amadey | 71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5.exe
Size

1.8MB
MD5

2063ad6746859ba2896e6d3bc7082fbc
SHA1

f29d5bca4a5c61ba291be6cff88a46d5ac3babd0
SHA256

71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5
SHA512

1f1cdaf3cacced639f8d5e60a11ed515b52d7687032dd27bd41e0e42c15f2a226dbe4f8735f689a13dbb1eba112dfebbb237601e21af65e7f1f4d08b21720ae0
SSDEEP

49152:7Vel+D6aTiNJ68++EcPsRq+jkFSXc1wEoIJuL:7Yq723pEcmq+jhcqRL

Score

10^/10

amadey lumma stealc 9c9aa5 mars credential_access discovery evasion execution persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

https://powerful-avoids.sbs

https://motion-treesz.sbs

https://disobey-curly.sbs

https://leg-sate-boat.sbs

https://story-tense-faz.sbs

https://blade-govern.sbs

https://occupy-blushi.sbs

https://frogs-severz.sbs

https://push-hook.cyou

https://property-imper.sbs

Extracted

Family

stealc

Botnet

mars

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

lumma

https://push-hook.cyou/api

https://blade-govern.sbs/api

https://story-tense-faz.sbs/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	1dac828ac6.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1dac828ac6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	154e0d4b5e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9091806aa1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	666659c89f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2608	chrome.exe
1464	chrome.exe
1884	chrome.exe
2172	chrome.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	666659c89f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1dac828ac6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	154e0d4b5e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	154e0d4b5e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9091806aa1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	666659c89f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9091806aa1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1dac828ac6.exe

Executes dropped EXE 10 IoCs

pid	Process
2544	skotes.exe
2932	vg9qcBa.exe
2532	vg9qcBa.exe
2200	VBVEd6f.exe
2268	filer.exe
2308	1dac828ac6.exe
536	154e0d4b5e.exe
1648	9091806aa1.exe
1744	76195c6736.exe
1800	666659c89f.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	1dac828ac6.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	154e0d4b5e.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	9091806aa1.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	666659c89f.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	skotes.exe

Loads dropped DLL 14 IoCs

pid	Process
2772	71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5.exe
2772	71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5.exe
2544	skotes.exe
2544	skotes.exe
2932	vg9qcBa.exe
2544	skotes.exe
2544	skotes.exe
2544	skotes.exe
2544	skotes.exe
2544	skotes.exe
2544	skotes.exe
2544	skotes.exe
2544	skotes.exe
2544	skotes.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\154e0d4b5e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009394001\\154e0d4b5e.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\9091806aa1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009395001\\9091806aa1.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\76195c6736.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009396001\\76195c6736.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\666659c89f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009397001\\666659c89f.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000500000001a345-654.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2772	71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5.exe
2544	skotes.exe
2308	1dac828ac6.exe
536	154e0d4b5e.exe
1648	9091806aa1.exe
1800	666659c89f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2932 set thread context of 2532	2932	vg9qcBa.exe	34

