amadey | ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
Size

3.1MB
MD5

2b3dca9f3f8f7b379021a041b731aed3
SHA1

e8fc7d977c0a76e25b1e69f4398a10fef83918d0
SHA256

ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24
SHA512

ce65473353253347788ed1d0641a6c6a3be815c50bd1046c1aa8bf827f48c0f09b61560f3aa3eeb8f641afa6d7a870dd68834615b3fe81b6f62a9ffee946f98a
SSDEEP

49152:QGzTfwucejjjsjgACxGnlEaX+IWYxR8SJe2cC9/1+F0U:Bzb20jIjgACxNyWCR8S42cC9/1+z

Score

10^/10

amadey asyncrat dcrat lumma stealc stormkitty 9c9aa5 stok credential_access discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://atten-supporse.biz/api

Extracted

Family

stealc

Botnet

stok

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

lumma

https://atten-supporse.biz/api

https://se-blurry.biz/api

https://zinc-sneark.biz/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4596-1265-0x0000000000910000-0x0000000000C14000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1016 created 3492	1016	callmobile.exe	56
PID 3264 created 3492	3264	callmobile.exe	56

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x000c000000023ba9-1308.dat	family_dcrat_v2
behavioral2/memory/4540-1316-0x0000000000B20000-0x0000000000CC8000-memory.dmp	family_dcrat_v2

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0tClIDb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	130815dce2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f4f14dad19.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5540	msedge.exe
5320	msedge.exe
3704	chrome.exe
5280	chrome.exe
5316	chrome.exe
2684	msedge.exe
4104	msedge.exe
5704	chrome.exe
2368	chrome.exe
5784	msedge.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0tClIDb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0tClIDb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f4f14dad19.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	130815dce2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f4f14dad19.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	130815dce2.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wTMEVe8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7b3Zcx8cIC.exe

Executes dropped EXE 19 IoCs

pid	Process
876	skotes.exe
4836	B3vKvPi.exe
1016	callmobile.exe
4284	0tClIDb.exe
4460	skotes.exe
1072	wTMEVe8.exe
1196	wTMEVe8.exe
4028	wTMEVe8.exe
2192	aH5dIifHpA.exe
4540	7b3Zcx8cIC.exe
3428	Wihnup.exe
1248	spoolsv.exe
3464	ntRoEwh.exe
3264	callmobile.exe
2340	130815dce2.exe
3428	skotes.exe
648	f4f14dad19.exe
1532	0d7e86b45f.exe
5948	Wihnup.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	0tClIDb.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	130815dce2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	f4f14dad19.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	B3vKvPi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ntRoEwh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\130815dce2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013240001\\130815dce2.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f4f14dad19.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013241001\\f4f14dad19.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0d7e86b45f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013242001\\0d7e86b45f.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000001e45a-2668.dat	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cs-CZ\SppExtComObj.exe	7b3Zcx8cIC.exe
File created	C:\Windows\SysWOW64\cs-CZ\e1ef82546f0b02	7b3Zcx8cIC.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
3100	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
876	skotes.exe
4284	0tClIDb.exe
4460	skotes.exe
2340	130815dce2.exe
3428	skotes.exe
648	f4f14dad19.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1016 set thread context of 4596	1016	callmobile.exe	101
PID 1072 set thread context of 4028	1072	wTMEVe8.exe	111
PID 3264 set thread context of 2416	3264	callmobile.exe	165

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\7a0fd90576e088	7b3Zcx8cIC.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe	7b3Zcx8cIC.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe	7b3Zcx8cIC.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\5b884080fd4f94	7b3Zcx8cIC.exe
File created	C:\Program Files (x86)\Google\Temp\explorer.exe	7b3Zcx8cIC.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
File created	C:\Windows\Web\4K\spoolsv.exe	7b3Zcx8cIC.exe
File created	C:\Windows\Web\4K\f3b6ecef712a24	7b3Zcx8cIC.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2824	4284	WerFault.exe	94
2040	4284	WerFault.exe	94
4260	2340	WerFault.exe	124
3876	2340	WerFault.exe	124

