amadey | 250b10e7a4025f8845c9287d86eb1101f18f23e2dd3c50df642cbc40756afa97

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
26-07-2023 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3e34cg.exe
Size

4.6MB
MD5

341e2e0fbcc88e262ed896ee11c06532
SHA1

60cd85254f5faeb3ba526650daf85b773b458b90
SHA256

250b10e7a4025f8845c9287d86eb1101f18f23e2dd3c50df642cbc40756afa97
SHA512

ea70d5bc2dc264ec92c57edaef2fe343e48c7f6d12d5b5c71432807fe19c536b10139b00040b364c15fc940d1ac9cf0e42f18e6dee1c412acdea17ac9e30d850
SSDEEP

49152:rOjkgSYGuvkNaJ/b0GYmsmf/sAa8hdCQB2xrajUVNY36pMK6CrOIvYApvSzZQljF:rXuvPZwAcQBVjUzgiMC02Xv+E

Score

10^/10

amadey sectoprat discovery evasion persistence rat spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

3.85

45.9.74.166/b7djSDcPcZ/index.php

45.9.74.141/b7djSDcPcZ/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1824-173-0x0000000000400000-0x0000000000966000-memory.dmp	family_sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

bstyoops.exea3e34cg.exebstyoops.exebstyoops.exeBRR.exeBRR.exebstyoops.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bstyoops.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a3e34cg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bstyoops.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bstyoops.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BRR.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BRR.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bstyoops.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

14 2428 rundll32.exe
15 1632 rundll32.exe
Downloads MZ/PE file

flow	pid	process
14	2428	rundll32.exe
15	1632	rundll32.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a3e34cg.exebstyoops.exebstyoops.exebstyoops.exeBRR.exebstyoops.exeBRR.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a3e34cg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bstyoops.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bstyoops.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bstyoops.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BRR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bstyoops.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bstyoops.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bstyoops.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BRR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bstyoops.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bstyoops.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a3e34cg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BRR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BRR.exe

Executes dropped EXE 6 IoCs

Processes:

bstyoops.exebstyoops.exeBRR.exeBRR.exebstyoops.exebstyoops.exe

pid process

2164 bstyoops.exe
2700 bstyoops.exe
1824 BRR.exe
1916 BRR.exe
2824 bstyoops.exe
1992 bstyoops.exe

pid	process
2164	bstyoops.exe
2700	bstyoops.exe
1824	BRR.exe
1916	BRR.exe
2824	bstyoops.exe
1992	bstyoops.exe

Loads dropped DLL 19 IoCs

Processes:

a3e34cg.exebstyoops.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
2156	a3e34cg.exe
2164	bstyoops.exe
2164	bstyoops.exe
1064	rundll32.exe
1064	rundll32.exe
1064	rundll32.exe
1064	rundll32.exe
1324	rundll32.exe
1324	rundll32.exe
1324	rundll32.exe
1324	rundll32.exe
1632	rundll32.exe
1632	rundll32.exe
1632	rundll32.exe
1632	rundll32.exe
2428	rundll32.exe
2428	rundll32.exe
2428	rundll32.exe
2428	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 33 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2156-54-0x0000000000940000-0x0000000000E0D000-memory.dmp	themida
behavioral1/memory/2156-64-0x0000000000940000-0x0000000000E0D000-memory.dmp	themida
behavioral1/memory/2156-65-0x0000000000940000-0x0000000000E0D000-memory.dmp	themida
behavioral1/memory/2156-66-0x0000000000940000-0x0000000000E0D000-memory.dmp	themida
behavioral1/memory/2156-67-0x0000000000940000-0x0000000000E0D000-memory.dmp	themida
\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	themida
behavioral1/memory/2156-75-0x0000000000940000-0x0000000000E0D000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	themida
behavioral1/memory/2164-88-0x0000000000040000-0x000000000050D000-memory.dmp	themida
behavioral1/memory/2164-90-0x0000000000040000-0x000000000050D000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	themida
behavioral1/memory/2164-91-0x0000000000040000-0x000000000050D000-memory.dmp	themida
behavioral1/memory/2164-92-0x0000000000040000-0x000000000050D000-memory.dmp	themida
behavioral1/memory/2164-93-0x0000000000040000-0x000000000050D000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	themida
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	themida
behavioral1/memory/2700-96-0x0000000000040000-0x000000000050D000-memory.dmp	themida
behavioral1/memory/2700-103-0x0000000000040000-0x000000000050D000-memory.dmp	themida
behavioral1/memory/2700-104-0x0000000000040000-0x000000000050D000-memory.dmp	themida
behavioral1/memory/2700-105-0x0000000000040000-0x000000000050D000-memory.dmp	themida
behavioral1/memory/2700-106-0x0000000000040000-0x000000000050D000-memory.dmp	themida
behavioral1/memory/2700-107-0x0000000000040000-0x000000000050D000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe	themida
C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe	themida
\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe	themida
\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe	themida
behavioral1/memory/2164-144-0x0000000000040000-0x000000000050D000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe	themida
behavioral1/memory/2164-168-0x0000000000040000-0x000000000050D000-memory.dmp	themida
behavioral1/memory/1824-173-0x0000000000400000-0x0000000000966000-memory.dmp	themida
behavioral1/memory/2164-209-0x0000000000040000-0x000000000050D000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	themida
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bstyoops.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\BRR.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000057051\\BRR.exe"	bstyoops.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\s64com.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000058061\\s64com.dll, rundll"	bstyoops.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BRR.exeBRR.exebstyoops.exebstyoops.exea3e34cg.exebstyoops.exebstyoops.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BRR.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BRR.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bstyoops.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bstyoops.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a3e34cg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bstyoops.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bstyoops.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

