smokeloader | hxxp://amigo-light[.]mail[.]ru/

Analysis

max time kernel
2700s
max time network
2700s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-04-2022 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://amigo-light.mail.ru/

Score

10^/10

smokeloader vidar 706 backdoor discovery evasion spyware stealer suricata trojan

Malware Config

Extracted

Family

vidar

Version

39.9

Botnet

706

https://prophefliloc.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral3/memory/5112-270-0x0000000004950000-0x00000000049ED000-memory.dmp	family_vidar
behavioral3/memory/5112-271-0x0000000000400000-0x0000000002CC2000-memory.dmp	family_vidar

Executes dropped EXE 27 IoCs

Processes:

amigo_setup.exeamigo_setup.exef1c6f75dcc2aaa1f10665c23d0bdf435f01e303604608a25a4c7afa5bb3713ba.exe989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.exe989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmpDeviceDoctor.exeDeviceDoctor.exeDDTray.exeDeviceDoctor.exe8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe72339997aa5cf9d313e2c7a44b8649d343a057cd45a6b190036bbed489cd828a.exesetup_installer.exesetup_install.exejobiea_1.exejobiea_4.exejobiea_3.exejobiea_2.exejobiea_6.exejobiea_5.exejobiea_7.exejobiea_8.exejobiea_9.exejobiea_1.exechrome2.exesetup.exewinnetdriv.exe

pid	process
1636	amigo_setup.exe
2884	amigo_setup.exe
1520	f1c6f75dcc2aaa1f10665c23d0bdf435f01e303604608a25a4c7afa5bb3713ba.exe
2520	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.exe
2480	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
2412	DeviceDoctor.exe
2164	DeviceDoctor.exe
2864	DDTray.exe
4456	DeviceDoctor.exe
1092	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
2072	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
4716	72339997aa5cf9d313e2c7a44b8649d343a057cd45a6b190036bbed489cd828a.exe
1608	setup_installer.exe
3056	setup_install.exe
4736	jobiea_1.exe
4676	jobiea_4.exe
5112	jobiea_3.exe
2944	jobiea_2.exe
4456	jobiea_6.exe
2272	jobiea_5.exe
872	jobiea_7.exe
4356	jobiea_8.exe
3344	jobiea_9.exe
3844	jobiea_1.exe
4620	chrome2.exe
1096	setup.exe
4612	winnetdriv.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jobiea_7.exe989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmpDeviceDoctor.exeDDTray.exe72339997aa5cf9d313e2c7a44b8649d343a057cd45a6b190036bbed489cd828a.exesetup_installer.exejobiea_1.exejobiea_4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	jobiea_7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	DeviceDoctor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	DDTray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	72339997aa5cf9d313e2c7a44b8649d343a057cd45a6b190036bbed489cd828a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	jobiea_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	jobiea_4.exe

Loads dropped DLL 12 IoCs

Processes:

DeviceDoctor.exeDeviceDoctor.exeDeviceDoctor.exesetup_install.exe

pid	process
2412	DeviceDoctor.exe
2164	DeviceDoctor.exe
4456	DeviceDoctor.exe
2164	DeviceDoctor.exe
2164	DeviceDoctor.exe
3056	setup_install.exe
3056	setup_install.exe
3056	setup_install.exe
3056	setup_install.exe
3056	setup_install.exe
3056	setup_install.exe
3056	setup_install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

291 ipinfo.io
292 ipinfo.io

flow	ioc
291	ipinfo.io
292	ipinfo.io

Drops file in Program Files directory 25 IoCs

Processes:

989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmpDeviceDoctor.exeDeviceDoctor.exe

description	ioc	process
File created	C:\Program Files (x86)\Device Doctor\is-AV60C.tmp	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File created	C:\Program Files (x86)\Device Doctor\HomePage.url	DeviceDoctor.exe
File created	C:\Program Files (x86)\Device Doctor\is-CCMQ4.tmp	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File created	C:\Program Files (x86)\Device Doctor\is-NHR49.tmp	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File created	C:\Program Files (x86)\Device Doctor\is-PJVSR.tmp	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File opened for modification	C:\Program Files (x86)\Device Doctor\unins000.dat	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File opened for modification	C:\Program Files (x86)\Device Doctor\offreg.x86.dll	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File created	C:\Program Files (x86)\Device Doctor\is-KHSV6.tmp	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File created	C:\Program Files (x86)\Device Doctor\is-UNCM4.tmp	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File opened for modification	C:\Program Files (x86)\Device Doctor\DDTray.exe	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File opened for modification	C:\Program Files (x86)\Device Doctor\DeviceDoctor.chm	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File created	C:\Program Files (x86)\Device Doctor\is-62PAL.tmp	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File created	C:\Program Files (x86)\Device Doctor\is-TEH6B.tmp	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File opened for modification	C:\Program Files (x86)\Device Doctor\DDSchedule.exe	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File opened for modification	C:\Program Files (x86)\Device Doctor\DeviceDoctor.exe	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File opened for modification	C:\Program Files (x86)\Device Doctor\sqlite3.dll	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File created	C:\Program Files (x86)\Device Doctor\is-O8B07.tmp	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File created	C:\Program Files (x86)\Device Doctor\is-PV2DJ.tmp	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File created	C:\Program Files (x86)\Device Doctor\is-549SU.tmp	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File created	C:\Program Files (x86)\Device Doctor\is-P51B3.tmp	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File created	C:\Program Files (x86)\Device Doctor\is-EHA46.tmp	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File opened for modification	C:\Program Files (x86)\Device Doctor\restore.exe	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File opened for modification	C:\Program Files (x86)\Device Doctor\stub64.exe	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File created	C:\Program Files (x86)\Device Doctor\unins000.dat	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
File created	C:\Program Files (x86)\Device Doctor\7z.dll	DeviceDoctor.exe

Drops file in Windows directory 7 IoCs

Processes:

DeviceDoctor.exesetup.exe

description	ioc	process
File created	C:\Windows\INF\c_processor.PNF	DeviceDoctor.exe
File created	C:\Windows\winnetdriv.exe	setup.exe
File created	C:\Windows\INF\c_monitor.PNF	DeviceDoctor.exe
File created	C:\Windows\INF\c_volume.PNF	DeviceDoctor.exe
File created	C:\Windows\INF\c_diskdrive.PNF	DeviceDoctor.exe
File created	C:\Windows\INF\c_media.PNF	DeviceDoctor.exe
File created	C:\Windows\INF\c_display.PNF	DeviceDoctor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5096 3056 WerFault.exe setup_install.exe
3540 1020 WerFault.exe

pid	pid_target	process	target process
5096	3056	WerFault.exe	setup_install.exe
3540	1020	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

DeviceDoctor.exejobiea_2.exedwm.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jobiea_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0003	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ParentIdPrefix	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002\	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jobiea_2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UINumberDescFormat	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0004	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceCharacteristics	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E\	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004\	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E\	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003\	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	DeviceDoctor.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jobiea_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009\	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0004	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DeviceDoctor.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exejobiea_3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	jobiea_3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jobiea_3.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2204 schtasks.exe

pid	process
2204	schtasks.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

DeviceDoctor.exedwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	DeviceDoctor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	DeviceDoctor.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

3368 taskkill.exe
4156 taskkill.exe
5020 taskkill.exe

pid	process
3368	taskkill.exe
4156	taskkill.exe
5020	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

Processes:

8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "1"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "0"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "1"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "11000"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "0"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "0"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING \8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "1"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "1"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI \8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "0"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "1"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "1"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "1"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING \8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "1"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "0"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "1"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "1"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "0"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "11000"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "1"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "0"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI \8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "0"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "0"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "1"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "0"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "1"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "1"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "1"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "0"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "0"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe = "1"	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Modifies registry class 2 IoCs

Processes:

firefox.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

jobiea_3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	jobiea_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	jobiea_3.exe

