1

SHA256
1be53bd25d253bc7e0a594f338c83ea42aa4e880dbf3a5346cfefa1f53b2316c

SHA512
d9db694af67d94e8de77ca7e5d47f6d984da4c0b2a9b248ffb3c67b9036f19f9bd64417e7b0c10084def5d5ba00479da76e5666f71176797373ed75fd28f4f7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
dd8dc2450fc46d7016b83a3eb54c261b

SHA1
02190d93bed4f15ee11e057b239dff900bb4b647

SHA256
86d2414bb28f95177ca9edc7744ca2a7bc20eccf85b87f6d38f2d3e020a322b9

SHA512
72a4a82ca050957dcc6986649654c0ab8c6c37276a598df7fac5f799db0a05313cb75b76d2bc26ffb2cb7e6f3103440ea19773c3384dec7ba1ad4236d20fa69c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\05375d69-48a6-480e-b327-c1687bf40489

Filesize
656B

MD5
5dbfb70c1b5696ecf8f4e6230755a33e

SHA1
9964a9f7597ce487bd02d0867727724e60865d2e

SHA256
7c5f476baac7e5f6f801a817a097379524174713209af6c8177e9a7b9dfbb7da

SHA512
1efeb8681a594ebe71563b25bfe132fa9a6fbc4498e04d85254f5cf551995c36ad5d88af58709ddcf731017d377f3759fb764753dcb5c24a892660132c00ff3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\aec3e0e6-9084-45eb-a5ce-98439b1ee7f0

Filesize
745B

MD5
07dba92ede1f3a00bbe0baa23328bfad

SHA1
8696c06d4b10a835c91981f2f8dcbb47e20d0b81

SHA256
ae781e33a46fe0761e15a9058409d77dd84a34476970187cb3b6ac9c52f070d1

SHA512
d6ebf5cee135ddb1022338ab23cf6bfc8d6bb78734413d084be66ff6e90a49c58d8cb0438ebf15e0881cdc9b7b3fba0ba6205f1d5eb0e301b29191397bd8ce21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\b1747275-391e-4dd7-bfb1-6d0ed6650632

Filesize
12KB

MD5
fa0aa510463b146792b5b940e5d39dd2

SHA1
45a316d7a31d7ce3253a463fadddec4e01f29d5a

SHA256
06573e697378012056438741c4ee0ec939cfb3b8c6511f869e88fe2a6d55b0a1

SHA512
2dfedafdc9bd0cc44d441a13b56eb67e9aae8c407053589a7d64a97315ec150bf0ec8fc22ea3a40c0d22bdb2505424b20cc4990b17fefbd55433fd4507356238

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js

Filesize
6KB

MD5
e86a759676240c7189df6ecc67d41570

SHA1
473fd6f4b4032f633db4662a3716c5237058b782

SHA256
53f8dea42091f2c00b1bd87c24bd8ff153e49e8a90e71ed391c8ed3395eb17bd

SHA512
859f4e06ae67104372efd581423d753e303c66bd37dd6aeb01d8d06cb799ac28e0587483a0240a3937b7fe3d39b5b29b06e412b3eda6c78aae9f8aa31191c594

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js

Filesize
6KB

MD5
1f92f8061027f824eb65db13ad2133e8

SHA1
a0948e23b31a401bb522387a32e57d7330ce9423

SHA256
b4d019cc7fb104a9722032a2c3a38d85f3b349e129ea9e1e2ef645c53374c30a

SHA512
2520e0db617c7f4d0854a94440c79c7cfeba4a92fd6d3213ab8cce7497629fad152dd7228dd60239ee5edf074d73e09ecd7cb9997b085d67094651dabad44964

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js

Filesize
6KB

MD5
9af5abb8de843150dd3613c43c31fa54

SHA1
4695473861b4ecf254ef6b60eb9ff179abdee175

SHA256
386a71a113daf2272b806608df0ddc0d016023fa9aea28ead76de75a7c6ded29

SHA512
c26f54b489157afd9ca74dc3de6b7a9f655a531373a01d89cf5aef817a1c697363baa7181bc4cf26302a084febce1c476b041ec0b9753646d3a84a8684922cc6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js

