amadey | 0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc

Analysis

max time kernel
40s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc.exe
Size

2.9MB
MD5

46c3863c4f153d69dbf4d5bfbbc90a73
SHA1

4fa6468cd70687385c225f1500ae570102a4e370
SHA256

0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc
SHA512

2d09b274468cf1b6c289c94721b94699c81584763d378769473b14395da8492e853eaa971d94ffeb2988ca582ec347ed3c9fea9c74188a230a344c44eca88f36
SSDEEP

49152:hqfRikf1mVQKq9GM/4qQlc6eBhwMPsy1YtXA:hq5ikf1mVPq9J/ga6eBhwMP8

Score

10^/10

amadey cryptbot lumma stealc 9c9aa5 stok discovery evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

cryptbot

Extracted

Family

lumma

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://tacitglibbr.biz/api

https://shineugler.biz/api

Extracted

Family

stealc

Botnet

stok

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	98064b0e41.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	98064b0e41.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6257b4efb0.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	98064b0e41.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	98064b0e41.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	skotes.exe

Executes dropped EXE 5 IoCs

pid	Process
448	skotes.exe
544	IQ7ux2z.exe
4124	sUSFJjY.exe
3196	98064b0e41.exe
5380	6257b4efb0.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine	0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine	98064b0e41.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine	6257b4efb0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3068	powercfg.exe
2940	powercfg.exe
6088	powercfg.exe
224	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023cea-11140.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4824	0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc.exe
448	skotes.exe
3196	98064b0e41.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5284	5752	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98064b0e41.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6257b4efb0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IQ7ux2z.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1436	timeout.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
4020	taskkill.exe
2208	taskkill.exe
4800	taskkill.exe
6116	taskkill.exe
5704	taskkill.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4824	0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc.exe
4824	0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc.exe
448	skotes.exe
448	skotes.exe
3196	98064b0e41.exe
3196	98064b0e41.exe
3196	98064b0e41.exe
3196	98064b0e41.exe
3196	98064b0e41.exe
3196	98064b0e41.exe
3196	98064b0e41.exe
3196	98064b0e41.exe
3196	98064b0e41.exe
3196	98064b0e41.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	544	IQ7ux2z.exe
Token: SeDebugPrivilege	4124	sUSFJjY.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4824	0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 448	4824	0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc.exe	82
PID 4824 wrote to memory of 448	4824	0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc.exe	82
PID 4824 wrote to memory of 448	4824	0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc.exe	82
PID 448 wrote to memory of 544	448	skotes.exe	87
PID 448 wrote to memory of 544	448	skotes.exe	87
PID 448 wrote to memory of 544	448	skotes.exe	87
PID 448 wrote to memory of 4124	448	skotes.exe	90
PID 448 wrote to memory of 4124	448	skotes.exe	90
PID 448 wrote to memory of 3196	448	skotes.exe	92
PID 448 wrote to memory of 3196	448	skotes.exe	92
PID 448 wrote to memory of 3196	448	skotes.exe	92
PID 448 wrote to memory of 5380	448	skotes.exe	94
PID 448 wrote to memory of 5380	448	skotes.exe	94
PID 448 wrote to memory of 5380	448	skotes.exe	94