a3e34cg.exebstyoops.exebstyoops.exeBRR.exeBRR.exebstyoops.exebstyoops.exe

pid process

2156 a3e34cg.exe
2164 bstyoops.exe
2700 bstyoops.exe
1824 BRR.exe
1916 BRR.exe
2824 bstyoops.exe
1992 bstyoops.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2812 schtasks.exe

pid	process
2812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

a3e34cg.exebstyoops.exebstyoops.exeBRR.exeBRR.exerundll32.exerundll32.exebstyoops.exebstyoops.exe

pid	process
2156	a3e34cg.exe
2164	bstyoops.exe
2700	bstyoops.exe
1824	BRR.exe
1916	BRR.exe
1632	rundll32.exe
2428	rundll32.exe
2824	bstyoops.exe
1916	BRR.exe
1992	bstyoops.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

BRR.exe

description pid process

Token: SeDebugPrivilege 1916 BRR.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

a3e34cg.exe

pid process

2156 a3e34cg.exe

description	pid	process
Token: SeDebugPrivilege	1916	BRR.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a3e34cg.exebstyoops.execmd.exetaskeng.exerundll32.exe

description	pid	process	target process
PID 2156 wrote to memory of 2164	2156	a3e34cg.exe	bstyoops.exe
PID 2156 wrote to memory of 2164	2156	a3e34cg.exe	bstyoops.exe
PID 2156 wrote to memory of 2164	2156	a3e34cg.exe	bstyoops.exe
PID 2156 wrote to memory of 2164	2156	a3e34cg.exe	bstyoops.exe
PID 2164 wrote to memory of 2812	2164	bstyoops.exe	schtasks.exe
PID 2164 wrote to memory of 2812	2164	bstyoops.exe	schtasks.exe
PID 2164 wrote to memory of 2812	2164	bstyoops.exe	schtasks.exe
PID 2164 wrote to memory of 2812	2164	bstyoops.exe	schtasks.exe
PID 2164 wrote to memory of 2920	2164	bstyoops.exe	cmd.exe
PID 2164 wrote to memory of 2920	2164	bstyoops.exe	cmd.exe
PID 2164 wrote to memory of 2920	2164	bstyoops.exe	cmd.exe
PID 2164 wrote to memory of 2920	2164	bstyoops.exe	cmd.exe
PID 2920 wrote to memory of 2924	2920	cmd.exe	cmd.exe
PID 2920 wrote to memory of 2924	2920	cmd.exe	cmd.exe
PID 2920 wrote to memory of 2924	2920	cmd.exe	cmd.exe
PID 2920 wrote to memory of 2924	2920	cmd.exe	cmd.exe
PID 2920 wrote to memory of 2860	2920	cmd.exe	cacls.exe
PID 2920 wrote to memory of 2860	2920	cmd.exe	cacls.exe
PID 2920 wrote to memory of 2860	2920	cmd.exe	cacls.exe
PID 2920 wrote to memory of 2860	2920	cmd.exe	cacls.exe
PID 2920 wrote to memory of 2808	2920	cmd.exe	cacls.exe
PID 2920 wrote to memory of 2808	2920	cmd.exe	cacls.exe
PID 2920 wrote to memory of 2808	2920	cmd.exe	cacls.exe
PID 2920 wrote to memory of 2808	2920	cmd.exe	cacls.exe
PID 2920 wrote to memory of 2900	2920	cmd.exe	cmd.exe
PID 2920 wrote to memory of 2900	2920	cmd.exe	cmd.exe
PID 2920 wrote to memory of 2900	2920	cmd.exe	cmd.exe
PID 2920 wrote to memory of 2900	2920	cmd.exe	cmd.exe
PID 2920 wrote to memory of 2904	2920	cmd.exe	cacls.exe
PID 2920 wrote to memory of 2904	2920	cmd.exe	cacls.exe
PID 2920 wrote to memory of 2904	2920	cmd.exe	cacls.exe
PID 2920 wrote to memory of 2904	2920	cmd.exe	cacls.exe
PID 2920 wrote to memory of 916	2920	cmd.exe	cacls.exe
PID 2920 wrote to memory of 916	2920	cmd.exe	cacls.exe
PID 2920 wrote to memory of 916	2920	cmd.exe	cacls.exe
PID 2920 wrote to memory of 916	2920	cmd.exe	cacls.exe
PID 2868 wrote to memory of 2700	2868	taskeng.exe	bstyoops.exe
PID 2868 wrote to memory of 2700	2868	taskeng.exe	bstyoops.exe
