amadey | ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
Size

3.1MB
MD5

2b3dca9f3f8f7b379021a041b731aed3
SHA1

e8fc7d977c0a76e25b1e69f4398a10fef83918d0
SHA256

ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24
SHA512

ce65473353253347788ed1d0641a6c6a3be815c50bd1046c1aa8bf827f48c0f09b61560f3aa3eeb8f641afa6d7a870dd68834615b3fe81b6f62a9ffee946f98a
SSDEEP

49152:QGzTfwucejjjsjgACxGnlEaX+IWYxR8SJe2cC9/1+F0U:Bzb20jIjgACxNyWCR8S42cC9/1+z

Score

10^/10

amadey dcrat lumma stealc 9c9aa5 stok discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://atten-supporse.biz/api

Extracted

Family

stealc

Botnet

stok

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

lumma

https://atten-supporse.biz/api

https://se-blurry.biz/api

https://zinc-sneark.biz/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

DCRat payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x0006000000016b86-1296.dat	family_dcrat_v2
behavioral1/memory/2908-1304-0x0000000000A50000-0x0000000000BF8000-memory.dmp	family_dcrat_v2
behavioral1/memory/3844-1354-0x0000000000960000-0x0000000000B08000-memory.dmp	family_dcrat_v2

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0tClIDb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	066a25ce02.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0tClIDb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0tClIDb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	066a25ce02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	066a25ce02.exe

Executes dropped EXE 13 IoCs

pid	Process
2752	skotes.exe
2188	B3vKvPi.exe
3060	callmobile.exe
4824	0tClIDb.exe
2356	wTMEVe8.exe
1972	wTMEVe8.exe
592	csLDEIrSiA.exe
2908	LG4h0ZkkiE.exe
3844	lsass.exe
4584	ntRoEwh.exe
4640	callmobile.exe
4028	066a25ce02.exe
560	397bf02ed6.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	0tClIDb.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	066a25ce02.exe

Loads dropped DLL 18 IoCs

pid	Process
2684	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
2684	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
2752	skotes.exe
2752	skotes.exe
2752	skotes.exe
2752	skotes.exe
2356	wTMEVe8.exe
1972	wTMEVe8.exe
1972	wTMEVe8.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
2752	skotes.exe
2752	skotes.exe
2752	skotes.exe
2752	skotes.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\397bf02ed6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013242001\\397bf02ed6.exe"	skotes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	B3vKvPi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ntRoEwh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\066a25ce02.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013241001\\066a25ce02.exe"	skotes.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0006000000017570-2611.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2684	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
2752	skotes.exe
4824	0tClIDb.exe
4028	066a25ce02.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2356 set thread context of 1972	2356	wTMEVe8.exe	39

