amadey | 30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c

Analysis

max time kernel
27s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c.exe
Size

3.1MB
MD5

52844852230f99e02891a15b601571f2
SHA1

53bfe041262404913af4764d56fe3afb6bea2616
SHA256

30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c
SHA512

d170f9d5b161712e60032a0534f7f71f4d3667d8466b6530f23f529ec48c98d98aa74661d65e6ef33a1f7469dcf776f6edfe51817b462ba9bc2476252439f54f
SSDEEP

49152:WCoRWAr2yYRQSDa1qnj5n4VstosYqP8VwOzxUM2:PxQSqqnj5n4RsYq0yOzxUz

Score

10^/10

amadey gcleaner lumma stealc 9c9aa5 stok discovery evasion loader stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://drive-connect.cyou/api

https://ratiomun.cyou/api

Extracted

Family

stealc

Botnet

stok

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

lumma

https://immureprech.biz/api

https://deafeninggeh.biz/api

https://wrathful-jammy.cyou/api

https://drive-connect.cyou/api

https://awake-weaves.cyou/api

https://sordid-snaked.cyou/api

https://covery-mover.biz/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe

Executes dropped EXE 10 IoCs

pid	Process
2484	skotes.exe
1968	IGEaNGi.exe
2828	IGEaNGi.exe
2776	IGEaNGi.exe
2932	IGEaNGi.exe
1744	1d6f93fab7.exe
480	1d6f93fab7.exe
660	M5iFR20.exe
2112	TdDkUco.exe
2356	pcrndBC.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	skotes.exe

Loads dropped DLL 15 IoCs

pid	Process
2520	30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c.exe
2520	30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c.exe
2484	skotes.exe
2484	skotes.exe
1968	IGEaNGi.exe
1968	IGEaNGi.exe
1968	IGEaNGi.exe
2484	skotes.exe
2484	skotes.exe
1744	1d6f93fab7.exe
2484	skotes.exe
2484	skotes.exe
2484	skotes.exe
2484	skotes.exe
2484	skotes.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0006000000016f45-112.dat	autoit_exe
behavioral1/files/0x000b000000017355-523.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2520	30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c.exe
2484	skotes.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1968 set thread context of 2932	1968	IGEaNGi.exe	37
PID 1744 set thread context of 480	1744	1d6f93fab7.exe	40