PID 2868 wrote to memory of 2700	2868	taskeng.exe	bstyoops.exe
PID 2868 wrote to memory of 2700	2868	taskeng.exe	bstyoops.exe
PID 2164 wrote to memory of 1916	2164	bstyoops.exe	BRR.exe
PID 2164 wrote to memory of 1916	2164	bstyoops.exe	BRR.exe
PID 2164 wrote to memory of 1916	2164	bstyoops.exe	BRR.exe
PID 2164 wrote to memory of 1916	2164	bstyoops.exe	BRR.exe
PID 2164 wrote to memory of 1824	2164	bstyoops.exe	BRR.exe
PID 2164 wrote to memory of 1824	2164	bstyoops.exe	BRR.exe
PID 2164 wrote to memory of 1824	2164	bstyoops.exe	BRR.exe
PID 2164 wrote to memory of 1824	2164	bstyoops.exe	BRR.exe
PID 2164 wrote to memory of 1064	2164	bstyoops.exe	rundll32.exe
PID 2164 wrote to memory of 1064	2164	bstyoops.exe	rundll32.exe
PID 2164 wrote to memory of 1064	2164	bstyoops.exe	rundll32.exe
PID 2164 wrote to memory of 1064	2164	bstyoops.exe	rundll32.exe
PID 2164 wrote to memory of 1064	2164	bstyoops.exe	rundll32.exe
PID 2164 wrote to memory of 1064	2164	bstyoops.exe	rundll32.exe
PID 2164 wrote to memory of 1064	2164	bstyoops.exe	rundll32.exe
PID 2164 wrote to memory of 1324	2164	bstyoops.exe	rundll32.exe
PID 2164 wrote to memory of 1324	2164	bstyoops.exe	rundll32.exe
PID 2164 wrote to memory of 1324	2164	bstyoops.exe	rundll32.exe
PID 2164 wrote to memory of 1324	2164	bstyoops.exe	rundll32.exe
PID 2164 wrote to memory of 1324	2164	bstyoops.exe	rundll32.exe
PID 2164 wrote to memory of 1324	2164	bstyoops.exe	rundll32.exe
PID 2164 wrote to memory of 1324	2164	bstyoops.exe	rundll32.exe
PID 1064 wrote to memory of 1632	1064	rundll32.exe	rundll32.exe
PID 1064 wrote to memory of 1632	1064	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a3e34cg.exe
"C:\Users\Admin\AppData\Local\Temp\a3e34cg.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
"C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F
3⤵
- Creates scheduled task(s)
PID:2812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "bstyoops.exe" /P "Admin:N"&&CACLS "bstyoops.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c2868ed41c" /P "Admin:N"&&CACLS "..\c2868ed41c" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2924

C:\Windows\SysWOW64\cacls.exe
CACLS "bstyoops.exe" /P "Admin:N"
4⤵
PID:2860

C:\Windows\SysWOW64\cacls.exe
CACLS "bstyoops.exe" /P "Admin:R" /E
4⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2900

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c2868ed41c" /P "Admin:N"
4⤵
PID:2904

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c2868ed41c" /P "Admin:R" /E
4⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe
"C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe
"C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1824

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll, rundll
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll, rundll
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1632

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll, rundll
3⤵
- Loads dropped DLL
PID:1324

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll, rundll
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2428

C:\Windows\system32\taskeng.exe
taskeng.exe {E8E011CF-3453-49B8-AD07-4EBEB937C0D8} S-1-5-21-722410544-1258951091-1992882075-1000:MGKTNXNO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2700