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3688	3060	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wTMEVe8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	397bf02ed6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	397bf02ed6.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	397bf02ed6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	callmobile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0tClIDb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wTMEVe8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	066a25ce02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	callmobile.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3428	PING.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
4820	taskkill.exe
4904	taskkill.exe
2100	taskkill.exe
4716	taskkill.exe
3012	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	firefox.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3428	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2684	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
2752	skotes.exe
4824	0tClIDb.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe
2908	LG4h0ZkkiE.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	callmobile.exe
Token: SeDebugPrivilege	2908	LG4h0ZkkiE.exe
Token: SeDebugPrivilege	3060	callmobile.exe
Token: SeDebugPrivilege	3844	lsass.exe
Token: SeDebugPrivilege	4640	callmobile.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeDebugPrivilege	4716	taskkill.exe
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	4820	taskkill.exe
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	2576	firefox.exe
Token: SeDebugPrivilege	2576	firefox.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2684	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
560	397bf02ed6.exe
560	397bf02ed6.exe
560	397bf02ed6.exe
560	397bf02ed6.exe
560	397bf02ed6.exe
560	397bf02ed6.exe
560	397bf02ed6.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
560	397bf02ed6.exe
560	397bf02ed6.exe
560	397bf02ed6.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
560	397bf02ed6.exe
560	397bf02ed6.exe
560	397bf02ed6.exe
560	397bf02ed6.exe
560	397bf02ed6.exe
560	397bf02ed6.exe
560	397bf02ed6.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
560	397bf02ed6.exe
560	397bf02ed6.exe
560	397bf02ed6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2752	2684	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe	30
PID 2684 wrote to memory of 2752	2684	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe	30
PID 2684 wrote to memory of 2752	2684	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe	30
PID 2684 wrote to memory of 2752	2684	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe	30
PID 2752 wrote to memory of 2188	2752	skotes.exe	33
PID 2752 wrote to memory of 2188	2752	skotes.exe	33
PID 2752 wrote to memory of 2188	2752	skotes.exe	33
PID 2752 wrote to memory of 2188	2752	skotes.exe	33
PID 2188 wrote to memory of 3060	2188	B3vKvPi.exe	34
PID 2188 wrote to memory of 3060	2188	B3vKvPi.exe	34
PID 2188 wrote to memory of 3060	2188	B3vKvPi.exe	34
PID 2188 wrote to memory of 3060	2188	B3vKvPi.exe	34
PID 2752 wrote to memory of 4824	2752	skotes.exe	35
PID 2752 wrote to memory of 4824	2752	skotes.exe	35
PID 2752 wrote to memory of 4824	2752	skotes.exe	35
PID 2752 wrote to memory of 4824	2752	skotes.exe	35
PID 2752 wrote to memory of 2356	2752	skotes.exe	37
PID 2752 wrote to memory of 2356	2752	skotes.exe	37
PID 2752 wrote to memory of 2356	2752	skotes.exe	37
PID 2752 wrote to memory of 2356	2752	skotes.exe	37
PID 2356 wrote to memory of 1972	2356	wTMEVe8.exe	39
PID 2356 wrote to memory of 1972	2356	wTMEVe8.exe	39
PID 2356 wrote to memory of 1972	2356	wTMEVe8.exe	39
PID 2356 wrote to memory of 1972	2356	wTMEVe8.exe	39
PID 2356 wrote to memory of 1972	2356	wTMEVe8.exe	39
PID 2356 wrote to memory of 1972	2356	wTMEVe8.exe	39
PID 2356 wrote to memory of 1972	2356	wTMEVe8.exe	39
PID 2356 wrote to memory of 1972	2356	wTMEVe8.exe	39
PID 2356 wrote to memory of 1972	2356	wTMEVe8.exe	39
PID 2356 wrote to memory of 1972	2356	wTMEVe8.exe	39
PID 2356 wrote to memory of 1972	2356	wTMEVe8.exe	39
PID 1972 wrote to memory of 2908	1972	wTMEVe8.exe	41
PID 1972 wrote to memory of 2908	1972	wTMEVe8.exe	41
PID 1972 wrote to memory of 2908	1972	wTMEVe8.exe	41
PID 1972 wrote to memory of 2908	1972	wTMEVe8.exe	41
PID 2908 wrote to memory of 3356	2908	LG4h0ZkkiE.exe	42
PID 2908 wrote to memory of 3356	2908	LG4h0ZkkiE.exe	42
PID 2908 wrote to memory of 3356	2908	LG4h0ZkkiE.exe	42
PID 3356 wrote to memory of 3412	3356	cmd.exe	44
PID 3356 wrote to memory of 3412	3356	cmd.exe	44
PID 3356 wrote to memory of 3412	3356	cmd.exe	44
PID 3356 wrote to memory of 3428	3356	cmd.exe	45
PID 3356 wrote to memory of 3428	3356	cmd.exe	45
PID 3356 wrote to memory of 3428	3356	cmd.exe	45
PID 3060 wrote to memory of 3688	3060	callmobile.exe	46
PID 3060 wrote to memory of 3688	3060	callmobile.exe	46
PID 3060 wrote to memory of 3688	3060	callmobile.exe	46
PID 3060 wrote to memory of 3688	3060	callmobile.exe	46
PID 3356 wrote to memory of 3844	3356	cmd.exe	47
PID 3356 wrote to memory of 3844	3356	cmd.exe	47
PID 3356 wrote to memory of 3844	3356	cmd.exe	47
PID 2752 wrote to memory of 4584	2752	skotes.exe	48
PID 2752 wrote to memory of 4584	2752	skotes.exe	48
PID 2752 wrote to memory of 4584	2752	skotes.exe	48
PID 2752 wrote to memory of 4584	2752	skotes.exe	48
PID 4584 wrote to memory of 4640	4584	ntRoEwh.exe	49
PID 4584 wrote to memory of 4640	4584	ntRoEwh.exe	49
PID 4584 wrote to memory of 4640	4584	ntRoEwh.exe	49
PID 4584 wrote to memory of 4640	4584	ntRoEwh.exe	49
PID 2752 wrote to memory of 4028	2752	skotes.exe	50
PID 2752 wrote to memory of 4028	2752	skotes.exe	50
PID 2752 wrote to memory of 4028	2752	skotes.exe	50
PID 2752 wrote to memory of 4028	2752	skotes.exe	50
PID 2752 wrote to memory of 560	2752	skotes.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
"C:\Users\Admin\AppData\Local\Temp\ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\1013210001\B3vKvPi.exe
    "C:\Users\Admin\AppData\Local\Temp\1013210001\B3vKvPi.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\callmobile.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\callmobile.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 616
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:3688
- - C:\Users\Admin\AppData\Local\Temp\1013229001\0tClIDb.exe
    "C:\Users\Admin\AppData\Local\Temp\1013229001\0tClIDb.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4824
- - C:\Users\Admin\AppData\Local\Temp\1013238001\wTMEVe8.exe
    "C:\Users\Admin\AppData\Local\Temp\1013238001\wTMEVe8.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\1013238001\wTMEVe8.exe
      "C:\Users\Admin\AppData\Local\Temp\1013238001\wTMEVe8.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Users\Admin\AppData\Roaming\csLDEIrSiA.exe
        