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2808	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1dac828ac6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	154e0d4b5e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9091806aa1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76195c6736.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	666659c89f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vg9qcBa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VBVEd6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vg9qcBa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	VBVEd6f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	VBVEd6f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2020	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
636	taskkill.exe
2972	taskkill.exe
2592	taskkill.exe
1836	taskkill.exe
2464	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	VBVEd6f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	VBVEd6f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	VBVEd6f.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2772	71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5.exe
2544	skotes.exe
2200	VBVEd6f.exe
2808	powershell.exe
2200	VBVEd6f.exe
2608	chrome.exe
2608	chrome.exe
2200	VBVEd6f.exe
2308	1dac828ac6.exe
2308	1dac828ac6.exe
2308	1dac828ac6.exe
2308	1dac828ac6.exe
2308	1dac828ac6.exe
2308	1dac828ac6.exe
536	154e0d4b5e.exe
1648	9091806aa1.exe
1744	76195c6736.exe
1744	76195c6736.exe
1800	666659c89f.exe
1800	666659c89f.exe
1800	666659c89f.exe
1800	666659c89f.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	2200	firefox.exe
Token: SeDebugPrivilege	2200	firefox.exe
Token: SeDebugPrivilege	1800	666659c89f.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
2772	71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
1744	76195c6736.exe
1744	76195c6736.exe
1744	76195c6736.exe
1744	76195c6736.exe
1744	76195c6736.exe
2200	firefox.exe
2200	firefox.exe
2200	firefox.exe
2200	firefox.exe
1744	76195c6736.exe
1744	76195c6736.exe
1744	76195c6736.exe
1744	76195c6736.exe
1744	76195c6736.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
1744	76195c6736.exe
1744	76195c6736.exe
1744	76195c6736.exe
1744	76195c6736.exe
1744	76195c6736.exe
2200	firefox.exe
2200	firefox.exe
2200	firefox.exe
1744	76195c6736.exe
1744	76195c6736.exe
1744	76195c6736.exe
1744	76195c6736.exe
1744	76195c6736.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2544	2772	71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5.exe	30
PID 2772 wrote to memory of 2544	2772	71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5.exe	30
PID 2772 wrote to memory of 2544	2772	71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5.exe	30
PID 2772 wrote to memory of 2544	2772	71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5.exe	30
PID 2544 wrote to memory of 2932	2544	skotes.exe	32
PID 2544 wrote to memory of 2932	2544	skotes.exe	32
PID 2544 wrote to memory of 2932	2544	skotes.exe	32
PID 2544 wrote to memory of 2932	2544	skotes.exe	32
PID 2932 wrote to memory of 2532	2932	vg9qcBa.exe	34
PID 2932 wrote to memory of 2532	2932	vg9qcBa.exe	34
PID 2932 wrote to memory of 2532	2932	vg9qcBa.exe	34
PID 2932 wrote to memory of 2532	2932	vg9qcBa.exe	34
PID 2932 wrote to memory of 2532	2932	vg9qcBa.exe	34
PID 2932 wrote to memory of 2532	2932	vg9qcBa.exe	34
PID 2932 wrote to memory of 2532	2932	vg9qcBa.exe	34
PID 2932 wrote to memory of 2532	2932	vg9qcBa.exe	34
PID 2932 wrote to memory of 2532	2932	vg9qcBa.exe	34
PID 2932 wrote to memory of 2532	2932	vg9qcBa.exe	34
PID 2932 wrote to memory of 2532	2932	vg9qcBa.exe	34
PID 2544 wrote to memory of 2200	2544	skotes.exe	36
PID 2544 wrote to memory of 2200	2544	skotes.exe	36
PID 2544 wrote to memory of 2200	2544	skotes.exe	36
PID 2544 wrote to memory of 2200	2544	skotes.exe	36
PID 2544 wrote to memory of 2808	2544	skotes.exe	38
PID 2544 wrote to memory of 2808	2544	skotes.exe	38
PID 2544 wrote to memory of 2808	2544	skotes.exe	38
PID 2544 wrote to memory of 2808	2544	skotes.exe	38
PID 2200 wrote to memory of 2608	2200	VBVEd6f.exe	40
PID 2200 wrote to memory of 2608	2200	VBVEd6f.exe	40
PID 2200 wrote to memory of 2608	2200	VBVEd6f.exe	40
PID 2200 wrote to memory of 2608	2200	VBVEd6f.exe	40
PID 2608 wrote to memory of 2928	2608	chrome.exe	41
PID 2608 wrote to memory of 2928	2608	chrome.exe	41
PID 2608 wrote to memory of 2928	2608	chrome.exe	41
PID 2608 wrote to memory of 588	2608	chrome.exe	42
PID 2608 wrote to memory of 588	2608	chrome.exe	42
PID 2608 wrote to memory of 588	2608	chrome.exe	42
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43
PID 2608 wrote to memory of 1432	2608	chrome.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5.exe
"C:\Users\Admin\AppData\Local\Temp\71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\1009238001\vg9qcBa.exe
    "C:\Users\Admin\AppData\Local\Temp\1009238001\vg9qcBa.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\1009238001\vg9qcBa.exe
      "C:\Users\Admin\AppData\Local\Temp\1009238001\vg9qcBa.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2532
- - C:\Users\Admin\AppData\Local\Temp\1009342001\VBVEd6f.exe
    "C:\Users\Admin\AppData\Local\Temp\1009342001\VBVEd6f.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6c79758,0x7fef6c79768,0x7fef6c79778
        5⤵
        