NTFS ADS 6 IoCs

Processes:

firefox.exefirefox.exeamigo_setup.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\f1c6f75dcc2aaa1f10665c23d0bdf435f01e303604608a25a4c7afa5bb3713ba.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\72339997aa5cf9d313e2c7a44b8649d343a057cd45a6b190036bbed489cd828a.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\amigo_setup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Local\Temp\amigo_ldir_1636_27923\amigo_setup.exe\:Zone.Identifier:$DATA	amigo_setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmpDeviceDoctor.exeDeviceDoctor.exeDDTray.exeDeviceDoctor.exe8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exejobiea_2.exe

pid	process
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
2480	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
2480	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
2412	DeviceDoctor.exe
2412	DeviceDoctor.exe
2164	DeviceDoctor.exe
2164	DeviceDoctor.exe
2864	DDTray.exe
2864	DDTray.exe
4456	DeviceDoctor.exe
4456	DeviceDoctor.exe
1092	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
1092	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
1092	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
1092	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
1092	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
1092	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
1092	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
1092	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
1092	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
1092	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
1092	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
1092	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
2072	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
2072	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
2072	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
2072	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
2072	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
2072	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
2072	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
2072	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
2072	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
2072	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
2072	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
2072	8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
2944	jobiea_2.exe
2944	jobiea_2.exe
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2668
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

jobiea_2.exe

pid process

2944 jobiea_2.exe

pid	process
2668

pid	process
2944	jobiea_2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exetaskmgr.exefirefox.exe7zG.exe7zG.exetaskkill.exetaskkill.exetaskkill.exe7zG.exeDeviceDoctor.exe7zG.exejobiea_8.exejobiea_6.exedwm.exe

description	pid	process
Token: SeDebugPrivilege	2432	firefox.exe
Token: SeDebugPrivilege	2432	firefox.exe
Token: SeDebugPrivilege	3468	taskmgr.exe
Token: SeSystemProfilePrivilege	3468	taskmgr.exe
Token: SeCreateGlobalPrivilege	3468	taskmgr.exe
Token: 33	3468	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3468	taskmgr.exe
Token: SeDebugPrivilege	4688	firefox.exe
Token: SeDebugPrivilege	4688	firefox.exe
Token: SeDebugPrivilege	4688	firefox.exe
Token: SeRestorePrivilege	2172	7zG.exe
Token: 35	2172	7zG.exe
Token: SeSecurityPrivilege	2172	7zG.exe
Token: SeSecurityPrivilege	2172	7zG.exe
Token: SeDebugPrivilege	4688	firefox.exe
Token: SeRestorePrivilege	3796	7zG.exe
Token: 35	3796	7zG.exe
Token: SeSecurityPrivilege	3796	7zG.exe
Token: SeSecurityPrivilege	3796	7zG.exe
Token: SeDebugPrivilege	3368	taskkill.exe
Token: SeDebugPrivilege	4156	taskkill.exe
Token: SeDebugPrivilege	5020	taskkill.exe
Token: SeDebugPrivilege	4688	firefox.exe
Token: SeDebugPrivilege	4688	firefox.exe
Token: SeDebugPrivilege	4688	firefox.exe
Token: SeRestorePrivilege	4356	7zG.exe
Token: 35	4356	7zG.exe
Token: SeSecurityPrivilege	4356	7zG.exe
Token: SeSecurityPrivilege	4356	7zG.exe
Token: SeDebugPrivilege	2164	DeviceDoctor.exe
Token: SeIncreaseQuotaPrivilege	2164	DeviceDoctor.exe
Token: SeImpersonatePrivilege	2164	DeviceDoctor.exe
Token: SeLoadDriverPrivilege	2164	DeviceDoctor.exe
Token: SeBackupPrivilege	2164	DeviceDoctor.exe
Token: SeRestorePrivilege	2164	DeviceDoctor.exe
Token: SeBackupPrivilege	2164	DeviceDoctor.exe
Token: SeRestorePrivilege	2164	DeviceDoctor.exe
Token: SeBackupPrivilege	2164	DeviceDoctor.exe
Token: SeRestorePrivilege	2164	DeviceDoctor.exe
Token: SeBackupPrivilege	2164	DeviceDoctor.exe
Token: SeRestorePrivilege	2164	DeviceDoctor.exe
Token: SeBackupPrivilege	2164	DeviceDoctor.exe
Token: SeRestorePrivilege	2164	DeviceDoctor.exe
Token: SeBackupPrivilege	2164	DeviceDoctor.exe
Token: SeRestorePrivilege	2164	DeviceDoctor.exe
Token: SeDebugPrivilege	4688	firefox.exe
Token: SeRestorePrivilege	4448	7zG.exe
Token: 35	4448	7zG.exe
Token: SeSecurityPrivilege	4448	7zG.exe
Token: SeSecurityPrivilege	4448	7zG.exe
Token: SeDebugPrivilege	4356	jobiea_8.exe
Token: SeDebugPrivilege	4456	jobiea_6.exe
Token: SeShutdownPrivilege	2668
Token: SeCreatePagefilePrivilege	2668
Token: SeShutdownPrivilege	2668
Token: SeCreatePagefilePrivilege	2668
Token: SeCreateGlobalPrivilege	2284	dwm.exe
Token: SeChangeNotifyPrivilege	2284	dwm.exe
Token: 33	2284	dwm.exe
Token: SeIncBasePriorityPrivilege	2284	dwm.exe
Token: SeShutdownPrivilege	2668
Token: SeCreatePagefilePrivilege	2668
Token: SeShutdownPrivilege	2668
Token: SeCreatePagefilePrivilege	2668

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exetaskmgr.exefirefox.exe7zG.exe7zG.exe989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp7zG.exeDDTray.exeDeviceDoctor.exe7zG.exe

pid	process
2432	firefox.exe
2432	firefox.exe
2432	firefox.exe
2432	firefox.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
2172	7zG.exe
4688	firefox.exe
4688	firefox.exe
3796	7zG.exe
4688	firefox.exe
4688	firefox.exe
2480	989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
4356	7zG.exe
2864	DDTray.exe
2864	DDTray.exe
2864	DDTray.exe
2164	DeviceDoctor.exe
2164	DeviceDoctor.exe
4688	firefox.exe
4688	firefox.exe
4448	7zG.exe
2164	DeviceDoctor.exe
2164	DeviceDoctor.exe
2668
2668
2668

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exetaskmgr.exefirefox.exeDDTray.exe

pid	process
2432	firefox.exe
2432	firefox.exe
2432	firefox.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
2864	DDTray.exe
2864	DDTray.exe
2864	DDTray.exe
4688	firefox.exe
4688	firefox.exe
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668

Suspicious use of SetWindowsHookEx 63 IoCs

Processes:

firefox.exefirefox.exeDeviceDoctor.exe72339997aa5cf9d313e2c7a44b8649d343a057cd45a6b190036bbed489cd828a.exesetup_installer.exesetup_install.exejobiea_2.exejobiea_3.exejobiea_1.exejobiea_5.exejobiea_7.exejobiea_9.exejobiea_1.exesetup.exe

pid	process
2432	firefox.exe
2432	firefox.exe
2432	firefox.exe
2432	firefox.exe
2432	firefox.exe
2432	firefox.exe
2432	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
2164	DeviceDoctor.exe
2164	DeviceDoctor.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4716	72339997aa5cf9d313e2c7a44b8649d343a057cd45a6b190036bbed489cd828a.exe
1608	setup_installer.exe
3056	setup_install.exe
2944	jobiea_2.exe
5112	jobiea_3.exe
4736	jobiea_1.exe
2272	jobiea_5.exe
872	jobiea_7.exe
3344	jobiea_9.exe
3844	jobiea_1.exe
1096	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4832 wrote to memory of 2432	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 2432	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 2432	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 2432	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 2432	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 2432	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 2432	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 2432	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 2432	4832	firefox.exe	firefox.exe
PID 2432 wrote to memory of 4156	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 4156	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 3420	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 4024	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 4024	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 4024	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 4024	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 4024	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 4024	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 4024	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 4024	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 4024	2432	firefox.exe	firefox.exe
PID 2432 wrote to memory of 4024	2432	firefox.exe	firefox.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://amigo-light.mail.ru/
1⤵
- Suspicious use of WriteProcessMemory
PID:4832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://amigo-light.mail.ru/
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2432.0.626322549\1227076133" -parentBuildID 20200403170909 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 1 -prefMapSize 219989 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2432 "\\.\pipe\gecko-crash-server-pipe.2432" 1780 gpu
3⤵
PID:4156