        "C:\Users\Admin\AppData\Roaming\csLDEIrSiA.exe"
        5⤵
        Executes dropped EXE
        
        PID:592
    - - C:\Users\Admin\AppData\Roaming\LG4h0ZkkiE.exe
        
        "C:\Users\Admin\AppData\Roaming\LG4h0ZkkiE.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cfdfvnVfF0.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3428
        
        C:\Users\Default\lsass.exe
        
        "C:\Users\Default\lsass.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3844
- - C:\Users\Admin\AppData\Local\Temp\1013239001\ntRoEwh.exe
    "C:\Users\Admin\AppData\Local\Temp\1013239001\ntRoEwh.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\callmobile.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\callmobile.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4640
- - C:\Users\Admin\AppData\Local\Temp\1013241001\066a25ce02.exe
    "C:\Users\Admin\AppData\Local\Temp\1013241001\066a25ce02.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4028
- - C:\Users\Admin\AppData\Local\Temp\1013242001\397bf02ed6.exe
    "C:\Users\Admin\AppData\Local\Temp\1013242001\397bf02ed6.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4820
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4904
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:5080
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2576
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.0.1339387803\355300554" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1168 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f68d4486-6fc3-4a19-9724-29a385054efd} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 1312 89f1758 gpu
        6⤵
        
        PID:1032
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.1.297647941\1800845845" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1496 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {59eee39f-2244-4cb2-9503-bf050f61fdc5} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 1516 84fc258 socket
        6⤵
        
        PID:3208
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.2.994209207\87366932" -childID 1 -isForBrowser -prefsHandle 2180 -prefMapHandle 1996 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {746a648c-be06-4fa1-a426-608bdc3dfd89} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 2192 1b18c858 tab
        6⤵
        
        PID:956
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.3.1126933662\1406546735" -childID 2 -isForBrowser -prefsHandle 2760 -prefMapHandle 2792 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {887bb7bd-4ff5-4243-8c5e-5e857a1b9d7a} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 2804 e64558 tab
        6⤵
        
        PID:3548
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.4.628396663\1595108076" -childID 3 -isForBrowser -prefsHandle 3644 -prefMapHandle 3668 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd8246e1-efd9-4ea1-9f83-74e05b702e81} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 3692 89f3558 tab
        6⤵
        
        PID:4368
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.5.1377080228\1550302915" -childID 4 -isForBrowser -prefsHandle 3800 -prefMapHandle 3804 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d4a9c4f-3b64-4f9e-8456-e6de141051fa} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 3788 1c076758 tab
        6⤵
        
        PID:4440
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.6.146082498\824236411" -childID 5 -isForBrowser -prefsHandle 3912 -prefMapHandle 3916 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a43585ac-464a-4b53-8f5f-d78ac2b32902} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 3900 1c078258 tab
        6⤵
        
        PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
ed1bc87dbdc1ac77a129e14e127479b4

SHA1
798e2e95437e689a19e859575d0f944fa344e180

SHA256
927b684929510211e9c6b6f7ab44c0d5aa275f8c288acbaee87981f4c9d74514

SHA512
65e7a3a750c47a5e9ab1d517c18f5f155f067994b7645ca535d5d8cae2e944d58e149dbb7096354e30939efe29e0279fc816d35063acaf4406173ef91d36f1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013210001\B3vKvPi.exe