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2824

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe
Filesize
1.8MB

MD5
013a5e128ecd7d261ebb0cd57f659990

SHA1
9aed3eca1616d73cc757057e999ba5e2be40a0cd

SHA256
85a441a8192d90196dc71aea38dd40f892d94f9868f082f3f7bb6957782bd61f

SHA512
db5c695a886d9e28154fc998f9cce3eb7d363a7adf40ae4d023b4702c16ab8556d96044bdf51c1d0772319b1d1503d3b6fd55f6d38cd9588058ad30a34dad36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe
Filesize
1.8MB

MD5
013a5e128ecd7d261ebb0cd57f659990

SHA1
9aed3eca1616d73cc757057e999ba5e2be40a0cd

SHA256
85a441a8192d90196dc71aea38dd40f892d94f9868f082f3f7bb6957782bd61f

SHA512
db5c695a886d9e28154fc998f9cce3eb7d363a7adf40ae4d023b4702c16ab8556d96044bdf51c1d0772319b1d1503d3b6fd55f6d38cd9588058ad30a34dad36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe
Filesize
1.8MB

MD5
013a5e128ecd7d261ebb0cd57f659990

SHA1
9aed3eca1616d73cc757057e999ba5e2be40a0cd

SHA256
85a441a8192d90196dc71aea38dd40f892d94f9868f082f3f7bb6957782bd61f

SHA512
db5c695a886d9e28154fc998f9cce3eb7d363a7adf40ae4d023b4702c16ab8556d96044bdf51c1d0772319b1d1503d3b6fd55f6d38cd9588058ad30a34dad36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll
Filesize
6.4MB

MD5
cb44d16ebac295a75245dce05a75997b

SHA1
101cc9e8df36e1e7061f449a84109d1d75e6f8ae

SHA256
313e88911d2fc41f7b03e1d35e101b4a9401a11e51abc818a35697c36f86f355

SHA512
a21a09fe60dd4380fdb9fbbeee0e6f0c543a8182aa6b3be5e77306928222c90bdd27b6dc2a1f54f31a5ba3c0322914a36c009773f30f9b94c4246110254bbb4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll
Filesize
6.4MB

MD5
cb44d16ebac295a75245dce05a75997b

SHA1
101cc9e8df36e1e7061f449a84109d1d75e6f8ae

SHA256
313e88911d2fc41f7b03e1d35e101b4a9401a11e51abc818a35697c36f86f355

SHA512
a21a09fe60dd4380fdb9fbbeee0e6f0c543a8182aa6b3be5e77306928222c90bdd27b6dc2a1f54f31a5ba3c0322914a36c009773f30f9b94c4246110254bbb4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
4.6MB

MD5
341e2e0fbcc88e262ed896ee11c06532

SHA1
60cd85254f5faeb3ba526650daf85b773b458b90

SHA256
250b10e7a4025f8845c9287d86eb1101f18f23e2dd3c50df642cbc40756afa97

SHA512
ea70d5bc2dc264ec92c57edaef2fe343e48c7f6d12d5b5c71432807fe19c536b10139b00040b364c15fc940d1ac9cf0e42f18e6dee1c412acdea17ac9e30d850

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
4.6MB

MD5
341e2e0fbcc88e262ed896ee11c06532

SHA1
60cd85254f5faeb3ba526650daf85b773b458b90

SHA256
250b10e7a4025f8845c9287d86eb1101f18f23e2dd3c50df642cbc40756afa97

SHA512
ea70d5bc2dc264ec92c57edaef2fe343e48c7f6d12d5b5c71432807fe19c536b10139b00040b364c15fc940d1ac9cf0e42f18e6dee1c412acdea17ac9e30d850

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
4.6MB

MD5
341e2e0fbcc88e262ed896ee11c06532

SHA1
60cd85254f5faeb3ba526650daf85b773b458b90

SHA256
250b10e7a4025f8845c9287d86eb1101f18f23e2dd3c50df642cbc40756afa97

SHA512
ea70d5bc2dc264ec92c57edaef2fe343e48c7f6d12d5b5c71432807fe19c536b10139b00040b364c15fc940d1ac9cf0e42f18e6dee1c412acdea17ac9e30d850

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
4.6MB

MD5
341e2e0fbcc88e262ed896ee11c06532

SHA1
60cd85254f5faeb3ba526650daf85b773b458b90

SHA256
250b10e7a4025f8845c9287d86eb1101f18f23e2dd3c50df642cbc40756afa97

SHA512
ea70d5bc2dc264ec92c57edaef2fe343e48c7f6d12d5b5c71432807fe19c536b10139b00040b364c15fc940d1ac9cf0e42f18e6dee1c412acdea17ac9e30d850

