amadey | 7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231201-en
resource tags

arch:x64arch:x86image:win10v2004-20231201-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2023 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
Size

2.5MB
MD5

91020e5674626296b45de52989d97be3
SHA1

e1c95086cdfe8525c673fa45d8c1310efb45ff4a
SHA256

7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5
SHA512

22731558082adda43effe24732d9b4fb1fa5978a564cece18cc430eff9a4b0b5fa04424ac0027b0d3a09e21c12c531b44647e0b70e73372a1eb3b4b8ff00ba27
SSDEEP

49152:0yj4+45+Lf+4nClgIi23U8Qgy4RqX6vkJ2D/Z8n1oUDc8s0vXwV2x:0b+4wLf+4nCgMU8/y4Rm6vkJ2lK1jkap

Score

10^/10

amadey lumma discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.13

http://185.172.128.125

Attributes

install_dir
4fdb51ccdc
install_file
Utsysc.exe
strings_key
a70b05054314f381be1ab9a5cdc8b250
url_paths
/u6vhSc3PPq/index.php

rc4.plain

Extracted

Family

lumma

http://athwartchannelly.pw/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

gmlubiuxvfccctaxtk.exe

description	pid	process	target process
PID 1180 created 688	1180	gmlubiuxvfccctaxtk.exe	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

XRJNZC.exeUtsysc.exeUtsysc.exeluruvkwgqrotrdonpg.exeeeqjttxvijgjgu.exeUtsysc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	XRJNZC.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Utsysc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Utsysc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	luruvkwgqrotrdonpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	eeqjttxvijgjgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Utsysc.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eeqjttxvijgjgu.exeUtsysc.exeXRJNZC.exeUtsysc.exeluruvkwgqrotrdonpg.exeUtsysc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	eeqjttxvijgjgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	eeqjttxvijgjgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Utsysc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	XRJNZC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	XRJNZC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Utsysc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	luruvkwgqrotrdonpg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	luruvkwgqrotrdonpg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Utsysc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Utsysc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Utsysc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Utsysc.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Utsysc.exeluruvkwgqrotrdonpg.exeeeqjttxvijgjgu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation	Utsysc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation	luruvkwgqrotrdonpg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation	eeqjttxvijgjgu.exe

Executes dropped EXE 8 IoCs

Processes:

gmlubiuxvfccctaxtk.exeliveupdate.exeluruvkwgqrotrdonpg.exeeeqjttxvijgjgu.exeUtsysc.exeXRJNZC.exeUtsysc.exeUtsysc.exe

pid	process
1180	gmlubiuxvfccctaxtk.exe
1136	liveupdate.exe
2324	luruvkwgqrotrdonpg.exe
4348	eeqjttxvijgjgu.exe
4004	Utsysc.exe
4236	XRJNZC.exe
4996	Utsysc.exe
3036	Utsysc.exe

Loads dropped DLL 1 IoCs

Processes:

liveupdate.exe

pid process

1136 liveupdate.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1136	liveupdate.exe