C:\Users\Admin\AppData\Local\Temp\0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc.exe
"C:\Users\Admin\AppData\Local\Temp\0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe
    "C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:544
  - - C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe
      "C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe"
      4⤵
      PID:5520
- - C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe
    "C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADEANQA3ADgAMQAwADAAMQBcAHMAVQBTAEYASgBqAFkALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADEANQA3ADgAMQAwADAAMQBcAHMAVQBTAEYASgBqAFkALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEkAcwBTAHQAbwBwAHAAZQBkAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEkAcwBTAHQAbwBwAHAAZQBkAC4AZQB4AGUA
      4⤵
      PID:4384
- - C:\Users\Admin\AppData\Local\Temp\1015867001\98064b0e41.exe
    "C:\Users\Admin\AppData\Local\Temp\1015867001\98064b0e41.exe"
    3⤵
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3196
- - C:\Users\Admin\AppData\Local\Temp\1015868001\6257b4efb0.exe
    "C:\Users\Admin\AppData\Local\Temp\1015868001\6257b4efb0.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - System Location Discovery: System Language Discovery
    PID:5380
- - C:\Users\Admin\AppData\Local\Temp\1015869001\481b6c16dd.exe
    "C:\Users\Admin\AppData\Local\Temp\1015869001\481b6c16dd.exe"
    3⤵
    PID:5752
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1015869001\481b6c16dd.exe" & rd /s /q "C:\ProgramData\XTRIWBAS0ZUA" & exit
      4⤵
      PID:2852
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:1436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5752 -s 1892
      4⤵
      Program crash
      PID:5284
- - C:\Users\Admin\AppData\Local\Temp\1015870001\8c571a0daf.exe
    "C:\Users\Admin\AppData\Local\Temp\1015870001\8c571a0daf.exe"
    3⤵
    PID:5132
  - - C:\Users\Admin\AppData\Local\Temp\RSWFAI97HANHDVTGGISEB0OUMZQCD.exe
      "C:\Users\Admin\AppData\Local\Temp\RSWFAI97HANHDVTGGISEB0OUMZQCD.exe"
      4⤵
      PID:6060
  - - C:\Users\Admin\AppData\Local\Temp\PZQS6TBDRZA3WZNEKNS.exe
      "C:\Users\Admin\AppData\Local\Temp\PZQS6TBDRZA3WZNEKNS.exe"
      4⤵
      PID:5096
- - C:\Users\Admin\AppData\Local\Temp\1015871001\f2b00199bb.exe
    "C:\Users\Admin\AppData\Local\Temp\1015871001\f2b00199bb.exe"
    3⤵
    PID:6072
- - C:\Users\Admin\AppData\Local\Temp\1015872001\f616a49a11.exe
    "C:\Users\Admin\AppData\Local\Temp\1015872001\f616a49a11.exe"
    3⤵
    PID:5092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:4800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:6116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:5704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:4020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:2208
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:4320
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:5160
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {164ecc9f-cb05-45bd-9bf1-431144b5a90b} 5160 "\\.\pipe\gecko-crash-server-pipe.5160" gpu
        6⤵
        
        PID:3068
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31293075-ed38-4a82-9cbf-313827e3b0c6} 5160 "\\.\pipe\gecko-crash-server-pipe.5160" socket
        6⤵
        
        PID:548
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3280 -childID 1 -isForBrowser -prefsHandle 3328 -prefMapHandle 3152 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fa517f5-39a6-4af8-a43c-2dcc7a36f2e9} 5160 "\\.\pipe\gecko-crash-server-pipe.5160" tab
        6⤵
        
        PID:1356
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3784 -childID 2 -isForBrowser -prefsHandle 3776 -prefMapHandle 3772 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be13fb77-791b-4725-bbe8-17145e7e6838} 5160 "\\.\pipe\gecko-crash-server-pipe.5160" tab
        6⤵
        
        PID:1340
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4300 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4308 -prefMapHandle 4428 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d577b407-e845-4d98-8506-5c525ed61fb8} 5160 "\\.\pipe\gecko-crash-server-pipe.5160" utility
        6⤵
        
        PID:6048
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5008 -childID 3 -isForBrowser -prefsHandle 5000 -prefMapHandle 4956 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8f184f9-f11d-43c8-8929-f6d4c0fa60d1} 5160 "\\.\pipe\gecko-crash-server-pipe.5160" tab
        6⤵
        
        PID:2284
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5260 -childID 4 -isForBrowser -prefsHandle 5272 -prefMapHandle 5268 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa31ea25-1224-485a-8195-9f04a637988b} 5160 "\\.\pipe\gecko-crash-server-pipe.5160" tab
        6⤵
        
        PID:3180
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5164 -childID 5 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71baa308-f22e-4dc4-819d-dffbc3b0c561} 5160 "\\.\pipe\gecko-crash-server-pipe.5160" tab
        6⤵
        