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d6f93fab7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d6f93fab7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M5iFR20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TdDkUco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IGEaNGi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IGEaNGi.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
2540	timeout.exe
1440	timeout.exe
3700	timeout.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1212	taskkill.exe
2056	taskkill.exe
2168	taskkill.exe
1956	taskkill.exe
1564	taskkill.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	TdDkUco.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TdDkUco.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TdDkUco.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TdDkUco.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2520	30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c.exe
2484	skotes.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2520	30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c.exe
660	M5iFR20.exe
660	M5iFR20.exe
660	M5iFR20.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
660	M5iFR20.exe
660	M5iFR20.exe
660	M5iFR20.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2484	2520	30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c.exe	30
PID 2520 wrote to memory of 2484	2520	30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c.exe	30
PID 2520 wrote to memory of 2484	2520	30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c.exe	30
PID 2520 wrote to memory of 2484	2520	30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c.exe	30
PID 2484 wrote to memory of 1968	2484	skotes.exe	33
PID 2484 wrote to memory of 1968	2484	skotes.exe	33
PID 2484 wrote to memory of 1968	2484	skotes.exe	33
PID 2484 wrote to memory of 1968	2484	skotes.exe	33
PID 1968 wrote to memory of 2828	1968	IGEaNGi.exe	35
PID 1968 wrote to memory of 2828	1968	IGEaNGi.exe	35
PID 1968 wrote to memory of 2828	1968	IGEaNGi.exe	35
PID 1968 wrote to memory of 2828	1968	IGEaNGi.exe	35
PID 1968 wrote to memory of 2776	1968	IGEaNGi.exe	36
PID 1968 wrote to memory of 2776	1968	IGEaNGi.exe	36
PID 1968 wrote to memory of 2776	1968	IGEaNGi.exe	36
PID 1968 wrote to memory of 2776	1968	IGEaNGi.exe	36
PID 1968 wrote to memory of 2932	1968	IGEaNGi.exe	37
PID 1968 wrote to memory of 2932	1968	IGEaNGi.exe	37
PID 1968 wrote to memory of 2932	1968	IGEaNGi.exe	37
PID 1968 wrote to memory of 2932	1968	IGEaNGi.exe	37
PID 1968 wrote to memory of 2932	1968	IGEaNGi.exe	37
PID 1968 wrote to memory of 2932	1968	IGEaNGi.exe	37
PID 1968 wrote to memory of 2932	1968	IGEaNGi.exe	37
PID 1968 wrote to memory of 2932	1968	IGEaNGi.exe	37
PID 1968 wrote to memory of 2932	1968	IGEaNGi.exe	37
PID 1968 wrote to memory of 2932	1968	IGEaNGi.exe	37
PID 1968 wrote to memory of 2932	1968	IGEaNGi.exe	37
PID 2484 wrote to memory of 1744	2484	skotes.exe	38
PID 2484 wrote to memory of 1744	2484	skotes.exe	38
PID 2484 wrote to memory of 1744	2484	skotes.exe	38
PID 2484 wrote to memory of 1744	2484	skotes.exe	38
PID 1744 wrote to memory of 480	1744	1d6f93fab7.exe	40
PID 1744 wrote to memory of 480	1744	1d6f93fab7.exe	40
PID 1744 wrote to memory of 480	1744	1d6f93fab7.exe	40
PID 1744 wrote to memory of 480	1744	1d6f93fab7.exe	40
PID 1744 wrote to memory of 480	1744	1d6f93fab7.exe	40
PID 1744 wrote to memory of 480	1744	1d6f93fab7.exe	40
PID 1744 wrote to memory of 480	1744	1d6f93fab7.exe	40
PID 1744 wrote to memory of 480	1744	1d6f93fab7.exe	40
PID 1744 wrote to memory of 480	1744	1d6f93fab7.exe	40
PID 1744 wrote to memory of 480	1744	1d6f93fab7.exe	40
PID 1744 wrote to memory of 480	1744	1d6f93fab7.exe	40
PID 2484 wrote to memory of 660	2484	skotes.exe	41
PID 2484 wrote to memory of 660	2484	skotes.exe	41
PID 2484 wrote to memory of 660	2484	skotes.exe	41
PID 2484 wrote to memory of 660	2484	skotes.exe	41
PID 2484 wrote to memory of 2112	2484	skotes.exe	42
PID 2484 wrote to memory of 2112	2484	skotes.exe	42
PID 2484 wrote to memory of 2112	2484	skotes.exe	42
PID 2484 wrote to memory of 2112	2484	skotes.exe	42
PID 2484 wrote to memory of 2356	2484	skotes.exe	44
PID 2484 wrote to memory of 2356	2484	skotes.exe	44
PID 2484 wrote to memory of 2356	2484	skotes.exe	44
PID 2484 wrote to memory of 2356	2484	skotes.exe	44

