zgrat | 96996e79693217c967f9a62a997a53137b4b712c9419b7c6cdff2ee8851d7a4a

Analysis

max time kernel
110s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SRTWARE LOADER/Loader.exe
Size

18KB
MD5

de864db51c37274b514bf755e32dbbaf
SHA1

1c61b7eee7e0251551208b70dd76a8e3c67f14c6
SHA256

1a2e8e921618fb0fd4507fc6b56ed172318812116d99bc551ec4e9e416282393
SHA512

bdb9913fe990a964040567a9752107921e28668bd78c5e59900ea05d007c6b2a1b4acd8ce69f53abf9ae4e15b7b2eeba72205db25ed81be1f6b38c789807f902
SSDEEP

384:N9fBKvt6ozbwRMGk79jle1eOLQLw36gSrOT9HcZZn0:NRBKvt6V/k7SkqQn5pL0

Score

10^/10

zgrat evasion persistence rat

Malware Config

Signatures

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023126-768.dat	family_zgrat_v1
behavioral1/files/0x0008000000023126-769.dat	family_zgrat_v1
behavioral1/memory/5060-770-0x0000000000DF0000-0x0000000000FCE000-memory.dmp	family_zgrat_v1
behavioral1/files/0x000a000000023189-1133.dat	family_zgrat_v1
behavioral1/files/0x0006000000023191-1213.dat	family_zgrat_v1
behavioral1/files/0x0006000000023191-1214.dat	family_zgrat_v1

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5888	3792	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	3792	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	3792	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	3792	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	3792	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	3792	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	3792	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5960	3792	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	3792	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6028	3792	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	3792	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	3792	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	3792	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6040	3792	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6056	3792	schtasks.exe	91

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	v2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	SurraogatefRefdll.exe

Executes dropped EXE 6 IoCs

pid	Process
5008	v2.exe
2188	powercfg.exe
2204	srtware.exe
5060	SurraogatefRefdll.exe
3692	xkfxfwdckfsk.exe
812	firefox.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3692 set thread context of 2356	3692	xkfxfwdckfsk.exe	134
PID 3692 set thread context of 5264	3692	xkfxfwdckfsk.exe	137

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-r..vices-rdpserverbase_31bf3856ad364e35_10.0.19041.1266_none_d50c6ce1bd959a1e\r\WmiPrvSE.exe	SurraogatefRefdll.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2656	sc.exe
1964	sc.exe
4616	sc.exe
2632	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
6028	schtasks.exe
1380	schtasks.exe
4296	schtasks.exe
5888	schtasks.exe
1960	schtasks.exe
3272	schtasks.exe
3872	schtasks.exe
5960	schtasks.exe
452	schtasks.exe
4120	schtasks.exe
6056	schtasks.exe
2216	schtasks.exe
2164	schtasks.exe
456	schtasks.exe
6040	schtasks.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings	v2.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings	SurraogatefRefdll.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2204	srtware.exe
2204	srtware.exe
2180	powershell.exe
2180	powershell.exe
2188	Process not Found
2188	Process not Found
2188	Process not Found
2188	Process not Found
2188	Process not Found
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
5060	SurraogatefRefdll.exe
2188	Process not Found
2188	Process not Found
2188	Process not Found