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2432.3.1567127198\2066646043" -childID 1 -isForBrowser -prefsHandle 2448 -prefMapHandle 2440 -prefsLen 78 -prefMapSize 219989 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2432 "\\.\pipe\gecko-crash-server-pipe.2432" 2460 tab
3⤵
PID:3420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2432.13.492322857\1310026107" -childID 2 -isForBrowser -prefsHandle 3800 -prefMapHandle 3796 -prefsLen 6860 -prefMapSize 219989 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2432 "\\.\pipe\gecko-crash-server-pipe.2432" 3832 tab
3⤵
PID:4024

C:\Users\Admin\Downloads\amigo_setup.exe
"C:\Users\Admin\Downloads\amigo_setup.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
PID:1636

C:\Users\Admin\AppData\Local\Temp\amigo_ldir_1636_27923\amigo_setup.exe
C:\Users\Admin\AppData\Local\Temp\amigo_ldir_1636_27923\amigo_setup.exe --wi=1 --make-default=1 --attr=obpnff --rfr=900005 --cp
2⤵
- Executes dropped EXE
PID:2884

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3840

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4688

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.0.91512900\1724474341" -parentBuildID 20200403170909 -prefsHandle 1644 -prefMapHandle 1636 -prefsLen 1 -prefMapSize 220403 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 1728 gpu
3⤵
PID:816

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.3.624749840\1830830456" -childID 1 -isForBrowser -prefsHandle 2500 -prefMapHandle 2488 -prefsLen 404 -prefMapSize 220403 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 2504 tab
3⤵
PID:4776

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.13.1325378406\357093632" -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 2336 -prefsLen 6560 -prefMapSize 220403 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 3596 tab
3⤵
PID:3572

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2068

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52\" -spe -an -ai#7zMap24563:190:7zEvent31332
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2172

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\f1c6f75dcc2aaa1f10665c23d0bdf435f01e303604608a25a4c7afa5bb3713ba\" -spe -an -ai#7zMap15950:190:7zEvent17404
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3796

C:\Users\Admin\Desktop\f1c6f75dcc2aaa1f10665c23d0bdf435f01e303604608a25a4c7afa5bb3713ba.exe
"C:\Users\Admin\Desktop\f1c6f75dcc2aaa1f10665c23d0bdf435f01e303604608a25a4c7afa5bb3713ba.exe"
1⤵
- Executes dropped EXE
PID:1520

C:\Users\Admin\Desktop\989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.exe
"C:\Users\Admin\Desktop\989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.exe"
1⤵
- Executes dropped EXE
PID:2520

C:\Users\Admin\AppData\Local\Temp\is-LVTG8.tmp\989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LVTG8.tmp\989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.tmp" /SL5="$602CA,5738023,721408,C:\Users\Admin\Desktop\989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2480

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "DeviceDoctor.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "DDSchedule.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "DDTray.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Program Files (x86)\Device Doctor\DeviceDoctor.exe
"C:\Program Files (x86)\Device Doctor\DeviceDoctor.exe" /INSTALL
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Program Files (x86)\Device Doctor\DeviceDoctor.exe
"C:\Program Files (x86)\Device Doctor\DeviceDoctor.exe" /START
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2164

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Delete /TN "Device Doctor Schedule" /F
4⤵
PID:5024

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Delete /TN "Device Doctor Monitoring" /F
4⤵
PID:4524

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Device Doctor automatic scan and new device notifications" /TR "\"C:\Program Files (x86)\Device Doctor\DDTray.exe\"" /SC ONLOGON /RL HIGHEST /F
4⤵
- Creates scheduled task(s)
PID:2204

C:\Program Files (x86)\Device Doctor\DDTray.exe
"C:\Program Files (x86)\Device Doctor\DDTray.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2864

C:\Program Files (x86)\Device Doctor\DeviceDoctor.exe
"C:\Program Files (x86)\Device Doctor\DeviceDoctor.exe" /CHECKUPDATE
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4456

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce\" -spe -an -ai#7zMap1552:190:7zEvent26299
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4356

C:\Users\Admin\Downloads\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
"C:\Users\Admin\Downloads\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe"
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
PID:1092

C:\Users\Admin\Downloads\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe
"C:\Users\Admin\Downloads\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce\8cf318151897b3c240807d584ce49fcf75e9d62312a30ceb0c189730f1d787ce.exe"
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
PID:2072

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\72339997aa5cf9d313e2c7a44b8649d343a057cd45a6b190036bbed489cd828a\" -spe -an -ai#7zMap7552:190:7zEvent16110
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4448

C:\Users\Admin\Downloads\72339997aa5cf9d313e2c7a44b8649d343a057cd45a6b190036bbed489cd828a\72339997aa5cf9d313e2c7a44b8649d343a057cd45a6b190036bbed489cd828a.exe
"C:\Users\Admin\Downloads\72339997aa5cf9d313e2c7a44b8649d343a057cd45a6b190036bbed489cd828a\72339997aa5cf9d313e2c7a44b8649d343a057cd45a6b190036bbed489cd828a.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4716

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Users\Admin\AppData\Local\Temp\7zS8469BA5C\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8469BA5C\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_1.exe
4⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\7zS8469BA5C\jobiea_1.exe
jobiea_1.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4736

C:\Users\Admin\AppData\Local\Temp\7zS8469BA5C\jobiea_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8469BA5C\jobiea_1.exe" -a
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_2.exe
4⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\7zS8469BA5C\jobiea_2.exe
jobiea_2.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_3.exe
4⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\7zS8469BA5C\jobiea_3.exe
jobiea_3.exe
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_4.exe
4⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\7zS8469BA5C\jobiea_4.exe
jobiea_4.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:4676

C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
6⤵
- Executes dropped EXE
PID:4620

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1650731159 0
7⤵
- Executes dropped EXE
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_5.exe
4⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\7zS8469BA5C\jobiea_5.exe
jobiea_5.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_6.exe
4⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\7zS8469BA5C\jobiea_6.exe
jobiea_6.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_7.exe
4⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\7zS8469BA5C\jobiea_7.exe
jobiea_7.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_8.exe
4⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\7zS8469BA5C\jobiea_8.exe
jobiea_8.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_9.exe
4⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\7zS8469BA5C\jobiea_9.exe
jobiea_9.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 492
4⤵
- Program crash
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3056 -ip 3056
1⤵
PID:1772

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 1020 -ip 1020
1⤵
PID:1816

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1020 -s 3172
1⤵
- Program crash
PID:3540

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cache2\entries\06FC6B818235493BBBEC2B9CE6991189E8621F0C
Filesize
213KB

MD5
afc5ae5272cd06d89c964ebddf05972d

SHA1
81f0b119bca0c3dca9fe0b0dc9728072568b9716

SHA256
96b92e0c5048a8857bd20f511954e4c561c41e4ad064264a3c67c4f78a1fa95b

SHA512
a804c572fbfed50e7dc7b6a66374c971b0aa1eda85e3f51222f58c156f800a8c921a5da53467aa02df4a3198e03bfdfcdc74af937107adad876e3ac95e585ec8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cache2\entries\075194AE83D023F67C9C5C20DB6543A9D0E02049
Filesize
220KB

