Overview

overview

10

Static

static

3

2IHJC_file.exe

windows7-x64

10

2IHJC_file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2024 03:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2IHJC_file.exe

  • Size

    1.8MB

  • MD5

    5ca58d76edc0e7291bf3d6bad7edbbe9

  • SHA1

    694124bf2e8d817b7f188706bbc49d0088317fe2

  • SHA256

    d4e13faefc09eb85be337713e8899e9f6761d45593e33d19b14ac6f986b2a103

  • SHA512

    82b990ce963247c140161ce9ab28c79c5b4d648ddf46d622e152e3c0d79842be1cf1009a493b7af37b83976f36c05b56e353c6f7166dfc701979f87447f51fad

  • SSDEEP

    49152:JzqRbJAOwImTwJuvYsiI5kDbZF6j9FWHK:wRVA8xobiI566j9Aq

Score
10/10
amadeystealc9c9aa5marsdiscoveryevasionexecutionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

mars

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2IHJC_file.exe
    "C:\Users\Admin\AppData\Local\Temp\2IHJC_file.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4572
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1008595041\nig47lK.ps1"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1528
      • C:\Users\Admin\AppData\Local\Temp\1008610001\0287fbb7bd.exe
        "C:\Users\Admin\AppData\Local\Temp\1008610001\0287fbb7bd.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4996
      • C:\Users\Admin\AppData\Local\Temp\1008611001\2bf4be155f.exe
        "C:\Users\Admin\AppData\Local\Temp\1008611001\2bf4be155f.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1452
      • C:\Users\Admin\AppData\Local\Temp\1008612001\b160eb48a0.exe
        "C:\Users\Admin\AppData\Local\Temp\1008612001\b160eb48a0.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4724
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4556
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:624
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1684
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4968
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2364
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5092
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:5052
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1924 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9e4d085-5359-4b26-9b1d-ed0002f55b6b} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" gpu
              6⤵
                PID:1316
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7bce32b-0c96-4f0f-90d8-a5801b7b56dd} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" socket
                6⤵
                  PID:3060
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2744 -childID 1 -isForBrowser -prefsHandle 3060 -prefMapHandle 3056 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b61867e-21fe-4eff-9e7f-9d5910472921} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" tab
                  6⤵
                    PID:860
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3740 -childID 2 -isForBrowser -prefsHandle 3764 -prefMapHandle 3760 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c44d65c5-9148-4282-9b40-19ec6e47c97e} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" tab
                    6⤵
                      PID:1080
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4544 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4536 -prefMapHandle 4484 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39fe7dc1-bb9a-41ed-8249-ab4b6fd646fd} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" utility
                      6⤵
                      • Checks processor information in registry
                      PID:5144
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5328 -childID 3 -isForBrowser -prefsHandle 5308 -prefMapHandle 5280 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71d18363-5d18-4c6a-9667-6c917446f515} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" tab
                      6⤵
                        PID:5576
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5416 -childID 4 -isForBrowser -prefsHandle 4496 -prefMapHandle 5152 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3ade5df-4fa0-47f3-921d-35606881f0c8} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" tab
                        6⤵
                          PID:5624
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5580 -childID 5 -isForBrowser -prefsHandle 5588 -prefMapHandle 5592 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc80d2c5-19ad-46e5-ac53-737de53c8685} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" tab
                          6⤵
                            PID:5636
                    • C:\Users\Admin\AppData\Local\Temp\1008613001\6cd4bc1987.exe
                      "C:\Users\Admin\AppData\Local\Temp\1008613001\6cd4bc1987.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4320
                    • C:\Users\Admin\AppData\Local\Temp\1008616001\244d0290d0.exe
                      "C:\Users\Admin\AppData\Local\Temp\1008616001\244d0290d0.exe"
                      3⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4012
                    • C:\Users\Admin\AppData\Local\Temp\1008618001\05L6BBv.exe
                      "C:\Users\Admin\AppData\Local\Temp\1008618001\05L6BBv.exe"
                      3⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:5220
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:972
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4628

                Network

                MITRE ATT&CK Enterprise v15

                Reconnaissance

                Resource Development

                Initial Access

                Execution

                Command and Scripting Interpreter

                1
                T1059

                PowerShell

                1
                T1059.001

                Persistence

                Boot or Logon Autostart Execution

                1
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Create or Modify System Process

                1
                T1543

                Windows Service

                1
                T1543.003

                Privilege Escalation

                Boot or Logon Autostart Execution

                1
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Create or Modify System Process