3692	xkfxfwdckfsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2204	srtware.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	4008	Loader.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	5060	SurraogatefRefdll.exe
Token: SeDebugPrivilege	4552	firefox.exe
Token: SeDebugPrivilege	4552	firefox.exe
Token: SeShutdownPrivilege	2472	powercfg.exe
Token: SeCreatePagefilePrivilege	2472	powercfg.exe
Token: SeShutdownPrivilege	1216	powercfg.exe
Token: SeCreatePagefilePrivilege	1216	powercfg.exe
Token: SeShutdownPrivilege	2656	sc.exe
Token: SeCreatePagefilePrivilege	2656	sc.exe
Token: SeShutdownPrivilege	4548	powercfg.exe
Token: SeCreatePagefilePrivilege	4548	powercfg.exe
Token: SeShutdownPrivilege	2188	Process not Found
Token: SeCreatePagefilePrivilege	2188	Process not Found
Token: SeShutdownPrivilege	3796	powercfg.exe
Token: SeCreatePagefilePrivilege	3796	powercfg.exe
Token: SeShutdownPrivilege	3336	powercfg.exe
Token: SeCreatePagefilePrivilege	3336	powercfg.exe
Token: SeShutdownPrivilege	3708	powercfg.exe
Token: SeCreatePagefilePrivilege	3708	powercfg.exe
Token: SeLockMemoryPrivilege	5264	dwm.exe
Token: SeDebugPrivilege	812	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4552	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 5008	4008	Loader.exe	93
PID 4008 wrote to memory of 5008	4008	Loader.exe	93
PID 4008 wrote to memory of 5008	4008	Loader.exe	93
PID 4008 wrote to memory of 2188	4008	Loader.exe	140
PID 4008 wrote to memory of 2188	4008	Loader.exe	140
PID 4008 wrote to memory of 2204	4008	Loader.exe	96
PID 4008 wrote to memory of 2204	4008	Loader.exe	96
PID 4008 wrote to memory of 2180	4008	Loader.exe	97
PID 4008 wrote to memory of 2180	4008	Loader.exe	97
PID 4008 wrote to memory of 2180	4008	Loader.exe	97
PID 5008 wrote to memory of 2996	5008	v2.exe	99
PID 5008 wrote to memory of 2996	5008	v2.exe	99
PID 5008 wrote to memory of 2996	5008	v2.exe	99
PID 2996 wrote to memory of 836	2996	WScript.exe	100
PID 2996 wrote to memory of 836	2996	WScript.exe	100
PID 2996 wrote to memory of 836	2996	WScript.exe	100
PID 836 wrote to memory of 5060	836	cmd.exe	105
PID 836 wrote to memory of 5060	836	cmd.exe	105
PID 832 wrote to memory of 4552	832	firefox.exe	106
PID 832 wrote to memory of 4552	832	firefox.exe	106
PID 832 wrote to memory of 4552	832	firefox.exe	106
PID 832 wrote to memory of 4552	832	firefox.exe	106
PID 832 wrote to memory of 4552	832	firefox.exe	106
PID 832 wrote to memory of 4552	832	firefox.exe	106
PID 832 wrote to memory of 4552	832	firefox.exe	106
PID 832 wrote to memory of 4552	832	firefox.exe	106
PID 832 wrote to memory of 4552	832	firefox.exe	106
PID 832 wrote to memory of 4552	832	firefox.exe	106
PID 832 wrote to memory of 4552	832	firefox.exe	106
PID 4552 wrote to memory of 3920	4552	firefox.exe	107
PID 4552 wrote to memory of 3920	4552	firefox.exe	107
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108
PID 4552 wrote to memory of 2592	4552	firefox.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SRTWARE LOADER\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\SRTWARE LOADER\Loader.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Users\Admin\AppData\Local\Temp\v2.exe
  "C:\Users\Admin\AppData\Local\Temp\v2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockPortaserverfonztreview\xU23uMqeagEWImFiLN56CeYAwSTsZTiL24QufhbD.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\blockPortaserverfonztreview\koViGEYxC7LBpVD9CV3QBDKnKZptyOYLZeHd.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:836
    - - C:\blockPortaserverfonztreview\SurraogatefRefdll.exe
        