        PID:2928
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:588
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1248,i,6631383590954305675,12810466976656253361,131072 /prefetch:2
        5⤵
        
        PID:1432
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1248,i,6631383590954305675,12810466976656253361,131072 /prefetch:8
        5⤵
        
        PID:2204
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 --field-trial-handle=1248,i,6631383590954305675,12810466976656253361,131072 /prefetch:8
        5⤵
        
        PID:2392
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2244 --field-trial-handle=1248,i,6631383590954305675,12810466976656253361,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1884
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2260 --field-trial-handle=1248,i,6631383590954305675,12810466976656253361,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1464
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1380 --field-trial-handle=1248,i,6631383590954305675,12810466976656253361,131072 /prefetch:2
        5⤵
        
        PID:1512
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2168 --field-trial-handle=1248,i,6631383590954305675,12810466976656253361,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2172
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3644 --field-trial-handle=1248,i,6631383590954305675,12810466976656253361,131072 /prefetch:8
        5⤵
        
        PID:3000
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1009342001\VBVEd6f.exe" & rd /s /q "C:\ProgramData\AKEGHIJJEHJD" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:2548
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1009351041\PeRVAzl.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Users\Admin\AppData\Local\Temp\1009384001\filer.exe
    "C:\Users\Admin\AppData\Local\Temp\1009384001\filer.exe"
    3⤵
    - Executes dropped EXE
    PID:2268
- - C:\Users\Admin\AppData\Local\Temp\1009393001\1dac828ac6.exe
    "C:\Users\Admin\AppData\Local\Temp\1009393001\1dac828ac6.exe"
    3⤵
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2308
- - C:\Users\Admin\AppData\Local\Temp\1009394001\154e0d4b5e.exe
    "C:\Users\Admin\AppData\Local\Temp\1009394001\154e0d4b5e.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:536
- - C:\Users\Admin\AppData\Local\Temp\1009395001\9091806aa1.exe
    "C:\Users\Admin\AppData\Local\Temp\1009395001\9091806aa1.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1648
- - C:\Users\Admin\AppData\Local\Temp\1009396001\76195c6736.exe
    "C:\Users\Admin\AppData\Local\Temp\1009396001\76195c6736.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1744
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2464
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:636
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1836
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:1512
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2200
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.0.998856251\1183629384" -parentBuildID 20221007134813 -prefsHandle 1240 -prefMapHandle 1232 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e387bf9-3563-46c1-87c1-c2271d78b86d} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 1320 100d6158 gpu
        6⤵
        
        PID:716
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.1.1348238387\1660593092" -parentBuildID 20221007134813 -prefsHandle 1536 -prefMapHandle 1516 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {361e6987-bdfd-456f-92bb-730b6c1b98a8} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 1548 42eb258 socket
        6⤵
        
        PID:1560
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.2.2098706005\1399170375" -childID 1 -isForBrowser -prefsHandle 1968 -prefMapHandle 1964 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {379e0b75-e87b-4199-8668-51df4c56c196} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 1980 198ba558 tab
        6⤵
        
        PID:1676
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.3.1341194033\1296403506" -childID 2 -isForBrowser -prefsHandle 2660 -prefMapHandle 2656 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd7f4aaf-dcf2-4fa7-b6e8-93c13d3b4f55} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 1708 d63658 tab
        6⤵
        