        PID:1728
- - C:\Users\Admin\AppData\Local\Temp\1015873001\202bd256a9.exe
    "C:\Users\Admin\AppData\Local\Temp\1015873001\202bd256a9.exe"
    3⤵
    PID:5428
- - C:\Users\Admin\AppData\Local\Temp\1015874001\3abc3f191b.exe
    "C:\Users\Admin\AppData\Local\Temp\1015874001\3abc3f191b.exe"
    3⤵
    PID:5400
- - C:\Users\Admin\AppData\Local\Temp\1015875001\d605c55e84.exe
    "C:\Users\Admin\AppData\Local\Temp\1015875001\d605c55e84.exe"
    3⤵
    PID:2904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      4⤵
      PID:3352
    - - C:\Windows\system32\mode.com
        
        mode 65,10
        5⤵
        
        PID:5200
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p24291711423417250691697322505 -oextracted
        5⤵
        
        PID:5776
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        5⤵
        
        PID:2212
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        5⤵
        
        PID:4372
- - C:\Users\Admin\AppData\Local\Temp\1015876001\5df5a0220a.exe
    "C:\Users\Admin\AppData\Local\Temp\1015876001\5df5a0220a.exe"
    3⤵
    PID:5316
  - - C:\Users\Admin\AppData\Local\Temp\1015876001\5df5a0220a.exe
      "C:\Users\Admin\AppData\Local\Temp\1015876001\5df5a0220a.exe"
      4⤵
      PID:860
  - - C:\Users\Admin\AppData\Local\Temp\1015876001\5df5a0220a.exe
      "C:\Users\Admin\AppData\Local\Temp\1015876001\5df5a0220a.exe"
      4⤵
      PID:1384

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
PID:5084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
1⤵
PID:5672
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2940
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:3068
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:224
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:6088
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5752 -ip 5752
1⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
PID:5312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Power Settings

T1653

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IQ7ux2z.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\activity-stream.discovery_stream.json

Filesize
28KB

MD5
9c4bf4e3ff3fc94920f49be2b9b5cdd7

SHA1
05c07ef2d589814b8367120c5d9d264e4e803d57

SHA256
5762fbd335354abed71e1a36e11c0fca84b819be8a2b83ad67fbcb58b75956ed

SHA512
548eb4af82e1616e3483504ddc392a665aa8cbca5f9d9502771f4338c9ef5d6e5e052c2dd4e51a2c3a771ce2cf8f3a12f88a744e594b34498fa11c6f7b9ddc77

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe

Filesize
2.8MB

MD5
0dad190f420a0a09ed8c262ca18b1097

SHA1
b97535bf2960278b19bda8cad9e885b8eefbdc85

SHA256
29e1e95110c03e84720e213a2bb0dcdff95af85a8a894d71518e06c62131e64a

SHA512
8ae92676fc5539899414f0a70cba1ed01685b30af9002c68114720d6a7213e4e9c2368e17717c4e3e02650781a022001e4a2e43f83afbd709e7f1ab81003b646

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe

Filesize
87KB

MD5
3c104350cc2661c345673e91ed672c4c

SHA1
d205e94d47949cf3bc3f5226978f6d370c3d3b94

SHA256
1fb9f279263c252a09f12b69c7238c18d2325f7cf7250ebe24ad9149abe62cf4

SHA512
9c02bde2d096e181f00e906f4e242905d0e54dd207f309764805c7444c9f43073106812ade97fca9fc2363f59ed071371276880ce85e9a307fcdb03d3250cf6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015867001\98064b0e41.exe

Filesize
4.2MB

MD5
3617bfad36063c68a129b7e2bd89ceef

SHA1
6621e1f1403b9fa874124c374021034a3c86421e

SHA256
e5637e64459e1868bf6318ea3b48b76ecf3f5669992ba882a7ddab2567af8b24

SHA512
fdf2d08361b48faccf5ee0e2f04104f07f4677a0299a80d49cf50aabd952a6bb23332f51b12102d87c01ee3291bf1bc3833035e42d613e4c35e657dc06044c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015868001\6257b4efb0.exe

Filesize
4.3MB

MD5
c5f945671aec219fd0af66f72065a536

SHA1
7956212b4272158ebf29243e79067cc73066fee6

SHA256
7fdc637cd02ad95b233c17569424fe28b53228f5d7dc853dc1449527ad2fd05d

SHA512
1cf363e35bbdaa90af47ff79e59a3175559b81d6ec63b296534793b1b406b883dd0b89412b0115be4a42041d27c15e97e494b284e092397d1878b8dfb544144a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015869001\481b6c16dd.exe