MD5
478053c004989f6f76b26e0b454c3e02

SHA1
7c09ddce6495405dbd1b4e2e5238d93ca3801f53

SHA256
32d168fe06d749710afb017d9094c9686bf76a5787d134611ce0f3ceb552a1de

SHA512
1b315b5221d0206ea0520ad548d05a238042c8ceb9f0e3ac463effaa335ba15c3617720f546a90cc8bd6a8e134986674c0c8688f89fa462e44dc43f55e5ebd25

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cache2\entries\0BAB0C836149B5E6E79B55F5F5EA347931BCA4CB
Filesize
1KB

MD5
0208cda4fbf545ac9a1ed412af1ede47

SHA1
ab0bf1659866a8b175c614baf07cc3c689c333b8

SHA256
552ce897b795b61738b6b595fdaf65f1366e9fb55466b99da02942c1b6d44ebb

SHA512
40316652738d331649a6b8c84a348684bcb7847ffd8a3fa3782fd22ff2cfdf33b924e28d8b4b0cccdf2df3d3618dd68ba9bc4d009f12c79c9447c13caf1d95d2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cache2\entries\194CFBA91A25FCD5D3BCFF9D45901DB273AA5CAD
Filesize
1KB

MD5
4cadeef1ad50f5003f1cffcc1d9374c2

SHA1
095fcd5fa9e2e972c043fe482a9b300bc2512930

SHA256
d1f325237b73e7a76a8282ff37fbb00130a0ed1bfdba6d9a614ab74a9a0788d9

SHA512
72ab91b0b121493d217854d09f819f1158ed7a2ebc420548dbb35bb8dfc2c41ee7f52f1509992bb1578f863d1815a16530ec553cee117271621cb6286b3105f3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cache2\entries\1C8CBD7AB6D54530CDE7FD60DBF2F63F9E388D6D
Filesize
18KB

MD5
9b2a22d5e055b1ee93339bb1aa327a22

SHA1
7303fce6de76d9295a5a9b22e725877e19cd6762

SHA256
db27d3e9e195d073a7b0c23dd241a4f3cc29769da86cfd434a474e248f9eb0be

SHA512
a151a24332c2109e9100ccdfb9489cdbe750df7034a5d96bd9c419736a0b63a260faaf24cf4ee6859f82c5b6391c7da4c8479ac6330eda47bef27c9f94020afa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cache2\entries\215DC01575062CB653438BA5AFFE08162ADB2194
Filesize
1KB

MD5
ebacdcdacdae32d289c9a12d869e36a6

SHA1
d78805e44462c8e8972f7e9a1eb46d182c9a97f5

SHA256
f04d75d10d943e407d20e55e27c55807daefba208715a45a6643db047dbe5d2c

SHA512
d7c54954a1503c4f591342ee28812043969cf716fe8cd025ed41c180bdfd8f53f20e1fc2578390a44d91b1d1848240e5c5df25f38404d1193479e641995c73ca

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cache2\entries\235D7C112869138E88EB456F003689E9F0373C02
Filesize
220KB

MD5
b3449ea61efea309aac125cfd8874700

SHA1
388b75d2459e929ba96d7f6d06d5c92497f4bbef

SHA256
26c491d423dfcb78a9282968bb4d9193026c63d894117f0b43e239f235d1406e

SHA512
92bf4eeb0dfd54b9ffd09b298b15b7bf3dcbe8a5370675c57a93089d2f035a9cef2efca64f42226c7daa3965683be01bf1f959afe81c2d958c51ec7e0f02232d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cache2\entries\2997A73C9F3EB38249522F9078508B2CB980928C
Filesize
1KB

MD5
68e75de520b84ae27ab099a9dca3e3eb

SHA1
341193c7923afae93a0e9330b3b691ddc07b4af3

SHA256
eb5453b7cff6408b1dff6acdfa6e7142c9bf8f32f1dfd8e82817f5e019f6abb4

SHA512
14110e936db7b714d1b482d753c97e5522119264d7a29b14fa720341d8d55da619224f38d75935112707d48bd76e4628d4af5024e980538192f392a8d4331b09

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cache2\entries\2E0C4058E084A83FFD5E59DF25634B4708213893
Filesize
20KB

MD5
5766aa7f6989cb25b556281074e9c44e

SHA1
c33471359728684fa8f51cedb60a0e354b2a0aa4

SHA256
78ced867cad3b461b0d96cb9b35f3b88a50d56d7585fb103a7c70c10f91b6809

SHA512
360d36feaeff08c19ebc746a155dc34ac749c943617050b1ee56815e76e1699691304a929d3b6e7fd060bea3ed2e02dd48983480a7a7757a5ca1224a7cdcf85d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cache2\entries\32F6B70E2739A32EEF02D95FCFFB1EF3ABFD4A76
Filesize
213KB

MD5
4f3ad21969fc65aa6e607e7e5d675023

SHA1
4bac8d6e73b1d1c04122ab5c9e101f24f53da90e

SHA256
144511a4d215f759b14199e2724a540a80490d46d30d0efe9c1abd103e71a988

SHA512
04efd7f799bcedbee406da7e4e0297fdf546e6d7c87346f44bf0381328d0f215bd9ae3157634923c39091ad2a423b42347c95c8fd01c5581463c1e8076ea900b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cache2\entries\37D4C2538200DB67979ED3940910BD2EC8688418
Filesize
157KB

MD5
cc9ae705d0ebf2ac554ccb7269948f80

SHA1
b91e7acc158515182bd8a9f6a89f5ec0e7cbcc52

SHA256
4f2737bf664515121bfe06ca7e5f4c0538c104ea4a971223100b7411f9fbf99f

SHA512
a16900e4969dd898980a66c5f273430398e741476582b5be1816c280330f7c1fd6bf37e590516d7e5d33aba7da395156a3af45faa167260240207783fc80065c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cache2\entries\4903E7ABE348ED39D98D1C844FB81A906D5ECA16
Filesize
9KB

MD5
fbd1c61a5775cd90925827dd52b913b8

SHA1
bbea5592a76d438e7bf9b0b6f4c88de84468e3a5

SHA256
75a98c20cb1c5e75ee257409968308316e0c7aa96389b94352524bd8a7821951

SHA512
99b068afc880d6bf5e5f205f1f96872dc3c2bde9a7aee2e2dbba6503cfc876ed2967147e39ce69799b4c7f2eaeba08e0a5991d79d7ecdcd95a1e39ee49a077bd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cache2\entries\53C5A63DD10FCCCBBB92D7F43CAB295FE10FD0AF
Filesize
1KB

MD5
cb0daccc9f17b1f9dc15fb2fb136323f

SHA1
decf425fc47233e22307f215ab681c39480a1555

SHA256
d6ce72696e0b616e39f102fa3bf0b9f2099ebc69663464044b4b3ba6d5a69a49

SHA512
8d25811d97d70f04c5b37a84a25813d9dc4b0457443f4144cef4c74539294a4877bb7fcf68d5f1b5ced79342ff329b9627f877e1e54f699c3ede23b584099bee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cache2\entries\5F144EFB84CD71651AB02773B712DD9389942D9C
Filesize
19KB

MD5
7d42c8587de731b4e85b2368af5efab5

SHA1
e86d0c0ecae9f62f37286a0da0b721230a4f14da

SHA256
813a7dd46645c089839234daea1bd8644152892650e6b6b7e027c077fed9ace6

SHA512
0739677dada4cc805cb1d3f046acf05e4ea1dcdeb3b499196b90f5f8244465928b0e66e95b4faf5b2a6ab15deadaffbd0124c293b789c65ff54c6f98e8566820

