amadey | 763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096

Analysis

max time kernel
37s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2024, 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
Size

1.8MB
MD5

880d50b201c9a9c42ad4dc0d4eece5a3
SHA1

3e71ad87d7184de4b6f1892d06bd74bb89b1f305
SHA256

763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096
SHA512

16cee76e2cb07814363b5c5e8fdbb27f84654d6ab04fda94c1a57b0ba7ce3f2cc9819276193b39dd19572417d016cdafb54013785558dc69bb28cf2df984a068
SSDEEP

24576:AiozOM/ROuY6v535CcLbAjjUFoJ0FQuvvBnRPwroDKSVpvhBgdHSqapQsFSWWNfc:EZROuPvznHAfX06uBRfhhSdIn9+fzwB

Score

10^/10

amadey lumma stealc 9c9aa5 drum discovery evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://atten-supporse.biz/api

Extracted

Family

stealc

Botnet

drum

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

lumma

https://atten-supporse.biz/api

https://se-blurry.biz/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6a696251d1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5c703508dc.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6a696251d1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5c703508dc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6a696251d1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5c703508dc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe

Executes dropped EXE 9 IoCs

pid	Process
3160	skotes.exe
3504	i1A5m12.exe
4516	i1A5m12.tmp
4156	rafencoder.exe
2912	wL3EGdM.exe
3136	6a696251d1.exe
3208	skotes.exe
5940	5c703508dc.exe
5568	838e3987ee.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine	763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine	6a696251d1.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine	5c703508dc.exe

Loads dropped DLL 2 IoCs

pid	Process
4516	i1A5m12.tmp
4156	rafencoder.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a696251d1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012543001\\6a696251d1.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5c703508dc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012544001\\5c703508dc.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023c7e-6313.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4620	763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
3160	skotes.exe
3136	6a696251d1.exe
3208	skotes.exe
5940	5c703508dc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6108	3136	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i1A5m12.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a696251d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c703508dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i1A5m12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wL3EGdM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	838e3987ee.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
5880	taskkill.exe
3648	taskkill.exe
5588	taskkill.exe
5188	taskkill.exe
3440	taskkill.exe
5512	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4620	763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
4620	763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
3160	skotes.exe
3160	skotes.exe
4516	i1A5m12.tmp
4516	i1A5m12.tmp
3136	6a696251d1.exe
3136	6a696251d1.exe
3208	skotes.exe
3208	skotes.exe
5940	5c703508dc.exe
5940	5c703508dc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	wL3EGdM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4620	763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
4516	i1A5m12.tmp

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 3160	4620	763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe	83
PID 4620 wrote to memory of 3160	4620	763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe	83
PID 4620 wrote to memory of 3160	4620	763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe	83
PID 3160 wrote to memory of 3504	3160	skotes.exe	87
PID 3160 wrote to memory of 3504	3160	skotes.exe	87
PID 3160 wrote to memory of 3504	3160	skotes.exe	87
PID 3504 wrote to memory of 4516	3504	i1A5m12.exe	88
PID 3504 wrote to memory of 4516	3504	i1A5m12.exe	88
PID 3504 wrote to memory of 4516	3504	i1A5m12.exe	88
PID 4516 wrote to memory of 4652	4516	i1A5m12.tmp	92
PID 4516 wrote to memory of 4652	4516	i1A5m12.tmp	92
PID 4516 wrote to memory of 4652	4516	i1A5m12.tmp	92
PID 4516 wrote to memory of 4156	4516	i1A5m12.tmp	93
PID 4516 wrote to memory of 4156	4516	i1A5m12.tmp	93
PID 4516 wrote to memory of 4156	4516	i1A5m12.tmp	93
PID 4652 wrote to memory of 3532	4652	net.exe	95
PID 4652 wrote to memory of 3532	4652	net.exe	95
PID 4652 wrote to memory of 3532	4652	net.exe	95
PID 3160 wrote to memory of 2912	3160	skotes.exe	98
PID 3160 wrote to memory of 2912	3160	skotes.exe	98
PID 3160 wrote to memory of 2912	3160	skotes.exe	98
PID 3160 wrote to memory of 3136	3160	skotes.exe	102
PID 3160 wrote to memory of 3136	3160	skotes.exe	102
PID 3160 wrote to memory of 3136	3160	skotes.exe	102
PID 3160 wrote to memory of 5940	3160	skotes.exe	104
PID 3160 wrote to memory of 5940	3160	skotes.exe	104
PID 3160 wrote to memory of 5940	3160	skotes.exe	104
PID 3160 wrote to memory of 5568	3160	skotes.exe	106
PID 3160 wrote to memory of 5568	3160	skotes.exe	106
PID 3160 wrote to memory of 5568	3160	skotes.exe	106