        PID:2536
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.4.322406578\2133202068" -childID 3 -isForBrowser -prefsHandle 3764 -prefMapHandle 3760 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d0117df-bcf0-4992-a564-c0577242dcb4} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 3776 1f118058 tab
        6⤵
        
        PID:2276
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.5.39629498\1026077443" -childID 4 -isForBrowser -prefsHandle 3880 -prefMapHandle 3884 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab812b3f-3ca8-4ed8-b9ec-5b2a7ea03006} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 3868 1f158558 tab
        6⤵
        
        PID:1612
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.6.610769382\1982839838" -childID 5 -isForBrowser -prefsHandle 4056 -prefMapHandle 4060 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a335d447-7a77-4064-af6e-99ad9ab19d57} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 4048 1f15ac58 tab
        6⤵
        
        PID:2856
- - C:\Users\Admin\AppData\Local\Temp\1009397001\666659c89f.exe
    "C:\Users\Admin\AppData\Local\Temp\1009397001\666659c89f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1800

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2061ce0154a72a40422d9363c1b8e06b

SHA1
952dd1b480c8cfa5158b11052d634082c7c22a30

SHA256
535c2d98aee194ff4b2a59402e739e029295533864282611e69c32e3a0651c91

SHA512
392a62941b6046f6e408ff7443602025b95274bea36613e03c324e7f1f02c8744d26ece29e23f50f7b4966ebf30945b9e306d8d989e40aff88c7add638608328

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
f6f78008e67a38bbb1b0880d5dbc2903

SHA1
de239b9bde6617753bc83bede77fb9c6dfbfddd7

SHA256
f22d919a334b411cb6ee8a722e33a0ac0d72cabd35532e9485bdc3f85638e94a

SHA512
bb8b548e0d07b088eccad1615be7fbf518fe323834749e440d262f09384f883fe5dbb9f7478aee5112b359e31c436b5d45416c408fd1dea54d78874c10303653

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
13KB

MD5
f99b4984bd93547ff4ab09d35b9ed6d5

SHA1
73bf4d313cb094bb6ead04460da9547106794007

SHA256
402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069

SHA512
cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

Download Submit
C:\Users\Admin\AppData\Local\Temp\1009238001\vg9qcBa.exe

Filesize
460KB

MD5
20160349422aeb131ed9da71a82eb7ab

SHA1
bb01e4225a1e1797c9b5858d0edf063d5f8bc44f

SHA256
d8f6ce51eba058276c4722747655b68711682afc5654414e8c195ada38fdc0ea

SHA512
907f3f61ac9ebeda534b3a330fd8673e8d09b243847b6a7a8d8d30f74ba8c699eafb8338a8d4f36824871609c1f226cb4db1e4a931fdf312f0e4331e7110c6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1009278001\DPQSEDd.exe

Filesize
30B

MD5
aba880e8d68c1ddc29af3b2fdb32a896

SHA1
8611c3e60d702e34f17a00e15f0ba4253ef00179

SHA256
a2ec5866c667c1261f906973133c39b1889db748852275ce9aa4a410e360fbd3

SHA512
36727e71873a241207283576279f7bc14ec67c92c09a3661a4e248a32dfd7a3f3ac44d031906b0547ec67ab171470bd129a9b7623a0f708d9214bf12b399282c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1009342001\VBVEd6f.exe

Filesize
409KB

MD5
4ea576c1e8f58201fd4219a86665eaa9

SHA1
efaf3759b04ee0216254cf07095d52b110c7361f

SHA256
d94206d9509cc47cae22c94d32658b31cf65c37b1b15ce035ffaa5ce5872ad2f

SHA512
0c7462bc590d06f0ead37246f189d4d56e1d62ff73f67bf7e2ce9c653d8c56812a5f1306fb504168f7e33b87485c3465ea921a36f1ba5b458d7763e45c649494

