sectoprat | 8b3dcbc8862553bd18ae5f181f192bb76a5fe20dec5184383574a7e24701d8d8

Analysis

max time kernel
118s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wEotIbaw.txt.ps1
Size

14.7MB
MD5

995596f28f9a7d8543795fa3783c5417
SHA1

26bdb7edbc54be02342dc1facb281059ac85d04d
SHA256

8b3dcbc8862553bd18ae5f181f192bb76a5fe20dec5184383574a7e24701d8d8
SHA512

daa12601f414d8f1d25d5ec32c9a3f4885a6aba35f60e72e6d414898e29ab6c378b175c3960261474641d6344475439dfc93e590274fc7fb79094ca093931a94
SSDEEP

768:QbcXWHsPosaVp9Im/mwYljpGBQfANhIqnzK3edX7j8ASEz5pOgApo1n0aE1R74XL:QQ9kR

Score

10^/10

sectoprat credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1364-145-0x0000000000A00000-0x0000000000AD4000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Uses browser remote debugging 2 TTPs 12 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1468	chrome.exe
2032	chrome.exe
4388	chrome.exe
2540	chrome.exe
4728	msedge.exe
1844	msedge.exe
4904	msedge.exe
4120	msedge.exe
4748	chrome.exe
2244	msedge.exe
1680	msedge.exe
2200	chrome.exe

Executes dropped EXE 8 IoCs

pid	Process
1204	kato.exe
1388	kato.exe
4948	kato.exe
2748	TiVoDiag.exe
4840	TiVoDiag.exe
4024	kato.exe
4332	TiVoDiag.exe
2448	TiVoDiag.exe

Loads dropped DLL 14 IoCs

pid	Process
4948	kato.exe
2748	TiVoDiag.exe
2748	TiVoDiag.exe
2748	TiVoDiag.exe
4840	TiVoDiag.exe
4840	TiVoDiag.exe
4840	TiVoDiag.exe
4024	kato.exe
4332	TiVoDiag.exe
4332	TiVoDiag.exe
4332	TiVoDiag.exe
2448	TiVoDiag.exe
2448	TiVoDiag.exe
2448	TiVoDiag.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kato.exe = "C:\\Users\\Admin\\AppData\\Roaming\\KD8Y0n1n\\kato.exe"	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4840 set thread context of 2044	4840	TiVoDiag.exe	104
PID 2448 set thread context of 1092	2448	TiVoDiag.exe	111
PID 2044 set thread context of 3480	2044	cmd.exe	115
PID 1092 set thread context of 1364	1092	cmd.exe	116