Filesize
384KB

MD5
dfd5f78a711fa92337010ecc028470b4

SHA1
1a389091178f2be8ce486cd860de16263f8e902e

SHA256
da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d

SHA512
a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015870001\8c571a0daf.exe

Filesize
1.8MB

MD5
f9694cb15c258cf8125cf0c317c77479

SHA1
ad7ab004164e247a32fb8eb4187103a1eaf73657

SHA256
37aafa95a96bdc9144593c820466f3f063cd0e9fb3c6d2bcfab4c1bf0b61e51b

SHA512
41504ae13f21e126508b91cdacc3d993790b7ce6001a0d58353860ad4eccb76858f553f4dd49d1960fae09a777160493932c0bb9acebd3bad3aae6e0dc2e2351

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015871001\f2b00199bb.exe

Filesize
1.7MB

MD5
f660a7ff99befe7ae52d2636a0e8db46

SHA1
41b7e90dbf2ce54bd4e3048d0dc1b7e9d59d81ee

SHA256
526d8ce745c14bac28de547ee616d66bec13517e558da772982b41cb9d6dda62

SHA512
4f13dc0b5c8003b3dc7a5f3faa02c4e103da106722d53494a74e419756d1ce8c35b308641e7690bb932002b0d16411caedb60e63138d33cbfe78520ca8bd0240

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015872001\f616a49a11.exe

Filesize
946KB

MD5
6bf59db9dafe72201466700ea8cb334d

SHA1
e3649b55eb5141245e634374aa4a6385dba214e6

SHA256
acdc360a0c9680c407d43df48f143af92d99d5c034a152e78b5da5220dbeb249

SHA512
f44354e412d85b7025c486d2582976f684a57216267c37dbc2fea2b6ba5e9808a098f663258569a5a998d849e97b15a15d617f834e9b768e01391daf0ff261bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015873001\202bd256a9.exe

Filesize
2.6MB

MD5
e5cfad81f5397d7eeed2e7251b7e6e7a

SHA1
84184161e1b542773e5c74909ce37bb1f8f2238e

SHA256
46cb31f14f15b4f13d203fe4138401adccf3163cf405fe907e7ee86bbd1c2387

SHA512
fad966d925810d75be01d20b2b2bbf45755a30d385754878764fec0f1d45100490ba8c4ea279429f91c627cfa8f6b0e2abc70abdb8b645dddf1abd4cf021656a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015874001\3abc3f191b.exe

Filesize
1.7MB

MD5
6c1d0dabe1ec5e928f27b3223f25c26b

SHA1
e25ab704a6e9b3e4c30a6c1f7043598a13856ad9

SHA256
92228a0012605351cf08df9a2ad4b93fa552d7a75991f81fb80f1ae854a0e57d

SHA512
3a3f7af4f6018fcbd8c6f2871270504731cf269134453c9a146351c3e4a5c89165ecccafb3655d8b39c1ff1ec68f06e1851c0abd66d47602e1f0f8e36d4acfe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015875001\d605c55e84.exe

Filesize
4.2MB

MD5
3a425626cbd40345f5b8dddd6b2b9efa

SHA1
7b50e108e293e54c15dce816552356f424eea97a

SHA256
ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1

SHA512
a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015876001\5df5a0220a.exe

Filesize
710KB

MD5
28e568616a7b792cac1726deb77d9039

SHA1
39890a418fb391b823ed5084533e2e24dff021e1

SHA256
9597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2

SHA512
85048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dp5qinuf.p5y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.9MB

MD5
46c3863c4f153d69dbf4d5bfbbc90a73

SHA1
4fa6468cd70687385c225f1500ae570102a4e370

SHA256
0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc

SHA512
2d09b274468cf1b6c289c94721b94699c81584763d378769473b14395da8492e853eaa971d94ffeb2988ca582ec347ed3c9fea9c74188a230a344c44eca88f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
1.7MB

