amadey | 4fb84272045fc39952401061f10a2ba439d2f2a7c6e30f2448b757caf731df19

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.9MB
MD5

f45da90410f7d099ab3bd1589a039a79
SHA1

a7effa8c1fc9b88eea3498ed50011d7a14a7e617
SHA256

4fb84272045fc39952401061f10a2ba439d2f2a7c6e30f2448b757caf731df19
SHA512

577ae3d2c9f46c57ba71a9437fdf47deac865605b31f0a0a2a2caef90a4346bfa12c0894fe9c3a8dc7a602516bde33d58d483a8c5547452397f15a824c07a864
SSDEEP

49152:LcjBVZDZYhTklsZHUwGemMSwvMGKuFk2PGHqv:aBVZD+NklXwG5Mf73eTHqv

Score

10^/10

amadey lumma stealc 9c9aa5 stok discovery evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://shineugler.biz/api

https://tacitglibbr.biz/api

Extracted

Family

stealc

Botnet

stok

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	skotes.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk	upqy7OCVA6wLIpLA.exe

Executes dropped EXE 7 IoCs

pid	Process
4044	skotes.exe
2980	skotes.exe
3440	ShtrayEasy35.exe
4028	upqy7OCVA6wLIpLA.exe
4272	IQ7ux2z.exe
4984	sUSFJjY.exe
2900	aeb50e1a85.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	skotes.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChrome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Hs6OKdxY\\upqy7OCVA6wLIpLA.exe"	upqy7OCVA6wLIpLA.exe

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4944	powercfg.exe
5820	powercfg.exe
2880	powercfg.exe
4456	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000023c3f-11670.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4224	file.exe
4044	skotes.exe
2980	skotes.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5928	3556	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ShtrayEasy35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upqy7OCVA6wLIpLA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IQ7ux2z.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5584	timeout.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
5028	taskkill.exe
1872	taskkill.exe
2704	taskkill.exe
3716	taskkill.exe
1688	taskkill.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4224	file.exe
4224	file.exe
4044	skotes.exe
4044	skotes.exe
3440	ShtrayEasy35.exe
3440	ShtrayEasy35.exe
4028	upqy7OCVA6wLIpLA.exe
4028	upqy7OCVA6wLIpLA.exe
2980	skotes.exe
2980	skotes.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4272	IQ7ux2z.exe
Token: SeDebugPrivilege	4984	sUSFJjY.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4224	file.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 4044	4224	file.exe	82
PID 4224 wrote to memory of 4044	4224	file.exe	82
PID 4224 wrote to memory of 4044	4224	file.exe	82
PID 4044 wrote to memory of 3440	4044	skotes.exe	84
PID 4044 wrote to memory of 3440	4044	skotes.exe	84
PID 4044 wrote to memory of 3440	4044	skotes.exe	84
PID 3440 wrote to memory of 4028	3440	ShtrayEasy35.exe	85
PID 3440 wrote to memory of 4028	3440	ShtrayEasy35.exe	85
PID 3440 wrote to memory of 4028	3440	ShtrayEasy35.exe	85
PID 4044 wrote to memory of 4272	4044	skotes.exe	86
PID 4044 wrote to memory of 4272	4044	skotes.exe	86
PID 4044 wrote to memory of 4272	4044	skotes.exe	86
PID 4044 wrote to memory of 4984	4044	skotes.exe	87
PID 4044 wrote to memory of 4984	4044	skotes.exe	87
PID 4044 wrote to memory of 2900	4044	skotes.exe	88
PID 4044 wrote to memory of 2900	4044	skotes.exe	88
PID 4044 wrote to memory of 2900	4044	skotes.exe	88