        "C:\blockPortaserverfonztreview/SurraogatefRefdll.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mkLeQlNVkK.bat"
        6⤵
        
        PID:4988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:6000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4508
        
        C:\odt\firefox.exe
        
        "C:\odt\firefox.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
- C:\Users\Admin\AppData\Local\Temp\msc.exe
  "C:\Users\Admin\AppData\Local\Temp\msc.exe"
  2⤵
  PID:2188
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:2656
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "PIMYDILC" binpath= "C:\ProgramData\ssvoekfhlzpk\xkfxfwdckfsk.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2632
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "PIMYDILC"
    3⤵
    - Launches sc.exe
    PID:1964
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "PIMYDILC"
    3⤵
    - Launches sc.exe
    PID:4616
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1216
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4548
- C:\Users\Admin\Desktop\srtware.exe
  "C:\Users\Admin\Desktop\srtware.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2204
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2196

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:832
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.0.1987964727\1843756847" -parentBuildID 20221007134813 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b306836-02a5-4fdd-9135-33b7dc2fafa8} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 2032 1ac76303858 gpu
    3⤵
    PID:3920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.1.646500141\637810302" -parentBuildID 20221007134813 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a09e0459-380f-400e-8a3f-c4dcaa100b38} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 2432 1ac74d38558 socket
    3⤵
    PID:2592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.2.1422230913\1815203809" -childID 1 -isForBrowser -prefsHandle 3184 -prefMapHandle 3180 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cc71e97-9578-42d2-a4d0-06f30dc0678b} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 3196 1ac792af658 tab
    3⤵
    PID:1652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.3.1729166962\347244528" -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 3612 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e395d0cf-3296-471f-8460-060c1ced68ae} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 3628 1ac6892e758 tab
    3⤵
    PID:1636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.4.1475620042\6587367" -childID 3 -isForBrowser -prefsHandle 4752 -prefMapHandle 4748 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f0e43ca-712a-441f-bcfe-25ba55667fdb} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 4764 1ac7b4c5758 tab
    3⤵
    PID:4372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.7.770790068\2127350517" -childID 6 -isForBrowser -prefsHandle 5388 -prefMapHandle 5392 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5d882fe-8728-4b61-982b-5ca3f72a1836} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5064 1ac7b5f2658 tab
    3⤵
    PID:4492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.6.3125496\1220182406" -childID 5 -isForBrowser -prefsHandle 5180 -prefMapHandle 5184 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d1f9c26-fcd1-4cb2-b9e9-d12ae00ec807} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5172 1ac7b5f1458 tab
    3⤵
    PID:4700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.5.2092221458\1953794277" -childID 4 -isForBrowser -prefsHandle 5020 -prefMapHandle 4952 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5a3f48c-27a7-4dfc-aa3b-33a3b4e6ebad} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5040 1ac7b5f1a58 tab
    3⤵
    PID:772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.8.1920554480\96139404" -childID 7 -isForBrowser -prefsHandle 5820 -prefMapHandle 5824 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95b9dcbc-9ac8-40b7-a9b0-f3c783fadf25} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5812 1ac68971c58 tab
    3⤵
    PID:5536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.9.1064216511\869250542" -childID 8 -isForBrowser -prefsHandle 4844 -prefMapHandle 4800 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a70c3de4-8705-429f-ab7b-bc80620ec08b} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 3344 1ac7b4dd558 tab
    3⤵
    PID:6096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.10.1943192802\104098877" -childID 9 -isForBrowser -prefsHandle 9700 -prefMapHandle 9704 -prefsLen 26646 -prefMapSize 233444 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e4caa4d-e2f6-4900-ae7e-db69a8feb883} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5940 1ac7d068358 tab
    3⤵
    PID:5188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.12.830561653\517109889" -childID 11 -isForBrowser -prefsHandle 7956 -prefMapHandle 7952 -prefsLen 26646 -prefMapSize 233444 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2ce488a-8cc5-40de-aeec-a3a52c1c78f4} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 4684 1ac7d291858 tab
    3⤵
    PID:5280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.13.1988827342\1250237559" -parentBuildID 20221007134813 -prefsHandle 9452 -prefMapHandle 9756 -prefsLen 26646 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d2ec5c2-c448-4646-b84d-fbaabd78b82f} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 6940 1ac7d25cc58 rdd
    3⤵
    PID:5276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.14.326929167\1353185116" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 9428 -prefMapHandle 9444 -prefsLen 26646 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94949d5b-bfdf-4a5a-a559-8e7ede7f209a} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 9396 1ac7d25c958 utility
    3⤵
    PID:408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.11.436816927\1075532049" -childID 10 -isForBrowser -prefsHandle 7944 -prefMapHandle 7940 -prefsLen 26646 -prefMapSize 233444 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb55688b-895a-45a9-a9d5-021d9fe0df0f} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 4216 1ac798a5358 tab
    3⤵
    PID:1832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.15.1839309347\554597966" -childID 12 -isForBrowser -prefsHandle 9200 -prefMapHandle 9204 -prefsLen 26646 -prefMapSize 233444 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a689bd93-7f29-4e18-bf35-9dd37844b625} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 9176 1ac7dbe5258 tab
    3⤵
    PID:5980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.17.1146025288\295493896" -childID 14 -isForBrowser -prefsHandle 8832 -prefMapHandle 8828 -prefsLen 26646 -prefMapSize 233444 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91bccf3b-3d09-4327-bcb4-9b9ae7505679} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 8840 1ac7e39be58 tab
    3⤵
    PID:5300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.16.485617369\924425359" -childID 13 -isForBrowser -prefsHandle 8976 -prefMapHandle 8968 -prefsLen 26646 -prefMapSize 233444 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45218be8-42ed-44b1-b2b2-69c0d1d907d5} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 9044 1ac7e2cee58 tab
    3⤵
    PID:2948
- - C:\Program Files\Mozilla Firefox\crashreporter.exe
    "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\minidumps\b239d5d8-175e-4f7c-af1c-4184972ff41b.dmp"
    3⤵
    PID:2428
  - - C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
      "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\minidumps\b239d5d8-175e-4f7c-af1c-4184972ff41b.dmp"
      4⤵
      PID:1032

C:\ProgramData\ssvoekfhlzpk\xkfxfwdckfsk.exe
C:\ProgramData\ssvoekfhlzpk\xkfxfwdckfsk.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3692
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2356
- C:\Windows\system32\dwm.exe
  dwm.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5264
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3708
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3336
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\blockPortaserverfonztreview\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\blockPortaserverfonztreview\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\blockPortaserverfonztreview\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Templates\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 7 /tr "'C:\odt\firefox.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\odt\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 11 /tr "'C:\odt\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6056

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ssvoekfhlzpk\xkfxfwdckfsk.exe

Filesize
1.1MB

MD5
d14de97bb30459d270b44dd1f6da7763

SHA1
6323803bb3a30ba684f58fa3b9e7309410d1fd41

SHA256
bbffcc1b5e2b09500af9a7c7512f0986973f84b051ea7f59bacdf1610983ee36

SHA512
b70d296cb4dafc42db7789dbbdb4874aa4f906822a1aa7c06849a7372b06a40ff31b6d6d2b8466c1dc11b5d453497cc60a1f751bc03c2e77f5379ae0f28fbecf