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wTMEVe8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	callmobile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	callmobile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0tClIDb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wihnup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d7e86b45f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4f14dad19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	0d7e86b45f.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	0d7e86b45f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wTMEVe8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	130815dce2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f4f14dad19.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f4f14dad19.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4924	timeout.exe
1436	timeout.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1832	taskkill.exe
2164	taskkill.exe
4256	taskkill.exe
1684	taskkill.exe
2788	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133781559883658161"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	7b3Zcx8cIC.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
404	schtasks.exe
4088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3100	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
3100	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
876	skotes.exe
876	skotes.exe
4284	0tClIDb.exe
4284	0tClIDb.exe
4460	skotes.exe
4460	skotes.exe
1016	callmobile.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe
4540	7b3Zcx8cIC.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
5784	msedge.exe
5784	msedge.exe
5784	msedge.exe
5784	msedge.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	1016	callmobile.exe
Token: SeDebugPrivilege	1016	callmobile.exe
Token: SeDebugPrivilege	4596	MSBuild.exe
Token: SeDebugPrivilege	4540	7b3Zcx8cIC.exe
Token: SeDebugPrivilege	1248	spoolsv.exe
Token: SeDebugPrivilege	3264	callmobile.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeDebugPrivilege	4256	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	2104	firefox.exe
Token: SeDebugPrivilege	2104	firefox.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeDebugPrivilege	3264	callmobile.exe
Token: SeDebugPrivilege	2416	MSBuild.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1532	0d7e86b45f.exe
1532	0d7e86b45f.exe
1532	0d7e86b45f.exe
1532	0d7e86b45f.exe
1532	0d7e86b45f.exe
1532	0d7e86b45f.exe
1532	0d7e86b45f.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
1532	0d7e86b45f.exe
1532	0d7e86b45f.exe
1532	0d7e86b45f.exe
1532	0d7e86b45f.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
5784	msedge.exe
5784	msedge.exe
5784	msedge.exe
5784	msedge.exe
5784	msedge.exe
5784	msedge.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
1532	0d7e86b45f.exe
1532	0d7e86b45f.exe
1532	0d7e86b45f.exe
1532	0d7e86b45f.exe
1532	0d7e86b45f.exe
1532	0d7e86b45f.exe
1532	0d7e86b45f.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
1532	0d7e86b45f.exe
1532	0d7e86b45f.exe
1532	0d7e86b45f.exe
1532	0d7e86b45f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2104	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 876	3100	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe	82
PID 3100 wrote to memory of 876	3100	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe	82
PID 3100 wrote to memory of 876	3100	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe	82
PID 876 wrote to memory of 4836	876	skotes.exe	88
PID 876 wrote to memory of 4836	876	skotes.exe	88
PID 4836 wrote to memory of 1016	4836	B3vKvPi.exe	89
PID 4836 wrote to memory of 1016	4836	B3vKvPi.exe	89
PID 4836 wrote to memory of 1016	4836	B3vKvPi.exe	89
PID 876 wrote to memory of 4284	876	skotes.exe	94
PID 876 wrote to memory of 4284	876	skotes.exe	94
PID 876 wrote to memory of 4284	876	skotes.exe	94
PID 1016 wrote to memory of 4596	1016	callmobile.exe	101
PID 1016 wrote to memory of 4596	1016	callmobile.exe	101
PID 1016 wrote to memory of 4596	1016	callmobile.exe	101
PID 1016 wrote to memory of 4596	1016	callmobile.exe	101
PID 1016 wrote to memory of 4596	1016	callmobile.exe	101
PID 1016 wrote to memory of 4596	1016	callmobile.exe	101
PID 1016 wrote to memory of 4596	1016	callmobile.exe	101
PID 1016 wrote to memory of 4596	1016	callmobile.exe	101
PID 4596 wrote to memory of 2024	4596	MSBuild.exe	102
PID 4596 wrote to memory of 2024	4596	MSBuild.exe	102
PID 4596 wrote to memory of 2024	4596	MSBuild.exe	102
PID 4596 wrote to memory of 2272	4596	MSBuild.exe	103
PID 4596 wrote to memory of 2272	4596	MSBuild.exe	103
PID 4596 wrote to memory of 2272	4596	MSBuild.exe	103
PID 2272 wrote to memory of 1436	2272	cmd.exe	107
PID 2272 wrote to memory of 1436	2272	cmd.exe	107
PID 2272 wrote to memory of 1436	2272	cmd.exe	107
PID 2024 wrote to memory of 404	2024	cmd.exe	106
PID 2024 wrote to memory of 404	2024	cmd.exe	106
PID 2024 wrote to memory of 404	2024	cmd.exe	106
PID 876 wrote to memory of 1072	876	skotes.exe	108
PID 876 wrote to memory of 1072	876	skotes.exe	108
PID 876 wrote to memory of 1072	876	skotes.exe	108
PID 1072 wrote to memory of 1196	1072	wTMEVe8.exe	110
PID 1072 wrote to memory of 1196	1072	wTMEVe8.exe	110
PID 1072 wrote to memory of 1196	1072	wTMEVe8.exe	110
PID 1072 wrote to memory of 4028	1072	wTMEVe8.exe	111
PID 1072 wrote to memory of 4028	1072	wTMEVe8.exe	111
PID 1072 wrote to memory of 4028	1072	wTMEVe8.exe	111
PID 1072 wrote to memory of 4028	1072	wTMEVe8.exe	111
PID 1072 wrote to memory of 4028	1072	wTMEVe8.exe	111
PID 1072 wrote to memory of 4028	1072	wTMEVe8.exe	111
PID 1072 wrote to memory of 4028	1072	wTMEVe8.exe	111
PID 1072 wrote to memory of 4028	1072	wTMEVe8.exe	111
PID 1072 wrote to memory of 4028	1072	wTMEVe8.exe	111
PID 1072 wrote to memory of 4028	1072	wTMEVe8.exe	111
PID 4028 wrote to memory of 2192	4028	wTMEVe8.exe	112
PID 4028 wrote to memory of 2192	4028	wTMEVe8.exe	112
PID 4028 wrote to memory of 4540	4028	wTMEVe8.exe	114
PID 4028 wrote to memory of 4540	4028	wTMEVe8.exe	114
PID 2272 wrote to memory of 3428	2272	cmd.exe	115
PID 2272 wrote to memory of 3428	2272	cmd.exe	115
PID 2272 wrote to memory of 3428	2272	cmd.exe	115
PID 4540 wrote to memory of 372	4540	7b3Zcx8cIC.exe	117
PID 4540 wrote to memory of 372	4540	7b3Zcx8cIC.exe	117
PID 372 wrote to memory of 4100	372	cmd.exe	119
PID 372 wrote to memory of 4100	372	cmd.exe	119
PID 372 wrote to memory of 4180	372	cmd.exe	120
PID 372 wrote to memory of 4180	372	cmd.exe	120
PID 372 wrote to memory of 1248	372	cmd.exe	121
PID 372 wrote to memory of 1248	372	cmd.exe	121
PID 876 wrote to memory of 3464	876	skotes.exe	122
PID 876 wrote to memory of 3464	876	skotes.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
  "C:\Users\Admin\AppData\Local\Temp\ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\1013210001\B3vKvPi.exe
      "C:\Users\Admin\AppData\Local\Temp\1013210001\B3vKvPi.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4836
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\callmobile.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\callmobile.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\1013229001\0tClIDb.exe
      "C:\Users\Admin\AppData\Local\Temp\1013229001\0tClIDb.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4284
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1524
        5⤵
        Program crash
        