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe
    "C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Users\Admin\AppData\Local\Temp\Hs6OKdxY\upqy7OCVA6wLIpLA.exe
      C:\Users\Admin\AppData\Local\Temp\Hs6OKdxY\upqy7OCVA6wLIpLA.exe 3440
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4028
- - C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe
    "C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4272
  - - C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe
      "C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe"
      4⤵
      PID:1404
- - C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe
    "C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4984
- - C:\Users\Admin\AppData\Local\Temp\1015783001\aeb50e1a85.exe
    "C:\Users\Admin\AppData\Local\Temp\1015783001\aeb50e1a85.exe"
    3⤵
    - Executes dropped EXE
    PID:2900
- - C:\Users\Admin\AppData\Local\Temp\1015784001\89bc2f79f3.exe
    "C:\Users\Admin\AppData\Local\Temp\1015784001\89bc2f79f3.exe"
    3⤵
    PID:3556
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1015784001\89bc2f79f3.exe" & rd /s /q "C:\ProgramData\KXL68GLF3EKN" & exit
      4⤵
      PID:6100
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:5584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 1644
      4⤵
      Program crash
      PID:5928
- - C:\Users\Admin\AppData\Local\Temp\1015785001\2b62c136d4.exe
    "C:\Users\Admin\AppData\Local\Temp\1015785001\2b62c136d4.exe"
    3⤵
    PID:4408
- - C:\Users\Admin\AppData\Local\Temp\1015786001\4071d7d8e0.exe
    "C:\Users\Admin\AppData\Local\Temp\1015786001\4071d7d8e0.exe"
    3⤵
    PID:5524
  - - C:\Users\Admin\AppData\Local\Temp\SSBZ8IZ3JQ0QZOZERHFA7K2TKSMWBAU.exe
      "C:\Users\Admin\AppData\Local\Temp\SSBZ8IZ3JQ0QZOZERHFA7K2TKSMWBAU.exe"
      4⤵
      PID:5808
  - - C:\Users\Admin\AppData\Local\Temp\5MLYTFH54GTE9GWDWXU.exe
      "C:\Users\Admin\AppData\Local\Temp\5MLYTFH54GTE9GWDWXU.exe"
      4⤵
      PID:1104
- - C:\Users\Admin\AppData\Local\Temp\1015787001\b8d292706f.exe
    "C:\Users\Admin\AppData\Local\Temp\1015787001\b8d292706f.exe"
    3⤵
    PID:4568
- - C:\Users\Admin\AppData\Local\Temp\1015788001\ff44c4e79c.exe
    "C:\Users\Admin\AppData\Local\Temp\1015788001\ff44c4e79c.exe"
    3⤵
    PID:4472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:5028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:1872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:2704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:3716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:1688
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:5908
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:4972
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1924 -parentBuildID 20240401114208 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ea2e7f7-99be-4252-ba3c-e904241b05e9} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" gpu
        6⤵
        
        PID:3592
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b6c8f92-9a3c-4fd2-80f5-1af8606ae845} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" socket
        6⤵
        
        PID:5136
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3084 -childID 1 -isForBrowser -prefsHandle 3196 -prefMapHandle 3192 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcdb97b6-890b-4878-819b-e43c6540736c} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" tab
        6⤵
        
        PID:5828
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3872 -childID 2 -isForBrowser -prefsHandle 3676 -prefMapHandle 3408 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a55a7ea1-fc4d-4f6c-8395-7626669aa2b5} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" tab
        6⤵
        
        PID:2436
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4728 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4968 -prefMapHandle 4964 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f2d4a68-03be-484e-a3fe-0eeb45d12810} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" utility
        6⤵
        
        PID:5168
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 3 -isForBrowser -prefsHandle 5340 -prefMapHandle 1600 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {141c9459-08d3-4ea7-8bd8-a1e8f97ec215} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" tab
        6⤵
        
        PID:5268
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 4 -isForBrowser -prefsHandle 5492 -prefMapHandle 5496 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e85b828-7ea4-4aac-b3b5-71c3475188d5} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" tab
        6⤵
        
        PID:528
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5676 -childID 5 -isForBrowser -prefsHandle 5684 -prefMapHandle 5688 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a7d1ca8-f516-48ff-a015-063e06d58a72} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" tab
        6⤵
        