C:\Users\Admin\AppData\Local\Temp\30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c.exe
"C:\Users\Admin\AppData\Local\Temp\30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\1014031001\IGEaNGi.exe
    "C:\Users\Admin\AppData\Local\Temp\1014031001\IGEaNGi.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\1014031001\IGEaNGi.exe
      "C:\Users\Admin\AppData\Local\Temp\1014031001\IGEaNGi.exe"
      4⤵
      Executes dropped EXE
      PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\1014031001\IGEaNGi.exe
      "C:\Users\Admin\AppData\Local\Temp\1014031001\IGEaNGi.exe"
      4⤵
      Executes dropped EXE
      PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\1014031001\IGEaNGi.exe
      "C:\Users\Admin\AppData\Local\Temp\1014031001\IGEaNGi.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2932
- - C:\Users\Admin\AppData\Local\Temp\1014060001\1d6f93fab7.exe
    "C:\Users\Admin\AppData\Local\Temp\1014060001\1d6f93fab7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\1014060001\1d6f93fab7.exe
      "C:\Users\Admin\AppData\Local\Temp\1014060001\1d6f93fab7.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:480
- - C:\Users\Admin\AppData\Local\Temp\1014081001\M5iFR20.exe
    "C:\Users\Admin\AppData\Local\Temp\1014081001\M5iFR20.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:660
- - C:\Users\Admin\AppData\Local\Temp\1014321001\TdDkUco.exe
    "C:\Users\Admin\AppData\Local\Temp\1014321001\TdDkUco.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:2112
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014321001\TdDkUco.exe" & rd /s /q "C:\ProgramData\LN79ZCTRI58Y" & exit
      4⤵
      PID:3036
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:2540
- - C:\Users\Admin\AppData\Local\Temp\1014323001\pcrndBC.exe
    "C:\Users\Admin\AppData\Local\Temp\1014323001\pcrndBC.exe"
    3⤵
    - Executes dropped EXE
    PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014323001\pcrndBC.exe" & rd /s /q "C:\ProgramData\XT2DBS0R1N7Y" & exit
      4⤵
      PID:2944
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:1440
- - C:\Users\Admin\AppData\Local\Temp\1014349001\a185b3c8da.exe
    "C:\Users\Admin\AppData\Local\Temp\1014349001\a185b3c8da.exe"
    3⤵
    PID:1632
- - C:\Users\Admin\AppData\Local\Temp\1014350001\2e1710ea06.exe
    "C:\Users\Admin\AppData\Local\Temp\1014350001\2e1710ea06.exe"
    3⤵
    PID:2660
- - C:\Users\Admin\AppData\Local\Temp\1014351001\d6a89a8e54.exe
    "C:\Users\Admin\AppData\Local\Temp\1014351001\d6a89a8e54.exe"
    3⤵
    PID:1028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:1956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:1564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:1212
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:2056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:2168
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:2884
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:2380
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.0.1820383774\2061009323" -parentBuildID 20221007134813 -prefsHandle 1240 -prefMapHandle 1232 -prefsLen 20769 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b5c933a-28ef-4816-88fb-37b54df043ef} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 1304 81db458 gpu
        6⤵
        
        PID:2912
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.1.1624084769\1391026318" -parentBuildID 20221007134813 -prefsHandle 1508 -prefMapHandle 1504 -prefsLen 21630 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6d51894-74c6-40ed-bf5c-b624064d01ea} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 1520 e74b58 socket
        6⤵
        
        PID:2812
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.2.66375091\578023958" -childID 1 -isForBrowser -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 21733 -prefMapSize 233414 -jsInitHandle 912 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a204af6b-a907-4003-9fea-584e6229d002} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 1708 19cc9a58 tab
        6⤵
        
        PID:2540
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.3.1089059597\893221873" -childID 2 -isForBrowser -prefsHandle 2928 -prefMapHandle 2924 -prefsLen 26138 -prefMapSize 233414 -jsInitHandle 912 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f720b13-2f96-474e-898b-c47c54e1d013} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 2940 1cbe9758 tab
        6⤵
        
        PID:1828
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.4.1062534357\1158465041" -childID 3 -isForBrowser -prefsHandle 3732 -prefMapHandle 3728 -prefsLen 26197 -prefMapSize 233414 -jsInitHandle 912 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a278ae8-2045-4625-bcb9-3ae18f0d4f42} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 3744 1eec5058 tab
        6⤵
        
        PID:1860
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.5.1025234180\2067435339" -childID 4 -isForBrowser -prefsHandle 3852 -prefMapHandle 3856 -prefsLen 26197 -prefMapSize 233414 -jsInitHandle 912 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12a848ca-65a6-4a2e-8ff5-bee7d2e92548} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 3756 1f57d858 tab
        6⤵
        