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
4.6MB

MD5
341e2e0fbcc88e262ed896ee11c06532

SHA1
60cd85254f5faeb3ba526650daf85b773b458b90

SHA256
250b10e7a4025f8845c9287d86eb1101f18f23e2dd3c50df642cbc40756afa97

SHA512
ea70d5bc2dc264ec92c57edaef2fe343e48c7f6d12d5b5c71432807fe19c536b10139b00040b364c15fc940d1ac9cf0e42f18e6dee1c412acdea17ac9e30d850

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
4.6MB

MD5
341e2e0fbcc88e262ed896ee11c06532

SHA1
60cd85254f5faeb3ba526650daf85b773b458b90

SHA256
250b10e7a4025f8845c9287d86eb1101f18f23e2dd3c50df642cbc40756afa97

SHA512
ea70d5bc2dc264ec92c57edaef2fe343e48c7f6d12d5b5c71432807fe19c536b10139b00040b364c15fc940d1ac9cf0e42f18e6dee1c412acdea17ac9e30d850

Download Submit
\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe
Filesize
1.8MB

MD5
013a5e128ecd7d261ebb0cd57f659990

SHA1
9aed3eca1616d73cc757057e999ba5e2be40a0cd

SHA256
85a441a8192d90196dc71aea38dd40f892d94f9868f082f3f7bb6957782bd61f

SHA512
db5c695a886d9e28154fc998f9cce3eb7d363a7adf40ae4d023b4702c16ab8556d96044bdf51c1d0772319b1d1503d3b6fd55f6d38cd9588058ad30a34dad36a

Download Submit
\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe
Filesize
1.8MB

MD5
013a5e128ecd7d261ebb0cd57f659990

SHA1
9aed3eca1616d73cc757057e999ba5e2be40a0cd

SHA256
85a441a8192d90196dc71aea38dd40f892d94f9868f082f3f7bb6957782bd61f

SHA512
db5c695a886d9e28154fc998f9cce3eb7d363a7adf40ae4d023b4702c16ab8556d96044bdf51c1d0772319b1d1503d3b6fd55f6d38cd9588058ad30a34dad36a

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll
Filesize
6.4MB

MD5
cb44d16ebac295a75245dce05a75997b

SHA1
101cc9e8df36e1e7061f449a84109d1d75e6f8ae

SHA256
313e88911d2fc41f7b03e1d35e101b4a9401a11e51abc818a35697c36f86f355

SHA512
a21a09fe60dd4380fdb9fbbeee0e6f0c543a8182aa6b3be5e77306928222c90bdd27b6dc2a1f54f31a5ba3c0322914a36c009773f30f9b94c4246110254bbb4b

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll
Filesize
6.4MB

MD5
cb44d16ebac295a75245dce05a75997b

SHA1
101cc9e8df36e1e7061f449a84109d1d75e6f8ae

SHA256
313e88911d2fc41f7b03e1d35e101b4a9401a11e51abc818a35697c36f86f355

SHA512
a21a09fe60dd4380fdb9fbbeee0e6f0c543a8182aa6b3be5e77306928222c90bdd27b6dc2a1f54f31a5ba3c0322914a36c009773f30f9b94c4246110254bbb4b

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll
Filesize
6.4MB

MD5
cb44d16ebac295a75245dce05a75997b

SHA1
101cc9e8df36e1e7061f449a84109d1d75e6f8ae

SHA256
313e88911d2fc41f7b03e1d35e101b4a9401a11e51abc818a35697c36f86f355

SHA512
a21a09fe60dd4380fdb9fbbeee0e6f0c543a8182aa6b3be5e77306928222c90bdd27b6dc2a1f54f31a5ba3c0322914a36c009773f30f9b94c4246110254bbb4b

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll
Filesize
6.4MB

MD5
cb44d16ebac295a75245dce05a75997b

SHA1
101cc9e8df36e1e7061f449a84109d1d75e6f8ae

SHA256
313e88911d2fc41f7b03e1d35e101b4a9401a11e51abc818a35697c36f86f355

SHA512
a21a09fe60dd4380fdb9fbbeee0e6f0c543a8182aa6b3be5e77306928222c90bdd27b6dc2a1f54f31a5ba3c0322914a36c009773f30f9b94c4246110254bbb4b

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll
Filesize
6.4MB

MD5
cb44d16ebac295a75245dce05a75997b

SHA1
101cc9e8df36e1e7061f449a84109d1d75e6f8ae

SHA256
313e88911d2fc41f7b03e1d35e101b4a9401a11e51abc818a35697c36f86f355

SHA512
a21a09fe60dd4380fdb9fbbeee0e6f0c543a8182aa6b3be5e77306928222c90bdd27b6dc2a1f54f31a5ba3c0322914a36c009773f30f9b94c4246110254bbb4b