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2760	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TiVoDiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TiVoDiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TiVoDiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TiVoDiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2760	powershell.exe
2760	powershell.exe
2748	TiVoDiag.exe
4840	TiVoDiag.exe
4840	TiVoDiag.exe
4840	TiVoDiag.exe
4332	TiVoDiag.exe
2448	TiVoDiag.exe
2448	TiVoDiag.exe
2448	TiVoDiag.exe
2044	cmd.exe
2044	cmd.exe
2044	cmd.exe
1092	cmd.exe
1092	cmd.exe
1092	cmd.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1468	chrome.exe
1468	chrome.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe
1364	MSBuild.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4840	TiVoDiag.exe
2448	TiVoDiag.exe
2044	cmd.exe
2044	cmd.exe
1092	cmd.exe
1092	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	1364	MSBuild.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
4120	msedge.exe
4120	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1364	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 1204	2744	cmd.exe	99
PID 2744 wrote to memory of 1204	2744	cmd.exe	99
PID 2760 wrote to memory of 1388	2760	powershell.exe	100
PID 2760 wrote to memory of 1388	2760	powershell.exe	100
PID 1204 wrote to memory of 4948	1204	kato.exe	101
PID 1204 wrote to memory of 4948	1204	kato.exe	101
PID 4948 wrote to memory of 2748	4948	kato.exe	102
PID 4948 wrote to memory of 2748	4948	kato.exe	102
PID 4948 wrote to memory of 2748	4948	kato.exe	102
PID 2748 wrote to memory of 4840	2748	TiVoDiag.exe	103
PID 2748 wrote to memory of 4840	2748	TiVoDiag.exe	103
PID 2748 wrote to memory of 4840	2748	TiVoDiag.exe	103
PID 4840 wrote to memory of 2044	4840	TiVoDiag.exe	104
PID 4840 wrote to memory of 2044	4840	TiVoDiag.exe	104
PID 4840 wrote to memory of 2044	4840	TiVoDiag.exe	104
PID 1388 wrote to memory of 4024	1388	kato.exe	107
PID 1388 wrote to memory of 4024	1388	kato.exe	107
PID 4024 wrote to memory of 4332	4024	kato.exe	109
PID 4024 wrote to memory of 4332	4024	kato.exe	109
PID 4024 wrote to memory of 4332	4024	kato.exe	109
PID 4332 wrote to memory of 2448	4332	TiVoDiag.exe	110
PID 4332 wrote to memory of 2448	4332	TiVoDiag.exe	110
PID 4332 wrote to memory of 2448	4332	TiVoDiag.exe	110
PID 2448 wrote to memory of 1092	2448	TiVoDiag.exe	111
PID 2448 wrote to memory of 1092	2448	TiVoDiag.exe	111
PID 2448 wrote to memory of 1092	2448	TiVoDiag.exe	111
PID 4840 wrote to memory of 2044	4840	TiVoDiag.exe	104
PID 2448 wrote to memory of 1092	2448	TiVoDiag.exe	111
PID 2044 wrote to memory of 3480	2044	cmd.exe	115
PID 2044 wrote to memory of 3480	2044	cmd.exe	115
PID 2044 wrote to memory of 3480	2044	cmd.exe	115
PID 1092 wrote to memory of 1364	1092	cmd.exe	116
PID 1092 wrote to memory of 1364	1092	cmd.exe	116
PID 1092 wrote to memory of 1364	1092	cmd.exe	116
PID 2044 wrote to memory of 3480	2044	cmd.exe	115
PID 2044 wrote to memory of 3480	2044	cmd.exe	115
PID 1092 wrote to memory of 1364	1092	cmd.exe	116
PID 1092 wrote to memory of 1364	1092	cmd.exe	116
PID 1364 wrote to memory of 1468	1364	MSBuild.exe	123
PID 1364 wrote to memory of 1468	1364	MSBuild.exe	123
PID 1468 wrote to memory of 1764	1468	chrome.exe	124
PID 1468 wrote to memory of 1764	1468	chrome.exe	124
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125
PID 1468 wrote to memory of 1872	1468	chrome.exe	125

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\wEotIbaw.txt.ps1
1⤵
- Adds Run key to start application
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Roaming\KD8Y0n1n\kato.exe
  "C:\Users\Admin\AppData\Roaming\KD8Y0n1n\kato.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\TEMP\{B9B4771F-44F6-4A1E-9C09-DB9176E2EB25}\.cr\kato.exe
    "C:\Windows\TEMP\{B9B4771F-44F6-4A1E-9C09-DB9176E2EB25}\.cr\kato.exe" -burn.clean.room="C:\Users\Admin\AppData\Roaming\KD8Y0n1n\kato.exe" -burn.filehandle.attached=656 -burn.filehandle.self=660
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Windows\TEMP\{BFB979E1-71FF-40EB-8EB0-645C1E8FC052}\.ba\TiVoDiag.exe
      C:\Windows\TEMP\{BFB979E1-71FF-40EB-8EB0-645C1E8FC052}\.ba\TiVoDiag.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4332
    - - C:\Users\Admin\AppData\Roaming\debugDemo\TiVoDiag.exe
        
        C:\Users\Admin\AppData\Roaming\debugDemo\TiVoDiag.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9014 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff844c0dcf8,0x7ff844c0dd04,0x7ff844c0dd10
        9⤵
        