Filesize
7KB

MD5
e1f25c9e54a90c53e3501fb6747742ba

SHA1
dfafeaa8cab3191e135c29e2d15049417c7c7ddd

SHA256
9c65d30c4136be05610ba5de0e5911ebe8c46462d956141e5781d417781a0968

SHA512
325f57bc0908cf7ded4d05b051cc25eff744f0ef21b7b8a6995b98274b7a698892a5e051af378d7d6314ab90c8963edb820a6a0793a94e0233ce5cc1a4d39af2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs.js

Filesize
6KB

MD5
db7a90ce151d94838843a0293d01ff61

SHA1
4e2208e5481d4d80230f37dc5e55b5156d93b62e

SHA256
d06fe32beb6d5b832cfbc33e6710f857f7c2044a8318576ec4f148a50ce7eddb

SHA512
f4eba0ec9b594439c372e557725105ced65f40e68a6a08dfacd7188a0f6c4f29b080dec9d3c1469848048e203243481763e9fa3b342d6296e6d23c5f2e403047

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\protections.sqlite

Filesize
64KB

MD5
deeced8825e857ead7ba3784966be7be

SHA1
e72a09807d97d0aeb8baedd537f2489306e25490

SHA256
b9f022442a1506e592bf51284091a8a7fe17580b165d07e70c06fd6827343a54

SHA512
01d303232d6481af322137b44fef6c2a584f0643c48bab2836f9fe3193207015da7f7514fe338500ae4469651e3d9618293858ae507e722198a249257677099e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionCheckpoints.json

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
940B

MD5
2a9402b4fcc9ab5179be654189a58424

SHA1
4b0c01ef6619fdddbf17cb3540df63faed688622

SHA256
3c421dc0e36b2726a4df1b5666a7afccfdc0aec2dda2dde748fdda3d16c59bf2

SHA512
1a8d53b49dfac6b7c329dfe8213f58dc1c17cea4cb0ef6dce3a06b04e5bf87d22109afac66319f6411cb999d806f02f43a2dde5aafd5836804256c114d6d8600

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
648B

MD5
c0ff1bb13b39139d3b2f5d06743ede8e

SHA1
1b61f5f39e96aca376073e385ce7a18c93df9e8a

SHA256
876d604368accb81b43aed55fdcf8743d1c835bfe71a5e59772eccf57b6d7f4f

SHA512
5bc9a74a7f91ca8a042e3e54b4d410ba2bfbdcaecd081d2f3c18989a3e4965948f760f688126a4ba3464ab8f8fffe34343c37eecdf9480f4e3e70c6f84f8f3b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1021B

MD5
052fedd0f3ddb5419c37977b5605a222

SHA1
1bed711c4e40e70a64c784c5e19bc58f5454572e

SHA256
0482e2fc8771050142ce78fb54090fb663b9e624dc8db5f1240605fa123e8bb6

SHA512
133de1643318f82e0ec9107f039ebe47b6920d01bcfe9b71763ff728c918df71784b8005e9bcb7c08f54e76750b9a48f6591fb1c5fee1f45590090d2f9a1f102

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
940B

MD5
e94a9954a4d66c1a6f98ffd27a2db121

SHA1
77bc18dcb929c66763114c785d2197c7a05d21b6

SHA256
0c5aa17f2d041c12ec4d159d62901493880af2cc2864e54a939532fe158227e6

SHA512
e923c6246c38564b201c49bc3abfce3f116343887ef33a24f3c330d73ae299dc22d34f78ce3d24e9be30b46442aced6ccdcc9103e3a6d18f1c7ff6e83e7e27ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore.jsonlz4