Download Submit
C:\ProgramData\ssvoekfhlzpk\xkfxfwdckfsk.exe

Filesize
1.2MB

MD5
c447cf508e7e99bbc946bc58ebcf33ea

SHA1
1f243785f6661a4b905d64fd4b0bd2db3eeec321

SHA256
a2ce8812aed7a6da9adcd5a1b050bb9a0a1eb7f6a93fb18d59b8c1ee56b898c3

SHA512
6e36d68cc0794f85beb705d07b2d8a4266de25beb5c61802c8a7bef73dd703bfa42ab198ac3e0e853f5687a02b8dcfc6ffe7a7f152a976051b0401475547fee4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e2sf79v1.default-release\cache2\entries\E7977F6E10AFB3B4A8B829A51A5BF2749364C136

Filesize
134KB

MD5
4994317e0002506fcbc62adc2316c7ce

SHA1
c8a68b2541aa58cdf2d000b296e4614432e393c1

SHA256
220301fb49cbf22a8d02bb0bf5efa6e5a4f925e06087294ebb38c3e3714048be

SHA512
4598f1f66a3f247f422ce1502347e511fad6840bb13ec9577cbc5296f5286a30c4c462566484a79234f91f0bcebd328986a5a0d76e94f36de41917d867d13ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cjr4vzah.gig.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkLeQlNVkK.bat

Filesize
194B

MD5
49b7a407e68e5caaa6c7ca353ddac7aa

SHA1
5cf20a1e0047e1455f2aa07c0f76a25e6bb36ac0

SHA256
9ae2d799040f62269913940998b1f6c4829d45192458b6463e7559d152e271c9

SHA512
8c9afea9e1170d0666278ac302532874949dfecfc493a4c7d6e7be75c6c5f497233dfebfed817a6c7818d9c3dd4d1b44bcd56aeb2cc37a4e0e912c37fe2c6b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\msc.exe

Filesize
782KB

MD5
a0a35768b7ca610eb0b3afc047dcf0d4

SHA1
50249ecf487a10d99d744cc1ee38ce895cd2cd4a

SHA256
48cd083cbf88abf8b583fee9df435d4c25e987f9884b480673eb91d61c01bc9a

SHA512
04f31d4534cefc44cb120f8dd3e48d3a449317be93cfcd26723dafa76eeff2ab694fa59f7f34c2a9707ee840b595895620916ec9021c38e3b39ded19b25d0f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\msc.exe

Filesize
1.3MB

MD5
7eceb31a519042ac8934f3102f86e70c

SHA1
e4f18f456330587a128bd70431aaccc23f05afd3

SHA256
6edb58f5649509d6e4f10e2156a9291c9b7b03342819024c9c15b5486e742418

SHA512
913187946553191571bcca9276480b4fa7f966c699cd6a7f5b6ed8be31d467bc27380d8607eac7c2adb3f888deffd1f62200ea0d442d515127566a5b7feed42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\msc.exe

Filesize
807KB

MD5
8260367b37601288d8345995cf49c778

SHA1
5f2bc466f48cd2a4140b51a1ef35d4b305423330

SHA256
5b1c80203fe6208ba8c603ba41e4e05e78ef095d4ee444536571ae6f8e137292

SHA512
c42e61f33babf9e5e6d67fe691befc83d1a05230ee6689b72abc8fe191ae3d6da6065aa9397037c428dff76fd68499881f8a9e20a77ee9097fd9f5e60752842e

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
525KB

MD5
64ba004ee8344072246a1dc58488e116

SHA1
68d13a6762fa2c1ecabdc4d8912d87144e03a91c

SHA256
91c5cdb3e47010b8a56626c4db8566960f0816f75addc9735d8f38c516a93767

SHA512
8c4e2efc0f8d182d79ca5b370eec20291d06848245d7c4c956128f496ab56d629bedda91cf987dcd3d01460a6ccc30f782d27c7cbba89f1ddaa10d205716c41f

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
428KB

MD5
31a051694b0f9f4777b2b4c76cac1b94

SHA1
c72a3a70b5be6537c07d4c1745262c248cd86a92

SHA256
afac96606ea3872c85d39d1e9f28aa7b2bfac72ba5c881122240b116404fa5f6

SHA512
f1af13f5fd88ee3cd64ce1e563e76fdb233a581940da5ce20f55ae7dbcd50b61ca08217893add7cf324c9e163bfbf91a7d90b3ec37d59bcf43102ba9055ce60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
233KB

MD5
d96321e6466202abf78fd36bb046f82e

SHA1
e2e736dc031f36ade2bc827797f34c4ec8cef45b

SHA256
b8c2109681dffed9d5f2354921549412a61630a4774343bef2a07d72bb60284d

SHA512
73ee00fda5eaeba681e6a97cdc5f53711fa581670de72cf40efb7ff5c7bbc12e07e81c424fb5dcb41d1b81b3ba92055311efcbc8ca4a23b5330e0eba965b0951