        PID:5952
- - C:\Users\Admin\AppData\Local\Temp\1015789001\0befe7dba1.exe
    "C:\Users\Admin\AppData\Local\Temp\1015789001\0befe7dba1.exe"
    3⤵
    PID:3436
- - C:\Users\Admin\AppData\Local\Temp\1015790001\4f9e31821b.exe
    "C:\Users\Admin\AppData\Local\Temp\1015790001\4f9e31821b.exe"
    3⤵
    PID:5764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      4⤵
      PID:6080
    - - C:\Windows\system32\mode.com
        
        mode 65,10
        5⤵
        
        PID:352
- - C:\Users\Admin\AppData\Local\Temp\1015791001\0d5c69dc2d.exe
    "C:\Users\Admin\AppData\Local\Temp\1015791001\0d5c69dc2d.exe"
    3⤵
    PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\1015791001\0d5c69dc2d.exe
      "C:\Users\Admin\AppData\Local\Temp\1015791001\0d5c69dc2d.exe"
      4⤵
      PID:4764
  - - C:\Users\Admin\AppData\Local\Temp\1015791001\0d5c69dc2d.exe
      "C:\Users\Admin\AppData\Local\Temp\1015791001\0d5c69dc2d.exe"
      4⤵
      PID:3148

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
1⤵
PID:708
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:4456
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:2880
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:5820
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4944
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:4860

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
PID:5644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3556 -ip 3556
1⤵
PID:5320

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
PID:5564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json

Filesize
20KB

MD5
a295ed7210652ac299c322ee640d5459

SHA1
2e4be347f80505b37c96a831429fe3a180f33388

SHA256
515771636fca08a2bac59e8527907bcf69e783adae014674e7300fb8fdc83ad0

SHA512
b5a63fdaa4d805ae1c9dcf8817c64de18c2d2e3970c0aff49923ed5c9395f68aa9e62765b2e8cbbae02445e89f8dc756bb98c6330fa1db438af7037596654bdc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe

Filesize
256KB

MD5
c37a981bc24c4aba6454da4eecb7acbe

SHA1
2bffdf27d0d4f7c810e323c1671a87ed2d6b644f

SHA256
d6fc121d54e4cdf3a1b6b0505c4f691f16d91fdd421bf96c04388b1c6f19e361

SHA512
2f44b5218b323bc2bad3ee37426b5bbcbb089b1a561e5f2f48fd455fed0a395b50a6cbb3783bf06e25b144b3f77078629ab1d86fb2c8df1a532230c81a3b2ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe

Filesize
2.8MB

MD5
0dad190f420a0a09ed8c262ca18b1097

SHA1
b97535bf2960278b19bda8cad9e885b8eefbdc85

SHA256
29e1e95110c03e84720e213a2bb0dcdff95af85a8a894d71518e06c62131e64a

SHA512
8ae92676fc5539899414f0a70cba1ed01685b30af9002c68114720d6a7213e4e9c2368e17717c4e3e02650781a022001e4a2e43f83afbd709e7f1ab81003b646

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe

Filesize
87KB

MD5
65ca33d1c759d3d8eb1d015d26479271

SHA1
2b0992769c879e7e22f9e3a18f3d1fb15e0870aa

SHA256
69bdb80ed6cbffe24e06d5bccea27aa1f6fbca4540e2bc191c85f7a2e91400ea

SHA512
d18f975b4e1d387f88ef1e490ac6456ff19c8138bcde522ccf3302fe6d2199ccfc99ab894ad968af8c76ca412caf9d2b069f6444960c26a057cddb44449be2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015783001\aeb50e1a85.exe

Filesize
4.2MB

MD5
6a94a20c20e2a75fa16041e1175793e7

SHA1
40d8df3d0bdfef2eaccb7b14d62f78c9eff5c989

SHA256
102d2c6aa1e5b2a0d91df5f7dcdf0c8a0393595578ecb714669ef85e1319104d

SHA512
24250549fc70ffcbccb64eb5a1634005084bdfdccaeff892b6460ef10837d622bcbc817983c922516324b868c935f7d6277b8d919f2abeaf41b4156f948997c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015784001\89bc2f79f3.exe

Filesize
384KB

MD5
dfd5f78a711fa92337010ecc028470b4

SHA1
1a389091178f2be8ce486cd860de16263f8e902e

SHA256
da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d

SHA512
a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015785001\2b62c136d4.exe