Filesize
2.2MB

MD5
3541c1ac26eb5bbb87f01c20fd9f8824

SHA1
bf5d136c911491f59bdeb3bf37b8f1a155fd3a97

SHA256
b7cd929ce4d0fa849eeab8a216e1333f63c7d3530da674f163efab4dae3439d1

SHA512
babc17723d2389919acd96f977821d57bdd737f01a9598209efafa72ae0418e914a5d229f196d80cb5ba70ce82b0f340b18aa255bbe4ed77d821a432d5794a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013229001\0tClIDb.exe

Filesize
1.8MB

MD5
6367fb8a64f997be8d65536534bdd057

SHA1
3ee062142dde2330881566a63a92957037a0e6b3

SHA256
bdae46a5cb1f1b6b9864b5e944ed5b2e24622d7385a196e0293f7b9da59bda5e

SHA512
ace2dbba313180a64f70f49c7763fb9da23ef76b82548c8fa54a7d1e8d4810cad83726fe532459660e12e4f6a9210df09dd836ea28f1cc5a791a4873b95a274c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013238001\wTMEVe8.exe

Filesize
3.9MB

MD5
5db95c4de9b6e98c653ac3dec5dce83d

SHA1
c3e1cb98b5450d21c8e9e975148c282afcf4ccae

SHA256
8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7

SHA512
42e5504904f0db4e62d56c03c8e7e302df0eba488a966259aa686e7d952db8a25eb56b5ac72731400cfd2541b6429d82e95e3bb8e87565bdf0cbe2b488c47368

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013241001\066a25ce02.exe

Filesize
1.7MB

MD5
7dcf4c4df2997ccd8c4a0fd2398b784a

SHA1
7f623f31d30a0d45058eeaa38f12ecf43f54fd33

SHA256
4c2d2f9f76daff7560ac8bf55c348f7051216db171fba2a25f7ac939410b7cff

SHA512
697dbc4f0cda3affdfcf0639b53de8a67273cd4ff3e356236277cb2851c6c24be67c4b6ed51bc1229a842ddbd53231b07d2b9dba2d484447240066ad32845d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013242001\397bf02ed6.exe

Filesize
948KB

MD5
ea332702c8adf6f8be3dd834363924bd

SHA1
eaf972aeb4a0eebeede9b2a53c48670965af4d17

SHA256
3b609f119a3ac3d881d7e2e7bf637618500e6d5afe0b65f9087b6653cbbc42eb

SHA512
02662320d09805f2a09fd7431576a7b70c83fdc2ea6a139e53c23509705659b4a9034f135383166b0c0d0f3777f0220a53d2e7a02a2a1642af96eb0030cb44fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\callmobile.exe

Filesize
2.3MB

MD5
ffabcc262fb699998b6191d7656c8805

SHA1
fd3ea79a8550b14e9cc75fb831fd7a141964a714

SHA256
f46e4a7de978baceec5f64cbc9fa1f1e772e864fa3310045cd19d77264698cde

SHA512
79b2e21a9111b16b0f67ae5d1cc40a25773b847d3f4cf78711a8dfd8b67c30beec332ed65ac008c9dca62c84de891eff20d7c6050bc868bce77a17fe56da61ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
3.1MB

MD5
2b3dca9f3f8f7b379021a041b731aed3

SHA1
e8fc7d977c0a76e25b1e69f4398a10fef83918d0

SHA256
ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24

SHA512
ce65473353253347788ed1d0641a6c6a3be815c50bd1046c1aa8bf827f48c0f09b61560f3aa3eeb8f641afa6d7a870dd68834615b3fe81b6f62a9ffee946f98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfdfvnVfF0.bat

Filesize
154B

MD5
999f411a9f26d33d047cfd6e37ba37f9

SHA1
1ebff19c0b0ce6095c28398c7820be1b9c1723fc

SHA256
bdd62287f5c16724aef801fd5ebe315f226580a004640008174c9d36ca41f6ab

SHA512
6e8c57d81bb541dbc3492a5923b525d5d0c73f1a9ec1c89087d9afde52ec8cf2e7bd40a9e2a3a65197cf0ec7d32c8682b0ec0cf477b02574791bbe5d0c93c712