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\cookies.sqlite

Filesize
512KB

MD5
de1dff287113e5c4c47015d40703ff01

SHA1
9e959f754b6f261418d46aa469d3f168d81cf11c

SHA256
e4b9abd9f20bcb8fa91b6fe0d9ee0890f9bc2d11fcc4bb2bc8f8bd74a6c8ef1b

SHA512
ed01247a3188bf4c00aaed9ae9fd31872c6d8368699cd3c267d9fc9ea67a82fb966f5850f6617f78817800ec8b1aa50d6c15394e4e3dc3594d6fc5269267147c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\cookies.sqlite-wal

Filesize
512KB

MD5
2e33c947fcc106fcdfef244b63070ae2

SHA1
c54b8ef66a7c0a890acb3aea65ebf9ed74ae22a2

SHA256
9e89751af95aab58ad8a45ba424b38f38e2a8948b22730dac50c340b06876fac

SHA512
861fff78403dc0b81f346c78ecec667f7c9759b308f09fe771c140d09c0e105decf6ac6813dde7e1693f2f1c9af15284e5e924ff704bb4e3e8b7d7047d52bf18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\crashes\events\b239d5d8-175e-4f7c-af1c-4184972ff41b

Filesize
10KB

MD5
ae1e9953dffea3f377b8794e482111bf

SHA1
03b14edde73fa86bbd9fbda33a0a043cd1aa5ff6

SHA256
1798889130b2ba3b68d966bc01e1ad8704b13b4e3ebe551ba8681629d8a500fd

SHA512
6ed1b76468a3494be0e7c35be7df29259c8b9e5b3fef6136918c2e13efa71131b1c3c7f978670a3e9de22cbf3cc312df17e8a170ee7fe334301b10a542c0896e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
a4f4e90e02b13ed22bad4c9ea82cc95b

SHA1
f979f67fb8c0fc5754a918d21bdbed19f6608909

SHA256
eb7dea25b6ebfcc8dc09124410723f92e2c3732fa4ff3c0733720571b5891f3a

SHA512
ebceefbf134db4a6da622a795515acd61300c52b80f1830b731f6169a2281f991678c94840f1153a9d3c8a0fb1d6b300f62f92bf77eca58122ce4378bab5c286

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\datareporting\glean\pending_pings\a3dfd21b-c857-47e5-9886-79ac1ede6fa1

Filesize
11KB

MD5
d8f2b09595f363fb7ef4dd1c71f22b20

SHA1
60bdec2b10f31301e445ab1eccc97fd1fc2b7847

SHA256
a9409043c8bfb2fd62d94a1e4ce81c6ed41febdf908c3190e289a344e9a0b784

SHA512
47df45159ffcd9d3f86ea22012acc70a2a9b4e7b51d519ed035683893a60797f487802557ddb165a61cd8aab79a0a30670bc6fa930e31c6ff2b917c0f1248f0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\datareporting\glean\pending_pings\ec455098-9447-4f5f-8b14-99278c462479

Filesize
746B

MD5
9bac20ce35e27ab26178c9d0bd671c50

SHA1
c91f52a7965caa936ce34f51343875603fe2fc9f

SHA256
06bee2814fa3a1037841a0a66f2429cdf78b3f11cf4421c3085978e2c1530c12

SHA512
d570cad9f5c24f5e927e482ccc6a6cd64dd1b28b608eb516657f9044e4ea209d0de2dc180705fde81526b6c630733724350b8ec58a82cf28a6fa70ee74476c38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\minidumps\b239d5d8-175e-4f7c-af1c-4184972ff41b.extra

Filesize
12KB

MD5
90d30aac45bdf52620c3917db6de5dfe

SHA1
51e56152876704473b32f432f9c348bbc541c4c3

SHA256
b5021c6899ac7793bd8f10d1a1cb6bc0040ac83f34d15439bab35398487d4979

SHA512
be0fcb9b9bda68b806abe0ffb1504f0a9cb355da5cfadea988be1a21c58487fe2a40bc29442ac508eac2c4072598db421ea5111b8e356c2fe9e928425b1cebf0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\prefs-1.js

Filesize
6KB

MD5
1dd2ef4f5cbead74a259349f55595a5d

SHA1
ad83484c3406213de67a2ecbd700bb0c0baf801d

SHA256
b3d11621ea2961757e1b6b9b28ce13263ef4151113cdd544553ce8e145f6064b

SHA512
75f852846bc61802f92866b26fb0952a3162f70b9a13264f438f71ea697cdd047a319d2907804d4761a3139402b309b6dade6b7ad7c782531be9fe25190de08a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\prefs-1.js

Filesize
6KB

MD5
6533272c7e7c3a176e636e11d407e002

SHA1
b4e7b9b7eb6cebd41de317eab1115bae75f009df

SHA256
47479e8c8ddde51280f07bf7f83e3c2356bc664f45e755536d66f65ad14e88c4

SHA512
778d0a56a6ec2c10308646d1bf79cf0afbdb944f0e1d9ed6d837cd93c550fafaa8f64e5e3cde190553d4534a39128d4dfe54967a56a3ba8466f2a4ff2b8f1245