        PID:2884
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.6.692294672\1818264211" -childID 5 -isForBrowser -prefsHandle 4024 -prefMapHandle 4028 -prefsLen 26197 -prefMapSize 233414 -jsInitHandle 912 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fef52ecc-e8ab-462a-ae4d-8d45e56d179b} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 4012 1f580858 tab
        6⤵
        
        PID:1560
- - C:\Users\Admin\AppData\Local\Temp\1014352001\de40754c62.exe
    "C:\Users\Admin\AppData\Local\Temp\1014352001\de40754c62.exe"
    3⤵
    PID:3592
- - C:\Users\Admin\AppData\Local\Temp\1014353001\cf9a169d8e.exe
    "C:\Users\Admin\AppData\Local\Temp\1014353001\cf9a169d8e.exe"
    3⤵
    PID:3108
- - C:\Users\Admin\AppData\Local\Temp\1014354001\2a5bda7c01.exe
    "C:\Users\Admin\AppData\Local\Temp\1014354001\2a5bda7c01.exe"
    3⤵
    PID:688
- - C:\Users\Admin\AppData\Local\Temp\1014355001\35488ebf99.exe
    "C:\Users\Admin\AppData\Local\Temp\1014355001\35488ebf99.exe"
    3⤵
    PID:3564
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014355001\35488ebf99.exe" & rd /s /q "C:\ProgramData\89R1NGVKNGVA" & exit
      4⤵
      PID:3656
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:3700
- - C:\Users\Admin\AppData\Local\Temp\1014356001\457ee93788.exe
    "C:\Users\Admin\AppData\Local\Temp\1014356001\457ee93788.exe"
    3⤵
    PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35cbef1a16cbc90fa3ceb5ab0d8ae354

SHA1
dc5b57fddd580c2a0d59ca23fe4013606fff5198

SHA256
58fd3607699d8106aaf813c36b108dd7cc47dfa0242225cd67e1eb58fde7efd2

SHA512
66e16d54d3ea934426be468e6da1547d0aa74ba39ed2fb85d6d079d307f9b35eaaff7d4684dd74e5b7d1665204e4c4078a62c2ef749c42aa30d9e91d3506d4b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fb8b8dc0f9ddeca8feec0e904dda590

SHA1
f08086f01d17ef9a42e1a7f02932ab0bf5d1228a

SHA256
d66cecd1e9e893d5aa51f6f39faef54aee3101b1a8a1e2c266ddb9b44d09fbbe

SHA512
1526e58fb72b59285afb5a9495b20d8d3b79ead843c131606fa6d7c8998811bce9d531e956b458a311d5c2605304c067b675d16f80d4a7707a48b6e8459f9330

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5cb6a93e653e48c5c964a142e0023724

SHA1
c61147307371ee69562d17e78a30cc062b49953f

SHA256
ce7003eae1efe621ff8b7182c61caa281f6f4e01d2fcc0551acb2642664e6ead

SHA512
b97d10a7d45c9f94e355ab05d3324777dd7c5620849aa537cf9f63e30f69c748fb53bb7c27672fbce13b5e54d4497f3442024f79333817d3e8c9f0d23a03ff59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\76561199807592927[1].htm

Filesize
34KB

MD5
fdce19d17171c6504be9e3e85e01fc4c

SHA1
80b11925b3304f581d2771892d6a0b8dc3a66c50

SHA256
9acb3f819ef9147c2389f74632b18cb861e710728b79d6bf364c829d3a59e3fb

SHA512
acd93f4376590f20e45ce6ff98bdd346580c0996266e9115d4b5efeb4bb7e03cf8a73bc441870654d34e73ead6edf5ab0b888214f431ce6da5b20f0d8ceaf7f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\download[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\76561199807592927[1].htm

Filesize
34KB

MD5
bb807f2b027200ada21329c0b1757e56

SHA1
dfae9c90fc2b6b93809636ba6404855e9d64d5bc

SHA256
76d24fe997eb93b1932b15dd1b8deba68d52ee6f4eb39d2059b4d7254f48db68

SHA512
94f3e36cbefafabf3d608962bda300860165a21e93d173888dd458609f39ef0f2a8834efaa8d92a724d30fecb26f6d1368e5b43525c20d3f07d68e3cf10f52f8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
815578c9403e277c8ed80d58e49974d0