C:\Users\Admin\AppData\Local\Temp\763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
"C:\Users\Admin\AppData\Local\Temp\763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
    "C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Users\Admin\AppData\Local\Temp\is-7F9OM.tmp\i1A5m12.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-7F9OM.tmp\i1A5m12.tmp" /SL5="$701C2,3291517,54272,C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4516
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" pause raf_encoder_1252
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4652
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 pause raf_encoder_1252
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3532
    - - C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe
        
        "C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe" -i
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4156
- - C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
    "C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Users\Admin\AppData\Local\Temp\1012543001\6a696251d1.exe
    "C:\Users\Admin\AppData\Local\Temp\1012543001\6a696251d1.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1576
      4⤵
      Program crash
      PID:6108
- - C:\Users\Admin\AppData\Local\Temp\1012544001\5c703508dc.exe
    "C:\Users\Admin\AppData\Local\Temp\1012544001\5c703508dc.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5940
- - C:\Users\Admin\AppData\Local\Temp\1012545001\838e3987ee.exe
    "C:\Users\Admin\AppData\Local\Temp\1012545001\838e3987ee.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:5588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:5188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:3440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:5512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:5880
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:5212
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:116
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb6f9046-f707-4f35-9247-bfd0b4c948a6} 116 "\\.\pipe\gecko-crash-server-pipe.116" gpu
        6⤵
        
        PID:4052
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {483db461-c591-4236-83da-825b2142ee02} 116 "\\.\pipe\gecko-crash-server-pipe.116" socket
        6⤵
        
        PID:6084
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3104 -childID 1 -isForBrowser -prefsHandle 3100 -prefMapHandle 3096 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00669bb7-31c8-4a6c-a93a-921067632be7} 116 "\\.\pipe\gecko-crash-server-pipe.116" tab
        6⤵
        
        PID:5776
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3668 -childID 2 -isForBrowser -prefsHandle 3764 -prefMapHandle 3760 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8d8c2ea-1177-4698-bea2-9dd1a8c8a4df} 116 "\\.\pipe\gecko-crash-server-pipe.116" tab
        6⤵
        
        PID:1200
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4328 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4320 -prefMapHandle 4316 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d75b7cda-7027-448a-829f-20fc69ea0907} 116 "\\.\pipe\gecko-crash-server-pipe.116" utility
        6⤵
        
        PID:556
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4960 -childID 3 -isForBrowser -prefsHandle 4984 -prefMapHandle 4972 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebde8dca-8665-416b-a77e-dde8e0b4d4da} 116 "\\.\pipe\gecko-crash-server-pipe.116" tab
        6⤵
        
        PID:7036
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5108 -childID 4 -isForBrowser -prefsHandle 5116 -prefMapHandle 4988 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9aabff9-5685-417c-82db-c59146f29e74} 116 "\\.\pipe\gecko-crash-server-pipe.116" tab
        6⤵
        
        PID:7076
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5188 -childID 5 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad6fb1f7-d949-49ec-bf6d-ee370279d95e} 116 "\\.\pipe\gecko-crash-server-pipe.116" tab
        6⤵
        
        PID:3016
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5320 -parentBuildID 20240401114208 -prefsHandle 2052 -prefMapHandle 3224 -prefsLen 29278 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {969b75ef-b636-4b11-8fb7-6b2320d29f62} 116 "\\.\pipe\gecko-crash-server-pipe.116" gpu
        6⤵
        