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cache2\entries\655E8A0863E307C99EFB92CE6918EB2455425FCB
Filesize
2KB

MD5
c090d70a5f296613a3ef47bd711aa06b

SHA1
91c1f142237ea4cb4ac668f959aba7edb73c30d9

SHA256
d1717a7da135f1f60179030f532cb0c6f9e06f96c23ffb4bb2738f15aa3a8f36

SHA512
7a53cbad885370aa496bd2331dcf007e3c5f4f78ba996e9c207ed348139bf1291365e1ec31db119e6f5e8e092af21fc0c1233b3fbfe9d1fe1c5893c47ad2288a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cache2\entries\67BEFD6A321CF88B55B2F07E0BC4AFDC66DD7DAB
Filesize
1KB

MD5
d3a1577c1a66aaf15fee18f88558a24d

SHA1
9ab8263d04660a63ac24bb258dbee3280f7051c7

SHA256
30dc7a6100e3f0366558ce8baae34489c9778cca555945f77b17322ea320772e

SHA512
fd12d8b59b7db7038820e6e1ad4a2dd965065f041224a9d65626cf7dbd2a525a78efb28de10ec9ec851a32af3d5803a656692cf8403c99a04742ee991d29541a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cache2\entries\6D4934FE31BFAF4563C9C133D9CEB4B986FB5CA0
Filesize
9KB

MD5
4847ac7bf81a57859b252bb312480d7f

SHA1
27ac29c33183ee113671276c6ebf4acf9dcb1d66

SHA256
222e177d95fb0db46d96aaca0c4e6519b4ffb443edc74863278f7879c52cb90a

SHA512
35f4578306d07989403092cc5130e1b3cab163f9d4c98141991fcc386c4215d6f4b73447c3d4d203f09815e929e99afaa0ad81c55ba5d4caa3b009f73ab5b9f2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cache2\entries\8507E971A5AE9DB2C48EC2CF56A84EC4C40BAC50
Filesize
14KB

MD5
f5e550605cae259739a869045fe20c78

SHA1
ff0733acff77892406262536d2c42f3f529f02b9

SHA256
987ee18f52c67209fc73b34bb91b255de8bcab065b12f0fc522e8ee2ac314741

SHA512
331c0abad34742952e41127ff8b2bfdc6ac5bbd486fc2cec16f3a01733508ca2a2c257464a21c4519bd3a7105fc634eeb0958e69cc8bfd0318d7add4d16bfdc6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cache2\entries\ED07F042F4253F704BFC7070ADB92A3EDC4588A0
Filesize
9KB

MD5
95b1fc72242e6ca43ed59d5d71c92472

SHA1
f49f4cada7de02622735876b9280a8119e775821

SHA256
54d30d199fc08474bbf952c5a88eb1eb037ab1fe56864a6ff1e692a29b4ba6fe

SHA512
6e3a1dd61af3c8c8e339245e5c26440b3a16d4d367e8f72880fc14580ff0c54daf8d6f3deab2a0821313bb4d99f9d0138cf2151a0e9341aeba55f4936a8b377b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\safebrowsing\ads-track-digest256.vlpset
Filesize
51KB

MD5
6c3605de4e50f585c2dad2819d138112

SHA1
4c647f39e09f9a3f16c982febbcca061ffa42652

SHA256
1983aa1c36d96d197aa522d6347f0ab6a62234294964f1d5889600c2ca6605d0

SHA512
b619f4fa7138b90ea92064fa9e614e978b014257a59a71738d2fd2382988d395c1d9d7aa362e90abe5acf82dbe786f860bdeff65684db16ab5b42ebd5f47fc44

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\safebrowsing\allow-flashallow-digest256.vlpset
Filesize
69B

MD5
de0d88480c24350c59e1e9a3583de0d1

SHA1
4e3c279344cb37deb5e893ab24770982de135789

SHA256
01ba9f0b913e04ed10bd7166796483dd4f72005f249d6ee68b12117be4b5d3c7

SHA512
f627c69598baa9bc60b036cea03fdadc8b4cc424ef8cdf93614275a336de05a60961f5e77553226c99c29ec2932272ae994327a4da77d75d2464f6722cb700aa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\safebrowsing\analytics-track-digest256.vlpset
Filesize
9KB

MD5
2b077f437067b52d00d4280df1b248a5

SHA1
19c10d8bdf159b9e53db9855d1d97a658d92c994

SHA256
a8cb2ff713acaba0b4612c5bfece51a5e5d436a739c0455a3731d1ef8e0eae12

SHA512
ba03b93b68e5cc0de34f890d7d112a1df0a17dcb451bd9c0761e087260fe9b3cb2afda9efb0b9d075cb722b77a859ca0b27c570a6db62a08b2fa9d30a04d00d5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\safebrowsing\base-cryptomining-track-digest256.vlpset
Filesize
2KB

MD5
f45cb33dfea35013b6d5951f464a7841

SHA1
21c9d73636871aafe063797059078fe2373d1233

SHA256
498ab828f2dff25b45deed474bebdbcfadac63a1cbba2e393162ab54bbc9f2e1

SHA512
88ff2955d709d53fe248b88beb3f6bc31a485c17c80c5ddb8ea91abf46b0a43bcaf7f357ea4ac09dfb1d7988f8b7b1034ded15c2861d9de01719c131cf72a27c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\safebrowsing\base-fingerprinting-track-digest256.vlpset
Filesize
2KB

MD5
cb73b8baffcd07ff5d1df58f8477370b

SHA1
3bdda94d12aea19a659c3b4035d0e613e18ca202

SHA256
1e063a0cbc2d947925265cabbbb0da6721b7e05361b1171316fca37e906226fa

SHA512
f5004c43ba0b5b48fae0c45c5f61c2a608a4ca3c61362cf27c51da7335597f9862f6c5a04e137bba16e92f3523e1009b5ca2542f52d478f56b946cebf2140712

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\safebrowsing\block-flash-digest256.vlpset
Filesize
6KB

MD5
130b9ac2beec5ada274561105d81ae36

SHA1
85a4785b34bb151da41bc0dfed380cceb7a29983

SHA256
7d99fec08182a5b95d18d1569edaa2c60c2aafbd15a56d8882f22f3b395e6460

SHA512
cbf32630bfe48fe6dd0e815f2e9752ca75c066bdfb5f12941f3278883b0530f1736b2d179801afc7ab4680be6ca9976c6e2e3705147d95503ef32cf730194631

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\safebrowsing\block-flashsubdoc-digest256.vlpset
Filesize
71KB

MD5
40165280ff1345b5241ec2a9d1da2af0

SHA1
c49f9172a6bba2dc4e91fa97defd161d9e87773e

SHA256
f80bdd5341d8b1ee946e344e258ef2d35c3c0bb6b13eb7b3e6a77467dfa8b97f

SHA512
b5ec96e5f786de54976de804491aaf01bd79dd48d81ec81e1a9d32157881b0e7690d3608ee18e60e4381291a1c179999f40e0b98f9483519084da268b4904c8e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\safebrowsing\content-track-digest256.vlpset
Filesize
15KB

MD5
9f355ca06a2c5eed2b13ab75dd4ca3d3

SHA1
16a014268d85c8b1cd476da2cfcf7aef79d5218c

SHA256
039695d5ea6e79797e1b2acb4aa95bcbbe3f4c53970abf28c68aef2b13f1a95e

SHA512
ace6b46c28c25ce5d87162566a882cf99b4a2512ac5fd9f0168ff9936d316af8652e775ebce8b1fc8b95d33844425da3a4832348115ead078d7b78a0b369b78f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\safebrowsing\except-flash-digest256.vlpset
Filesize
101B