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll
Filesize
6.4MB

MD5
cb44d16ebac295a75245dce05a75997b

SHA1
101cc9e8df36e1e7061f449a84109d1d75e6f8ae

SHA256
313e88911d2fc41f7b03e1d35e101b4a9401a11e51abc818a35697c36f86f355

SHA512
a21a09fe60dd4380fdb9fbbeee0e6f0c543a8182aa6b3be5e77306928222c90bdd27b6dc2a1f54f31a5ba3c0322914a36c009773f30f9b94c4246110254bbb4b

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll
Filesize
6.4MB

MD5
cb44d16ebac295a75245dce05a75997b

SHA1
101cc9e8df36e1e7061f449a84109d1d75e6f8ae

SHA256
313e88911d2fc41f7b03e1d35e101b4a9401a11e51abc818a35697c36f86f355

SHA512
a21a09fe60dd4380fdb9fbbeee0e6f0c543a8182aa6b3be5e77306928222c90bdd27b6dc2a1f54f31a5ba3c0322914a36c009773f30f9b94c4246110254bbb4b

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll
Filesize
6.4MB

MD5
cb44d16ebac295a75245dce05a75997b

SHA1
101cc9e8df36e1e7061f449a84109d1d75e6f8ae

SHA256
313e88911d2fc41f7b03e1d35e101b4a9401a11e51abc818a35697c36f86f355

SHA512
a21a09fe60dd4380fdb9fbbeee0e6f0c543a8182aa6b3be5e77306928222c90bdd27b6dc2a1f54f31a5ba3c0322914a36c009773f30f9b94c4246110254bbb4b

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll
Filesize
6.4MB

MD5
cb44d16ebac295a75245dce05a75997b

SHA1
101cc9e8df36e1e7061f449a84109d1d75e6f8ae

SHA256
313e88911d2fc41f7b03e1d35e101b4a9401a11e51abc818a35697c36f86f355

SHA512
a21a09fe60dd4380fdb9fbbeee0e6f0c543a8182aa6b3be5e77306928222c90bdd27b6dc2a1f54f31a5ba3c0322914a36c009773f30f9b94c4246110254bbb4b

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll
Filesize
6.4MB

MD5
cb44d16ebac295a75245dce05a75997b

SHA1
101cc9e8df36e1e7061f449a84109d1d75e6f8ae

SHA256
313e88911d2fc41f7b03e1d35e101b4a9401a11e51abc818a35697c36f86f355

SHA512
a21a09fe60dd4380fdb9fbbeee0e6f0c543a8182aa6b3be5e77306928222c90bdd27b6dc2a1f54f31a5ba3c0322914a36c009773f30f9b94c4246110254bbb4b

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll
Filesize
6.4MB

MD5
cb44d16ebac295a75245dce05a75997b

SHA1
101cc9e8df36e1e7061f449a84109d1d75e6f8ae

SHA256
313e88911d2fc41f7b03e1d35e101b4a9401a11e51abc818a35697c36f86f355

SHA512
a21a09fe60dd4380fdb9fbbeee0e6f0c543a8182aa6b3be5e77306928222c90bdd27b6dc2a1f54f31a5ba3c0322914a36c009773f30f9b94c4246110254bbb4b

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll
Filesize
6.4MB

MD5
cb44d16ebac295a75245dce05a75997b

SHA1
101cc9e8df36e1e7061f449a84109d1d75e6f8ae

SHA256
313e88911d2fc41f7b03e1d35e101b4a9401a11e51abc818a35697c36f86f355

SHA512
a21a09fe60dd4380fdb9fbbeee0e6f0c543a8182aa6b3be5e77306928222c90bdd27b6dc2a1f54f31a5ba3c0322914a36c009773f30f9b94c4246110254bbb4b

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll
Filesize
6.4MB

MD5
cb44d16ebac295a75245dce05a75997b

SHA1
101cc9e8df36e1e7061f449a84109d1d75e6f8ae

SHA256
313e88911d2fc41f7b03e1d35e101b4a9401a11e51abc818a35697c36f86f355

SHA512
a21a09fe60dd4380fdb9fbbeee0e6f0c543a8182aa6b3be5e77306928222c90bdd27b6dc2a1f54f31a5ba3c0322914a36c009773f30f9b94c4246110254bbb4b