                1
                T1543

                Windows Service

                1
                T1543.003

                Defense Evasion

                Impair Defenses

                2
                T1562

                Disable or Modify Tools

                2
                T1562.001

                Modify Registry

                3
                T1112

                Virtualization/Sandbox Evasion

                2
                T1497

                Credential Access

                Discovery

                Query Registry

                6
                T1012

                System Information Discovery

                4
                T1082

                System Location Discovery

                1
                T1614

                System Language Discovery

                1
                T1614.001

                Virtualization/Sandbox Evasion

                2
                T1497

                Lateral Movement

                Collection

                Command and Control

                Exfiltration

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\activity-stream.discovery_stream.json
                  Filesize

                  27KB

                  MD5

                  c4cea40a0c93778b9e138d7e0c6bbcbe

                  SHA1

                  925a630fa4cff1d48297e2d8f1278549ad6c4c3a

                  SHA256

                  78d8189e9b95245ba083267b92b6eb0a1cb84b2e87438b20c56ff5b213782f87

                  SHA512

                  cfe550a463285a609c73b54cd6d3bd86046f5c99a2ea190b65952090cbadb275e7f62a9bc8bf2398215ce76ba66a7bb200a421b386bb1a06d458d5e0b4229e46

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
                  Filesize

                  13KB

                  MD5

                  47493431e179f3c0e9884246e79f8c51

                  SHA1

                  001ba7ae648564d8dec4c5d9c9399b1b296d4fc7

                  SHA256

                  58c3c729045edf36c3df3b30a2ec2f3717e42b312dde951de226954cf0b7f13d

                  SHA512

                  3281d784fc002805b56b61c3a5a832e5e91a367302dc36d83cff923c8b5471c5eb1ca4d6fbf7d5994393f547b15bc96afea5dc667fcbc6ec48a75b152dcbd148

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1008594001\Dy0G0Gp.exe
                  Filesize

                  612B

                  MD5

                  e3eb0a1df437f3f97a64aca5952c8ea0

                  SHA1

                  7dd71afcfb14e105e80b0c0d7fce370a28a41f0a

                  SHA256

                  38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521

                  SHA512

                  43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1008610001\0287fbb7bd.exe
                  Filesize

                  1.8MB

                  MD5

                  64f25a20bc6a8730e6d230e5d63dac8e

                  SHA1

                  f1c8a90fefc9e7789013cf9228827634ad8410f3

                  SHA256

                  daa2f6c445600573a591de7b8ad352699dcc9ff8b5bd2e1a6f93dc373572ceae

                  SHA512

                  4b0e9001c5304b3deee2dd463ab5d310cf61423d773983994167093299878f28833772a746336aaa583b036a7a6510051602bc2064f7df983ae5999aae487c87

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1008611001\2bf4be155f.exe
                  Filesize

                  1.7MB

                  MD5

                  d3fb62af150353d3cb05f84d328d5601

                  SHA1

                  98be84b348beaf1abb2a9327c5918322e840a274

                  SHA256

                  3a0642019f4c38e2b2b89e00492dfa809723534f7753ce480e01482ca191b950

                  SHA512

                  428034b57853c7b0a9e1fd47590f9816a53ef497cad88bba5bf1094a12089c2022ce75be1cfe760da9342ef8d3adb853d70d01fe05f2cc6622e9c6decb91d0aa

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1008612001\b160eb48a0.exe
                  Filesize

                  900KB

                  MD5

                  4676050a0ef5a185953ab79d47cb8585

                  SHA1

                  dec41077d44ded9ce6d7bcf29848ebf49a89b6fe

                  SHA256

                  bba632ef9970be97837b7cd9fad3df8c7a0f8476cb2bb8805e1f05c6b5167fd0

                  SHA512

                  3c5f5c50c9c75ebd664fe4b962f0b70791472f33e731dac34547aea673cd65253d31d51f146ad181ddd6bd173636ddf3d0768098d1ba1dd76d853f1e4d72e350

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1008613001\6cd4bc1987.exe
                  Filesize

                  2.6MB

                  MD5

                  439e7c18eefd3d53793669e1c9575d84

                  SHA1

                  8d6cf9ea7bcecbce59a28430636f3a6920b97d85

                  SHA256

                  0926fb4154569379a0a942b34acf902d259a7e8d89b0c033ca8858a5503e3965

                  SHA512

                  5f75a4b985dc1d05772a03a3cac8283be54c1cea5a4a6a093796b260b44f8f0ce0549ad979b31c06ae1ea16dd29a5c742ced0fc7f849940c07009df48cd59df9

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1008616001\244d0290d0.exe
                  Filesize