Download Submit
C:\Users\Admin\AppData\Local\Temp\1009351041\PeRVAzl.ps1

Filesize
3.0MB

MD5
2b918bf4566595e88a664111ce48b161

SHA1
e32fbdf64bb71dc870bfad9bbd571f11c6a723f4

SHA256
48492827286d403668996ae3814b2216b3b616f2fb4af2022bf3d2fc3f979a26

SHA512
e3d58adbe13befe91fb950cc52b16d6d2fcb8f6d65bab4020222713207b07ce78b76e2e2532cf3de23149e934ba1e1cb9046a95a18424a668bfa4a355af6f44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1009384001\filer.exe

Filesize
25.7MB

MD5
9096f57fa44b8f20eebf2008a9598eec

SHA1
42128a72a214368618f5693df45b901232f80496

SHA256
f4e2eeea7e5db511bfca33ffd1e26bce5d72e2a381e84bf3700938eb404f7934

SHA512
ad29f94040532ab78679ec9e50d58d8ccef3f99d5ab53ef7c654527b9b2634da4c44375b2ca2d54a83d1dd1e0fa9b1d1a13241ffe0328bea07740166927521b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1009393001\1dac828ac6.exe

Filesize
4.3MB

MD5
f5776b965778a92b20d7cdcc3ed87b8a

SHA1
1b5a38a9d6b40243306672d8beba4bd38081788e

SHA256
ae296c763a4d1175347ff21ca6b2fe38bbd3f5680be48bd20a27461fcd1632e5

SHA512
b3ee8f35314f237087c8b1d43b0771384e20f2f0a40c3c0d4d064f1b3e5a6fb7986c169a7d7c313f08e0600e03257516bf8ea9c47c5f16c671aeb266b365c911

Download Submit
C:\Users\Admin\AppData\Local\Temp\1009394001\154e0d4b5e.exe

Filesize
1.8MB

MD5
f33c80d517734dd30771a89966179c74

SHA1
da1b46cda41ca6d75753e2efaedb300d0a0ec6e9

SHA256
1dcc039596d3f58e24e1d12ee64d51eb569f157689c3cb6ada3c2e932d314719

SHA512
beeb262db01c7754c88d78ab1ddb3e3d588efec05d5b253003645ae9060e3f728b08d6551db0092d1abe02cda429c0b2cf8aefc7a64c1e845685d61a6f7e3c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\1009395001\9091806aa1.exe

Filesize
1.7MB

MD5
6b1c2cd2ec903e7deafeebde9bf8fa76

SHA1
86e42568bc553434de430649f85c804e820b244f

SHA256
5f23080097579060ce2606e5980045eacc19bf835e94a0d3a4691b55160cc4a8

SHA512
2bc748c350b61d27dbb31afe2a68e467e4839ef5216f2574106322f3350cd14baa9a84f669cc2c818dae3d43aec69c40dc3d836342aec5c39af0afff4b0cfaa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1009396001\76195c6736.exe

Filesize
901KB

MD5
b14552016d4a0e1ced552484abddd6ac

SHA1
f1bc41839dfa15df8b5e03a4598d6e40751c352b

SHA256
f16f08a83223ee763f2b77189009796bfed2ba29dafdadeb6e908759bee80ad1

SHA512
d90d5537481bbb40fee4858f479f487d4d03fff891c20d38dc90edff5538e30185e67210d30f3e6d012f016c695259e9d876981cc760bf4c19f407e56286a1e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1009397001\666659c89f.exe

Filesize
2.7MB

MD5
4136b00434fc0d432a02c695772d4a0d

SHA1
ba1a5e923bff50ff8a5ca73c04974ff1cf5ede3e

SHA256
4a52cfc3f9a089248ff9476810d130863f0913684a321a7338e985f0b84183ef

SHA512
602ffbb8fe4eb23ec92bc6de447cfbf0acc8f57f0d6cde28136db19a930063a591ae7c2c07f7f3805f412edea2db4b45935d66ede764221170515ac256dec468

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab23B8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar23DB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
129882038b3733c30760ea454f632cc4