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\prefs.js

Filesize
6KB

MD5
15ac3f4178ada2a9116bf4dbc6ac436e

SHA1
c2739e7d6072319a447c17bd670bbae5728cb3fc

SHA256
d038e0248c9d26d6dc6ee80f69c3e2e3f48806f1ac4a15c26d5fb1f318816b4f

SHA512
be87a6f4d2e4bf5b9cf588343454f8260da2c8f829b46c60885a5905078d977b3eef4eba8a1037705556cf2f7300dde5986f7d6c97509cd097562d8a2482ca8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\prefs.js

Filesize
6KB

MD5
06cb9dd562bced3b625c2dbd88760cb9

SHA1
da6c6afacdeabdfd4068925b271c847537e6711f

SHA256
fd65fc926759f694e9cf869253c4dfbc99dfb301101a5d5b168561b76724e6a2

SHA512
f9a832ea0319fb67d32b5c8e77891d94d3eb9db1f9167ddf5e9134cb1acbc90477c5072d26294dd0714e9b8c81f9dbe9585d3e7f36b8b1e5d350552bbcc1938d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
89444490b527011edd1917dc637726d4

SHA1
d184b08b6e834753b570540215288560d48d602d

SHA256
5bcd04e8f8aa1b5dc7f061fd8fd79e625670f730fa70359c71a531fad180460b

SHA512
4f0a5e1b7c231453719c36ff6074e9f12663d18c261594ce76351ecdaff0790173a8a5551158ed27d0693aa807faa352f70f41020797a1d6fba4cc6b1d57ebe8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
7711fe5f1c7bdef6b7ed4143af853530

SHA1
06702309149d19b5fc6e98c119fb3aa25a9feee3

SHA256
a7f2d3cda817a2bf4619354eab089c21718bdeda18f0ae4703929f31a35e8cad

SHA512
78279484d740b7e51de34cb59b30481f4bc2daba907ad2465f3ff2e8606d40ba998d6ffdf10c2eb6b1577904983e52580f603045743f84fc519dec567ffc7e7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
ff0793dde9d647d736bd9ff27c7f3f27

SHA1
d2531287d2a2ef8ce382dc3df38a42e05edb127f

SHA256
50d94c5211432bb4cd998d37f0a810ee77b9c211eba8e500e342e0537523144d

SHA512
bb7301ee4df28140b58e71f3adbdb587f3091c6501d5191022807127ce7b1d3f61b964b1306d0070d9ef68aec9bbae7696750e689829012881b00a1759031721

Download Submit
C:\Users\Admin\Desktop\srtware.exe

Filesize
354KB

MD5
fd40525b8517b5f30b193a8b3d990f50

SHA1
2485fb3891ff8fc239125ff524c504c1d18be96f

SHA256
d0f72e571ea098b56e2091818917759dbb6101c98fa8cc39992a7446aaef46f3

SHA512
6d87374e9a3d2da9c5a61920a1b4633e6965c4711414037813da3772aaebe4839f129515bca06d244725ad346360de037f3f32c833b83a2373567ff7e55e75d5

Download Submit
C:\Users\Admin\Desktop\srtware.exe

Filesize
397KB

MD5
b57ec46c8108fff25a7fe349477c0c00

SHA1
e40e203f3bc7a5585f9f3b83b5a4f376d1edaa9e

SHA256
60a3c99175daef03737ad8440546297c7e4d48a18172a36105b5606f941eef3d

SHA512
1498e7569e19fcbb1ec14ed2484e0e0d5d79d31b04eeedc4630078ce59e86ff0936abe82b7fcc0d42ee88034af368f491b3ba0404dd8ce3c735e480a67383bcc

Download Submit
C:\Users\Admin\Desktop\srtware.exe

Filesize
380KB

MD5
a40e74d20af32d5c0596d237e03e45b1

SHA1
a8796596a75c4caec50da6efc66478d9d8f119ec

SHA256
3fda7099a00725c51403ae72a2f2f27c9ee76e908b624791f4762938ca48eaf2

SHA512
7119872e4110f5e8e3001ed2e19b930c687ba15dada3eef9bb1cc1aeadd498f54d76ffcc1b28b07f6e0a5868f3342862fffbd531a1d922fd1bef307289bc1c46

Download Submit
C:\blockPortaserverfonztreview\SurraogatefRefdll.exe

Filesize
1.1MB

MD5
8744c3d3b2737a47f8732a0ea7f8cf08

SHA1
8fdcdd85fc617f80c1eba3ac2a1685815ad95c69

SHA256
ec546f5425a1f782dfb0db106c3e5b0388ffcc59c8f370115d90f23959e45677

SHA512
0f2fa74807ad5f81497d0b35469ac6c1f3181cb65d3117112b6dc52fbc06e96fac376cb634118ab61e1cc0d0782d9e292cd1866845e38e9651a990d6f819fe74