                  4.2MB

                  MD5

                  f35acf76c5ace4e007dc64fcde784dbe

                  SHA1

                  8c3fbdc41b3d357b06902049e2ad6f2e4d136344

                  SHA256

                  86088c0dfa1761f1989204ae2d46a3a0b3defaf379a2ccd0b81b0067aae8ec07

                  SHA512

                  81c0f7526b83b76e9dbf8fa1256baa0945df7337dc876f45b774651449ef98d776b371d0ec91ff771dad0e722bdb2358205bfeaefc5559e738da157111f3002a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1008618001\05L6BBv.exe
                  Filesize

                  243KB

                  MD5

                  b73ecb016b35d5b7acb91125924525e5

                  SHA1

                  37fe45c0a85900d869a41f996dd19949f78c4ec4

                  SHA256

                  b3982e67820abc7b41818a7236232ce6de92689b76b6f152fab9ef302528566d

                  SHA512

                  0bea9890dbcd3afd2889d0e7c0f2746995169e7b424f58d4998c50bc49d2b37d30f5bd1845d3079b25f9963af2b71f136719cbd9fda37f7b85874992096b3e1d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3nriirlq.bbk.ps1
                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Filesize

                  1.8MB

                  MD5

                  5ca58d76edc0e7291bf3d6bad7edbbe9

                  SHA1

                  694124bf2e8d817b7f188706bbc49d0088317fe2

                  SHA256

                  d4e13faefc09eb85be337713e8899e9f6761d45593e33d19b14ac6f986b2a103

                  SHA512

                  82b990ce963247c140161ce9ab28c79c5b4d648ddf46d622e152e3c0d79842be1cf1009a493b7af37b83976f36c05b56e353c6f7166dfc701979f87447f51fad

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
                  Filesize

                  18KB

                  MD5

                  e6086c8bd70985171fb240bd5bf491e6

                  SHA1

                  e2d784dd51de0b9f8026ae2e986887e5b0b9a12e

                  SHA256

                  37b5595cec4957bcf9773169296137b60ad22d3842b314d327cdeb0c232800c3

                  SHA512

                  47aa0ba624940469b27701ea80c1a4039d06e6b4cd2dc1531809131cdfe99f0236a5257f081c5701fb407f2d15d4e2a1c26a364ab1ed983d4326c434eaefe6ae

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
                  Filesize

                  8KB

                  MD5

                  24609daf957114021633e120aff640ef

                  SHA1

                  237c415d7b53762a33216b5ddf81b10f62950fd1

                  SHA256

                  f0b96512f2951a0762c9869acf4d115a94ceaed7a7f88d980c5cedf85e152c67

                  SHA512

                  d6915bfe1f65c09282795e9d65218d947b4226ddb684db8b7e5bc5f8cdb48f31b63da9cc400d2b8b0ca2ac773d629d8ab5435c11057141a0992b2dd14852beb3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
                  Filesize

                  8KB

                  MD5

                  4d33af632e54e972a077f7bb90023106

                  SHA1

                  db960cdd09d5699ca3176874acbc32b2df17c1a5

                  SHA256

                  41f699e2bef0d666118d0dd4c89ca01da893d2959a84111112e106016f7c3748

                  SHA512

                  962154697921ee31e31e011b2eb3b18d75b1ccd8134bf4b728a5c87475a5c260a39d05b598b46068e92c3b3d6467364f690714c272b3256f0a7fb9288efd4cb9

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
                  Filesize

                  12KB

                  MD5

                  c36ab07a0338385dea590d686c2e72bf

                  SHA1

                  05276941bf783cd2f4d2142c496ded9ef86b5143

                  SHA256

                  e3ab69749db5ede321ae668f6e7a561a9962d4ef715f1cca6d7063e51a9e4a7a

                  SHA512

                  a3411c1bdbba666600533a3f4291c849aa724d351130c339e8508141b612d5309e975b623f220712e9e429a4fc084d1c5aed7b0285c371c1af48ae915ff47e00

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  21KB

                  MD5

                  a4ffbf458a4924613c3835f88b5c1885

                  SHA1

                  8825e3e7248a832930cc17384a09a00de9764bcf

                  SHA256

                  23e2a19d209220b109ff19319b80e7825bf944e7c6680a6f816253d5a4c90e8d

                  SHA512

                  265f0808cc6b60a9b9ecae393cf284940a355b044f45492ddcefca7baf0788ac02b4d275bc6ff74a57b4441c8973ec2be07747e573bf2b0df737687d0422e7aa

