94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Size

5.8MB
MD5

6d6bb922a210e712b996824df9c340f2
SHA1

fe93c4ccc29144b4f0cb0c9734eb00dbbdf5c5c0
SHA256

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03
SHA512

33ea02cc143e5578e90c114282b9472c623c67a43bb2bc0c4ad0d6dabb8ae9e8169e1e52629689844ce5c644f7af6f068284622cd4b5613d01b887eb39a684fd
SSDEEP

98304:Odix1DBHi52kgkPaP4t18frP3wbzWFimaI7dlot3:YUHi52k5MgbzWFimaI7dle

Score

9^/10

adware persistence spyware stealer upx

Malware Config

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1916-9-0x0000000000F30000-0x00000000014F8000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/1916-95-0x0000000000F30000-0x00000000014F8000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/1916-98-0x0000000000F30000-0x00000000014F8000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/1916-154-0x0000000000F30000-0x00000000014F8000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/1916-156-0x0000000000F30000-0x00000000014F8000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/1916-163-0x0000000000F30000-0x00000000014F8000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1916-9-0x0000000000F30000-0x00000000014F8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/1916-95-0x0000000000F30000-0x00000000014F8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/1916-98-0x0000000000F30000-0x00000000014F8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/1916-154-0x0000000000F30000-0x00000000014F8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/1916-156-0x0000000000F30000-0x00000000014F8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/1916-163-0x0000000000F30000-0x00000000014F8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

UPX dump on OEP (original entry point) 6 IoCs

Processes:

resource	yara_rule
C:\Program Files\Common Files\System\symsrv.dll	UPX
behavioral2/memory/1916-3-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral2/memory/1916-10-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral2/memory/1916-55-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral2/memory/1916-96-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral2/memory/1916-126-0x0000000010000000-0x0000000010030000-memory.dmp	UPX

ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.

Processes:

resource yara_rule

C:\Program Files\Common Files\System\symsrv.dll acprotect

resource	yara_rule
C:\Program Files\Common Files\System\symsrv.dll	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Loads dropped DLL 1 IoCs

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

pid process

1916 94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files\Common Files\System\symsrv.dll	upx
behavioral2/memory/1916-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1916-10-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1916-55-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1916-96-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1916-126-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe /onboot"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

description ioc process

File opened (read-only) \??\e: 94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

description	ioc	process
File opened (read-only)	\??\e:	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Drops file in Program Files directory 1 IoCs

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

description ioc process

File created C:\Program Files\Common Files\System\symsrv.dll 94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Program Files\Common Files\System\symsrv.dll	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Low Rights	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Modifies registry class 17 IoCs

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "180"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

pid	process
1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Token: SeRestorePrivilege	1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Token: SeDebugPrivilege	2984	firefox.exe
Token: SeDebugPrivilege	2984	firefox.exe
Token: SeDebugPrivilege	2984	firefox.exe
Token: SeDebugPrivilege	2984	firefox.exe
Token: SeDebugPrivilege	2984	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

firefox.exe94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

pid process

2984 firefox.exe
2984 firefox.exe
2984 firefox.exe
2984 firefox.exe
1916 94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

firefox.exe94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

pid process

2984 firefox.exe
2984 firefox.exe
2984 firefox.exe
1916 94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

pid	process
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

pid	process
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exefirefox.exe

pid	process
1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
2984	firefox.exe
1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exefirefox.exefirefox.exe

description	pid	process	target process
PID 1916 wrote to memory of 3596	1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe	regsvr32.exe
PID 1916 wrote to memory of 3596	1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe	regsvr32.exe
PID 1916 wrote to memory of 3596	1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe	regsvr32.exe
PID 1916 wrote to memory of 3980	1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe	firefox.exe
PID 1916 wrote to memory of 3980	1916	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe	firefox.exe
PID 3980 wrote to memory of 2984	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2984	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2984	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2984	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2984	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2984	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2984	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2984	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2984	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2984	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2984	3980	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 1300	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 4800	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 4800	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 4800	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 4800	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 4800	2984	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
"C:\Users\Admin\AppData\Local\Temp\94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
2⤵
PID:3596

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
2⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2984.0.606387771\1671932625" -parentBuildID 20230214051806 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60756754-aea3-4e41-9a8b-341daaf5e29e} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" 1868 2306a8fbc58 gpu
4⤵
PID:1300

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2984.1.514883396\204675761" -parentBuildID 20230214051806 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 23095 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d6803b8-9a6f-4ba5-8c05-3951a4505889} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" 2460 23057588d58 socket
4⤵
PID:4800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2984.2.986187268\73139141" -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 3000 -prefsLen 23133 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {664eb2d9-6b40-48f2-9308-02d39f19e369} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" 3016 2306e924558 tab
4⤵
PID:2076