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll
Filesize
6.4MB

MD5
cb44d16ebac295a75245dce05a75997b

SHA1
101cc9e8df36e1e7061f449a84109d1d75e6f8ae

SHA256
313e88911d2fc41f7b03e1d35e101b4a9401a11e51abc818a35697c36f86f355

SHA512
a21a09fe60dd4380fdb9fbbeee0e6f0c543a8182aa6b3be5e77306928222c90bdd27b6dc2a1f54f31a5ba3c0322914a36c009773f30f9b94c4246110254bbb4b

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll
Filesize
6.4MB

MD5
cb44d16ebac295a75245dce05a75997b

SHA1
101cc9e8df36e1e7061f449a84109d1d75e6f8ae

SHA256
313e88911d2fc41f7b03e1d35e101b4a9401a11e51abc818a35697c36f86f355

SHA512
a21a09fe60dd4380fdb9fbbeee0e6f0c543a8182aa6b3be5e77306928222c90bdd27b6dc2a1f54f31a5ba3c0322914a36c009773f30f9b94c4246110254bbb4b

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\s64com.dll
Filesize
6.4MB

MD5
cb44d16ebac295a75245dce05a75997b

SHA1
101cc9e8df36e1e7061f449a84109d1d75e6f8ae

SHA256
313e88911d2fc41f7b03e1d35e101b4a9401a11e51abc818a35697c36f86f355

SHA512
a21a09fe60dd4380fdb9fbbeee0e6f0c543a8182aa6b3be5e77306928222c90bdd27b6dc2a1f54f31a5ba3c0322914a36c009773f30f9b94c4246110254bbb4b

Download Submit
\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
4.6MB

MD5
341e2e0fbcc88e262ed896ee11c06532

SHA1
60cd85254f5faeb3ba526650daf85b773b458b90

SHA256
250b10e7a4025f8845c9287d86eb1101f18f23e2dd3c50df642cbc40756afa97

SHA512
ea70d5bc2dc264ec92c57edaef2fe343e48c7f6d12d5b5c71432807fe19c536b10139b00040b364c15fc940d1ac9cf0e42f18e6dee1c412acdea17ac9e30d850

Download Submit
memory/1632-278-0x00000000778B0000-0x00000000778B2000-memory.dmp

Filesize
8KB

Download
memory/1632-274-0x00000000778B0000-0x00000000778B2000-memory.dmp

Filesize
8KB

Download
memory/1632-250-0x0000000077890000-0x0000000077892000-memory.dmp

Filesize
8KB

Download
memory/1632-248-0x0000000077880000-0x0000000077882000-memory.dmp

Filesize
8KB

Download
memory/1632-246-0x0000000077880000-0x0000000077882000-memory.dmp

Filesize
8KB

Download
memory/1632-276-0x00000000778B0000-0x00000000778B2000-memory.dmp

Filesize
8KB

Download
memory/1632-252-0x0000000077890000-0x0000000077892000-memory.dmp

Filesize
8KB

Download
memory/1632-242-0x0000000077880000-0x0000000077882000-memory.dmp

Filesize
8KB

Download
memory/1632-238-0x0000000077870000-0x0000000077872000-memory.dmp

Filesize
8KB

Download
memory/1632-236-0x0000000077870000-0x0000000077872000-memory.dmp

Filesize
8KB

Download
memory/1632-254-0x0000000077890000-0x0000000077892000-memory.dmp

Filesize
8KB

Download
memory/1632-264-0x00000000778A0000-0x00000000778A2000-memory.dmp

Filesize
8KB

Download
memory/1632-266-0x00000000778A0000-0x00000000778A2000-memory.dmp

Filesize
8KB

Download
memory/1632-268-0x00000000778A0000-0x00000000778A2000-memory.dmp

Filesize
8KB

Download
memory/1824-152-0x0000000077130000-0x0000000077177000-memory.dmp

Filesize
284KB

Download
memory/1824-155-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/1824-156-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/1824-157-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/1824-150-0x0000000077130000-0x0000000077177000-memory.dmp

Filesize
284KB

Download
memory/1824-149-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/1824-148-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/1824-173-0x0000000000400000-0x0000000000966000-memory.dmp

Filesize
5.4MB

Download
memory/1824-167-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/1824-143-0x0000000000400000-0x0000000000966000-memory.dmp

Filesize
5.4MB

Download
memory/1824-151-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/1824-153-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/1824-154-0x0000000077130000-0x0000000077177000-memory.dmp

Filesize
284KB

Download
memory/1916-163-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/1916-158-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/1916-160-0x0000000077130000-0x0000000077177000-memory.dmp