        PID:1764
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1820,i,4326676537214723440,9778910065563144488,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1812 /prefetch:2
        9⤵
        
        PID:1872
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1588,i,4326676537214723440,9778910065563144488,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2268 /prefetch:3
        9⤵
        
        PID:3592
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2404,i,4326676537214723440,9778910065563144488,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2464 /prefetch:8
        9⤵
        
        PID:2748
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9014 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3244,i,4326676537214723440,9778910065563144488,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3296 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4748
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9014 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3264,i,4326676537214723440,9778910065563144488,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3312 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:2032
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9014 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4412,i,4326676537214723440,9778910065563144488,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4448 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:2540
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9014 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4484,i,4326676537214723440,9778910065563144488,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4496 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:4388
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9014 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4824,i,4326676537214723440,9778910065563144488,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4932 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:2200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=8358 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:4120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x250,0x254,0x258,0x24c,0x260,0x7ff83597f208,0x7ff83597f214,0x7ff83597f220
        9⤵
        
        PID:228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2244,i,1919162216540743866,11784550305788622846,262144 --variations-seed-version --mojo-platform-channel-handle=2100 /prefetch:2
        9⤵
        
        PID:3016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=2016,i,1919162216540743866,11784550305788622846,262144 --variations-seed-version --mojo-platform-channel-handle=2296 /prefetch:3
        9⤵
        
        PID:3668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2576,i,1919162216540743866,11784550305788622846,262144 --variations-seed-version --mojo-platform-channel-handle=2756 /prefetch:8
        9⤵
        
        PID:4844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=8358 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3612,i,1919162216540743866,11784550305788622846,262144 --variations-seed-version --mojo-platform-channel-handle=3696 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=8358 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3620,i,1919162216540743866,11784550305788622846,262144 --variations-seed-version --mojo-platform-channel-handle=3700 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:1680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=8358 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4252,i,1919162216540743866,11784550305788622846,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:1844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=8358 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4268,i,1919162216540743866,11784550305788622846,262144 --variations-seed-version --mojo-platform-channel-handle=4340 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:4728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=8358 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5200,i,1919162216540743866,11784550305788622846,262144 --variations-seed-version --mojo-platform-channel-handle=5224 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\KD8Y0n1n\kato.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Roaming\KD8Y0n1n\kato.exe
  C:\Users\Admin\AppData\Roaming\KD8Y0n1n\kato.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\TEMP\{0BBEBBBA-E611-4EFA-93D5-19A4DDB99CA9}\.cr\kato.exe
    "C:\Windows\TEMP\{0BBEBBBA-E611-4EFA-93D5-19A4DDB99CA9}\.cr\kato.exe" -burn.clean.room="C:\Users\Admin\AppData\Roaming\KD8Y0n1n\kato.exe" -burn.filehandle.attached=596 -burn.filehandle.self=592
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\TEMP\{389697ED-4ADE-4D39-8ADF-FCA06A3E3EEB}\.ba\TiVoDiag.exe
      C:\Windows\TEMP\{389697ED-4ADE-4D39-8ADF-FCA06A3E3EEB}\.ba\TiVoDiag.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Users\Admin\AppData\Roaming\debugDemo\TiVoDiag.exe
        
        C:\Users\Admin\AppData\Roaming\debugDemo\TiVoDiag.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4840
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3480

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
3460ae67841083a58564ea467981451e

SHA1
4533e2c096292a9779c9e416830a2d01ae1378b9

SHA256
1ee47adcaa5a7b84a59c907e5a32167a6ef0d53deb284c59d32ac729d35e3543

SHA512
8e24f8c257b4587d22ccd685e5c7ad5430ce8a5cc86109668c30ae4a46e0db7e5d98d12143f7e7512b3f2686cecbe3a2e4ba059a56be734f3346af64855f1392

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
ccbf83f3fc161e5001131fdfa309742c