SHA1
ab7607503e20c40ede96fd60ddb26d930eeaaab9

SHA256
d9badb4be52d9fc66ce73b20774187d75d9bb11c75eded9242c11fd050f138e3

SHA512
f13b29469e1e20dfecf292d2bfc45c5ee2e6e0ef17b3b7c7d94d2bd506b0a13c427de901e836d96ff262dfdbea7212c9473c7824f87d24cf4bd96f24db59784c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\1014031001\IGEaNGi.exe

Filesize
419KB

MD5
ec5e3bc0d1d207a45d0f7e27e8f111c7

SHA1
2de3cb791c7e3aa0826c59b2f85fdb4335d9b84f

SHA256
4d0126ee20144c065da90de50807354877e8015c020a99a1d3f7cf3e051b5817

SHA512
cb660188329b067b69dc0e7d291b9fe545688c79ce9b0f117a63d0596e6a27f8cd7a1b199abc6f07284077213ac2a42ce0ad18376824fabbdd4437a5e10b5a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\1014060001\1d6f93fab7.exe

Filesize
710KB

MD5
28e568616a7b792cac1726deb77d9039

SHA1
39890a418fb391b823ed5084533e2e24dff021e1

SHA256
9597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2

SHA512
85048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1014081001\M5iFR20.exe

Filesize
898KB

MD5
5950611ed70f90b758610609e2aee8e6

SHA1
798588341c108850c79da309be33495faf2f3246

SHA256
5270c4c6881b7d3ebaea8f51c410bba8689acb67c34f20440527a5f15f3bc1e4

SHA512
7e51c458a9a2440c778361eb19f0c13ea4de75b2cf54a5828f6230419fbf52c4702be4f0784e7984367d67fabf038018e264e030e4a4c7dac7ba93e5c1395b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\1014321001\TdDkUco.exe

Filesize
384KB

MD5
dfd5f78a711fa92337010ecc028470b4

SHA1
1a389091178f2be8ce486cd860de16263f8e902e

SHA256
da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d

SHA512
a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656

Download Submit
C:\Users\Admin\AppData\Local\Temp\1014349001\a185b3c8da.exe

Filesize
1.8MB

MD5
9d09272ac982d62d77946b1f957b6112

SHA1
f431d0c1aeed11eaa7a51d97a1a00e0c1f0530c2

SHA256
33b1f3d3f016753911b3e9efeb89ad133c855cd6e4850c0b43b1842ee90ad7fc

SHA512
33c1299c43775a31f27dd2b9747734efc8825b74f8237b489d334126917d0202a3477b4677ea674237a65ba475faac4a24b3a5e6b568d3e1eca9367b34767f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1014350001\2e1710ea06.exe

Filesize
1.9MB

MD5
6b388916c9f72353cbd4799ed242d4f4

SHA1
64b382ca1909b0ae89f26d49652f19fceaf33a48

SHA256
83cc25a9b6c72190cd8886758cc9afa6625be19579a7532faa97f3feb5e6a7fd

SHA512
90e42d22d3c2f87daa6703312dab91c00f6026f17325434f75520852d96d31969c4ebca0f94947626c372b18b57cc7e8af11d637cda68c2526d3971d44f7e85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1014351001\d6a89a8e54.exe

Filesize
946KB

MD5
2f31d29ec74040cc7ce4b9cc341cce0b

SHA1
3a122771d15a91371c31b06f705d7e0a07774935

SHA256
17b8d14a92e07b825cf03f14b0fb4718f706872fc1a31172a525706e2f69c4d2

SHA512
a88970d65f00755926ac77846fbe51b26a0aac781e1b51c0c2ce4f40805581bdd6278f2a6570a2237aff4e353278aa45b8ebb133efe00db378b7b820c2eec3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1014352001\de40754c62.exe