Filesize
391B

MD5
aaf67ffba745b9278a5d5177b17f8b05

SHA1
57b1b9fec379b399cceb1adbe8411f11da9dbc23

SHA256
1257893f20677b3feda154a87e0f6a4488ba1e600a84f6b866b06e8646c1d1a9

SHA512
492bbbb667340344967c23d1bda97d92af47e8dfb73f9c15c1f21f8e931768e6e30f3471c36fc49532868afa1edc6812cc4c79ac182d104c4043367afcc3156d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
76fdfeee466c4ba1ba999313fdb60979

SHA1
537dc6e028bfdec37c50351d03d04905f0f1c666

SHA256
df4f74a752204b80cccab8e59165a609d3772c2833d1d1600978b2ae04e0fcfd

SHA512
4c5f289fd73b4dd3eab77066b744f727e2a4fc52c371351afc8059bacdb40bccaa717fa3671ad590309e5b16a8b3678078824da2a139f0ec988c0053ad92fab2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\xulstore.json

Filesize
120B

MD5
05e1ddb4298be4c948c3ae839859c3e9

SHA1
ea9195602eeed8d06644026809e07b3ad29335e5

SHA256
1c2c5d5211674c3c8473e0589085499471399e53e9a85d7dd3b075fef6cbb6be

SHA512
3177b48cd0c877821419d7e5eb247a4c899bc37258994f22257ceaafefb316e6f5959faae02e380e432d7752f0218d45d56d6878c1e751d201d9fdb3ff98612e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDF86.tmp

Filesize
652B

MD5
ef856f87da62966846c290bc4604b8ab

SHA1
df1c3e1f3df3481cb584cddd4233ad5f0459e9eb

SHA256
bef5b2ce9c36a9a5fb9fcc2b5753ae7bd6ea13345e906c587beaca7e11a67ad0

SHA512
f2e441171a0a02c3108fbc5b0f9b12729f5cba1e1d31cba491e0a7aac6e361afd49fd9542432bebde2d2a146e99108be0bb90ba16431410966e41eea42a6cd12

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aewedwsn.0.cs

Filesize
580B

MD5
d83df3d6161b621f56402401dddd6195

SHA1
4a658a72eae666d8e1431bec08cf8be55a4180c4

SHA256
940b2536894a381f4eaeeda3289a969ef8c50e2c3988ffdee26b4fc70cc18f37

SHA512
b7280b953c85e054387a6e5429aef3e607c6332621983cdfbd01277c40fb54af07a2badb0743270104a5d17c99eaa9438072abbda728f8104ea634642fff6a2d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aewedwsn.cmdline

Filesize
309B

MD5
bae6af149b2aae9c05182e51e0ed18c5

SHA1
07caf7d298c09c920877cd49026a62424ea644be

SHA256
5139a0e73a402bff9b916cd90d665bc2e196a362dfcb52f7e294ed438ea5b386

SHA512
bec67046abd930a13dc92a938cce929534ee1f0435c66ec18007ac98efb62b0d24d3f2e10ca8717a8f154e157ca31024e54de0485f01137a7a999c70c6cc44cf