        PID:2824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1548
        5⤵
        Program crash
        
        PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\1013238001\wTMEVe8.exe
      "C:\Users\Admin\AppData\Local\Temp\1013238001\wTMEVe8.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1072
    - - C:\Users\Admin\AppData\Local\Temp\1013238001\wTMEVe8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013238001\wTMEVe8.exe"
        5⤵
        Executes dropped EXE
        
        PID:1196
    - - C:\Users\Admin\AppData\Local\Temp\1013238001\wTMEVe8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013238001\wTMEVe8.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4028
      - C:\Users\Admin\AppData\Roaming\aH5dIifHpA.exe
        
        "C:\Users\Admin\AppData\Roaming\aH5dIifHpA.exe"
        6⤵
        Executes dropped EXE
        
        PID:2192
      - C:\Users\Admin\AppData\Roaming\7b3Zcx8cIC.exe
        
        "C:\Users\Admin\AppData\Roaming\7b3Zcx8cIC.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TJ5g1y3XkU.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4180
        
        C:\Windows\Web\4K\spoolsv.exe
        
        "C:\Windows\Web\4K\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
  - - C:\Users\Admin\AppData\Local\Temp\1013239001\ntRoEwh.exe
      "C:\Users\Admin\AppData\Local\Temp\1013239001\ntRoEwh.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:3464
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\callmobile.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\callmobile.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3264
  - - C:\Users\Admin\AppData\Local\Temp\1013240001\130815dce2.exe
      "C:\Users\Admin\AppData\Local\Temp\1013240001\130815dce2.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:2340
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1496
        5⤵
        Program crash
        
        PID:4260
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1476
        5⤵
        Program crash
        
        PID:3876
  - - C:\Users\Admin\AppData\Local\Temp\1013241001\f4f14dad19.exe
      "C:\Users\Admin\AppData\Local\Temp\1013241001\f4f14dad19.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:648
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3704
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcf3e8cc40,0x7ffcf3e8cc4c,0x7ffcf3e8cc58
        6⤵
        
        PID:3532
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,18168031999589192489,2400483351494619805,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1888 /prefetch:2
        6⤵
        
        PID:1468
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,18168031999589192489,2400483351494619805,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:3
        6⤵
        
        PID:3428
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,18168031999589192489,2400483351494619805,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2360 /prefetch:8
        6⤵
        