MD5
c2994d388f8780c87d35c352d9582985

SHA1
b4e9ecdf3ecce53f072b7ce9e695ffcc17ea9f76

SHA256
7ed09f7d2bd632f70077a4ae4f2bd2f3fb654b03cd72652f51678b0c7d027f25

SHA512
60edd83f6e0ff782ab251579e0f3c113d3d5fff7ba7f3a8900cd4fd6bc7271921445e94b53073129db9529f0210750615318348307db650fd11ffaedaeb7bd15

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\safebrowsing\except-flashallow-digest256.vlpset
Filesize
69B

MD5
7194b6bff691a056852a51e2e06ce8fe

SHA1
0adb901d9e202ee31ce6a8131ff15e5ecca834f7

SHA256
cbe2dc6abfe25bead60f4dfaf419fc0f441ff8a8dd4a2febf5553be1cbd90c49

SHA512
b0d8240050a25b2ab754e8f260361298d0017e3a938e965a34b6db072380cb6167c4fa5e0c2293b46b1135207ce9242ce1441b77af8b07a3212a49000e8bbd36

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\safebrowsing\except-flashsubdoc-digest256.vlpset
Filesize
133B

MD5
0c0d67875bd75a0227c02dd8529ba01a

SHA1
2b12efb5e31bdac680b6283e2585eeea096fe73c

SHA256
614be0169ec36e67223eb9645a98da66dbfde5dfbb89bb064f428aaeabdd9d97

SHA512
8fb01246c4b7b4a2cf0379f931e0cd3ea5a32781078efdc4c4a5ac3bc496697957f6d15a0b6daaf562e48bd1b1ffbafe0583c59962689b030c4c5543cf8e2ce5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\safebrowsing\google-trackwhite-digest256.vlpset
Filesize
1.4MB

MD5
e54e5b84194eee15e64d2a03f1136bb7

SHA1
308413c74a49af1a575bc6f64fea33f9ad2f220d

SHA256
07707b589be3dba3bb0bdac67760a2b180ea3531e9d7976b73e4c1d8df9dbb1e

SHA512
f3bae1816db808c69871bd1a059236bf57982e90da5706adcc3359a200f1ec2c529be516be629fbdb5e7da8c3ea80000815d99c8c2c347440cacd9237bddd3b7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\safebrowsing\mozstd-trackwhite-digest256.vlpset
Filesize
293KB

MD5
dbd7544bf04db52719348298521f4ed4

SHA1
ab838a83ae023aadba87bcae62093e874393a0e6

SHA256
f87c0e78f812bf39363b1974ed20175e907cd6114173db31e1c7243f4d515dfd

SHA512
0ef0ba0a594bb019133a133b9edb73901e804c845a66d427686f32a48c9d1ba665623d3fcd10018c2415202fd3f722aa23420598ce892444b4574c108ce4d6e4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\safebrowsing\social-track-digest256.vlpset
Filesize
2KB

MD5
399e146c7c24fb3a69525f748f6742ab

SHA1
5a19c6f96244a65ec44af582956a9085407768a0

SHA256
11bddd57f215cf440ef5e41385a618123658be38b03097b547a9ac5220db425e

SHA512
3d280f40d78b0ef1b76fb8210f1d59edc5412208058d7f9448e14ff11c4e717505735c161979e2f84c4ccbcf4c4fa13ff3e8200b27ee2bb96e8d1180fca62e5e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\safebrowsing\social-tracking-protection-facebook-digest256.vlpset
Filesize
485B

MD5
c6e5d0e5cc6cabbb446b625d9a14f3ef

SHA1
2d46657ed7ddb6f4c295b90aea7c477f2560d4f4

SHA256
de974099351ab8e3b4945d3fae34a2d8bf43407921800719256cf29139f516e7

SHA512
6e30e2adc27654d3052fbdaa8c4bf6d2ea41687bea67cc80c412c0d07a6174211e633a1aace5629444ba9ab0289af9f56651b5ab9061bcbb820b04debe175098

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\safebrowsing\social-tracking-protection-linkedin-digest256.vlpset
Filesize
165B

MD5
e28d310df430e7b6d95d9c912fa94e2f

SHA1
6c54ae3b421f47b73260751c44584d4b1effbb16

SHA256
0f6bd075711185f73238b0cd030f84a6fa9ddc17d341a669aadd07b806a86626

SHA512
1dc3c42fd79042eb9d17746a6f5c3e46d3bcbf36bda2143b380a02519771c39870cef4e8031e29191505c125c52a73e20c8167e1c26c3458fd9b7c89f231f0ce

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\safebrowsing\social-tracking-protection-twitter-digest256.vlpset
Filesize
261B

MD5
dafe2c58eba7740af1a2bad64cef0f54

SHA1
f10d56c4c9d035744f46ed60690d7eab35952c27

SHA256
16093715575f4b5990d69d92459156f5843134a22135ff93185fbf109d64423d

SHA512
5e6e65b2e357e6dabb163496135b0269f4e6f19f230e2f5f51f17c18b3462280f83e48d621747aeb88eca016906acc9d6c05664b3f5d20ac6d90ba0aca41ba4c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\startupCache\scriptCache-child.bin
Filesize
667KB

MD5
c1ca216d0f45cec4874ab63a361a3a8c

SHA1
67443b0898901c8fedc35fa4f65c4789e3322a6c

SHA256
06f3b147f84360a78a51210bf49eb0fdeeac4cbaa74ea374e6449acdf9d89f30

SHA512
24ae4ef7bf2ce57427208e117b9143288e795d695c6a001df6440b4ff0e43e4e43193c28fbf74d874c41753f1cf450c7bb3cc0277d54f3e22a5ec550526a5c87

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\startupCache\scriptCache.bin
Filesize
6.7MB

MD5
f44163eac2dbd32078ec8aa42c543907

SHA1
f40385e1b25141a0ef3f23f2edd3c43b07bedb3d

SHA256
f5c661f4146b474d2940f645425cfccea47964a55b82302ffcfbbf10fdd63d0f

SHA512
becdb9db853e4a0e0f3bc8e96204f9c5846c010141ec450122fd31ff1c7115762cac25f750da98c81b3158ca7c1b363ea39f9b1a73531fdca223d7a74a309795

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\startupCache\startupCache.8.little
Filesize
1.6MB

MD5
047785683ae5207b3f9446442f9696d1

SHA1
2c94c2b32263222e388524640fd946b0ec57fd7b

SHA256
144a282269381c09094510422e8a759c09cb8c6d41b36baf3c5bf1395f1643ef

SHA512
5b0fb4d9440cfad69462e44b9840866dfb9a2dfe71eefb043f21e92df2436de8e5a29afdc43b9118267514297299a58b8512cbe1bed5e18bf8d64534e74da129

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\startupCache\urlCache.bin
Filesize
2KB

MD5
bc4d12c70264fb984e917f98210b51b7

SHA1
b35dbb971161e26a9ef2927484c7dd6b647c5239

SHA256
ac2d4465b4d09002d617ccc51a4ab81bcb7878bcd8736404520e6fc99e9667fb

SHA512
2e77e862274f69117b976d78961582bdbea54026a02f5dff7645b3404b84f80c6072a2e8673d820239be68e014054b10c2d1f63102ffc468bbacf8b3a4c7642c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\thumbnails\55436b0a5068d13e3d7856cc042fe37f.png
Filesize
19KB

MD5
3b46c1cb36cc7d6cbd0c05fdb8b93c64

SHA1
3a45632ed3be2fab146c2c5608acf97312e593e8

SHA256
a6236b4d120cb3f13773f8382f34a1260c7849364148ba34a6e0738fc74d34b6

SHA512
f6a749e151a2a9ce3ea741fb0bb63c0311231c3f3ede2edde650ae7085f1c5c0803f84d87ce80d28596cbb101673c01ca2e5b05f96cf8b2a0dd6b8e351e27a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\amigo_ldir_1636_27923\amigo_setup.exe
Filesize
402KB