        PID:5108
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4316 -childID 6 -isForBrowser -prefsHandle 2528 -prefMapHandle 3664 -prefsLen 29278 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b929e11-83d8-4b68-b283-99e61d895a5b} 116 "\\.\pipe\gecko-crash-server-pipe.116" tab
        6⤵
        
        PID:6272
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:3648
- - C:\Users\Admin\AppData\Local\Temp\1012546001\41d2c2cd77.exe
    "C:\Users\Admin\AppData\Local\Temp\1012546001\41d2c2cd77.exe"
    3⤵
    PID:5264
- - C:\Users\Admin\AppData\Local\Temp\1012547001\46fc8c32f6.exe
    "C:\Users\Admin\AppData\Local\Temp\1012547001\46fc8c32f6.exe"
    3⤵
    PID:5500

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3208

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3136 -ip 3136
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3136 -ip 3136
1⤵
PID:5140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
676c8391c9c8b4ea01b757c00ef55b51

SHA1
6b95b3695e33fc076118cec8476a42d7482ff421

SHA256
5e5d02ee7634727617219d9126b06578630a09529829256f15e722b90010b9a7

SHA512
cde6f295a367faf8b67902365673d6dc3f3f76c10c1bd7b64f43f95c96da7eae827937a0aed9762e4bb8ef107c9275815a12d5dcda6dcab748f7e9929897bd1c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe

Filesize
2.8MB

MD5
b466bf1dc60388a22cb73be01ca6bf57

SHA1
21eb9665e42d6c4a8d9e764627049b2a6e3a69a4

SHA256
e5f0f0c3383080fc2702779e3040c490ab022af69a4bc8c61bf9b1f6514ae7ad

SHA512
6cb51dae17b3bcef6254ecf6538ecc49cdd53c40c979fd743f49987b28d05c033781b1047dbf25b203b02bf70ce4205dcc1cc5bbea46119cb0e2cd0ce140cbe2

Download Submit
C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\sqlite3.dll

Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe

Filesize
3.4MB

MD5
3a16d0e4e4522073da3c8a5a9f9e790b

SHA1
7a42a21a348d2e49c67b426d333a5c354ed2c83e

SHA256
ccc4dd64df98c26da462a17a8df9f927d02e202d88ada8cfba92b7bbeb954c3e

SHA512
1213c3e077b660afa65133f0b5943bd866f02d736284791dc99ae4d30c6ed7705eb55999cb4a3be1cc0a394111904154bc72a2d0f1fdc453893ecf9a4a25b99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe

Filesize
3.3MB

MD5
7823e902900881094372948957825fe1

SHA1
297a663f3b64fb9863164d10ac698bef03dd3a0f

SHA256
92d36e5fb3fdbf10ad10c7880c40013c2e21b8a49e20720137d2b4851681233f

SHA512
60d4ea35cfec5154cfa3cb767de7c839ca8b3987b27599ea218ec1c47f1d111a59f193cd3cfd1266ae384434ae653f1e0a297f7222a2592e529b2b4404dd6238

Download Submit
C:\Users\Admin\AppData\Local\Temp\1012542001\rhnew.exe

Filesize
612B

MD5
e3eb0a1df437f3f97a64aca5952c8ea0

SHA1
7dd71afcfb14e105e80b0c0d7fce370a28a41f0a

SHA256
38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521

SHA512
43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1012543001\6a696251d1.exe

Filesize
1.8MB

MD5
14553b3e4f83021e14520e0f62f95a24

SHA1
35f37fc3ed8d53920b96b8485e741097cfcd05ba

SHA256
d31671f91056db4b63277269b84841872b047643116fce88f5952393daa22691

SHA512
9f1a23fa7632155407bdbe9eb2a21708b241906d817c9eaa8cfef2ca65acf67135d8b8e7249b580f67685ccec9b487b65ff1c48378af6418bc7976393dbfdc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\1012544001\5c703508dc.exe

Filesize
4.9MB

MD5
ebe3d112a464bca87d0600558998c287

SHA1
e24f303f33d3d4bd2afc5bc0392de5f14e4bd72a

SHA256
08c78546997ccfbffb833a115f8888ad128e5c4d43bddd9e01e2105132ef0824

SHA512
fcfd10bd5c930ec50bfa011752db8a28526994712ecb3b905d2d892099df69dcc90ff881669f5b323b99ae9a19061cb5c8abb86b18fc31012d9b91b653c24bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1012545001\838e3987ee.exe