Download Submit
C:\blockPortaserverfonztreview\SurraogatefRefdll.exe

Filesize
1.0MB

MD5
b04a0fb2bb33d8c63d9ea42680215775

SHA1
41f8639b174d62ff4198d2963d1f49c0211a6e5a

SHA256
e11479b3dba0baf4f183ee7d465780de63eab838711b085861c9e704f0e849f2

SHA512
83aaf2398e37de17cc8379af0f702ffb7f2245fbb8d77800d4dd5a6afd04af18b458aa30a9c5dc3886eb5899adda5b183450d11f1db995383c20644a4bb42e5c

Download Submit
C:\blockPortaserverfonztreview\backgroundTaskHost.exe

Filesize
1.8MB

MD5
e9454f03b1c0cc9a49b390e9ea4de93e

SHA1
b74825e68c201fe016c2921cf5a0df9315b428e3

SHA256
bce14087f971a1e7f3dc86c6de5aa0ecd010145a47eb7032d7fa4d90580105fe

SHA512
a238a7e4aec864bc997f340173b0a2953211485e9898d306bca2a8cc4b04cc5a2044bb214216486d4f933d083d6d84c4c442e923712841f9573abb8dbb5a0551

Download Submit
C:\blockPortaserverfonztreview\koViGEYxC7LBpVD9CV3QBDKnKZptyOYLZeHd.bat

Filesize
102B

MD5
bc25dff8236f83e8bc9d984a8eff5287

SHA1
e9ae2101756cc874680538bba8e5354d1b479b25

SHA256
11d6371148eea78b4e59daff6fb76b36c170abe01007f37a453b18611f9bb0d3

SHA512
31badede81b93d03041556a2c9d21c8d4ddf2e37f91aa57feb325d9f687f12cf280c73331569bf2bd6f889c40cedbdc3a63f46fd34e0082d197cd5c33d8084c1

Download Submit
C:\blockPortaserverfonztreview\xU23uMqeagEWImFiLN56CeYAwSTsZTiL24QufhbD.vbe

Filesize
241B

MD5
2fc915ce3249a54327cb1c98eb1c417c

SHA1
4f6fb5528f863796a15545c77034b22d42031a4e

SHA256
0106bbc0a78339a377a08050abbca0d81cae7e642014ca49402ff9deb8ba0f87

SHA512
90c1ba61c11be5d973c927f26bd7dded00539c86b950819743186f6b1176980a65b6375e9b9ddf9bf3ef9c059534a082c092a5b451167909f67ae51d8639abd1

Download Submit
C:\odt\firefox.exe

Filesize
1.4MB

MD5
91732a7fca905989d1ba9f72c763c3c0

SHA1
6489a60386cc348fc139812226133fd48472c4cd

SHA256
cc602dd36c3c4ca6ffd1d3a31049a67567abf785cb79f6595951435aa81f7117

SHA512
7c15d124e984da1a43f468cc4bb4960daf44a8e723199e9c0385346914cf3de96fdfb37168a9eacf70e266f20277e554e92b053bd592089d980048dc285f4cc9

Download Submit
C:\odt\firefox.exe

Filesize
1.5MB

MD5
c53c257f3cab37a711219fab07f46481

SHA1
15363bacdc304dffe16d4f7f407999e53ce425be

SHA256
a541f64bbd1519f02ad91cf48e75f6cd6237bda301699e9277e4db14f8e8745d

SHA512
c1f6930619873956d764d0967879d95bfc900bc7727311b8c345deeb43c25ba4123f3bb3b6aff24f7b233df228b0c28ba7b68b585f7cace2b5d4e73e38295613

Download Submit
memory/812-1221-0x00007FF849300000-0x00007FF849DC1000-memory.dmp

Filesize
10.8MB

Download
memory/812-1227-0x000000001BCF0000-0x000000001BD00000-memory.dmp

Filesize
64KB

Download
memory/812-1228-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/812-1231-0x000000001BCF0000-0x000000001BD00000-memory.dmp

Filesize
64KB

Download
memory/2180-852-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2180-749-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/2180-938-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2180-785-0x0000000007AA0000-0x0000000007AB4000-memory.dmp

Filesize
80KB

Download
memory/2180-874-0x0000000007B80000-0x0000000007B88000-memory.dmp

Filesize
32KB

Download
memory/2180-861-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

Filesize
104KB

Download
memory/2180-784-0x0000000007A90000-0x0000000007A9E000-memory.dmp

Filesize
56KB

Download
memory/2180-774-0x0000000007A60000-0x0000000007A71000-memory.dmp

Filesize
68KB

Download
memory/2180-771-0x0000000007AC0000-0x0000000007B56000-memory.dmp

Filesize
600KB

Download
memory/2180-765-0x00000000078B0000-0x00000000078BA000-memory.dmp

Filesize
40KB

Download
memory/2180-763-0x0000000007EE0000-0x000000000855A000-memory.dmp

Filesize
6.5MB

Download
memory/2180-764-0x0000000006BD0000-0x0000000006BEA000-memory.dmp

Filesize
104KB

Download
memory/2180-725-0x0000000002EE0000-0x0000000002F16000-memory.dmp

Filesize
216KB

Download
memory/2180-727-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2180-728-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/2180-762-0x00000000075B0000-0x0000000007653000-memory.dmp