        PID:1960
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,18168031999589192489,2400483351494619805,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5280
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,18168031999589192489,2400483351494619805,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3384 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5316
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4268,i,18168031999589192489,2400483351494619805,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4524 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5704
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4728,i,18168031999589192489,2400483351494619805,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4944 /prefetch:8
        6⤵
        
        PID:6132
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5044,i,18168031999589192489,2400483351494619805,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4944 /prefetch:8
        6⤵
        
        PID:888
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,18168031999589192489,2400483351494619805,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:8
        6⤵
        
        PID:5196
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4448,i,18168031999589192489,2400483351494619805,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5048 /prefetch:8
        6⤵
        
        PID:5620
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4444,i,18168031999589192489,2400483351494619805,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:8
        6⤵
        
        PID:5552
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5104,i,18168031999589192489,2400483351494619805,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5124 /prefetch:8
        6⤵
        
        PID:2132
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5268,i,18168031999589192489,2400483351494619805,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5276 /prefetch:2
        6⤵
        Uses browser remote debugging
        
        PID:2368
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:5784
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf3e946f8,0x7ffcf3e94708,0x7ffcf3e94718
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5816
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,9389458086595135535,12000321461667428604,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
        6⤵
        
        PID:5552
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,9389458086595135535,12000321461667428604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
        6⤵
        
        PID:728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,9389458086595135535,12000321461667428604,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
        6⤵
        
        PID:5184
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2076,9389458086595135535,12000321461667428604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2684
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2076,9389458086595135535,12000321461667428604,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2076,9389458086595135535,12000321461667428604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5540
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2076,9389458086595135535,12000321461667428604,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5320
  - - C:\Users\Admin\AppData\Local\Temp\1013242001\0d7e86b45f.exe
      "C:\Users\Admin\AppData\Local\Temp\1013242001\0d7e86b45f.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1532
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:3308
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        6⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {071ceb57-a696-48c3-972a-2364c9a983ea} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" gpu
        7⤵
        
        PID:5052
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5dac59ef-8c7b-494f-bce7-50ab3b485a7c} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" socket
        7⤵
        
        PID:2472
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3340 -childID 1 -isForBrowser -prefsHandle 3208 -prefMapHandle 3332 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f81d193-b0cc-4694-a911-ddaf61bc1e4f} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" tab
        7⤵
        
        PID:3676
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3836 -childID 2 -isForBrowser -prefsHandle 3828 -prefMapHandle 3824 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f9c45ef-90dc-46c5-9d67-44cf2d95ec9e} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" tab
        7⤵
        
        PID:3048
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2812 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4772 -prefMapHandle 4768 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b420409-892d-4d12-b3d6-76059fbf7df4} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" utility
        7⤵
        Checks processor information in registry
        
        PID:5208
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5380 -childID 3 -isForBrowser -prefsHandle 5420 -prefMapHandle 5416 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {943c22a8-8c12-4b8b-b044-abfa73d64b6e} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" tab
        7⤵
        
        PID:5868
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 4 -isForBrowser -prefsHandle 5060 -prefMapHandle 5328 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97adccdf-8ccf-4e2d-9a3d-da5e6bcc046b} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" tab
        7⤵
        
        PID:5880
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5736 -prefMapHandle 5740 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed428cb5-653d-4e37-bade-6b3021ea8edf} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" tab
        7⤵
        
        PID:5892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA217.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1436
  - - C:\Users\Admin\AppData\Roaming\Wihnup.exe
      "C:\Users\Admin\AppData\Roaming\Wihnup.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5660
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCE14.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6052
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4924
  - - C:\Users\Admin\AppData\Roaming\Wihnup.exe
      "C:\Users\Admin\AppData\Roaming\Wihnup.exe"
      4⤵
      Executes dropped EXE
      PID:5948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4284 -ip 4284
1⤵
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4284 -ip 4284
1⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2340 -ip 2340
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2340 -ip 2340
1⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3428

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DHJKJKKK

Filesize
114KB

MD5
d9f3a549453b94ec3a081feb24927cd7

SHA1
1af72767f6dfd1eaf78b899c3ad911cfa3cd09c8

SHA256
ff366f2cf27da8b95912968ac830f2db3823f77c342e73ee45ec335dbc2c1a73

SHA512
f48765c257e1539cacce536e4f757e3d06388a6e7e6c7f714c3fce2290ce7cdb5f0e8bb8db740b5899ba8b53e2ed8b47e08b0d043bb8df5a660841dc2c204029

Download Submit
C:\ProgramData\GCGIDGCGIEGDGDGDGHJK

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
669ea27ff399a00eda4be80155be2064