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2984.3.948640827\1185424327" -childID 2 -isForBrowser -prefsHandle 3864 -prefMapHandle 3860 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18f0f760-65f1-48c5-b05e-2fcfc562223d} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" 3876 2305757ae58 tab
4⤵
PID:3000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2984.4.456918046\557017447" -childID 3 -isForBrowser -prefsHandle 5032 -prefMapHandle 5028 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b704a643-68eb-49f9-b841-da4b932ab9b7} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" 4800 230720b1a58 tab
4⤵
PID:428

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2984.5.66826116\630849115" -childID 4 -isForBrowser -prefsHandle 5164 -prefMapHandle 5172 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4a56e5a-2b8e-4c50-9e70-9963a8692ea7} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" 5156 230720b2058 tab
4⤵
PID:4548

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2984.6.1567390405\1921124618" -childID 5 -isForBrowser -prefsHandle 5356 -prefMapHandle 5360 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb91ee46-3ff4-41fb-9a28-caa4dee97f07} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" 5344 230720b3e58 tab
4⤵
PID:2396

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
2⤵
PID:3348

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
2⤵
PID:4488

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
2⤵
PID:388

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
2⤵
PID:5004

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll
Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e6zhegwu.default-release\activity-stream.discovery_stream.json.tmp
Filesize
26KB

MD5
003473f5b1310023c548a6f38d1e2483

SHA1
c5c8bcbf9acc2629039b95aa5f076b7dcee2dca5

SHA256
7b5344691fa369a19fe21fad4755c11e09c8823f7deed6528f30597fecbc9b93

SHA512
a47a7dbd4670c5ba88d875c74e8ef2050c7cf0580bcbf80ae91fbb69a109312088d4fb8b12a616d48eaa6bef3a50245bc59c4de16fa51373c4ef7d25665d9963

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.js
Filesize
7KB

MD5
5e1c69f134936c9af9fb23ee36681dea

SHA1
22fd3bba773c88363d8a7caf6e8f81c4be75642e

SHA256
cbc4c840421c201eabc98bedec82a3295f1e6c0a4ae58fee885deecd2be80dcb

SHA512
f139f806c295135f2df6c5d808927a78141372fa9da2ae5588e88d5c1430582989781698b602a008960d40b8744b5bc45012aa82b9af973fb7330d7d370d0fca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.js
Filesize
7KB

MD5
4f2cc640dc479646ae8bf0f0e166cbb2

SHA1
a560a2a690caf60714cd5caadd2deb6b6d82b84c

SHA256
ea4b6cb69b1153e5b218474a5b2b02325dfd117699694dc91b652652c29b2e90

SHA512
c71e747d5fa0558f2f0e28c384fb1e5dbf4d55a383ef7e09a5e43b4ba333184d3329b444b259f8f9ac0e9a188b54581be54bebb85afea11bdcb6950f43eecc0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs.js
Filesize
6KB

MD5
2c1085d62f62c2d0d783efeeaae0f5b0

SHA1
62021c0a1429d222ff31ffa70955e2cc965bcac7

SHA256
f4a894a905f425f22f7ee3fa57310be4d1a8c0ade322375ede56a0371d8fc4d8

SHA512
7ad4bbc8a20a5213a254a59d41ae06943179fef31c6c50fc72b3cb22fd9aac70d8a8e3e9195dd801a6f8551e728a8aae7f7bc29c927816512420d49ef5045b04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
ad29f98b2ea715b4553a2e3bc3ca4b57

SHA1
edb8849242824bd472a5fccff9f48b726886c850

SHA256
09efbaed2cbe07eaf9170c01602dccd767afb2f5cdc820d288a9fbd31822f48f

SHA512
8079370dc9cc92dbfdb438dbb07cda979d4ced27bb8559239964ae388c8ef458b234b3afb4d218f85d2c9007fafe7b06c2daf5a203bdcbf2751ff9bdbbc0b1a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
e20fc333930ef4aef73dba80c09f188c

SHA1
c61f8eb927afa56a5fb1a02861b0572e0a85cd7f

SHA256
02626d6e922ba5a700ef701c8095508efcf62a6ae6309d23da68b96ecc31fa58

SHA512
da42fdcb10a970fd528402ea28f13b4d06479d25849894e50b8887a6e2f18fa6ccaed4912eeb36eb3dfbc1bca31f92efe83ec3acd5bd900ddbf3b26841aee22a

Download Submit
memory/1916-98-0x0000000000F30000-0x00000000014F8000-memory.dmp

Filesize
5.8MB

Download
memory/1916-10-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1916-96-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1916-95-0x0000000000F30000-0x00000000014F8000-memory.dmp

Filesize
5.8MB

Download
memory/1916-9-0x0000000000F30000-0x00000000014F8000-memory.dmp

Filesize
5.8MB

Download
memory/1916-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1916-55-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1916-126-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1916-154-0x0000000000F30000-0x00000000014F8000-memory.dmp

Filesize
5.8MB

Download
memory/1916-156-0x0000000000F30000-0x00000000014F8000-memory.dmp

Filesize
5.8MB

Download
memory/1916-163-0x0000000000F30000-0x00000000014F8000-memory.dmp

Filesize
5.8MB

Download