SHA1
f6bd40269026292c1abe2f0bac8bcd414be00041

SHA256
7630eb76e7587259ec7acda685270f5164b652d3ebeb1647889ef8a30874be35

SHA512
e0b15ea8a08c8592fd020bef7df9b23b593c6b13c0db3772b7d6971b010eb026409ae880a51dbf6964fdb137891cdba8bd5eb541a5c6a15bee391089b3e8b6e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
4facd0ff10154cde70c99baa7df81001

SHA1
65267ea75bcb63edd2905e288d7b96b543708205

SHA256
a13534df0cd0a79a3a1b91085a6d575b47d5a9aad7fc6d712fd2616c0e95a23b

SHA512
ad8d2b965851c0ddc23e92ae151b3b0b2bcda850c446f4278bdb0754d6b42ead8fc034b394749578a27b33ad7e4ab0633f974dfd4773fbe4d93ae477f00b73f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
cae08f4fda05958563e692b2800f4f97

SHA1
d925c605329c14fea110fcd18721d75102d3f4ec

SHA256
e6fbebdae9dddf3100e64b3bd333f454522686b4bfefbf94edf1fedbccdfa785

SHA512
4a7096ccfbfb30e0ee53dca7b7533071f0253b02408ce9b47122fa49840bb19112fa8bb27c4e7888b3957f5104b26ddc303b41017b28929611240a39b4fa6cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
488fb3f60723feeae12c71917ec3aa1e

SHA1
921d50201537847bfe6d5ec39e1fc445ad2563a1

SHA256
fcb066d48c221da32e500e626969be3ca893eb88a9331c40e274298e1b5f9ec5

SHA512
68b61337d2e89f1ec2cf5264cf235e454337ffd98b6e327b6abedbe8a47894c44fab85ce62d356e39945c4537becb8e5867bf0adc2e40c3b6cfc3d88baba340f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
01368032c11bdbbbc9b4c51c6f14fc7b

SHA1
493285fb9b0daf66fcfb72e4988cc2f865f797e7

SHA256
9da703cd674a5918434d204f8db81fc42ba24a30ce18980dcdebae36a83a6a05

SHA512
85aeb7783ac88c4f2b30bb5841e4981cb37c809ef28cd217b8b5dff8432709325ca1ad7508dd3bdc61f04ede5e485d8ed25100dffa7cad4b23832646ad51ac59

Download Submit
C:\Users\Admin\AppData\Local\Temp\4deb23bd

Filesize
1.6MB

MD5
4ff305dcbcb6785f56f1e7b83e5d4d32

SHA1
09da44ca642bff8b00c06d45d46854d6a64941f7

SHA256
1ab3cf9e4641baa835ce0c3f08768659bf461ee05a130720f4f11b472f9a8e40

SHA512
78e29a89bd5c3ca7d18932147f09c1884fb007667b85ac8e36b66e039cb4c669d53b1926932f096afa21d189acfdac07df35e04a1c194848f7b6fa968b060ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\616cd9f4

Filesize
1.6MB

MD5
0834e43ed6d213bf24ddbeae31f57271

SHA1
21616eab7e9ca22692271baf4b3c681404aec768

SHA256
4e4ece23e7f0e95f10fb0ba84bc9af4c2dc34d387ba091aa8665ed5e7d003af3

SHA512
60126c7185f3b4a8f7cb14d81b3a9cb7a383f673471f4bd81d101f67fe6ea6b451d9c7ecfc2016d1416a880b426327a0bd5766b5053b05a773f019fb5d0c391b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t2re0zdh.gn3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\background.js

Filesize
596B

MD5
aa0e77ec6b92f58452bb5577b9980e6f

SHA1
237872f2b0c90e8cbe61eaa0e2919d6578cacd3f

SHA256
aad1c9be17f64d7700feb2d38df7dc7446a48bf001ae42095b59b11fd24dfcde

SHA512
37366bd1e0a59036fe966f2e2fe3a0f7dce6f11f2ed5bf7724afb61ea5e8d3e01bdc514f0deb3beb6febfd8b4d08d45e4e729c23cc8f4cae4f6d11f18fc39fa6