Filesize
1.7MB

MD5
6c1d0dabe1ec5e928f27b3223f25c26b

SHA1
e25ab704a6e9b3e4c30a6c1f7043598a13856ad9

SHA256
92228a0012605351cf08df9a2ad4b93fa552d7a75991f81fb80f1ae854a0e57d

SHA512
3a3f7af4f6018fcbd8c6f2871270504731cf269134453c9a146351c3e4a5c89165ecccafb3655d8b39c1ff1ec68f06e1851c0abd66d47602e1f0f8e36d4acfe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015786001\4071d7d8e0.exe

Filesize
1.8MB

MD5
1d13d83ba0b9e54307060da3ad2c16bf

SHA1
45fe957170c36b1704c25ff65d59dd8bbe6894cd

SHA256
cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0

SHA512
803e1b9587fc7aab36c96d52fe901fa6dbe0523aa46da23afb0bd50f7ebcbe5bfd9793ac61cbdd4d228159786d240d5161ff80a5e445eaa00fc77cdf455eb526

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015787001\b8d292706f.exe

Filesize
1.7MB

MD5
228bc900c337f34da99576e917296e62

SHA1
0f6393c99373b170166bf3e563d3380914d8afe3

SHA256
9b4a6a847a0e8ea430a26136519ab7bf301f6b6c3a162d8443300d5e6f50cb86

SHA512
7c5a8bd94c9cca5267aafd0284573843e77d8cb9294131396a6b434af8d8e489ca33374d718fc45edb7e412c0f8d6832f8a936374a4f6612f2e9395377cd4382

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015788001\ff44c4e79c.exe

Filesize
950KB

MD5
a0b7a28c8ae27509d5fdfe9e6582705c

SHA1
3bcf1aa52032034e3a4968fd2633cabd3b2c2e08

SHA256
696495731d4eb0f28bc4678f8ea8c20a9c1caf16a460405fea538893a792fd05

SHA512
f197738e61660e4497bd1cc3f3c1b70ebfc403948208cb570b292d3fba78d0ca27487b4784f6680bf219678e861d5b489bc2858f5d99f349c65b6e568dc3c63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015789001\0befe7dba1.exe

Filesize
2.6MB

MD5
1e79d4fce2c654ed8d56747616ec0746

SHA1
73d8717f19ac08c494ef7a533dbdec599c9a644d

SHA256
29425b85ecbb9a2009dfe1f482d1a29d65d991eec1f69f7386c782bbc54980d0

SHA512
bc44178b2ae8f8d185f800bd05247080bbd9b7f4c7da587f0c9d2e205358d47e57cb5b4fc03b08f17115bf89fa33cbff5d137f8b82230d4d694f16016cec4ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015790001\4f9e31821b.exe

Filesize
4.2MB

MD5
3a425626cbd40345f5b8dddd6b2b9efa

SHA1
7b50e108e293e54c15dce816552356f424eea97a

SHA256
ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1

SHA512
a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015791001\0d5c69dc2d.exe

Filesize
710KB

MD5
28e568616a7b792cac1726deb77d9039

SHA1
39890a418fb391b823ed5084533e2e24dff021e1

SHA256
9597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2

SHA512
85048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.9MB

MD5
f45da90410f7d099ab3bd1589a039a79

SHA1
a7effa8c1fc9b88eea3498ed50011d7a14a7e617

SHA256
4fb84272045fc39952401061f10a2ba439d2f2a7c6e30f2448b757caf731df19

SHA512
577ae3d2c9f46c57ba71a9437fdf47deac865605b31f0a0a2a2caef90a4346bfa12c0894fe9c3a8dc7a602516bde33d58d483a8c5547452397f15a824c07a864

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
440B

MD5
3626532127e3066df98e34c3d56a1869

SHA1
5fa7102f02615afde4efd4ed091744e842c63f78

SHA256
2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca

SHA512
dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk

Filesize
1KB

MD5
1e010dbb71e82f3e0b226ec766141256

SHA1
2ee73fff9739ef8a1c55514ef6b854d1af581860

SHA256
858578da9cf84f58a36119c6b834ccc8d51c6530752297c30bc4e7a5be0cf6e4

SHA512
39319272a0368e42013a019f205cc350a2d4f2d958f13555b49cd2139804865e69ec4d08fd8a3dbd51090189dbb117577a5cae75c226d7ab73a7cd875006480f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
7KB