SHA1
d21ab72a3c684e3d72d2a3376da17a49a66f4395

SHA256
e888df01cbcb03c065110d844dc424fc020f74278381be111a7f356567d88616

SHA512
25c52b7c4208580d6b91c7f29ae9a2484c476faaca35cad139b8f5ffc4a1106fb33a5913b6788580fd2e7c030e633f4f5c22f044d7eb5a64f871fc43d68706e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Filesize
942B

MD5
08fd55ab7b211d3fba9ba080bb93fc07

SHA1
3519a855c1d90857159c68422848785d68a89591

SHA256
eb1d1fa6b376f369681435d4e310dc2e6e832877a6e2880640727f9390559614

SHA512
61c362ac9ac9809532be0383eb239e06290b1387bc6e49e0ab0045bd7e4b904032f8def000d4b1e4800b6387c193f4ab78f8c507138030490014104cecb726d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\43791cc9-be2c-4414-9d79-7762cfa7ac70.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4ee2998fd2cfbe847f52454857a02d8b

SHA1
442bec3a49ab9d11ee4bf6b86c9f4ae580c7ebe2

SHA256
867e8abc166ab00b5773c748f0e76685dd173cddd81ded1db57491d3628e16cd

SHA512
61bf1fa964c7fecb9f3d1eeca88ba4e9262f0bc12eb4831769af011c9353157c06269c5f22b7309f1c7d7a72df99f46bc9ba9b5c92c4ae4c0301bb19b8cf65b9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7fmsgkth.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
12b4d98affe7cf0a3fdeda3843127586

SHA1
b0b911eee3d6761ac0b8bdd8f03f422be90f9bbb

SHA256
53fe54c698105f2934c911ac95fd894f1bd474884ab8849a0bc2d38cc8481b19

SHA512
89d8770ba8b95b984cd0b8ef05d576ccf95255003f4977e9b1018f2bb323e248f699ea4da4425137e3ba9f3dfe3e917b55027134872d1ccafa40c0751f85d772

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7fmsgkth.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013210001\B3vKvPi.exe

Filesize
2.2MB

MD5
3541c1ac26eb5bbb87f01c20fd9f8824

SHA1
bf5d136c911491f59bdeb3bf37b8f1a155fd3a97

SHA256
b7cd929ce4d0fa849eeab8a216e1333f63c7d3530da674f163efab4dae3439d1

SHA512
babc17723d2389919acd96f977821d57bdd737f01a9598209efafa72ae0418e914a5d229f196d80cb5ba70ce82b0f340b18aa255bbe4ed77d821a432d5794a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013229001\0tClIDb.exe

Filesize
1.8MB

MD5
6367fb8a64f997be8d65536534bdd057

SHA1
3ee062142dde2330881566a63a92957037a0e6b3

SHA256
bdae46a5cb1f1b6b9864b5e944ed5b2e24622d7385a196e0293f7b9da59bda5e

SHA512
ace2dbba313180a64f70f49c7763fb9da23ef76b82548c8fa54a7d1e8d4810cad83726fe532459660e12e4f6a9210df09dd836ea28f1cc5a791a4873b95a274c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013238001\wTMEVe8.exe

Filesize
3.9MB

MD5
5db95c4de9b6e98c653ac3dec5dce83d

SHA1
c3e1cb98b5450d21c8e9e975148c282afcf4ccae

SHA256
8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7

SHA512
42e5504904f0db4e62d56c03c8e7e302df0eba488a966259aa686e7d952db8a25eb56b5ac72731400cfd2541b6429d82e95e3bb8e87565bdf0cbe2b488c47368

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013240001\130815dce2.exe

Filesize
1.8MB

MD5
c42fbc53b1b42194728f4f5904cc925a

SHA1
e62e1d938f9a9be31f3ccb82ece3997354df132b

SHA256
46253c842675dfbc5fc9c852bcf64e6d6175b6efe9d81774b6d84e42a3be9cb9

SHA512
e833b0fa711fd4bfaf3f00c1d816b4f7988959f445509089f4795f4d6a419aed154b2d33cb71ea49e918c82ba0545d70a36eed8687597378b0065817f8bb5f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013241001\f4f14dad19.exe

Filesize
1.7MB

MD5
7dcf4c4df2997ccd8c4a0fd2398b784a

SHA1
7f623f31d30a0d45058eeaa38f12ecf43f54fd33

SHA256
4c2d2f9f76daff7560ac8bf55c348f7051216db171fba2a25f7ac939410b7cff

SHA512
697dbc4f0cda3affdfcf0639b53de8a67273cd4ff3e356236277cb2851c6c24be67c4b6ed51bc1229a842ddbd53231b07d2b9dba2d484447240066ad32845d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013242001\0d7e86b45f.exe