MD5
149a6aeee20fc3b661b604cecfe309d2

SHA1
7ef2991d09383779dc58d2a9222dee10141d4e59

SHA256
175a54bf84a37444ce3ad26dc5260094c245c0f4fd9b0a8f76567d576db42f51

SHA512
3464230e6bd545c5c805fd5e44f6e49701848924a35fdab93ce674358efec68b1acd802fd5215026fa44760725995682a2afdac9f5e2a92fcf7f09b78096fbcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\amigo_ldir_1636_27923\amigo_setup.exe
Filesize
402KB

MD5
149a6aeee20fc3b661b604cecfe309d2

SHA1
7ef2991d09383779dc58d2a9222dee10141d4e59

SHA256
175a54bf84a37444ce3ad26dc5260094c245c0f4fd9b0a8f76567d576db42f51

SHA512
3464230e6bd545c5c805fd5e44f6e49701848924a35fdab93ce674358efec68b1acd802fd5215026fa44760725995682a2afdac9f5e2a92fcf7f09b78096fbcf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\F5UU7Y~1.DEF\cert9.db
Filesize
224KB

MD5
d2d07d4d149a3c83df007c72a3dece12

SHA1
ccfcd21bb2859f6789f86aa196ba6dd4f12c48b7

SHA256
35860ccfe0966ff4bad132aeeb892557d298a2a5bee8c90b161efd3cf6f77518

SHA512
13c2010fe0da5b4202720912a25efe1fbec20c30afe7b4fcc98d44368f63866ea6c013299ed54de5cd643ed057f0737be4c9732a45e29b27f78e078ddda3e6a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\SiteSecurityServiceState.txt
Filesize
622B

MD5
b91a43e1b895b271d7a2f15aae36234e

SHA1
bd76c72c39ffaa6abbd5b0b39a4177162f057743

SHA256
1b82df4a21a3b5355b098cc79d329743da31849fa545be6b3db2ae36ec0e9eff

SHA512
f784eb024ec3cea5c53a792b7ac84a4a645e235f1bb200eeec2b6ff5ad403e21f2c13b02e4893f481eeca7049e053faf937fca9044f3068a96c6ae97c2edb2a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\addonStartup.json.lz4
Filesize
1KB

MD5
bc4bd0071af0574fe57b6756f0b26071

SHA1
dfc6af6b87b58391f67679a24c28495503f9e75d

SHA256
2f0cb964330decccb1375985d126d6cd2fec171e344cdd6e21026fa9459d8ad3

SHA512
9cd3f9140a3beca18114253556281c48e0a2401d8e7bb01b518a0615caf6a1f4a8cece627c00caaf9cb3f7cf3a57a224ec5233682b5b3f8e933619b85488551d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\cookies.sqlite
Filesize
512KB

MD5
be7c17775b2f4f9b9c2e932bb471221f

SHA1
9cae1c923c2cc74bcac4795a56238f1a02c9db11

SHA256
ff20486c0a07fdfd3d8c4c5cdfe22d45696ea2697c31f6ebf9e412bca16b785f

SHA512
3eb3bb089a3d5ceb18013dd87d7c1050cb66249d6d0005a9150bfd31eb39af4a0e17fb9e2d01d0dc324c0e1b2cf75aca98095ecdaa5ff88a80d49eb3f2f06646

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\favicons.sqlite
Filesize
5.0MB

MD5
6086c1402cd3ad057655192e14f1f7ce

SHA1
97753e6d4f6cfa4fcb2605d534a4478f64f89baf

SHA256
ae94371ed199892fa727027c4dbc1f5e6667cf0b57536008a460e75df466bf13

SHA512
cadd4f79961e77c2c9ac308ede37887e6b442a1bcdea9b65528862b6fb155fdb2c10e8d9929684aee4e5494b7651b7b30ccfb1be226e681ca171c87c3a8ad8ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\permissions.sqlite
Filesize
96KB

MD5
67b65fb8aaff3028a19aa965d9c0fa9a

SHA1
dcb2ad8b1d3ce29e67eb50c1bec2b298b69774fa

SHA256
51fd0550a2ec05e1d6bfed7065de3a11cfac31f85d1425a423c46478d16cce12

SHA512
f16b011dfe5d1fd87ea05cb25a439cff2dea976432105a6f2390fe5711c584789b64ab417c4f753224bf20d4c412c899d1595c9d31ba43b88693216b91e379a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\places.sqlite
Filesize
5.0MB

MD5
1cff50dafec34d7855b576ff7034154d

SHA1
8b884b201e4f63eeabd1cbe16f4059202b8ca424

SHA256
bcc197831ab93e9e31244153bfdd3b4ff851a2da05153f0e983cba1c941a551a

SHA512
849088c9a962857e0d6b8e864a401ea7a12209fb6dc2c82bb72e345d5ae34ea7d579f90622d615aa77e414ad38d491b27655f2b34917dce50458c1a64f3820b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\prefs.js
Filesize
6KB

MD5
847654ff1fb759188a1b3f5044f00584

SHA1
793d234789adb1f1684a207016638407ab427fa5

SHA256
310192625c5d776154ddf170749515ba64cef4d23a1c44ac553f9e070c19549a

SHA512
b296af96068ef553b46c6d51a4ea8c26198873089a24c748123c58ab3f31ae087de92fc8354bef551d95ce77d5c48927defb2bc7980e14436472e62ace5f8848

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\protections.sqlite
Filesize
64KB

MD5
4dc8479224410a964fcc7226e43b2d24

SHA1
eb170e3a4aea4022de266e6eeb76ed72d3bcdd73

SHA256
5cc787bbb0151471c3c11f69478aa4e37af09dc30a136a618e97f8663611ef2b

SHA512
7d6859c6bd278cb57bf144515b99b349a6dfe39073fb2807bbd6897eed6df68424574cccabea3c0707b47d00a31c4c700e07dd7bb101ca7729ad3cfd2b08c069

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\search.json.mozlz4
Filesize
2KB

MD5
82e75694a270d94605ca40f40c3446f3

SHA1
b5ae29a1d8b27f8d6e096a5bc2a0a5c6d94eff36

SHA256
276f5c7c1e6522177a6d0fd8bea4287c8efb348aefc856d9da79698c43e804cf

SHA512
9fb956a10f080a77036a20a67e58a90dc923706835ad0a09aa722062204b11df8bd518a1ad52e1b0d3c176d423648a1a506d36574b8880376fbbcb993f00066d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\sessionCheckpoints.json
Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\sessionstore.jsonlz4
Filesize
3KB

MD5
ef0bff57b813fc966d9891594255c012

SHA1
d094c1faf82618e00289d24ed5b76f73357d9161

SHA256
4e38811931d6001487f11555997861019f0852dca1aaf5928c2b85454143b8fd

SHA512
3dc59a2e0701f5daef3e3c8a1bf90b4b45c340e8b060583d15030733b0d07807e398070f1fbfba76da5bb8bf5cc7159a27dc6cf894f61509ef3df53e81a23cc2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Filesize
48KB

MD5
8823221193f7b17bc504aa18ea324743

SHA1
86dc91ff0c2d7f4b26d570377f0c54a5d526d2cc

SHA256
28a892d4ea2fd9db290164d41ec20154e7d848968d8272b01cf50de48791f3bc

SHA512
fa25d851079a039837805a32c297847a5a3218fb9f6b4bd754e5009057bc0b39444454e0c4ae37b71a5d623d3ad6f93cdd3715bee4026d3a3cd9fe507ecf5af4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
3.1MB

MD5
85b3e082465bc0b71244d87957304324

SHA1
8f0246accd50b8949343ee3f1a9bed951d761950

SHA256
049d01958f7090051db04a2e0f6d93d0d24ce4daedcb3f11b05d91fe97ae14d5

SHA512
f715a0dd8dca4fa5e8db1c479f6a0977658fe521128c28adaf91fda92f0ebcea79d1c3403b5e592cdfd8b14586b190f39f289824a04ac921d1d826ec4eaa2a86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\webappsstore.sqlite
Filesize
96KB