MD5
0dc4014facf82aa027904c1be1d403c1

SHA1
5e6d6c020bfc2e6f24f3d237946b0103fe9b1831

SHA256
a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7

SHA512
cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

Filesize
3.3MB

MD5
cea368fc334a9aec1ecff4b15612e5b0

SHA1
493d23f72731bb570d904014ffdacbba2334ce26

SHA256
07e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541

SHA512
bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
3.3MB

MD5
045b0a3d5be6f10ddf19ae6d92dfdd70

SHA1
0387715b6681d7097d372cd0005b664f76c933c7

SHA256
94b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d

SHA512
58255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
440B

MD5
3626532127e3066df98e34c3d56a1869

SHA1
5fa7102f02615afde4efd4ed091744e842c63f78

SHA256
2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca

SHA512
dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin

Filesize
7KB

MD5
d4057307703b62430fd7300c7f49347b

SHA1
6e6e7753d87190b4aa388f3235a33f4416476abd

SHA256
34aae3ba26f7934d11896289ab1d4c0ea886b41a3001da983a1ee45cf410910e

SHA512
59d3759315d2522a04f6c793d823c7377e573edefd218761b97bdc40698db98383dc01331200b11e0f5aeff17adcef70de73bcf9c3327d4db9d82f70a2fe4ed1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin

Filesize
7KB

MD5
b2d07b335a9ada1ef8ffe37c7ba1a8cf

SHA1
30b5cb715f1251e64178a94563234098f9c131df

SHA256
82d226181fd20d403aa14e5da831c961a9c521ba2ae6cb0dd35ace71c7d0d4cd

SHA512
f2d7229803e774f67fe063b940a3e7703cbd2a6dd88ab4f5bfd76b0004d5044b5ab5a41dcda6f88f31f80843203e2bfac9e83ff0819ad16f647759e5d0f2a956

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\cert9.db

Filesize
224KB

MD5
108dd51c3dcda4b761e03de7f9c8e7f3

SHA1
c03952c3158a0f5e36a087e7d7b27d9edbf7f608

SHA256
7a4c803352e831ab6aa59d6c722ea058dbac8fa207eac4289b40a336352f85e7

SHA512
fd5793608d72d3ed4cfdfa956da9dd7aae42e3c7679349c48faa3baec72610a9279169334ba5b4a5eb62822d8898114c86111f4b8145bb76c7d42fdb483cb8ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
20KB

MD5
2b95c7d296037d612611c7f3cacd7464

SHA1
162bffdf922abc465e4f2e88d59631a23ae9554a

SHA256
27cb233dd5da8911ec8c48234053bfb1095131dba4d96c2d814cabbb1695088b

SHA512
ed503dfb633c47544a87f11c8f3687119ce2bb7228df7e8c340c34e3f88fe02d4443d58396700e3d586f6d901ec0c6c12a62caaed86296bdb9c283cc57ddb863

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
3cbf804eed4a555c8b9175394b6e08fb

SHA1
6d65e79d147131767529c49b930350143c10e2d8

SHA256
304be425bac682280558225e1facd5a5ddef3ba82e55d1d3be0ba7c0fa6a568c

SHA512
8446b4f3e60224d6d6dc8bea256c126ea5e6139948be05adf5bb6eadcf0e7a77be1b50cc5af766b9cd76324fb88153ad5900171571e0dca68225afed0a89946c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\210ff32c-70de-4356-af00-993e7a7a2b78

Filesize
659B

MD5
f6fe20bad740c89da394e42c210951ad

SHA1
5dded8b3af48f1326102f49328e14f619934d6dc

SHA256
ef21b2eb39c581a8f42cb43cda97024dfa3b18259cf1fecc88a51c187302928f

SHA512
cf0c9586001880bb413878239a57bf3460ec59b004e8d0f1b540a8f4f1abb506a9e94445447be5ab8f453c595b4679eb7675570e66b9206891872e191201379f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\e75460e3-e0f7-466e-8927-ca9b2f58714f

Filesize
982B

MD5
ffffcdb68c166f80eaff9c9e0b332d87

SHA1
0fcc868c00a4f2790b77aa7f0e352373728b573b

SHA256
ba1d59522c81c34e3e6340fd7700715df32e98bae220a89400f02b664618b7ce

SHA512
20e1715ded04d7c91a528aba33f35147ce3f44c1a75b331518b5787539f377620721d5cf94d4bcf341a928c1eb9eb33144d30eb2e5b5685fcc6f8b09966778c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs-1.js

Filesize
10KB

MD5
8c5cc3571600e8c962fc2534bfc4c7f6

SHA1
c29db3da7301cf5ea0602f4924f861578f841dee

SHA256
0effaf3f7519195cd78e59938c8d643f73bce1821073654863500109618d5b43

SHA512
546a828cd6db03b6bc857b974a2ea7affb72f1b43b915995d0381077d95358f07dfbd72f47dca4081a3090241c915b3b8c39ea8e180e03a10299c82c72e98826