Filesize
1.7MB

MD5
807a67da4cfbc1cf70de9fecfea9fb09

SHA1
e2c37f774fe4daf510961d6ed7239d8b03d83036

SHA256
c85b9fda965fb5d13142b0ef3369e46abbc5f4bfb948fd2179d6d160123c0689

SHA512
65c46a8585e0b87c53d242a18dab0ed9d83c1378347ac0209bf5522b93c34051ae1aa7e0b63829980f1cb156d54bab3060c39152d27ff694a79876aabcd78561

Download Submit
C:\Users\Admin\AppData\Local\Temp\1014353001\cf9a169d8e.exe

Filesize
2.7MB

MD5
d6160b483577667b6a0056f5f3325103

SHA1
811c2a568c756389939ad598e379d48a5be37789

SHA256
cf9ded7b486e8bcddc5ac55f90b4b7e2eb2af62f86c4790476a7033087ba9a3b

SHA512
43d9b20a2461c13afbf35b021786adca1bed0b7e3024987853242dfbbf5d73b3e24f85847dd873b27cac7a4be7aa168f47f7fad0d59087f2f0f710583d85236b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1014356001\457ee93788.exe

Filesize
2.5MB

MD5
2a78ce9f3872f5e591d643459cabe476

SHA1
9ac947dfc71a868bc9c2eb2bd78dfb433067682e

SHA256
21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae

SHA512
03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF144.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF166.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
e4bf3f3004aaf2bb565d135a4c15182a

SHA1
8c50ff5ba3d7290218f5addaacafe7fbf4b3a674

SHA256
9ed4451ff09f15c1688a03e2b7c4b294f3d64febaf6d92ace6902fa49424ce15

SHA512
2d18e7d4915bcd9702e8f2d52f91093c8c473437dbb42ba92eecdf5b997083a4c45809fb67e25569658ee52ef0e01c834ae9c373162eb82e176c81c52674469d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\167dff71-0e69-4515-af42-4e838681449e

Filesize
745B

MD5
9ef7fde8fed773e651e0a364f62d6fc6

SHA1
14568a5da6c06e3759292347848829575f8a3fcb

SHA256
82ab80e4de556f2f90f09903653d6bdba24fe50a01eb97e993178b29b7801c6b

SHA512
fdbd2e1d629ee2a3cbf69c613247ee18e19dfb43bc394da87e296b19955b6ee5f12d37c5bd3336069b9fc09b91a0a6d537cdfa6755cb6699b5b18cee421adebb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\d1791d71-2f4c-487e-84ca-fbd23c0aa5a0

Filesize
13KB

MD5
1bdfa1a08bb8c6147f273c6311f32177

SHA1
18770f894883e6659d709669e14ac1a2fab4dcc4

SHA256
8647a659f374d612932af75d1fd5121407c8211e063368d6b266590804e902bf

SHA512
d803e9b46e61d1cf8542b36b1a63b9e121b35af67c4b6cf78e13c791c76af4325c32b1eccb39a2f56c4c0f8daf798402eb25edfdc112e604bebc7028e6e74501

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

Filesize
6KB

MD5
b16cc2275fb4171e483bd2a805f25dd1

SHA1
1fb9beb8cf559d6548d90d9efb74a4a284c27ff5

SHA256
965fffa5206c1149558e8cdf411c6b51dfdae57c8c40a11d32da8b850c9d633d

SHA512
f2f28dd81dea71e7c6e8ee1ff2c7d5710a48d1d4e1804d7b3cdd7811a9baf8859acfa3c3f6123e471540fe885eb64b1274759e201a84febbd5dcf09a013beebc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

Filesize
7KB

MD5
75f8dcb509f65a0580f47a89d00d9fb6

SHA1
0e921fc4e3d4927527f6ad6d9abc13f6b6994ca7

SHA256
a7d5343eea7c245881e9992f70332f50d3dcaae2f6b785144b6100246224a7a9

SHA512
0884797ff4aeefb6ae94546f08fbccfde075c3b17b48176501d7b76f23904c6d45afceece04c8a91c5f5d0b16493951d5097b7250991180f60ea311d1ea78718