SHA1
6bf192c092625c79950256b1e8a29d4d100d4a75

SHA256
9213b64909d3645c4e3dec5366fe884079b8282ed8e76b1b628b1b11e8269a8e

SHA512
cb6267ba3bc7fb651a70543647d5e2996ea2c84c39a7e04d3e7b33e35d381a7915f8b8743dcf060a00b8d2e330604a546432bce8a06d1b867ac979060427450a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
b0c37d468e492729a6cc7e826bec1880

SHA1
e839433dc434d0eecefb03d023ba73af10c76e7b

SHA256
f71238131381a1835960ee52c4a8c140dde4682002859d1157b3226c5ada7b64

SHA512
39387593a769dd12b36bde38e9cb985deeb99f68800d542acd7efb9d50f334f078b1e2a6a730029c7f0053b9eb6de7a57b343f877fa38e4c38373e5881cace42

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\6e217caa-d545-44a0-be86-824266c7f5d1

Filesize
12KB

MD5
bba566e7fd4fb106d7a60a37bce8b50e

SHA1
c0b8aa5aed23ca2147639d3536badadab4082ef5

SHA256
2a4acb3b970eff4691afc8efa471a0936e1e2fdc6852b03a5c7f056b85604818

SHA512
99f75fe3a7986c0616dfd14784bdd40d64130026d4e897c984b9361ebc93b3f8205f27b79edbba2437f17d294a456fb3703b8f24cc728da937ea5b17f4e1722f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\ef22b0d8-da7c-4ca6-9595-60f82db6e235

Filesize
745B

MD5
26e63613af64729e9e961d70b61cf7d9

SHA1
8402e3efe574e871e952fc5e5e52c5cd6808c1ba

SHA256
1f92939a5f4386dd122833b91a8b0fb351492402572c2797dbc5e93a8cb0842d

SHA512
4fddc1fc92b3458ee3be12d4cbe560628815ea3f94d72fbe27847d03c50e466b6be591a5614a8759e402b00af6f95f572b43f3beb39f7377c923be8ec5658afe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs-1.js

Filesize
6KB

MD5
b7a8464401dabc895791defccc3bd640

SHA1
0ddb2f0275509373d73ee37a6c6c867b53c6bb0f

SHA256
41bc9ad0e526835ea99a56a3ed11fdee00b7dbd2f2576dd07a29269029696f09

SHA512
56e4afdfedcd0a542dbfc1f99985dd966a267e05f7357f50c6916910173158ff857eeae092d6d9a5d9ea2282ee1df012eb47ee9681fc75299b649cb0ef9c94e6

Download Submit
\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
1.8MB

MD5
2063ad6746859ba2896e6d3bc7082fbc

SHA1
f29d5bca4a5c61ba291be6cff88a46d5ac3babd0

SHA256
71d1727ceeca04f6de46c377c3d94fe31de439e31454e320a7823c9aca1d82d5

SHA512
1f1cdaf3cacced639f8d5e60a11ed515b52d7687032dd27bd41e0e42c15f2a226dbe4f8735f689a13dbb1eba112dfebbb237601e21af65e7f1f4d08b21720ae0

Download Submit
memory/536-630-0x0000000001250000-0x0000000001709000-memory.dmp

Filesize
4.7MB

Download
memory/536-626-0x0000000001250000-0x0000000001709000-memory.dmp

Filesize
4.7MB

Download
memory/1648-649-0x00000000009D0000-0x000000000106D000-memory.dmp

Filesize
6.6MB

Download
memory/1648-648-0x00000000009D0000-0x000000000106D000-memory.dmp

Filesize
6.6MB

Download
memory/1800-838-0x0000000000B10000-0x0000000000DC6000-memory.dmp

Filesize
2.7MB

Download
memory/1800-839-0x0000000000B10000-0x0000000000DC6000-memory.dmp

Filesize
2.7MB

Download
memory/1800-837-0x0000000000B10000-0x0000000000DC6000-memory.dmp

Filesize
2.7MB

Download
memory/2200-573-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/2200-90-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/2268-594-0x000000013F1C0000-0x0000000140BE1000-memory.dmp