Filesize
948KB

MD5
9e7ce696dfdb127b028a0610a441047d

SHA1
79a7805f957617896fd16ec5d1db102d9809f667

SHA256
bcb1df1e3ce692f4e284bf91f1873696933a5f2ffd87ac966b719e492b43d1eb

SHA512
b226a736eee638e1ef2dc4dfdb6193b23756b525d665209efc6094ba119ddff3004844b8439034e67d79ded9ddff82369edf6d735f72a0e916763dedfa6d1c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1012546001\41d2c2cd77.exe

Filesize
2.6MB

MD5
10f89bc59dd3ebb89c8437a590abbb97

SHA1
cb65670a5597fe2bca2423648b7e8325eedbe112

SHA256
252af078fcf7992ce1afa0449ffa8591725bf9c46219b19d85369fdc657c8b00

SHA512
60d3cedf0b29d9dfdf0eb030ffa817fb102f72bbe6cc5e105d17cd9ddd355c3e9e4374f10bef70919d033f83b3eb1f311bf868bc922633ba8482a9776c84db5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1012547001\46fc8c32f6.exe

Filesize
1.9MB

MD5
89109257f23f068de9f04a3c59df2b15

SHA1
03ea7063a9d7b54bcdea8f11a990e668d9346121

SHA256
74567ee5c75fd4a34c44dc8c75e9f4ea1dcf3c60d6d3fff4e8d8526460e49b10

SHA512
b3203b1dbbb28a8f0e69e067c9b48e6a930e05046674f3b7f82a76b4b2ff0f8535150ed46dddbe8421fe4ced283f9edf76e2d15f54c454d43771f4e350655f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
1.8MB

MD5
880d50b201c9a9c42ad4dc0d4eece5a3

SHA1
3e71ad87d7184de4b6f1892d06bd74bb89b1f305

SHA256
763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096

SHA512
16cee76e2cb07814363b5c5e8fdbb27f84654d6ab04fda94c1a57b0ba7ce3f2cc9819276193b39dd19572417d016cdafb54013785558dc69bb28cf2df984a068

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0OQ72.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7F9OM.tmp\i1A5m12.tmp

Filesize
689KB

MD5
e672d5907f1ce471d9784df64d8a306b

SHA1
6d094cae150d72b587c5480c15127d7059e16932

SHA256
9f9250be71bd6254790a9630990f4560d53995db3d8737b7f49986e3551283e5

SHA512
9cf10e997d8d99e6eb2f6ccac00ab365f63e03d96c2e2354fdf67683b85553a60cd9542cfb21cbea468c6a2bda454cde71937c0d21c4b738451b5e2c30690c39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin

Filesize
7KB

MD5
b330e4dd5867eabd16a9240dcedd65ae

SHA1
363f75a8a6031b7c459dae4f73e716ad150873b1

SHA256
4f89734bc1c0d4b93026dd72eb5d2e330866be7aef19a85cdae3a11eac1a5ec1

SHA512
8e24f9300d5ac76ef40d4bc5f00146f7921d419748648ece4733c52a0502255ab2fdb1696128f887d7bc561d2e25514999dc5f0c4499b11203c207d5ecb00ba4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin

Filesize
8KB

MD5
0ad3ee7b89af451e3e57d883769cd997

SHA1
c03363a80d84f4ccca2e8070fe99d05286868e8c

SHA256
3eefe8718e566091b1f7249ab04329d02036f4da7f2d43e46a93ad6d03445204

SHA512
c415d967b673b619e5c7983264332fbc17e35091e1d3bd8ec2948bb4dc6199a3c6d1cbb3d83839e9515fed2f409c0e5cbfc914fdfdf341c0fb33b6dd583c5325

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1deaf62b3f7a40915da5adc004ed0d88