Filesize
284KB

Download
memory/1916-162-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/1916-164-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/1916-165-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/1916-166-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/1916-161-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/1916-159-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/1916-147-0x0000000000400000-0x0000000000966000-memory.dmp

Filesize
5.4MB

Download
memory/2156-62-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2156-55-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2156-56-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2156-54-0x0000000000940000-0x0000000000E0D000-memory.dmp

Filesize
4.8MB

Download
memory/2156-57-0x0000000077130000-0x0000000077177000-memory.dmp

Filesize
284KB

Download
memory/2156-58-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2156-59-0x0000000077130000-0x0000000077177000-memory.dmp

Filesize
284KB

Download
memory/2156-60-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2156-61-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2156-77-0x0000000004210000-0x00000000046DD000-memory.dmp

Filesize
4.8MB

Download
memory/2156-63-0x00000000778B0000-0x00000000778B2000-memory.dmp

Filesize
8KB

Download
memory/2156-64-0x0000000000940000-0x0000000000E0D000-memory.dmp

Filesize
4.8MB

Download
memory/2156-65-0x0000000000940000-0x0000000000E0D000-memory.dmp

Filesize
4.8MB

Download
memory/2156-66-0x0000000000940000-0x0000000000E0D000-memory.dmp

Filesize
4.8MB

Download
memory/2156-67-0x0000000000940000-0x0000000000E0D000-memory.dmp

Filesize
4.8MB

Download
memory/2156-75-0x0000000000940000-0x0000000000E0D000-memory.dmp

Filesize
4.8MB

Download
memory/2156-78-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2156-80-0x0000000077130000-0x0000000077177000-memory.dmp

Filesize
284KB

Download
memory/2164-90-0x0000000000040000-0x000000000050D000-memory.dmp

Filesize
4.8MB

Download
memory/2164-92-0x0000000000040000-0x000000000050D000-memory.dmp

Filesize
4.8MB

Download
memory/2164-168-0x0000000000040000-0x000000000050D000-memory.dmp

Filesize
4.8MB

Download
memory/2164-144-0x0000000000040000-0x000000000050D000-memory.dmp

Filesize
4.8MB

Download
memory/2164-139-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2164-209-0x0000000000040000-0x000000000050D000-memory.dmp

Filesize
4.8MB

Download
memory/2164-142-0x00000000049E0000-0x0000000004F46000-memory.dmp

Filesize
5.4MB

Download
memory/2164-140-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2164-141-0x0000000004080000-0x00000000045E6000-memory.dmp

Filesize
5.4MB

Download
memory/2164-138-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2164-136-0x0000000077130000-0x0000000077177000-memory.dmp

Filesize
284KB

Download
memory/2164-137-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2164-81-0x0000000077130000-0x0000000077177000-memory.dmp

Filesize
284KB

Download
memory/2164-82-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2164-84-0x0000000077130000-0x0000000077177000-memory.dmp

Filesize
284KB

Download
memory/2164-85-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2164-86-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2164-87-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2164-83-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2164-88-0x0000000000040000-0x000000000050D000-memory.dmp

Filesize
4.8MB

Download
memory/2164-89-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2164-79-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2164-91-0x0000000000040000-0x000000000050D000-memory.dmp

Filesize
4.8MB

Download
memory/2164-146-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2164-93-0x0000000000040000-0x000000000050D000-memory.dmp

Filesize
4.8MB

Download
memory/2428-231-0x0000000077870000-0x0000000077872000-memory.dmp

Filesize
8KB

Download
memory/2700-98-0x0000000077130000-0x0000000077177000-memory.dmp

Filesize
284KB

Download
memory/2700-103-0x0000000000040000-0x000000000050D000-memory.dmp

Filesize
4.8MB

Download
memory/2700-96-0x0000000000040000-0x000000000050D000-memory.dmp

Filesize
4.8MB

Download
memory/2700-101-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2700-99-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2700-100-0x0000000077130000-0x0000000077177000-memory.dmp

Filesize
284KB

Download
memory/2700-97-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2700-102-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2700-104-0x0000000000040000-0x000000000050D000-memory.dmp

Filesize
4.8MB

Download
memory/2700-105-0x0000000000040000-0x000000000050D000-memory.dmp

Filesize
4.8MB

Download
memory/2700-106-0x0000000000040000-0x000000000050D000-memory.dmp

Filesize
4.8MB

Download
memory/2700-109-0x0000000077130000-0x0000000077177000-memory.dmp

Filesize
284KB

Download
memory/2700-108-0x0000000075D20000-0x0000000075E30000-memory.dmp

Filesize
1.1MB

Download
memory/2700-107-0x0000000000040000-0x000000000050D000-memory.dmp

Filesize
4.8MB

Download