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

Filesize
6KB

MD5
d9b8a29a20df9232327fcd974c20c483

SHA1
ded6f1ad10eb76e038e9baa2dce7ad70423d0f76

SHA256
4ee2de316ae9f3ccaf8e4602a713e6480aeacabbaee0f3c38264805afbf4cfe9

SHA512
537df7e389683fa676f9153d67fdb0a0a3fd7227b14d4e665e7f1ea1e77620372801c84936191ea3e4ecba4442655953f5f7e333f11a8c35b20f9140b4d70d0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
c9d60a353aa101615bfb22531d45a70a

SHA1
44ab74755d2dc5785c9e2a455bd5a276ecf4bb01

SHA256
db9fb0c9c291ffd68f30f44dc22b4b814bb62dbba037d119c968abe1a0dbb5e2

SHA512
b5791762a483cb006b7775214244e3cf03eda537f74bc0d48b9fdae2a79bcb3dd92c786e1d7491aaf72341013d82900ac03f34cf64114e33d78fff45c983dab0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
3dc733f51b6c47c0e57ae7035b9abacf

SHA1
d4c28a6f9d4bae9e297440a46726a2cb3e2504ba

SHA256
aafa700fb884f14becaf86a0eb9df79dfa15885b2ebe11cabe5f48a3a5d9e0e1

SHA512
e02670f6fa626a21ad150e0e0e589ba9f1f7a1fb921dc28f4117dc0a30a337b9c9b165dd0a30da864fe4dbdf130372e846648792a0bcf5aad4e8d28118101067

Download Submit
\Users\Admin\AppData\Local\Temp\DR6S9ww248C3drK4fwFFD\Y-Cleaner.exe

Filesize
1.4MB

MD5
a8cf5621811f7fac55cfe8cb3fa6b9f6

SHA1
121356839e8138a03141f5f5856936a85bd2a474

SHA256
614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c

SHA512
4479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd

Download Submit
\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
3.1MB

MD5
52844852230f99e02891a15b601571f2

SHA1
53bfe041262404913af4764d56fe3afb6bea2616

SHA256
30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c

SHA512
d170f9d5b161712e60032a0534f7f71f4d3667d8466b6530f23f529ec48c98d98aa74661d65e6ef33a1f7469dcf776f6edfe51817b462ba9bc2476252439f54f

Download Submit
memory/480-87-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/480-96-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/480-89-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/480-98-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/480-91-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/480-93-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/480-100-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/480-97-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1632-697-0x0000000000170000-0x000000000060A000-memory.dmp

Filesize
4.6MB

Download
memory/1632-536-0x0000000000170000-0x000000000060A000-memory.dmp

Filesize
4.6MB

Download
memory/1632-517-0x0000000000170000-0x000000000060A000-memory.dmp

Filesize
4.6MB

Download
memory/1632-383-0x0000000000170000-0x000000000060A000-memory.dmp

Filesize
4.6MB

Download
memory/2112-326-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/2356-502-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/2356-457-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/2484-513-0x0000000006870000-0x00000000070FD000-memory.dmp

Filesize
8.6MB

Download
memory/2484-691-0x0000000006870000-0x00000000070FD000-memory.dmp

Filesize
8.6MB

Download
memory/2484-511-0x0000000006870000-0x00000000070FD000-memory.dmp

Filesize
8.6MB

Download
memory/2484-512-0x0000000006870000-0x0000000006D0A000-memory.dmp

Filesize
4.6MB

Download
memory/2484-1143-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-1142-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-380-0x0000000006870000-0x0000000006D0A000-memory.dmp

Filesize
4.6MB

Download
memory/2484-516-0x0000000006870000-0x0000000006D0A000-memory.dmp

Filesize
4.6MB

Download
memory/2484-329-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-527-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-149-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-1141-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-66-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-1140-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-65-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-1129-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-1122-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-650-0x0000000006870000-0x00000000070FD000-memory.dmp