SHA1
3abb19bafc2d259f96284e62102ea6d6645fd839

SHA256
a576ee08db4050c823c6f20990b30f914245f00746f8b36cd63ddb6b2bea19eb

SHA512
480674b8edf6f6bcec0b1a1bd4d1c6fa05ee9cfb924eb8f67ad9e97938254c186930ee866ba01c4c0278589d7d719414eb774d37f9cfb60fe24904d1984c9b56

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
d6aee0b71549c7ef99504af75d326fbf

SHA1
3f595750e1fd087388308d81d518944fc3ae3c59

SHA256
0f0407586999d1bc11b1ac6e23b7ee79db29a905441de19c2c594c87d6e6017a

SHA512
06e2c57568526449051359c83add23aa5ad4e9c6361847932faf1b1f1d806199f628b41cbe11e2bbf38c197404cd12d7fb0afba5f406db62741522677555e6b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\0fde30ba-0c9f-4bd2-ba6c-230b26790a23

Filesize
671B

MD5
51a1d89624d932d4f2dcdd483b0befa7

SHA1
872bbea135886d95f99e35f88e902184725e3222

SHA256
c8df677d8030d74b75c7f475df76d666fe244358570320f7762b2cf7100111a8

SHA512
c1de65d81fe16763637694a4b7f79e0f6e728d3c50674a457bf405f6793210d99a21f1a322341d2b9a75276635bcfb47e6a0d7564b45aaf07a3f8d4c634383ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\670bee86-4f8c-4bc7-acb2-8b43567937db

Filesize
982B

MD5
627a4d016389f4e930091b2dd210609d

SHA1
db638a584940a02f7a98394b4f4b3ab9c4eefc7a

SHA256
46e6f0077eda76d7fcc29a659252ae764ae62d86d8b34364b6872ba3184f0cf4

SHA512
fa7da5f001a8c4657a329ec147288de36b8d415fd71bed0431bcba9122fa88dc593748ea841ff3a4e9020b76f330c6b7ce1b67563df84a84030adda04aa12363

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\e4e23e7e-db66-4ad6-b7e9-324dfd6e2cc6

Filesize
25KB

MD5
0aa5516598cf2f921926a234619a2d95

SHA1
c28d4289ae4b74ee4094a366fc5a27a827e1f2a2

SHA256
e6baec0ac7ef891e95f0e90b1a11ced81365bca39199e404121e27b4e18c29df

SHA512
6553cff2cb76445cc77035a8c4360392becddde891ef210a25176ed6170b6380aa7034f5b904aa194ceb00c0303f4280293d2f813dd078bb4f365cd85595f4c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js

Filesize
10KB

MD5
f9af11cb7f5a687f81b5297fc722375b

SHA1
115ee24b005601b4e1f110c57593bd4bb96feaaf

SHA256
fb0d5efdd182106fbdb4c5da4090edc580d476f1a07e58e4e304b8b8461c9870

SHA512
137b4efb928626c31eea777f9da4ff6cbdf9069bed507195777547a13ee768e77b026652f08249e6dc1aef9c77662f37823a8578ab19ffbf0a1d8f2bbc0e6472

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js

Filesize
10KB

MD5
a4b6c8e652b5d09735907c7ca2d88f74

SHA1
065531fe1233d78cd9d62b0fca578b5b3ae5e3e9

SHA256
83c71405c685e84e55bd3e5de1b4220c4f9925dd5d51affe9de9c3f0371a637d

SHA512
89917d0a4ccf07df514fce34101782433c79dd9995ce3683b4442d42f48c0d9f5cff8043ec1fe422038706e5027529b01387189cf9a91f97d63157fda5f6d8a3

Download Submit
memory/644-24714-0x0000000000410000-0x00000000008C9000-memory.dmp

Filesize
4.7MB

Download
memory/644-23759-0x0000000000410000-0x00000000008C9000-memory.dmp

Filesize
4.7MB

Download
memory/2912-153-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-141-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-119-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-127-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-108-0x0000000000E50000-0x00000000011AE000-memory.dmp

Filesize
3.4MB

Download
memory/2912-167-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-165-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-163-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-161-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-159-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-157-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-155-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-151-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-149-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-147-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-145-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-143-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-111-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-139-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-138-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-135-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-131-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-129-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-125-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-123-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-121-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-117-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-115-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-133-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-113-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-110-0x0000000005D50000-0x0000000005F02000-memory.dmp