Filesize
26.1MB

Download
memory/2308-629-0x0000000000840000-0x00000000014C2000-memory.dmp

Filesize
12.5MB

Download
memory/2308-631-0x0000000000840000-0x00000000014C2000-memory.dmp

Filesize
12.5MB

Download
memory/2308-830-0x0000000000840000-0x00000000014C2000-memory.dmp

Filesize
12.5MB

Download
memory/2308-610-0x0000000000840000-0x00000000014C2000-memory.dmp

Filesize
12.5MB

Download
memory/2308-663-0x0000000000840000-0x00000000014C2000-memory.dmp

Filesize
12.5MB

Download
memory/2532-46-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2532-59-0x0000000000C30000-0x0000000000CA6000-memory.dmp

Filesize
472KB

Download
memory/2532-57-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2532-54-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2532-50-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2532-51-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2532-47-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2532-49-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2532-48-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2532-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2544-628-0x0000000006760000-0x00000000073E2000-memory.dmp

Filesize
12.5MB

Download
memory/2544-430-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-574-0x0000000006250000-0x00000000064BD000-memory.dmp

Filesize
2.4MB

Download
memory/2544-575-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-576-0x0000000006250000-0x00000000064BD000-memory.dmp

Filesize
2.4MB

Download
memory/2544-578-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-69-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-68-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-595-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-516-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-609-0x0000000006760000-0x00000000073E2000-memory.dmp

Filesize
12.5MB

Download
memory/2544-58-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-611-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-515-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-624-0x0000000006760000-0x0000000006C19000-memory.dmp

Filesize
4.7MB

Download
memory/2544-835-0x0000000006140000-0x00000000063F6000-memory.dmp

Filesize
2.7MB

Download
memory/2544-88-0x0000000006250000-0x00000000064BD000-memory.dmp

Filesize
2.4MB

Download
memory/2544-514-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-513-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-512-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-632-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-80-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-646-0x0000000006760000-0x0000000006C19000-memory.dmp

Filesize
4.7MB

Download
memory/2544-86-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-647-0x0000000006760000-0x0000000006DFD000-memory.dmp

Filesize
6.6MB

Download
memory/2544-317-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-89-0x0000000006250000-0x00000000064BD000-memory.dmp

Filesize
2.4MB

Download
memory/2544-20-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-26-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-24-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2544-23-0x0000000000E81000-0x0000000000EAF000-memory.dmp

Filesize
184KB

Download
memory/2544-767-0x0000000000E80000-0x000000000133B000-memory.dmp

Filesize
4.7MB

Download
memory/2772-19-0x0000000006D80000-0x000000000723B000-memory.dmp

Filesize
4.7MB

Download
memory/2772-22-0x0000000000D50000-0x000000000120B000-memory.dmp

Filesize
4.7MB

Download
memory/2772-18-0x0000000006D80000-0x000000000723B000-memory.dmp

Filesize
4.7MB

Download
memory/2772-10-0x0000000000D50000-0x000000000120B000-memory.dmp

Filesize
4.7MB

Download
memory/2772-5-0x0000000000D50000-0x000000000120B000-memory.dmp

Filesize
4.7MB

Download
memory/2772-3-0x0000000000D50000-0x000000000120B000-memory.dmp

Filesize
4.7MB

Download
memory/2772-0-0x0000000000D50000-0x000000000120B000-memory.dmp

Filesize
4.7MB

Download
memory/2772-2-0x0000000000D51000-0x0000000000D7F000-memory.dmp

Filesize
184KB

Download
memory/2772-1-0x00000000775D0000-0x00000000775D2000-memory.dmp

Filesize
8KB

Download
memory/2932-44-0x0000000000C52000-0x0000000000C53000-memory.dmp

Filesize
4KB

Download