Filesize
948KB

MD5
ea332702c8adf6f8be3dd834363924bd

SHA1
eaf972aeb4a0eebeede9b2a53c48670965af4d17

SHA256
3b609f119a3ac3d881d7e2e7bf637618500e6d5afe0b65f9087b6653cbbc42eb

SHA512
02662320d09805f2a09fd7431576a7b70c83fdc2ea6a139e53c23509705659b4a9034f135383166b0c0d0f3777f0220a53d2e7a02a2a1642af96eb0030cb44fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\callmobile.exe

Filesize
2.3MB

MD5
ffabcc262fb699998b6191d7656c8805

SHA1
fd3ea79a8550b14e9cc75fb831fd7a141964a714

SHA256
f46e4a7de978baceec5f64cbc9fa1f1e772e864fa3310045cd19d77264698cde

SHA512
79b2e21a9111b16b0f67ae5d1cc40a25773b847d3f4cf78711a8dfd8b67c30beec332ed65ac008c9dca62c84de891eff20d7c6050bc868bce77a17fe56da61ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\TJ5g1y3XkU.bat

Filesize
205B

MD5
c29994ee9c78814f43cb3443aa94e223

SHA1
37242c80d3607c39f652649b33018a3d14ec8222

SHA256
6b1a71dd337fe978a20ad2cb932d39e2531915672a79efc4e3ef7ffbffec4a68

SHA512
571a872931436123ae53cb45ad73ffdeff20c8e7d5c551157b81a3307c8524725a20242b3ac585b840299774f7e85c27c54775b06a4c79697f29c84dc57b457c

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
3.1MB

MD5
2b3dca9f3f8f7b379021a041b731aed3

SHA1
e8fc7d977c0a76e25b1e69f4398a10fef83918d0

SHA256
ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24

SHA512
ce65473353253347788ed1d0641a6c6a3be815c50bd1046c1aa8bf827f48c0f09b61560f3aa3eeb8f641afa6d7a870dd68834615b3fe81b6f62a9ffee946f98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3704_32002041\3ca64688-5483-4c5a-a073-b1e020c5c530.tmp

Filesize
135KB

MD5
3f6f93c3dccd4a91c4eb25c7f6feb1c1

SHA1
9b73f46adfa1f4464929b408407e73d4535c6827

SHA256
19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

SHA512
d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3704_32002041\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA217.tmp.bat

Filesize
150B

MD5
0e5356897a8ecd811dbc789fc618f0fc

SHA1
d0e23823af1a02438cf5727654c111aa29208e76

SHA256
d24792b6756e26d638cda563857c619d4bc3a2f0489c9f2ec75f9fb0f101d532

SHA512
cace5afdf6b9dbf558e1c5ef27f209e32dad3eec7dfb738d13dfe2bee97fef5866dcd7a1fb5e55cbd78bbc279849e31fb0d0c9e6ee3aa721464fdd5651f2e836

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCE14.tmp.bat

Filesize
150B

MD5
a3b202723d643ba50b69949814ef7485

SHA1
73273c20d6770ad7689d0ee3fad58901ee052c7b

SHA256
48d882a9db56d08b88e947b46f7444bfa46cafd1ba671fcef21ae486279badfb

SHA512
77b260c1e6dd02458cdd5cc3a9c63f9a08844a3084d4c89f3e74784f1b2c221ec74e3285c278271ae3e144ad1b140e012410284cf2f8defea02f7f1b1f79c94f

Download Submit
C:\Users\Admin\AppData\Roaming\7b3Zcx8cIC.exe

Filesize
1.6MB

MD5
579fd24f4cacc972f63f47214f9c3c34

SHA1
20be9c6e9aa29d57b670d6809ffad1786a8508e5

SHA256
f80bd8eb42194df565e3152d35bad6a40fdae70e221e9e66873587bffb73d64b

SHA512
1a8f7918b931fa10cbc4b47a88405c0b28255360ac27e1d44ba00554186ed20139fbaaa278a362c34a20083f4fff30dc83876c3f382397f831f781fb6a9aab91

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\AlternateServices.bin

Filesize
6KB

MD5
d71f7cfdf7850bbbb3d55b02d20d021c

SHA1
4eb3f10543d2904ec8f46a4529f0745b586244b9

SHA256
01431af8c693b730a248d5f4aae12a0cc01e8846733835c71b680e8cea80511e

SHA512
efbf8e9ecda4ad8e4c13b2b6b792510e98df4b1c9ddcf612fe7ec85096e5398fff4ec5370756ac12add46df6e82ef51ac812bb3a184ca2135672b8843ea0c012