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin

Filesize
1KB

MD5
8dd74d72875420d6113e640a81475474

SHA1
ee5fc4cb94c22aedc33cb8933293cc2693e19bc7

SHA256
10129b8c80689d37c086ec6b01a6cc418f432d0f0aeb9165807c4a46e4aed371

SHA512
2bd1f0cc94367750135461d93c3285f744e7e48f4b2c9d86590081e0a9b54b0d71e0f63146352b3d64a6f6712d56661a911d569e4f837910b72874299ee206d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
776c4de9d64b63afd9c808cfea7ecba5

SHA1
ec80b6694c661537b00a77eb10b0fbffb9bba44b

SHA256
35fbc1fabcf74d6a65506facba1b57981010dc2c3de3374c7c73e0353c4a0eaf

SHA512
cf8955072994eeb74a5fa7b9b46531a873b29f4619eb28635d63b1b4ad333890d0fbb47c10af73fc6a80dfc9a4004ca4cc268d2807534df87eae1fbb592f7257

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\5f392875-3910-4dbd-be06-dc442a26c4f7

Filesize
745B

MD5
67db734d58722210b204e9a8ac5f6e41

SHA1
6d7460f2bf65bf5f02faf4879c07afbecd920ba3

SHA256
f4362cea82e4d60e8f8b80f5b0a4f43e84acec64c950f3fca1de0ee7f39eb67d

SHA512
5e1d8e58815d82a2cdaee22f8ae451d10a514ea314ff8264bda5ee00cbfa4958bf2ba662866023d2789027e470ce58148df64e1101dc2959d09046d92fc7bbae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\9b123593-03bf-45d3-b401-bd812c23b99e

Filesize
12KB

MD5
2b2372b860ee6055fe6d150b2167a6d4

SHA1
dbe3a7aa24ded848f228a718709cbe33b73a756d

SHA256
18bb0be00265d0ff7549159179b5c93d1fa724c71a09b7e41728f6000e284e8c

SHA512
3017fffc8a0d6d28eea062b3f2c6bc8473da0b40d99497eefaa90d460ba55ea471edcd63954bf4ad8e48ae9d67193d813507e69109db5bc7272e09b2ba2b630a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js

Filesize
6KB

MD5
f1af95c378f444896d23053331bdee29

SHA1
c37192dabe1c39e3d33d8a829844e9bbe81253d1

SHA256
2a4b02f37ff1b311f03a88486a14dca25110cc5326d210f2af20a0e503d3c62a

SHA512
719ec46da59640ebdbaf0b790c6e7594159eaa55ac5bdd5aac4668b497150bc763fe1b6be937bf96a00a978f8087b63904eb79ca84ccff7284a41298f8a7ac9d

Download Submit
C:\Users\Admin\AppData\Roaming\csLDEIrSiA.exe

Filesize
18KB

MD5
f3edff85de5fd002692d54a04bcb1c09

SHA1
4c844c5b0ee7cb230c9c28290d079143e00cb216

SHA256
caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

SHA512
531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

Download Submit
\Users\Admin\AppData\Roaming\LG4h0ZkkiE.exe

Filesize
1.6MB

MD5
579fd24f4cacc972f63f47214f9c3c34

SHA1
20be9c6e9aa29d57b670d6809ffad1786a8508e5

SHA256
f80bd8eb42194df565e3152d35bad6a40fdae70e221e9e66873587bffb73d64b

SHA512
1a8f7918b931fa10cbc4b47a88405c0b28255360ac27e1d44ba00554186ed20139fbaaa278a362c34a20083f4fff30dc83876c3f382397f831f781fb6a9aab91