MD5
e225f07178b5628a8c34ad950265ecb0

SHA1
37794357a3f92b3cde77116fbf50d2b16cd1f6b3

SHA256
181c5c8fadc41f3bb2488c85be1de204588c12e57647c1e0b658de8b8178d52c

SHA512
8b45a56933c384e8171ab70d3ccbd5a682fd92fd0122e7b610eec7d7f76f7c425826b4417ca7e44e654c36ba8da5cd84bdf77fcfbd7026ee84eac5f6ad015f36

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
8KB

MD5
081864e150ff3cb0dbcc364452928aef

SHA1
186c2b28112a41ea45f046170cc249c12642c80a

SHA256
764cdf9b1db4ed558958b0d7eef4b6cba70765ce2c1a9a978fbe123f448b4c8b

SHA512
8dd4286681426e370f879679faec2fd5731ec721fb2e6fa13c7269adeeebd8e65d7c4251b2e7fb70cb507cde28d0236ae90b314eb6c9ce94ba3b07e7f51ee66f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
b78657b201438c85069bae20d63b8b9d

SHA1
fa11b43923e2870835faf054ebe6034dc235a8f8

SHA256
efc2d8beadd2d81e0e22b3c98dd03fae2dc4fb37d90b0d1efb9d90ad5a108a15

SHA512
c20b862eeee8741fded545d65c516e3b1af8d75ea9e5d55759b66634c046e9eb33147ab3e80cceb085d22b651918d2a34df7a7dde9d24f1b914a731b2224d7de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
81c7bde57ea3de31a1cbfead1ec90502

SHA1
cb2d94b1f49fcfdf67b4672aea91044bb02990b0

SHA256
b4cdc60375e1d418c5e23917b64df1501d80ddf07ceb837508c515eedf3aa6a3

SHA512
8cd867860cdd46cee3e902c7cf7dbe9d89b78e7ff31a57bf75ba29dbf90d9a93259ff4411abf7d1cb91e48f9fc4bee55ef9f8aae348d1145c989df60d26cc675

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
32fab533729e74a8227d1c70a9b3aaa2

SHA1
027cdf14118ac0127d140d09dd8769477f133b41

SHA256
a8c6894d78fde89d675c6fb21e9b3eb2af31f0cccc7c856be01fb46a13e7338c

SHA512
ce9c3812e16ef510bf26ff4a44c7941e26d542aee1f3a9158a45a0ce635d3b18b35c2afea96b5cf2faf3e18ba6023f7ce5c9ce1907f43edc9240780356264bd0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\2d402689-8b30-4032-bf31-4e7f93ab14ab

Filesize
28KB

MD5
ade1711030b0d79bf24a19756ff63945

SHA1
af040fea77c01e26825238aee37b557dc934e8c6

SHA256
de759f7ede3023feff5f77df83129c86fc8bcab189949f4513c7cf8fa3e600d3

SHA512
c06bc6889c4f987071f0d3739e0cd6c8a413fd3b26d18a85e806831d99b41440c8c6994d3445319e5f99836b8fb6e63e2925048dcf7c207d8a901b1be297c17c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\bbcb88ea-ba5f-48f6-abb3-3c94f0c34ffe

Filesize
982B

MD5
f29bc569521bf6d6df11501c1e1d8d9b

SHA1
69f3307f44a0569d8e37b4abee2b681870eb18a4

SHA256
d6e5b0ccaa645eabf0f01f7c11325126ba744fed658e9b983222011caf012af3

SHA512
1d1c1653ea3b487acc495eeaa7f17a88065459827b7506f24b45c94f2b4743b8151d7d90df04c59508d8445c944e0e11d2b1d85970adccaac0c41b134fa8f64a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\e3b7bf70-74e7-40c4-ade3-90b953d3b84d

Filesize
671B

MD5
acb0221622ecfdfb87bb3aec10bc7dcd

SHA1
86f355245c82459c663c1a0c44c841e40a7be4af

SHA256
7d7d8884eb3c397486bedd6b3c4acc1873b93a31114ff70c1b12fd0a8d097789

SHA512
021bf4c2a0749a4bf5aed1f56f50feb6f0ec25f0a0c28d6909d3c1900b4190644d1357f4a93e334f88ebb5aa226f79b8c484ac619ec13d3b16bd0b12c915b360