Filesize
8.6MB

Download
memory/2484-1121-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-806-0x0000000006870000-0x0000000006F0B000-memory.dmp

Filesize
6.6MB

Download
memory/2484-21-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-381-0x0000000006870000-0x0000000006D0A000-memory.dmp

Filesize
4.6MB

Download
memory/2484-1053-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-22-0x0000000001221000-0x0000000001289000-memory.dmp

Filesize
416KB

Download
memory/2484-23-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-718-0x0000000006870000-0x0000000006F0B000-memory.dmp

Filesize
6.6MB

Download
memory/2484-24-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-720-0x0000000006870000-0x0000000006F0B000-memory.dmp

Filesize
6.6MB

Download
memory/2484-26-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-44-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-734-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-45-0x0000000001221000-0x0000000001289000-memory.dmp

Filesize
416KB

Download
memory/2484-802-0x0000000006870000-0x0000000006F0B000-memory.dmp

Filesize
6.6MB

Download
memory/2484-801-0x0000000006200000-0x00000000064BE000-memory.dmp

Filesize
2.7MB

Download
memory/2484-799-0x0000000006200000-0x00000000064BE000-memory.dmp

Filesize
2.7MB

Download
memory/2484-49-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2484-834-0x0000000001220000-0x0000000001542000-memory.dmp

Filesize
3.1MB

Download
memory/2520-19-0x0000000000FA1000-0x0000000001009000-memory.dmp

Filesize
416KB

Download
memory/2520-3-0x0000000000FA0000-0x00000000012C2000-memory.dmp

Filesize
3.1MB

Download
memory/2520-20-0x0000000006A30000-0x0000000006D52000-memory.dmp

Filesize
3.1MB

Download
memory/2520-0-0x0000000000FA0000-0x00000000012C2000-memory.dmp

Filesize
3.1MB

Download
memory/2520-17-0x0000000000FA0000-0x00000000012C2000-memory.dmp

Filesize
3.1MB

Download
memory/2520-1-0x00000000777B0000-0x00000000777B2000-memory.dmp

Filesize
8KB

Download
memory/2520-2-0x0000000000FA1000-0x0000000001009000-memory.dmp

Filesize
416KB

Download
memory/2520-5-0x0000000000FA0000-0x00000000012C2000-memory.dmp

Filesize
3.1MB

Download
memory/2660-538-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2660-1019-0x0000000000400000-0x0000000000C8D000-memory.dmp

Filesize
8.6MB

Download
memory/2660-830-0x0000000000400000-0x0000000000C8D000-memory.dmp

Filesize
8.6MB

Download
memory/2660-694-0x0000000000400000-0x0000000000C8D000-memory.dmp

Filesize
8.6MB

Download
memory/2660-514-0x0000000000400000-0x0000000000C8D000-memory.dmp

Filesize
8.6MB

Download
memory/2660-690-0x0000000000400000-0x0000000000C8D000-memory.dmp

Filesize
8.6MB

Download
memory/2660-1048-0x0000000000400000-0x0000000000C8D000-memory.dmp

Filesize
8.6MB

Download
memory/2932-55-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2932-54-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2932-57-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2932-63-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2932-64-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2932-58-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2932-52-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2932-53-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2932-60-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2932-56-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3108-916-0x0000000001160000-0x000000000141E000-memory.dmp

Filesize
2.7MB

Download
memory/3108-803-0x0000000001160000-0x000000000141E000-memory.dmp

Filesize
2.7MB

Download
memory/3108-804-0x0000000001160000-0x000000000141E000-memory.dmp

Filesize
2.7MB

Download
memory/3200-1123-0x00000000000F0000-0x0000000000147000-memory.dmp

Filesize
348KB

Download
memory/3564-1036-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/3592-722-0x0000000000B30000-0x00000000011CB000-memory.dmp

Filesize
6.6MB

Download
memory/3592-719-0x0000000000B30000-0x00000000011CB000-memory.dmp

Filesize
6.6MB

Download