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs.js

Filesize
11KB

MD5
42c948ba44375a13c7fc9c4d01a2a1a9

SHA1
0b3adf6c1b7762b1d6e3250152143b14d88d81bc

SHA256
5b718872efc32e7e034de605d331f7c6dd90fd280353925bd8b0cec1c757cd8e

SHA512
2522d4e2109f6ca152c7fa3e1df47246dd0e7205196a3d7dbff35ebe04b8ad04987ae5030b6cedb9397c7e83d0147be1e16d15bd3220a3b1647c625f31117351

Download Submit
memory/448-20-0x0000000000C70000-0x0000000000F8A000-memory.dmp

Filesize
3.1MB

Download
memory/448-67-0x0000000000C70000-0x0000000000F8A000-memory.dmp

Filesize
3.1MB

Download
memory/448-88-0x0000000000C70000-0x0000000000F8A000-memory.dmp

Filesize
3.1MB

Download
memory/448-19-0x0000000000C70000-0x0000000000F8A000-memory.dmp

Filesize
3.1MB

Download
memory/448-16-0x0000000000C70000-0x0000000000F8A000-memory.dmp

Filesize
3.1MB

Download
memory/448-21-0x0000000000C70000-0x0000000000F8A000-memory.dmp

Filesize
3.1MB

Download
memory/448-30-0x0000000000C70000-0x0000000000F8A000-memory.dmp

Filesize
3.1MB

Download
memory/448-43-0x0000000000C70000-0x0000000000F8A000-memory.dmp

Filesize
3.1MB

Download
memory/544-91-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-110-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-66-0x0000000073160000-0x0000000073910000-memory.dmp

Filesize
7.7MB

Download
memory/544-74-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-64-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-62-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-60-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-56-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-54-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-52-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-50-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-48-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-46-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-45-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-30836-0x0000000073160000-0x0000000073910000-memory.dmp

Filesize
7.7MB

Download
memory/544-41-0x000000007316E000-0x000000007316F000-memory.dmp

Filesize
4KB

Download
memory/544-70-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-2862-0x0000000073160000-0x0000000073910000-memory.dmp

Filesize
7.7MB

Download
memory/544-2861-0x000000007316E000-0x000000007316F000-memory.dmp

Filesize
4KB

Download
memory/544-42-0x0000000000120000-0x00000000003FC000-memory.dmp

Filesize
2.9MB

Download
memory/544-44-0x0000000004FE0000-0x000000000519E000-memory.dmp

Filesize
1.7MB

Download
memory/544-72-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-58-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-76-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-86-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-95-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-103-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-78-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-68-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-108-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-105-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-106-0x0000000073160000-0x0000000073910000-memory.dmp

Filesize
7.7MB

Download
memory/544-101-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-80-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-99-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-82-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-97-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-93-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-89-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/544-84-0x0000000004FE0000-0x0000000005198000-memory.dmp