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\AlternateServices.bin

Filesize
6KB

MD5
3525f8e6e62f4415d8c5108dae40872f

SHA1
9609a319552d8ad837b7c319ddbdca9f5984b2a4

SHA256
25adac89b9c708467f3acc0efefbc1ca273bc8215b0a841fca8737471e210f04

SHA512
c26f3ded9deb5a58769bd9daf94e6fbf6990a3815d942df23e1d722c4490ef18a0e1df26fb5c249fb4f70f067acf7f7f9f11b970319e91f3c39f95e66a6a0b70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
5dd180178334ebd7f53c5442115dcb93

SHA1
8e36d5fb723e8ea74f649ff4c19cef9b2e4fd02a

SHA256
62291e1371d4a3945a8c451f0f3f292cd1dc3eff208a69a9961d4f4434dc0afe

SHA512
314ad55fe6785bd071fef610a5d488bd9c70d7cf9eb288fd3dcf5ce6ff489801a25a2cd0f430355d4d1c5835f42d2dcc97c9c6d94c2c60d71d65655c80993a63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\a0cf0e69-ddd6-4773-8fea-2916ff65fcd0

Filesize
26KB

MD5
000c9859f27080d342e78942afbb2b59

SHA1
9f3d68c8ac12999d942ded1b4aea9349171b9b7a

SHA256
acbb191905fa1ab68016de2379be17bb89d5816d337170201522c0efade59611

SHA512
9bacae5919c0d38bf6e91b2d0bc95cd0ccb660568c07b7e9d36053f49c8d1c60eeee048c8a5039b9b0b37056f2032f350c64fd8056dba5ef3ff8af7e1db42149

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\d2bc3f11-db5c-46da-a15e-d787618b1643

Filesize
671B

MD5
ae951725c19b783db42c03b30cd9d088

SHA1
022aad7263e4d1c95d3bde30c3e0a4b3260d9416

SHA256
173c57a305c2b0e2dd1aaacb0163f0bdcd1905fbbc9d6ffa9cebfb587959befc

SHA512
ebe22ba5083f9eef9040a58bcb2a0546a8e3fb05d0e0a4ad4c0e180392c8df1378af0e1104444236169e9e67895d8c403f816f5584abf376f9c57ea72a707251

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\d67917a5-450d-42e0-bb00-1790b64ba962

Filesize
982B

MD5
219b3057bfb4f2f6619fa6597cad3e61

SHA1
2fcd72205f8e28f086cc99ca97258f1824908eb2

SHA256
83a762a1cbeed697dfd6691f2bfec4fc352d653dca58079f5b0f06e366423cdf

SHA512
1f683dc04effd1c71e048a03c9bee7d4d856f570007cc581aabe4674aa43c7f34be599daa18969c43b0d78b6ff48167991f1659503d1fc8949c29c69d8f27f86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs.js

Filesize
10KB

MD5
f7b2a85877e29f01687fab99be7b6512

SHA1
9735c6a6a466ebcaeebc44d950ec07872a22cf7e

SHA256
da20e9588899bed2531bf9c4cc71347c51479913db17f33d05e7b88e1d31a220

SHA512
59599c6768a8a546d16a256b40c4e5ff95921cf54329c8bfb6480218c978bde5e8c8a842427427b0d70916f5882b353bc7311afcade44dde7037648fc9abf958

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs.js

Filesize
11KB

MD5
d9a5d63137f7179c947a0b8e07621009

SHA1
e8c49056fe89e356692956fc7eebde331430b9e2

SHA256
d9aa8d846d91074849f5e9b8aa1444f2f3dc753adee9480d9faa111b8d16a09c

SHA512
0b431607cf428945ab0fc7333a923c866443e5c0694ccd448feed082690b24df5ccd7fab24a84305d273fe9feccb8214d8e4eb60ef75b846e09396eb9f0642db

Download Submit
C:\Users\Admin\AppData\Roaming\Wihnup.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\Users\Admin\AppData\Roaming\aH5dIifHpA.exe

Filesize
18KB

MD5
f3edff85de5fd002692d54a04bcb1c09

SHA1
4c844c5b0ee7cb230c9c28290d079143e00cb216

SHA256
caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

SHA512
531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

Download Submit
memory/648-2685-0x0000000000B20000-0x00000000011AB000-memory.dmp

Filesize
6.5MB

Download
memory/648-2661-0x0000000000B20000-0x00000000011AB000-memory.dmp

Filesize
6.5MB

Download
memory/876-27-0x0000000000140000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/876-26-0x0000000000140000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/876-25-0x0000000000140000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/876-24-0x0000000000140000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/876-23-0x0000000000140000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/876-22-0x0000000000140000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/876-21-0x0000000000140000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/876-20-0x0000000000140000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/876-19-0x0000000000140000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/1016-53-0x00000000056C0000-0x0000000005752000-memory.dmp