Filesize
1.7MB

Download
memory/2912-109-0x0000000005D50000-0x0000000005F08000-memory.dmp

Filesize
1.7MB

Download
memory/3136-2822-0x0000000000400000-0x00000000008C6000-memory.dmp

Filesize
4.8MB

Download
memory/3136-6455-0x0000000000400000-0x00000000008C6000-memory.dmp

Filesize
4.8MB

Download
memory/3136-28703-0x0000000000400000-0x00000000008C6000-memory.dmp

Filesize
4.8MB

Download
memory/3160-88-0x0000000000410000-0x00000000008C9000-memory.dmp

Filesize
4.7MB

Download
memory/3160-19-0x0000000000411000-0x000000000043F000-memory.dmp

Filesize
184KB

Download
memory/3160-42-0x0000000000410000-0x00000000008C9000-memory.dmp

Filesize
4.7MB

Download
memory/3160-21-0x0000000000410000-0x00000000008C9000-memory.dmp

Filesize
4.7MB

Download
memory/3160-18-0x0000000000410000-0x00000000008C9000-memory.dmp

Filesize
4.7MB

Download
memory/3160-20-0x0000000000410000-0x00000000008C9000-memory.dmp

Filesize
4.7MB

Download
memory/3160-89-0x0000000000410000-0x00000000008C9000-memory.dmp

Filesize
4.7MB

Download
memory/3160-84-0x0000000000410000-0x00000000008C9000-memory.dmp

Filesize
4.7MB

Download
memory/3208-3208-0x0000000000410000-0x00000000008C9000-memory.dmp

Filesize
4.7MB

Download
memory/3208-4228-0x0000000000410000-0x00000000008C9000-memory.dmp

Filesize
4.7MB

Download
memory/3504-2015-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3504-40-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3504-44-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4156-87-0x0000000000400000-0x00000000006DF000-memory.dmp

Filesize
2.9MB

Download
memory/4156-2423-0x0000000000400000-0x00000000006DF000-memory.dmp

Filesize
2.9MB

Download
memory/4156-82-0x0000000000400000-0x00000000006DF000-memory.dmp

Filesize
2.9MB

Download
memory/4620-0-0x0000000000120000-0x00000000005D9000-memory.dmp

Filesize
4.7MB

Download
memory/4620-4-0x0000000000120000-0x00000000005D9000-memory.dmp

Filesize
4.7MB

Download
memory/4620-1-0x0000000077414000-0x0000000077416000-memory.dmp

Filesize
8KB

Download
memory/4620-2-0x0000000000121000-0x000000000014F000-memory.dmp

Filesize
184KB

Download
memory/4620-16-0x0000000000120000-0x00000000005D9000-memory.dmp

Filesize
4.7MB

Download
memory/4620-3-0x0000000000120000-0x00000000005D9000-memory.dmp

Filesize
4.7MB

Download
memory/5264-14771-0x0000000000DC0000-0x0000000001070000-memory.dmp

Filesize
2.7MB

Download
memory/5264-12949-0x0000000000DC0000-0x0000000001070000-memory.dmp

Filesize
2.7MB

Download
memory/5264-10151-0x0000000000DC0000-0x0000000001070000-memory.dmp

Filesize
2.7MB

Download
memory/5264-10152-0x0000000000DC0000-0x0000000001070000-memory.dmp

Filesize
2.7MB

Download
memory/5264-8813-0x0000000000DC0000-0x0000000001070000-memory.dmp

Filesize
2.7MB

Download
memory/5500-10768-0x0000000000400000-0x0000000000C84000-memory.dmp

Filesize
8.5MB

Download
memory/5500-15316-0x0000000000400000-0x0000000000C84000-memory.dmp

Filesize
8.5MB

Download
memory/5940-5326-0x00000000005F0000-0x0000000000AE4000-memory.dmp

Filesize
5.0MB

Download
memory/5940-8027-0x00000000005F0000-0x0000000000AE4000-memory.dmp

Filesize
5.0MB

Download