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js

Filesize
10KB

MD5
77d4dd91317df2aa93dd3a10f8c32504

SHA1
4fdcf6a70aaee5d28565b7864556b028bee4ce9a

SHA256
50eecb05746ed350a4d565f943eb82709fc7ebe2eb2a084e1c37116ddc00bd80

SHA512
e7e5f6689888f171f52477ccbad2d995d8aa104fd8751f124ad7abc8014c2d592b5d544f1c2674850b311f1839ac49d1ea6665fa01b37051e94945f84f7448b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs.js

Filesize
10KB

MD5
e19be5391ef9dce57f3aca1e2558c8df

SHA1
d02089b3615eed00f89ed4981fce97ee424aad48

SHA256
571a549abf17c06f67eefd936bbeae1c2774d3fb3b681bce48b1f0f53d64b088

SHA512
d9e1e56201ddc1cd5e3144eae0304d96807836184f32f316d402c34766027e097bfe84e9e7cf69df927e3a9243750a1972f49b6010eb45cc9f0946441a739628

Download Submit
memory/1104-27737-0x00000000006F0000-0x0000000000D73000-memory.dmp

Filesize
6.5MB

Download
memory/1104-30480-0x00000000006F0000-0x0000000000D73000-memory.dmp

Filesize
6.5MB

Download
memory/1104-30482-0x00000000006F0000-0x0000000000D73000-memory.dmp

Filesize
6.5MB

Download
memory/2900-7671-0x0000000000930000-0x0000000001568000-memory.dmp

Filesize
12.2MB

Download
memory/2900-6634-0x0000000000930000-0x0000000001568000-memory.dmp

Filesize
12.2MB

Download
memory/2900-3394-0x0000000000930000-0x0000000001568000-memory.dmp

Filesize
12.2MB

Download
memory/2980-54-0x0000000000E90000-0x00000000011B3000-memory.dmp

Filesize
3.1MB

Download
memory/2980-25-0x0000000000E90000-0x00000000011B3000-memory.dmp

Filesize
3.1MB

Download
memory/3436-15025-0x0000000000880000-0x0000000000B2C000-memory.dmp

Filesize
2.7MB

Download
memory/3436-17527-0x0000000000880000-0x0000000000B2C000-memory.dmp

Filesize
2.7MB

Download
memory/3436-15022-0x0000000000880000-0x0000000000B2C000-memory.dmp

Filesize
2.7MB

Download
memory/3436-18905-0x0000000000880000-0x0000000000B2C000-memory.dmp

Filesize
2.7MB

Download
memory/3436-14051-0x0000000000880000-0x0000000000B2C000-memory.dmp

Filesize
2.7MB

Download
memory/4044-155-0x0000000000E90000-0x00000000011B3000-memory.dmp

Filesize
3.1MB

Download
memory/4044-16-0x0000000000E90000-0x00000000011B3000-memory.dmp

Filesize
3.1MB

Download
memory/4044-55-0x0000000000E90000-0x00000000011B3000-memory.dmp

Filesize
3.1MB

Download
memory/4044-22-0x0000000000E90000-0x00000000011B3000-memory.dmp

Filesize
3.1MB

Download
memory/4044-57-0x0000000000E90000-0x00000000011B3000-memory.dmp

Filesize
3.1MB

Download
memory/4044-56-0x0000000000E90000-0x00000000011B3000-memory.dmp

Filesize
3.1MB

Download
memory/4044-21-0x0000000000E90000-0x00000000011B3000-memory.dmp

Filesize
3.1MB

Download
memory/4044-185-0x0000000000E90000-0x00000000011B3000-memory.dmp

Filesize
3.1MB

Download
memory/4044-20-0x0000000000E90000-0x00000000011B3000-memory.dmp

Filesize
3.1MB

Download
memory/4044-19-0x0000000000E91000-0x0000000000EBF000-memory.dmp

Filesize
184KB

Download
memory/4224-0-0x0000000000720000-0x0000000000A43000-memory.dmp

Filesize
3.1MB

Download
memory/4224-18-0x0000000000720000-0x0000000000A43000-memory.dmp

Filesize
3.1MB

Download
memory/4224-4-0x0000000000720000-0x0000000000A43000-memory.dmp

Filesize
3.1MB

Download
memory/4224-3-0x0000000000720000-0x0000000000A43000-memory.dmp

Filesize
3.1MB

Download
memory/4224-2-0x0000000000721000-0x000000000074F000-memory.dmp

Filesize
184KB

Download
memory/4224-1-0x00000000778E4000-0x00000000778E6000-memory.dmp

Filesize
8KB

Download
memory/4272-135-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-123-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-78-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-83-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-76-0x0000000000010000-0x00000000002EC000-memory.dmp

Filesize
2.9MB

Download
memory/4272-85-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-77-0x0000000004CD0000-0x0000000004E8E000-memory.dmp