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\content.js

Filesize
1KB

MD5
b578ed2d04d3ec90118c1ca676e3e0c9

SHA1
82becab63524db9c9d6b1582966d48b43f0208dc

SHA256
80df1ce574377653cfe93dd632f12f7535cc3f9607886d44fbdc5d4e01afea37

SHA512
5612a404de4999e557eb04dcdc0d6cedd910499298ae1032c37d051ebd06b1bf11985941e1d4127f861420318301eaa74172b87ef610f30d16323a1950599b0c

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\icon.png

Filesize
5KB

MD5
2c905a6e4a21a3fa14adc1d99b7cbc03

SHA1
bd8682b580d951e3df05dfd467abba6b87bb43d9

SHA256
cc3631ced23f21ae095c1397770e685f12f6ad788c8fa2f15487835a77a380fb

SHA512
753e28bab9d50b7882a1308f6072f80fda99edeaa476fafc7e647d29f5c9c15f5c404689c866f8f198b7f1ed41bae3cc55ae4d15528b0df966a47cbc4b31caf6

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\jquery.js

Filesize
93KB

MD5
3c9137d88a00b1ae0b41ff6a70571615

SHA1
1797d73e9da4287351f6fbec1b183c19be217c2a

SHA256
24262baafef17092927c3dafe764aaa52a2a371b83ed2249cca7e414df99fac1

SHA512
31730738e73937ee0086849cb3d6506ea383ca2eac312b8d08e25c60563df5702fc2b92b3778c4b2b66e7fddd6965d74b5a4df5132df3f02faed01dcf3c7bcae

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\manifest.json

Filesize
569B

MD5
2835dd0a0aef8405d47ab7f73d82eaa5

SHA1
851ea2b4f89fc06f6a4cd458840dd5c660a3b76c

SHA256
2aafd1356d876255a99905fbcafb516de31952e079923b9ddf33560bbe5ed2f3

SHA512
490327e218b0c01239ac419e02a4dc2bd121a08cb7734f8e2ba22e869b60175d599104ba4b45ef580e84e312fe241b3d565fac958b874d6256473c2f987108cc

Download Submit
C:\Users\Admin\AppData\Roaming\KD8Y0n1n\kato.exe

Filesize
3.0MB

MD5
e5f6219b54266957ab0da8224f0fd830

SHA1
cb5d9bc8901daea8fcc4ed4b97aaaa1651ead30c

SHA256
a4c67af2f732b249f2879a3334006713a8f0aa07f771a80065cbfa6b4637a403

SHA512
83fbef2bdc90e61f622769f0f28936388dad7cf321f1df67af9819724de1d65a4d5624b885bbda80ac8a372e5408585adbef34860e43d54fc12e456182e5564e

Download Submit
C:\Users\Admin\AppData\Roaming\debugDemo\wspconfig.dll

Filesize
535KB

MD5
b86ca5c4e56fedb923332528bf09ef48

SHA1
251ba312b1461270d866510fb7fc9b8dd42740d3

SHA256
08f820cffb07375c795ab336dc248be94457e44f6b2fabd3c6d27230a41d98d2

SHA512
c6d71ff960dc288931443cbfb9a3786b317f19206359d4842f7e3d1c304a4cd61a177ed058899da678bc2ba50b4235e4267889762cd98c46e4d0a35d0523cfc8

Download Submit
C:\Windows\TEMP\{0BBEBBBA-E611-4EFA-93D5-19A4DDB99CA9}\.cr\kato.exe

Filesize
2.9MB

MD5
ee5d43fee47f62dc57e5e509fd6a9056

SHA1
0dafc5b4458d61986988dcf7e90c4ab5c13d15de

SHA256
1c331c776a850d970d39be136659746c0729c393b6e6c934f1ab1c9075f76973

SHA512
e2180ca5d43b87723705bb9a4a4e1c13bea2f8bf12aa7bb798cdbf68b5acc6c731d8c07b839b2e1749c8c6135899201a2389bc75669301337ec7da46b0827ec5