MD5
2f40c20e4e4cdf9c6331c5a48b28e761

SHA1
0ebaf4de3c1dc427f04fe67d0a7121dee63168a7

SHA256
d0af6dc53462d1455770af4f46fdb3d341a751a256bffe0083acd58b9cc38bd9

SHA512
88d4e8e6ad5ade39947717cb1265b5e9646599b8f05e77730ed2da2d6ee778bb5485728774544f86618c8ff2ce511f12dd72b8a93b5c0e426ac4248801205d46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f5uu7yj6.default-release\xulstore.json
Filesize
141B

MD5
1995825c748914809df775643764920f

SHA1
55c55d77bb712d2d831996344f0a1b3e0b7ff98a

SHA256
87835b1bd7d0934f997ef51c977349809551d47e32c3c9224899359ae0fce776

SHA512
c311970610d836550a07feb47bd0774fd728130d0660cbada2d2d68f2fcfbe84e85404d7f5b8ab0f71a6c947561dcffa95df2782a712f4dcb7230ea8ba01c34c

Download Submit
C:\Users\Admin\Downloads\989ca7508d256332e873b3d6eaf03156f1c77806dc820a900da0ab48ea360d52.zip
Filesize
5.7MB

MD5
b1644acebdbb7866d3ae766d5be51c95

SHA1
eafb11b1c525d1f163e787573cca6317635cfaff

SHA256
9dfee5ce4955b69a0888874b8c1a51eb219b7c0e364040a7036f14d9d460aaba

SHA512
e84bb9bc602a42c22f4c34551ee75ecbffcf16400b224acfd1be4eb6ac80df64275037f647ae58186137f2f654160eec684d729bfc64e65703ea44b473c4e453

Download Submit
C:\Users\Admin\Downloads\amigo_setup.exe
Filesize
402KB

MD5
149a6aeee20fc3b661b604cecfe309d2

SHA1
7ef2991d09383779dc58d2a9222dee10141d4e59

SHA256
175a54bf84a37444ce3ad26dc5260094c245c0f4fd9b0a8f76567d576db42f51

SHA512
3464230e6bd545c5c805fd5e44f6e49701848924a35fdab93ce674358efec68b1acd802fd5215026fa44760725995682a2afdac9f5e2a92fcf7f09b78096fbcf

Download Submit
C:\Users\Admin\Downloads\amigo_setup.exe
Filesize
402KB

MD5
149a6aeee20fc3b661b604cecfe309d2

SHA1
7ef2991d09383779dc58d2a9222dee10141d4e59

SHA256
175a54bf84a37444ce3ad26dc5260094c245c0f4fd9b0a8f76567d576db42f51

SHA512
3464230e6bd545c5c805fd5e44f6e49701848924a35fdab93ce674358efec68b1acd802fd5215026fa44760725995682a2afdac9f5e2a92fcf7f09b78096fbcf

Download Submit
memory/872-242-0x0000000000000000-mapping.dmp

Download
memory/1096-254-0x0000000000000000-mapping.dmp

Download
memory/1096-257-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1428-227-0x0000000000000000-mapping.dmp

Download
memory/1520-193-0x0000000002D50000-0x0000000002E2C000-memory.dmp

Filesize
880KB

Download
memory/1520-194-0x0000000002E30000-0x0000000002EFA000-memory.dmp

Filesize
808KB

Download
memory/1608-211-0x0000000000000000-mapping.dmp

Download
memory/1696-228-0x0000000000000000-mapping.dmp

Download
memory/1924-234-0x0000000000000000-mapping.dmp

Download
memory/2164-203-0x0000000000000000-mapping.dmp

Download
memory/2164-209-0x00000000082A0000-0x00000000083A2000-memory.dmp

Filesize
1.0MB

Download
memory/2204-231-0x0000000000000000-mapping.dmp

Download
memory/2204-206-0x0000000000000000-mapping.dmp

Download
memory/2272-241-0x0000000000000000-mapping.dmp

Download
memory/2412-202-0x0000000000000000-mapping.dmp

Download
memory/2480-197-0x0000000000000000-mapping.dmp

Download
memory/2520-198-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2520-195-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2668-272-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/2864-207-0x0000000000000000-mapping.dmp

Download
memory/2884-132-0x0000000000000000-mapping.dmp

Download
memory/2944-268-0x0000000000400000-0x0000000002C66000-memory.dmp

Filesize
40.4MB

Download
memory/2944-266-0x0000000002EFA000-0x0000000002F03000-memory.dmp

Filesize
36KB

Download
memory/2944-267-0x0000000002EC0000-0x0000000002EC9000-memory.dmp

Filesize
36KB

Download
memory/2944-239-0x0000000000000000-mapping.dmp

Download
memory/3056-226-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3056-214-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3056-221-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3056-222-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3056-223-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3056-224-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3056-225-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3056-216-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3056-213-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3056-220-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3056-255-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3056-215-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3056-256-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3056-253-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3056-212-0x0000000000000000-mapping.dmp

Download
memory/3056-251-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3056-219-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3056-218-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3056-252-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3056-217-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3292-230-0x0000000000000000-mapping.dmp

Download
memory/3344-244-0x0000000000000000-mapping.dmp

Download
memory/3368-199-0x0000000000000000-mapping.dmp

Download
memory/3844-248-0x0000000000000000-mapping.dmp

Download
memory/3944-233-0x0000000000000000-mapping.dmp

Download
memory/4156-200-0x0000000000000000-mapping.dmp

Download
memory/4356-243-0x0000000000000000-mapping.dmp

Download
memory/4356-245-0x0000000000ED0000-0x0000000000ED8000-memory.dmp

Filesize
32KB

Download
memory/4356-263-0x00007FF9B3CB0000-0x00007FF9B4771000-memory.dmp

Filesize
10.8MB

Download
memory/4456-246-0x0000000000820000-0x0000000000858000-memory.dmp

Filesize
224KB

Download
memory/4456-258-0x00007FF9B3CB0000-0x00007FF9B4771000-memory.dmp

Filesize
10.8MB

Download
memory/4456-208-0x0000000000000000-mapping.dmp

Download
memory/4456-240-0x0000000000000000-mapping.dmp

Download
memory/4524-205-0x0000000000000000-mapping.dmp

Download
memory/4612-273-0x0000000000000000-mapping.dmp

Download
memory/4620-250-0x0000000000D60000-0x0000000000D70000-memory.dmp

Filesize
64KB

Download
memory/4620-249-0x0000000000000000-mapping.dmp

Download
memory/4620-265-0x00007FF9B3CB0000-0x00007FF9B4771000-memory.dmp

Filesize
10.8MB

Download
memory/4676-238-0x0000000000000000-mapping.dmp

Download
memory/4676-247-0x0000000000EA0000-0x0000000000F8E000-memory.dmp

Filesize
952KB

Download
memory/4736-237-0x0000000000000000-mapping.dmp

Download
memory/4936-229-0x0000000000000000-mapping.dmp

Download
memory/5020-201-0x0000000000000000-mapping.dmp

Download
memory/5024-232-0x0000000000000000-mapping.dmp

Download
memory/5024-204-0x0000000000000000-mapping.dmp

Download
memory/5068-235-0x0000000000000000-mapping.dmp

Download
memory/5112-269-0x0000000002ECB000-0x0000000002F30000-memory.dmp

Filesize
404KB

Download
memory/5112-270-0x0000000004950000-0x00000000049ED000-memory.dmp

Filesize
628KB

Download
memory/5112-271-0x0000000000400000-0x0000000002CC2000-memory.dmp

Filesize
40.8MB

Download
memory/5112-236-0x0000000000000000-mapping.dmp

Download