Filesize
1.7MB

Download
memory/4272-87-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-95-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-107-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-81-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-89-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-97-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-93-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-119-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-137-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-139-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-91-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-133-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-131-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-99-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-129-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-127-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-101-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-125-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-79-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-103-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-105-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-110-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-112-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-121-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-117-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-115-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4272-113-0x0000000004CD0000-0x0000000004E88000-memory.dmp

Filesize
1.7MB

Download
memory/4408-25078-0x0000000000FA0000-0x000000000142B000-memory.dmp

Filesize
4.5MB

Download
memory/4408-6311-0x0000000000FA0000-0x000000000142B000-memory.dmp

Filesize
4.5MB

Download
memory/4408-9677-0x0000000000FA0000-0x000000000142B000-memory.dmp

Filesize
4.5MB

Download
memory/4568-10463-0x0000000000530000-0x0000000000BB3000-memory.dmp

Filesize
6.5MB

Download
memory/4568-13351-0x0000000000530000-0x0000000000BB3000-memory.dmp

Filesize
6.5MB

Download
memory/4984-11043-0x000001E1AF590000-0x000001E1AF5E4000-memory.dmp

Filesize
336KB

Download
memory/4984-10137-0x000001E1AEEB0000-0x000001E1AF38E000-memory.dmp

Filesize
4.9MB

Download
memory/4984-4172-0x000001E1AE940000-0x000001E1AEEAE000-memory.dmp

Filesize
5.4MB

Download
memory/4984-10138-0x000001E195FC0000-0x000001E19600C000-memory.dmp

Filesize
304KB

Download
memory/4984-482-0x000001E194610000-0x000001E194616000-memory.dmp

Filesize
24KB

Download
memory/4984-441-0x000001E194230000-0x000001E194248000-memory.dmp

Filesize
96KB

Download
memory/5524-12343-0x0000000000B70000-0x000000000100B000-memory.dmp

Filesize
4.6MB

Download
memory/5524-27736-0x0000000000B70000-0x000000000100B000-memory.dmp

Filesize
4.6MB

Download
memory/5524-8914-0x0000000000B70000-0x000000000100B000-memory.dmp

Filesize
4.6MB

Download
memory/5564-28830-0x0000000000E90000-0x00000000011B3000-memory.dmp

Filesize
3.1MB

Download
memory/5564-28146-0x0000000000E90000-0x00000000011B3000-memory.dmp

Filesize
3.1MB

Download
memory/5644-14308-0x0000000000E90000-0x00000000011B3000-memory.dmp

Filesize
3.1MB

Download
memory/5644-13353-0x0000000000E90000-0x00000000011B3000-memory.dmp

Filesize
3.1MB

Download
memory/5808-28703-0x0000000000100000-0x00000000003AC000-memory.dmp

Filesize
2.7MB

Download
memory/5808-27133-0x0000000000100000-0x00000000003AC000-memory.dmp

Filesize
2.7MB

Download
memory/5808-30237-0x0000000000100000-0x00000000003AC000-memory.dmp

Filesize
2.7MB

Download
memory/5808-27193-0x0000000000100000-0x00000000003AC000-memory.dmp

Filesize
2.7MB

Download
memory/5808-26440-0x0000000000100000-0x00000000003AC000-memory.dmp

Filesize
2.7MB

Download