Download Submit
C:\Windows\TEMP\{389697ED-4ADE-4D39-8ADF-FCA06A3E3EEB}\.ba\rendzina.yml

Filesize
1.3MB

MD5
7b0a2c7dcbaf47949428b8f82570fa89

SHA1
c85af70092b1d97d28aef786e97507c748359724

SHA256
f3b12aa0fa6d27a0c9401d0c0b7a564b342a7e1d65f0827a139ac505db0d4e85

SHA512
7377ebe6e2fc625718c8a94b190b5ec211307a4dbb672dcbc1efc95cc57a26138ebc150b52aea06cc26002ad0bdd876eb8bb6cbe8303b9fd51646fe29f4d1f08

Download Submit
C:\Windows\Temp\{389697ED-4ADE-4D39-8ADF-FCA06A3E3EEB}\.ba\Knockwurst.dll

Filesize
1.3MB

MD5
9882ac3b1c5d3f27475cdcf2edd6694f

SHA1
3a01679cab83c493ed0bcd946c50c2c675a0a270

SHA256
6a73fb33a020f62b03ba576d4627ec87f1d7af73066a16a5290b4db0042c0b3c

SHA512
7a35ed2179b479afebbf386b7cbd5c2d301cc2778708dfcebb5ac2c658d86578b1161149a66623f18dd0b193da5acc819f27d14ef2f703567ee84a7b67f4d992

Download Submit
C:\Windows\Temp\{389697ED-4ADE-4D39-8ADF-FCA06A3E3EEB}\.ba\MindClient.dll

Filesize
467KB

MD5
c058b36fb6b007c2920604229b1fa0a3

SHA1
1377c5c47f08ffabb6a3359cdc2c3b5c8df958bb

SHA256
37cc3ebff3b7b7e55e8a8cc8785449152c6b119d25bacc6671b089dca7998ca2

SHA512
a53f211cae71d083bb3fd6c2918384ed00a5b35cf67f28544303111e05abbc464b8033d649957a0665ff32c2180b594e3fbd66f90c4f783e2e8ee5d6865108c3

Download Submit
C:\Windows\Temp\{389697ED-4ADE-4D39-8ADF-FCA06A3E3EEB}\.ba\TiVoDiag.exe

Filesize
815KB

MD5
379ba636ef26aa22b2636bb0ba2876d2

SHA1
5d1b53d63b9de9138e1a679a928d9cf34413711f

SHA256
70ea7dcb7e15202e806cf8e3d3f250c1432c1af01c25a440f55fd07eec4913ad

SHA512
066a456cc7ae9b16e5293cf979d5f0bae2ad095b76925a7f9aa1ab184d468b40bbe6d81655fb97766d786fa1bc7174f3c5b76f6e0de3205f60e09a4e69f992f5

Download Submit
C:\Windows\Temp\{389697ED-4ADE-4D39-8ADF-FCA06A3E3EEB}\.ba\shieldfern.doc

Filesize
55KB

MD5
df4f621ea64bac21c2051ef4a2e9cb30

SHA1
03cc13749b9b73223df4820d9568b262488aacab

SHA256
e2f35cd3969c76969aca8720d6bd3bdc4b2d77785c797c2b51ff9646aea7e3e6

SHA512
c3efe090cb9f0363c80c60e1f1b4e8a0688a26ed6062aaa9df0afbaa6700227fe8527e21dcb03442ff99f4a8c1a02e021c5520102f55311a7a56798708f37158

Download Submit
memory/1092-132-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/1204-150-0x00007FF84EF50000-0x00007FF84F6E0000-memory.dmp