Download Submit
memory/592-43-0x00000000002D0000-0x000000000096A000-memory.dmp

Filesize
6.6MB

Download
memory/592-45-0x00000000002D0000-0x000000000096A000-memory.dmp

Filesize
6.6MB

Download
memory/1304-391-0x00000000012B0000-0x0000000001304000-memory.dmp

Filesize
336KB

Download
memory/1700-66-0x0000000000B20000-0x00000000011BA000-memory.dmp

Filesize
6.6MB

Download
memory/1700-65-0x0000000000B20000-0x00000000011BA000-memory.dmp

Filesize
6.6MB

Download
memory/1732-498-0x0000000001190000-0x0000000001639000-memory.dmp

Filesize
4.7MB

Download
memory/1732-568-0x0000000001190000-0x0000000001639000-memory.dmp

Filesize
4.7MB

Download
memory/1732-554-0x0000000001190000-0x0000000001639000-memory.dmp

Filesize
4.7MB

Download
memory/1732-480-0x0000000001190000-0x0000000001639000-memory.dmp

Filesize
4.7MB

Download
memory/1732-556-0x0000000001190000-0x0000000001639000-memory.dmp

Filesize
4.7MB

Download
memory/1732-566-0x0000000001190000-0x0000000001639000-memory.dmp

Filesize
4.7MB

Download
memory/1732-446-0x0000000001190000-0x0000000001639000-memory.dmp

Filesize
4.7MB

Download
memory/1732-526-0x0000000001190000-0x0000000001639000-memory.dmp

Filesize
4.7MB

Download
memory/1732-436-0x0000000001190000-0x0000000001639000-memory.dmp

Filesize
4.7MB

Download
memory/1732-430-0x0000000001190000-0x0000000001639000-memory.dmp

Filesize
4.7MB

Download
memory/1732-574-0x0000000001190000-0x0000000001639000-memory.dmp

Filesize
4.7MB

Download
memory/1732-504-0x0000000001190000-0x0000000001639000-memory.dmp

Filesize
4.7MB

Download
memory/1732-365-0x0000000001190000-0x0000000001639000-memory.dmp

Filesize
4.7MB

Download
memory/1732-532-0x0000000001190000-0x0000000001639000-memory.dmp

Filesize
4.7MB

Download
memory/2096-2-0x00000000003E1000-0x000000000040F000-memory.dmp

Filesize
184KB

Download
memory/2096-1-0x0000000077B30000-0x0000000077B32000-memory.dmp

Filesize
8KB

Download
memory/2096-0-0x00000000003E0000-0x00000000008AD000-memory.dmp

Filesize
4.8MB

Download
memory/2096-4-0x00000000003E0000-0x00000000008AD000-memory.dmp

Filesize
4.8MB

Download
memory/2096-6-0x00000000003E0000-0x00000000008AD000-memory.dmp

Filesize
4.8MB

Download
memory/2096-3-0x00000000003E0000-0x00000000008AD000-memory.dmp

Filesize
4.8MB

Download
memory/2096-15-0x00000000003E0000-0x00000000008AD000-memory.dmp

Filesize
4.8MB

Download
memory/2472-363-0x0000000000D30000-0x00000000011D9000-memory.dmp

Filesize
4.7MB

Download
memory/2472-308-0x0000000000D30000-0x00000000011D9000-memory.dmp

Filesize
4.7MB

Download
memory/2828-525-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-497-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-64-0x0000000006870000-0x0000000006F0A000-memory.dmp

Filesize
6.6MB

Download
memory/2828-573-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-56-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-567-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-364-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-428-0x0000000006870000-0x0000000006D19000-memory.dmp

Filesize
4.7MB

Download
memory/2828-303-0x0000000006870000-0x0000000006F0A000-memory.dmp

Filesize
6.6MB

Download
memory/2828-435-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-17-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-565-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-445-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-18-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-19-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-309-0x0000000006870000-0x0000000006F0A000-memory.dmp

Filesize
6.6MB

Download
memory/2828-479-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-306-0x0000000006870000-0x0000000006D19000-memory.dmp

Filesize
4.7MB

Download
memory/2828-21-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-150-0x0000000006870000-0x0000000006F0A000-memory.dmp

Filesize
6.6MB

Download
memory/2828-22-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-503-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-23-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-42-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-254-0x0000000006870000-0x0000000006F0A000-memory.dmp

Filesize
6.6MB

Download
memory/2828-555-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-41-0x0000000006870000-0x0000000006F0A000-memory.dmp

Filesize
6.6MB

Download
memory/2828-531-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/2828-40-0x0000000006870000-0x0000000006F0A000-memory.dmp

Filesize
6.6MB

Download
memory/2828-63-0x0000000006870000-0x0000000006F0A000-memory.dmp

Filesize
6.6MB

Download
memory/2828-553-0x0000000000060000-0x000000000052D000-memory.dmp

Filesize
4.8MB

Download
memory/3052-406-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3052-400-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3052-403-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3052-405-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3052-402-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3052-395-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3052-396-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3052-398-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download