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  22KB

                  MD5

                  a2fc1f01f857e4c8a79e83f8e6e94c74

                  SHA1

                  5f1828eed252d4e8bc57efbbf36fbf379b72b670

                  SHA256

                  75771de8886f12a16e1da7d7cfbfbedf66be1be9b5245c3e5f904227faaf8e04

                  SHA512

                  03eb0f708782023befd91a56f665902e60313f34f6dc7fd8a2801340926dd227b93503fd872040bf0bb1e853e1046ae233a4120074c375c9d48a719ae1dd356e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  25KB

                  MD5

                  122cb5b5ee6df80e3b13809cdb8df294

                  SHA1

                  795c84ce58387ab191d6dba7925837db56a4174c

                  SHA256

                  d7815877ed84ae56f04d772872fd3ef9028a7380bfdc9a7b99161108b8ac948c

                  SHA512

                  e5e2694cdbdaf7d91bcd332e6cb2c080f57dfe8637f5570b7315a1260480c6726343cd0ad51257c58dfd2d4b2e7e9a161311b0b61f0179d0bce40133603f7300

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\97aba873-cd31-457c-bacc-5581d02daf3c
                  Filesize

                  982B

                  MD5

                  15149859e1c560ffd5e632f36c2c8267

                  SHA1

                  cf7f81a634aab6a3bd8368531805a24629dfba6f

                  SHA256

                  8915f82ab2d50899b49b6d91243e50e61f7078fe371287f847ab9c095793684b

                  SHA512

                  6953e67b127a53e8b8b6b58f888adb10cf68c22456124109a6f15ea8296034002853977b642b7c3a63274475b67215137c7214fc1756690d1865a2f74584c7e8

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\c8d32e42-c6f5-4618-bbff-a6cd25e5f0f2
                  Filesize

                  659B

                  MD5

                  2fb4b3b1198ec282307c226ad1c10afe

                  SHA1

                  1322167340eb16ce1f8f0406bdb8dc522c4d7e1d

                  SHA256

                  53bd6ae7aeb7822de2797cd5183033d2fa883080ff13b138fa62db7842eeaf3c

                  SHA512

                  b7e169f40b8691182768c3448695df7ba85ab6ed907526993c1a247ae3c15af394d026c5a8ef28a32131addaafe56052961cb3e7fa460a43592b76ab198134e0

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs-1.js
                  Filesize

                  15KB

                  MD5

                  e90176d5c698f00a76b3e9dade2da4f4

                  SHA1

                  e1a6a4505468155ee550e50612db9e8a301fb9ee

                  SHA256

                  24ffb16af834233878f2622595481d84a9d17cbbeee280ffc5868b8b14edb865

                  SHA512

                  940bf94054e87d4ed73563357f96b70abc15743b54f3c120cb570c7b49e1079f85ef34eca47f91b4582a72282b0ff2ee90b3f49d8715196dafcf242d0fce4b82

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  7faa905067782f84647de79dc062bc7d

                  SHA1

                  5317a2a920ef1a1d8f1101f69338f28fac71f082

                  SHA256

                  c54c3ff817179bf7b272ac930422cec019806dde161919f9d60caee3a220eaf4

                  SHA512

                  d81c7d42ab642b0ea4983787365d0feba0396ccfa5128e0baaaf95e8b1ee413c5c5bbb0eeeb7cda90d85656bd7148e8006d11df36208b6d09f15f31d7e98575c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs.js
                  Filesize

                  11KB

                  MD5

                  5295c142d5765847df8bc580f899cdcc

                  SHA1

                  e338ef6f2469fbb95fa629fd6db02de0ad2e8415

                  SHA256

                  d7fbc4dd56bf3d1e15ea2bce73dda0a83458d5a7b7f1beab7c4b01ecf498a22f

                  SHA512

                  a7de10530f176c5bd83c9b5a10de87244a0fdf08e3be7b25a355e1a60c31fada1c6ad2e9055d27a7b6d2567163bfc51c305b23399f57438d303327ed1811e5b8

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  bf28f7a99b206921cdfa1fd77b616835

                  SHA1

                  b0877a33d155d4391448673852fdeb9078b1a8bb

                  SHA256

                  650ba1cd2b939f1fe6061a54ecbf99eebda1bd07852110e9dab259051c084433

                  SHA512

                  35af421c8571a9b8eaa22576c5d83bf1ee2e708c5b3d60e0705b133c23f45270e905cb759277f1f9b5e284ce4e5c890c75aaf9b573304d9bd604aec9f01af7d7

                  Download Submit

                • memory/972-689-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/972-708-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1452-125-0x0000000000260000-0x00000000008FB000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/1452-124-0x0000000000260000-0x00000000008FB000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/1528-65-0x00000000066A0000-0x00000000066EC000-memory.dmp