Filesize
7.6MB

Download
memory/1364-164-0x0000000007BE0000-0x0000000007BEA000-memory.dmp

Filesize
40KB

Download
memory/1364-145-0x0000000000A00000-0x0000000000AD4000-memory.dmp

Filesize
848KB

Download
memory/1364-155-0x0000000005F20000-0x0000000005F86000-memory.dmp

Filesize
408KB

Download
memory/1364-154-0x0000000005E50000-0x0000000005E6E000-memory.dmp

Filesize
120KB

Download
memory/1364-153-0x0000000006380000-0x00000000068AC000-memory.dmp

Filesize
5.2MB

Download
memory/1364-152-0x0000000005810000-0x0000000005886000-memory.dmp

Filesize
472KB

Download
memory/1364-166-0x00000000052A0000-0x00000000052B2000-memory.dmp

Filesize
72KB

Download
memory/1364-151-0x00000000054C0000-0x0000000005682000-memory.dmp

Filesize
1.8MB

Download
memory/1364-149-0x00000000051B0000-0x0000000005200000-memory.dmp

Filesize
320KB

Download
memory/1364-167-0x0000000005370000-0x00000000053AC000-memory.dmp

Filesize
240KB

Download
memory/1364-147-0x00000000058A0000-0x0000000005E44000-memory.dmp

Filesize
5.6MB

Download
memory/1364-146-0x0000000005090000-0x0000000005122000-memory.dmp

Filesize
584KB

Download
memory/1364-142-0x0000000074850000-0x0000000074AE1000-memory.dmp

Filesize
2.6MB

Download
memory/2044-129-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/2044-135-0x0000000074CB0000-0x0000000074E2B000-memory.dmp

Filesize
1.5MB

Download
memory/2044-130-0x0000000074CB0000-0x0000000074E2B000-memory.dmp

Filesize
1.5MB

Download
memory/2448-122-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/2448-118-0x0000000000640000-0x00000000006B9000-memory.dmp

Filesize
484KB

Download
memory/2448-121-0x0000000074CB0000-0x0000000074E2B000-memory.dmp

Filesize
1.5MB

Download
memory/2448-126-0x0000000074CB0000-0x0000000074E2B000-memory.dmp

Filesize
1.5MB

Download
memory/2748-64-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/2748-63-0x0000000074CB0000-0x0000000074E2B000-memory.dmp

Filesize
1.5MB

Download
memory/2748-59-0x0000000000A80000-0x0000000000AF9000-memory.dmp

Filesize
484KB

Download
memory/2760-11-0x00007FF835540000-0x00007FF836001000-memory.dmp

Filesize
10.8MB

Download
memory/2760-84-0x00007FF835540000-0x00007FF836001000-memory.dmp

Filesize
10.8MB

Download
memory/2760-17-0x000001B51F780000-0x000001B51F792000-memory.dmp

Filesize
72KB

Download
memory/2760-6-0x000001B521070000-0x000001B521092000-memory.dmp

Filesize
136KB

Download
memory/2760-12-0x00007FF835540000-0x00007FF836001000-memory.dmp

Filesize
10.8MB

Download
memory/2760-13-0x00007FF835543000-0x00007FF835545000-memory.dmp

Filesize
8KB

Download
memory/2760-14-0x00007FF835540000-0x00007FF836001000-memory.dmp

Filesize
10.8MB

Download
memory/2760-16-0x000001B51F750000-0x000001B51F75A000-memory.dmp

Filesize
40KB

Download
memory/2760-0-0x00007FF835543000-0x00007FF835545000-memory.dmp

Filesize
8KB

Download
memory/3480-138-0x0000000074850000-0x0000000074AE1000-memory.dmp

Filesize
2.6MB

Download
memory/4332-111-0x0000000074CB0000-0x0000000074E2B000-memory.dmp

Filesize
1.5MB

Download
memory/4332-112-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/4332-107-0x0000000000990000-0x0000000000A09000-memory.dmp

Filesize
484KB

Download
memory/4840-82-0x0000000074CB0000-0x0000000074E2B000-memory.dmp

Filesize
1.5MB

Download
memory/4840-83-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/4840-78-0x00000000008A0000-0x0000000000919000-memory.dmp

Filesize
484KB

Download
memory/4840-123-0x0000000074CB0000-0x0000000074E2B000-memory.dmp

Filesize
1.5MB

Download