Filesize
1.7MB

Download
memory/3196-8340-0x0000000000C20000-0x0000000001805000-memory.dmp

Filesize
11.9MB

Download
memory/3196-3469-0x0000000000C20000-0x0000000001805000-memory.dmp

Filesize
11.9MB

Download
memory/3196-6814-0x0000000000C20000-0x0000000001805000-memory.dmp

Filesize
11.9MB

Download
memory/4124-255-0x0000025C0E560000-0x0000025C0E566000-memory.dmp

Filesize
24KB

Download
memory/4124-8617-0x0000025C27650000-0x0000025C27B2E000-memory.dmp

Filesize
4.9MB

Download
memory/4124-3124-0x0000025C27070000-0x0000025C275DE000-memory.dmp

Filesize
5.4MB

Download
memory/4124-8618-0x0000025C0E710000-0x0000025C0E75C000-memory.dmp

Filesize
304KB

Download
memory/4124-237-0x0000025C0C9E0000-0x0000025C0C9F8000-memory.dmp

Filesize
96KB

Download
memory/4124-11551-0x0000025C28FB0000-0x0000025C29004000-memory.dmp

Filesize
336KB

Download
memory/4384-12841-0x000001CFDE8B0000-0x000001CFDE8D2000-memory.dmp

Filesize
136KB

Download
memory/4824-18-0x0000000000EF0000-0x000000000120A000-memory.dmp

Filesize
3.1MB

Download
memory/4824-4-0x0000000000EF0000-0x000000000120A000-memory.dmp

Filesize
3.1MB

Download
memory/4824-3-0x0000000000EF0000-0x000000000120A000-memory.dmp

Filesize
3.1MB

Download
memory/4824-1-0x0000000077554000-0x0000000077556000-memory.dmp

Filesize
8KB

Download
memory/4824-2-0x0000000000EF1000-0x0000000000F1F000-memory.dmp

Filesize
184KB

Download
memory/4824-0-0x0000000000EF0000-0x000000000120A000-memory.dmp

Filesize
3.1MB

Download
memory/5084-8342-0x0000000000C70000-0x0000000000F8A000-memory.dmp

Filesize
3.1MB

Download
memory/5084-7149-0x0000000000C70000-0x0000000000F8A000-memory.dmp

Filesize
3.1MB

Download
memory/5096-30673-0x0000000000970000-0x0000000001005000-memory.dmp

Filesize
6.6MB

Download
memory/5096-30465-0x0000000000970000-0x0000000001005000-memory.dmp

Filesize
6.6MB

Download
memory/5132-30464-0x0000000000950000-0x0000000000DF3000-memory.dmp

Filesize
4.6MB

Download
memory/5132-8739-0x0000000000950000-0x0000000000DF3000-memory.dmp

Filesize
4.6MB

Download
memory/5132-11957-0x0000000000950000-0x0000000000DF3000-memory.dmp

Filesize
4.6MB

Download
memory/5312-23430-0x0000000000C70000-0x0000000000F8A000-memory.dmp

Filesize
3.1MB

Download
memory/5312-24651-0x0000000000C70000-0x0000000000F8A000-memory.dmp

Filesize
3.1MB

Download
memory/5380-6799-0x0000000000B40000-0x0000000001792000-memory.dmp

Filesize
12.3MB

Download
memory/5380-5491-0x0000000000B40000-0x0000000001792000-memory.dmp

Filesize
12.3MB

Download
memory/5400-18859-0x0000000000F90000-0x000000000141B000-memory.dmp

Filesize
4.5MB

Download
memory/5400-30811-0x0000000000F90000-0x000000000141B000-memory.dmp

Filesize
4.5MB

Download
memory/5400-14820-0x0000000000F90000-0x000000000141B000-memory.dmp

Filesize
4.5MB

Download
memory/5428-18714-0x0000000000860000-0x0000000000B08000-memory.dmp

Filesize
2.7MB

Download
memory/5428-16715-0x0000000000860000-0x0000000000B08000-memory.dmp

Filesize
2.7MB

Download
memory/5428-13400-0x0000000000860000-0x0000000000B08000-memory.dmp

Filesize
2.7MB

Download
memory/5428-14578-0x0000000000860000-0x0000000000B08000-memory.dmp

Filesize
2.7MB

Download
memory/5428-14529-0x0000000000860000-0x0000000000B08000-memory.dmp

Filesize
2.7MB

Download
memory/5520-30835-0x0000000005780000-0x0000000005844000-memory.dmp

Filesize
784KB

Download
memory/5520-30834-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5520-30864-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/6060-30453-0x0000000000220000-0x00000000004C8000-memory.dmp

Filesize
2.7MB

Download
memory/6060-30454-0x0000000000220000-0x00000000004C8000-memory.dmp

Filesize
2.7MB

Download
memory/6060-30843-0x0000000000220000-0x00000000004C8000-memory.dmp

Filesize
2.7MB

Download
memory/6060-30849-0x0000000000220000-0x00000000004C8000-memory.dmp

Filesize
2.7MB

Download
memory/6060-30452-0x0000000000220000-0x00000000004C8000-memory.dmp

Filesize
2.7MB

Download
memory/6072-12426-0x0000000000A10000-0x00000000010A5000-memory.dmp

Filesize
6.6MB

Download
memory/6072-10363-0x0000000000A10000-0x00000000010A5000-memory.dmp

Filesize
6.6MB

Download