Download Submit
memory/2684-22-0x0000000006BB0000-0x0000000006EC4000-memory.dmp

Filesize
3.1MB

Download
memory/2684-18-0x0000000000990000-0x0000000000CA4000-memory.dmp

Filesize
3.1MB

Download
memory/2684-1-0x0000000077260000-0x0000000077262000-memory.dmp

Filesize
8KB

Download
memory/2684-2-0x0000000000991000-0x00000000009F9000-memory.dmp

Filesize
416KB

Download
memory/2684-3-0x0000000000990000-0x0000000000CA4000-memory.dmp

Filesize
3.1MB

Download
memory/2684-0-0x0000000000990000-0x0000000000CA4000-memory.dmp

Filesize
3.1MB

Download
memory/2684-4-0x0000000000990000-0x0000000000CA4000-memory.dmp

Filesize
3.1MB

Download
memory/2684-5-0x0000000000990000-0x0000000000CA4000-memory.dmp

Filesize
3.1MB

Download
memory/2684-19-0x0000000000991000-0x00000000009F9000-memory.dmp

Filesize
416KB

Download
memory/2684-23-0x0000000006BB0000-0x0000000006EC4000-memory.dmp

Filesize
3.1MB

Download
memory/2752-21-0x00000000003A0000-0x00000000006B4000-memory.dmp

Filesize
3.1MB

Download
memory/2752-28-0x00000000003A0000-0x00000000006B4000-memory.dmp

Filesize
3.1MB

Download
memory/2752-25-0x00000000003A0000-0x00000000006B4000-memory.dmp

Filesize
3.1MB

Download
memory/2752-24-0x00000000003A1000-0x0000000000409000-memory.dmp

Filesize
416KB

Download
memory/2752-26-0x00000000003A0000-0x00000000006B4000-memory.dmp

Filesize
3.1MB

Download
memory/2752-2605-0x0000000006780000-0x0000000006E0B000-memory.dmp

Filesize
6.5MB

Download
memory/2752-2575-0x0000000006780000-0x0000000006E0B000-memory.dmp

Filesize
6.5MB

Download
memory/2752-30-0x00000000003A0000-0x00000000006B4000-memory.dmp

Filesize
3.1MB

Download
memory/2752-29-0x00000000003A1000-0x0000000000409000-memory.dmp

Filesize
416KB

Download
memory/2752-34-0x00000000003A0000-0x00000000006B4000-memory.dmp

Filesize
3.1MB

Download
memory/2752-33-0x00000000003A0000-0x00000000006B4000-memory.dmp

Filesize
3.1MB

Download
memory/2752-32-0x00000000003A0000-0x00000000006B4000-memory.dmp

Filesize
3.1MB

Download
memory/2752-31-0x00000000003A0000-0x00000000006B4000-memory.dmp

Filesize
3.1MB

Download
memory/2752-1245-0x0000000006780000-0x0000000006C2C000-memory.dmp

Filesize
4.7MB

Download
memory/2908-1311-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/2908-1304-0x0000000000A50000-0x0000000000BF8000-memory.dmp

Filesize
1.7MB

Download
memory/2908-1329-0x0000000002160000-0x0000000002178000-memory.dmp

Filesize
96KB

Download
memory/2908-1327-0x00000000023A0000-0x00000000023FA000-memory.dmp

Filesize
360KB

Download
memory/2908-1325-0x00000000020C0000-0x00000000020D6000-memory.dmp

Filesize
88KB

Download
memory/2908-1323-0x0000000002090000-0x00000000020A0000-memory.dmp

Filesize
64KB

Download
memory/2908-1321-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/2908-1319-0x00000000005D0000-0x00000000005DE000-memory.dmp

Filesize
56KB

Download
memory/2908-1317-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2908-1315-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2908-1313-0x0000000002070000-0x0000000002088000-memory.dmp

Filesize
96KB

Download
memory/2908-1309-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/2908-1308-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2908-1306-0x00000000005E0000-0x0000000000606000-memory.dmp

Filesize
152KB

Download
memory/3060-84-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-94-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-80-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-78-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-74-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-112-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-114-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-53-0x0000000000B50000-0x0000000000DAE000-memory.dmp

Filesize
2.4MB

Download
memory/3060-108-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-55-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-76-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-110-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-1232-0x0000000005260000-0x00000000053CE000-memory.dmp

Filesize
1.4MB

Download
memory/3060-1233-0x0000000000A40000-0x0000000000A8C000-memory.dmp

Filesize
304KB

Download
memory/3060-86-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-56-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-88-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-90-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-92-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-82-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-98-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-100-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-102-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-104-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-106-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-96-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-1345-0x00000000021B0000-0x0000000002204000-memory.dmp

Filesize
336KB

Download
memory/3060-54-0x0000000004C90000-0x0000000004E8E000-memory.dmp

Filesize
2.0MB

Download
memory/3060-72-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-58-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-60-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-70-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-62-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-64-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-66-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3060-68-0x0000000004C90000-0x0000000004E88000-memory.dmp

Filesize
2.0MB

Download
memory/3844-1354-0x0000000000960000-0x0000000000B08000-memory.dmp

Filesize
1.7MB

Download
memory/4028-2583-0x0000000000D40000-0x00000000013CB000-memory.dmp

Filesize
6.5MB

Download
memory/4640-1386-0x0000000000260000-0x00000000004BE000-memory.dmp

Filesize
2.4MB

Download
memory/4824-1251-0x0000000000D50000-0x00000000011FC000-memory.dmp

Filesize
4.7MB

Download