Filesize
652KB

Download
memory/2180-729-0x00000000057E0000-0x0000000005E08000-memory.dmp

Filesize
6.2MB

Download
memory/2180-761-0x0000000006AE0000-0x0000000006AFE000-memory.dmp

Filesize
120KB

Download
memory/2180-732-0x00000000055E0000-0x0000000005602000-memory.dmp

Filesize
136KB

Download
memory/2180-733-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/2180-734-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/2180-751-0x0000000074D10000-0x0000000074D5C000-memory.dmp

Filesize
304KB

Download
memory/2180-740-0x0000000005F10000-0x0000000006264000-memory.dmp

Filesize
3.3MB

Download
memory/2180-750-0x0000000006B00000-0x0000000006B32000-memory.dmp

Filesize
200KB

Download
memory/2180-747-0x00000000065C0000-0x00000000065DE000-memory.dmp

Filesize
120KB

Download
memory/2180-748-0x00000000065E0000-0x000000000662C000-memory.dmp

Filesize
304KB

Download
memory/4008-26-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-40-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-52-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-46-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-730-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/4008-54-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-44-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-56-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-50-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-48-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-42-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-1-0x0000000000BA0000-0x0000000000BAA000-memory.dmp

Filesize
40KB

Download
memory/4008-64-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-2-0x0000000002E90000-0x0000000002E98000-memory.dmp

Filesize
32KB

Download
memory/4008-66-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-3-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/4008-746-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4008-4-0x0000000008510000-0x0000000008570000-memory.dmp

Filesize
384KB

Download
memory/4008-68-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-5-0x0000000008820000-0x000000000887E000-memory.dmp

Filesize
376KB

Download
memory/4008-6-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4008-693-0x00000000088C0000-0x00000000088C1000-memory.dmp

Filesize
4KB

Download
memory/4008-7-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/4008-8-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/4008-70-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-9-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-10-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-12-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-14-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-62-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-16-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-18-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-20-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-22-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-38-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-0-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4008-36-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-34-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-32-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-24-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-30-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-60-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-28-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/4008-58-0x0000000008820000-0x0000000008878000-memory.dmp

Filesize
352KB

Download
memory/5060-775-0x000000001BB60000-0x000000001BB70000-memory.dmp

Filesize
64KB

Download
memory/5060-877-0x000000001BAD0000-0x000000001BADC000-memory.dmp

Filesize
48KB

Download
memory/5060-1069-0x00007FF8495B0000-0x00007FF84A071000-memory.dmp

Filesize
10.8MB

Download
memory/5060-770-0x0000000000DF0000-0x0000000000FCE000-memory.dmp

Filesize
1.9MB

Download
memory/5060-858-0x00007FF8680A0000-0x00007FF8680A1000-memory.dmp

Filesize
4KB

Download
memory/5060-863-0x000000001BB60000-0x000000001BB70000-memory.dmp

Filesize
64KB

Download
memory/5060-1123-0x000000001BB60000-0x000000001BB70000-memory.dmp

Filesize
64KB

Download
memory/5060-869-0x00007FF8680C0000-0x00007FF86817E000-memory.dmp

Filesize
760KB

Download
memory/5060-871-0x00007FF868090000-0x00007FF868091000-memory.dmp

Filesize
4KB

Download
memory/5060-1165-0x00007FF8680C0000-0x00007FF86817E000-memory.dmp

Filesize
760KB

Download
memory/5060-1168-0x00007FF8495B0000-0x00007FF84A071000-memory.dmp

Filesize
10.8MB

Download
memory/5060-795-0x00007FF8680C0000-0x00007FF86817E000-memory.dmp

Filesize
760KB

Download
memory/5060-878-0x00007FF868080000-0x00007FF868081000-memory.dmp

Filesize
4KB

Download
memory/5060-873-0x000000001BB10000-0x000000001BB28000-memory.dmp

Filesize
96KB

Download
memory/5060-870-0x000000001BD70000-0x000000001BDC0000-memory.dmp

Filesize
320KB

Download
memory/5060-862-0x00007FF8680C0000-0x00007FF86817E000-memory.dmp

Filesize
760KB

Download
memory/5060-860-0x000000001BAF0000-0x000000001BB0C000-memory.dmp

Filesize
112KB

Download
memory/5060-845-0x000000001BA80000-0x000000001BA8E000-memory.dmp

Filesize
56KB

Download
memory/5060-847-0x00007FF8680B0000-0x00007FF8680B1000-memory.dmp

Filesize
4KB

Download
memory/5060-781-0x000000001BB60000-0x000000001BB70000-memory.dmp

Filesize
64KB

Download
memory/5060-773-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/5060-772-0x00007FF8495B0000-0x00007FF84A071000-memory.dmp

Filesize
10.8MB

Download
memory/5264-1075-0x000001FBB1A00000-0x000001FBB1A20000-memory.dmp

Filesize
128KB

Download