Filesize
584KB

Download
memory/1016-69-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-67-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-65-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-59-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-57-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-1231-0x0000000005970000-0x0000000005ADE000-memory.dmp

Filesize
1.4MB

Download
memory/1016-1232-0x00000000057A0000-0x00000000057EC000-memory.dmp

Filesize
304KB

Download
memory/1016-73-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-75-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-78-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-71-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-79-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-1259-0x00000000058B0000-0x0000000005904000-memory.dmp

Filesize
336KB

Download
memory/1016-81-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-83-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-85-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-87-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-91-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-95-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-97-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-99-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-101-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-103-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-105-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-107-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-109-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-111-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-113-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-115-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-93-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-89-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-63-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-61-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-54-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-55-0x0000000005420000-0x0000000005618000-memory.dmp

Filesize
2.0MB

Download
memory/1016-52-0x0000000005BD0000-0x0000000006174000-memory.dmp

Filesize
5.6MB

Download
memory/1016-51-0x0000000005420000-0x000000000561E000-memory.dmp

Filesize
2.0MB

Download
memory/1016-50-0x00000000007B0000-0x0000000000A0E000-memory.dmp

Filesize
2.4MB

Download
memory/2340-2606-0x0000000000BC0000-0x0000000001068000-memory.dmp

Filesize
4.7MB

Download
memory/2340-2602-0x0000000000BC0000-0x0000000001068000-memory.dmp

Filesize
4.7MB

Download
memory/3100-18-0x00000000001F1000-0x0000000000259000-memory.dmp

Filesize
416KB

Download
memory/3100-3-0x00000000001F0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/3100-17-0x00000000001F0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/3100-4-0x00000000001F0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/3100-2-0x00000000001F1000-0x0000000000259000-memory.dmp

Filesize
416KB

Download
memory/3100-1-0x0000000077BD4000-0x0000000077BD6000-memory.dmp

Filesize
8KB

Download
memory/3100-0-0x00000000001F0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/3264-3108-0x0000000005F40000-0x0000000005F94000-memory.dmp

Filesize
336KB

Download
memory/3428-2644-0x0000000000140000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/3428-1364-0x0000000004F90000-0x0000000004FAA000-memory.dmp

Filesize
104KB

Download
memory/3428-1363-0x00000000007B0000-0x00000000007F0000-memory.dmp

Filesize
256KB

Download
memory/3428-1365-0x0000000005110000-0x000000000526A000-memory.dmp

Filesize
1.4MB

Download
memory/4284-1249-0x0000000000BF0000-0x000000000109C000-memory.dmp

Filesize
4.7MB

Download
memory/4284-1252-0x0000000000BF0000-0x000000000109C000-memory.dmp

Filesize
4.7MB

Download
memory/4460-1255-0x0000000000140000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/4460-1257-0x0000000000140000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/4540-1338-0x000000001B910000-0x000000001B926000-memory.dmp

Filesize
88KB

Download
memory/4540-1324-0x0000000002C50000-0x0000000002C60000-memory.dmp

Filesize
64KB

Download
memory/4540-1321-0x0000000001370000-0x000000000138C000-memory.dmp

Filesize
112KB

Download
memory/4540-1318-0x0000000002C70000-0x0000000002C96000-memory.dmp

Filesize
152KB

Download
memory/4540-1316-0x0000000000B20000-0x0000000000CC8000-memory.dmp

Filesize
1.7MB

Download
memory/4540-1342-0x000000001B930000-0x000000001B948000-memory.dmp

Filesize
96KB

Download
memory/4540-1322-0x0000000002D70000-0x0000000002DC0000-memory.dmp

Filesize
320KB

Download
memory/4540-1320-0x0000000002C40000-0x0000000002C5C000-memory.dmp

Filesize
112KB

Download
memory/4540-1326-0x000000001B8C0000-0x000000001B8D8000-memory.dmp

Filesize
96KB

Download
memory/4540-1328-0x0000000002C60000-0x0000000002C70000-memory.dmp

Filesize
64KB

Download
memory/4540-1330-0x0000000002CE0000-0x0000000002CF0000-memory.dmp

Filesize
64KB

Download
memory/4540-1332-0x000000001B8A0000-0x000000001B8AE000-memory.dmp

Filesize
56KB

Download
memory/4540-1334-0x000000001B8B0000-0x000000001B8BC000-memory.dmp

Filesize
48KB

Download
memory/4540-1336-0x000000001B8E0000-0x000000001B8F0000-memory.dmp

Filesize
64KB

Download
memory/4540-1340-0x000000001B990000-0x000000001B9EA000-memory.dmp

Filesize
360KB

Download
memory/4596-1265-0x0000000000910000-0x0000000000C14000-memory.dmp

Filesize
3.0MB

Download