                  Filesize

                  304KB

                  Download

                • memory/1528-44-0x0000000005FA0000-0x0000000006006000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/1528-87-0x0000000007BE0000-0x0000000007BF4000-memory.dmp

                  Filesize

                  80KB

                  Download

                • memory/1528-88-0x0000000007C20000-0x0000000007C3A000-memory.dmp

                  Filesize

                  104KB

                  Download

                • memory/1528-89-0x0000000007C10000-0x0000000007C18000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/1528-86-0x0000000007BD0000-0x0000000007BDE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/1528-37-0x0000000072BAE000-0x0000000072BAF000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1528-108-0x0000000072BA0000-0x0000000073350000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/1528-84-0x0000000007BA0000-0x0000000007BB1000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/1528-83-0x0000000007C40000-0x0000000007CD6000-memory.dmp

                  Filesize

                  600KB

                  Download

                • memory/1528-82-0x0000000007A00000-0x0000000007A0A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1528-81-0x00000000079A0000-0x00000000079BA000-memory.dmp

                  Filesize

                  104KB

                  Download

                • memory/1528-38-0x0000000002D40000-0x0000000002D76000-memory.dmp

                  Filesize

                  216KB

                  Download

                • memory/1528-40-0x0000000005890000-0x0000000005EB8000-memory.dmp

                  Filesize

                  6.2MB

                  Download

                • memory/1528-80-0x0000000008050000-0x00000000086CA000-memory.dmp

                  Filesize

                  6.5MB

                  Download

                • memory/1528-41-0x0000000072BA0000-0x0000000073350000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/1528-79-0x0000000007870000-0x0000000007913000-memory.dmp

                  Filesize

                  652KB

                  Download

                • memory/1528-78-0x0000000007850000-0x000000000786E000-memory.dmp

                  Filesize

                  120KB

                  Download

                • memory/1528-68-0x000000006F430000-0x000000006F47C000-memory.dmp

                  Filesize

                  304KB

                  Download

                • memory/1528-42-0x0000000072BA0000-0x0000000073350000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/1528-43-0x00000000057A0000-0x00000000057C2000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/1528-67-0x0000000006C60000-0x0000000006C92000-memory.dmp

                  Filesize

                  200KB

                  Download

                • memory/1528-45-0x0000000006010000-0x0000000006076000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/1528-64-0x0000000006660000-0x000000000667E000-memory.dmp

                  Filesize

                  120KB

                  Download

                • memory/1528-55-0x0000000006080000-0x00000000063D4000-memory.dmp

                  Filesize

                  3.3MB

                  Download

                • memory/2204-4-0x0000000000CF0000-0x00000000011B5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/2204-16-0x0000000000CF0000-0x00000000011B5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/2204-0-0x0000000000CF0000-0x00000000011B5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/2204-1-0x0000000076FB4000-0x0000000076FB6000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2204-2-0x0000000000CF1000-0x0000000000D1F000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/2204-3-0x0000000000CF0000-0x00000000011B5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-858-0x00000000003E0000-0x0000000001031000-memory.dmp

                  Filesize

                  12.3MB

                  Download

                • memory/4012-524-0x00000000003E0000-0x0000000001031000-memory.dmp

                  Filesize

                  12.3MB

                  Download

                • memory/4012-777-0x00000000003E0000-0x0000000001031000-memory.dmp

                  Filesize

                  12.3MB

                  Download

                • memory/4012-568-0x00000000003E0000-0x0000000001031000-memory.dmp

                  Filesize

                  12.3MB

                  Download

                • memory/4012-569-0x00000000003E0000-0x0000000001031000-memory.dmp

                  Filesize

                  12.3MB

                  Download

                • memory/4320-355-0x0000000000590000-0x000000000083A000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/4320-173-0x0000000000590000-0x000000000083A000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/4320-567-0x0000000000590000-0x000000000083A000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/4320-557-0x0000000000590000-0x000000000083A000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/4320-364-0x0000000000590000-0x000000000083A000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/4572-20-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4572-556-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4572-19-0x00000000002E1000-0x000000000030F000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/4572-2798-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4572-17-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4572-2797-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4572-85-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4572-39-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4572-146-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4572-570-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4572-862-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4572-21-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4572-1742-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4572-2672-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4572-2782-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4572-2796-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4572-2790-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4572-2792-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4572-2795-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4628-2794-0x00000000002E0000-0x00000000007A5000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4996-145-0x0000000000D70000-0x000000000120B000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/4996-104-0x0000000000D70000-0x000000000120B000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/5220-555-0x00000000355E0000-0x00000000355F0000-memory.dmp

                  Filesize

                  64KB

                  Download