Themida packer 51 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\luruvkwgqrotrdonpg.exe	themida
behavioral2/memory/2324-30-0x0000000000B50000-0x0000000001B99000-memory.dmp	themida
behavioral2/memory/2324-31-0x0000000000B50000-0x0000000001B99000-memory.dmp	themida
behavioral2/memory/2324-42-0x0000000000B50000-0x0000000001B99000-memory.dmp	themida
behavioral2/memory/2324-45-0x0000000000B50000-0x0000000001B99000-memory.dmp	themida
behavioral2/memory/2324-48-0x0000000000B50000-0x0000000001B99000-memory.dmp	themida
behavioral2/memory/2324-49-0x0000000000B50000-0x0000000001B99000-memory.dmp	themida
behavioral2/memory/2324-50-0x0000000000B50000-0x0000000001B99000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\luruvkwgqrotrdonpg.exe	themida
behavioral2/memory/2324-57-0x0000000000B50000-0x0000000001B99000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\eeqjttxvijgjgu.exe	themida
behavioral2/memory/4348-63-0x0000000000890000-0x0000000001913000-memory.dmp	themida
behavioral2/memory/4348-64-0x0000000000890000-0x0000000001913000-memory.dmp	themida
behavioral2/memory/4348-75-0x0000000000890000-0x0000000001913000-memory.dmp	themida
behavioral2/memory/4348-77-0x0000000000890000-0x0000000001913000-memory.dmp	themida
behavioral2/memory/4348-79-0x0000000000890000-0x0000000001913000-memory.dmp	themida
behavioral2/memory/4348-80-0x0000000000890000-0x0000000001913000-memory.dmp	themida
behavioral2/memory/4348-81-0x0000000000890000-0x0000000001913000-memory.dmp	themida
behavioral2/memory/4348-82-0x0000000000890000-0x0000000001913000-memory.dmp	themida
behavioral2/memory/4348-83-0x0000000000890000-0x0000000001913000-memory.dmp	themida
behavioral2/memory/4348-84-0x0000000000890000-0x0000000001913000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe	themida
C:\Users\Admin\AppData\Local\Temp\eeqjttxvijgjgu.exe	themida
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe	themida
behavioral2/memory/4004-99-0x0000000000B50000-0x0000000001BD3000-memory.dmp	themida
behavioral2/memory/4348-98-0x0000000000890000-0x0000000001913000-memory.dmp	themida
C:\ProgramData\pinterests\XRJNZC.exe	themida
C:\ProgramData\pinterests\XRJNZC.exe	themida
behavioral2/memory/4236-103-0x0000000000BC0000-0x0000000001C09000-memory.dmp	themida
behavioral2/memory/4004-104-0x0000000000B50000-0x0000000001BD3000-memory.dmp	themida
behavioral2/memory/4236-108-0x0000000000BC0000-0x0000000001C09000-memory.dmp	themida
behavioral2/memory/4004-120-0x0000000000B50000-0x0000000001BD3000-memory.dmp	themida
behavioral2/memory/4004-123-0x0000000000B50000-0x0000000001BD3000-memory.dmp	themida
behavioral2/memory/4236-125-0x0000000000BC0000-0x0000000001C09000-memory.dmp	themida
behavioral2/memory/4004-127-0x0000000000B50000-0x0000000001BD3000-memory.dmp	themida
behavioral2/memory/4236-129-0x0000000000BC0000-0x0000000001C09000-memory.dmp	themida
behavioral2/memory/4236-133-0x0000000000BC0000-0x0000000001C09000-memory.dmp	themida
behavioral2/memory/4004-135-0x0000000000B50000-0x0000000001BD3000-memory.dmp	themida
behavioral2/memory/4236-137-0x0000000000BC0000-0x0000000001C09000-memory.dmp	themida
behavioral2/memory/4004-139-0x0000000000B50000-0x0000000001BD3000-memory.dmp	themida
behavioral2/memory/4236-141-0x0000000000BC0000-0x0000000001C09000-memory.dmp	themida
C:\ProgramData\pinterests\XRJNZC.exe	themida
behavioral2/memory/4004-142-0x0000000000B50000-0x0000000001BD3000-memory.dmp	themida
behavioral2/memory/4004-131-0x0000000000B50000-0x0000000001BD3000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe	themida
behavioral2/memory/4236-147-0x0000000000BC0000-0x0000000001C09000-memory.dmp	themida
behavioral2/memory/4004-159-0x0000000000B50000-0x0000000001BD3000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe	themida
behavioral2/memory/4996-176-0x0000000000B50000-0x0000000001BD3000-memory.dmp	themida
behavioral2/memory/4996-220-0x0000000000B50000-0x0000000001BD3000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

luruvkwgqrotrdonpg.exeeeqjttxvijgjgu.exeUtsysc.exeXRJNZC.exeUtsysc.exeUtsysc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	luruvkwgqrotrdonpg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eeqjttxvijgjgu.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utsysc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	XRJNZC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utsysc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utsysc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

luruvkwgqrotrdonpg.exeeeqjttxvijgjgu.exeUtsysc.exeXRJNZC.exeUtsysc.exeUtsysc.exe

pid process

2324 luruvkwgqrotrdonpg.exe
4348 eeqjttxvijgjgu.exe
4004 Utsysc.exe
4236 XRJNZC.exe
4996 Utsysc.exe
3036 Utsysc.exe

pid	process
2324	luruvkwgqrotrdonpg.exe
4348	eeqjttxvijgjgu.exe
4004	Utsysc.exe
4236	XRJNZC.exe
4996	Utsysc.exe
3036	Utsysc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

liveupdate.execertutil.exe

description	pid	process	target process
PID 1136 set thread context of 1660	1136	liveupdate.exe	cmd.exe
PID 4736 set thread context of 1140	4736	certutil.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4756 4236 WerFault.exe XRJNZC.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4968 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3792 timeout.exe

pid	pid_target	process	target process
4756	4236	WerFault.exe	XRJNZC.exe

pid	process
4968	schtasks.exe

pid	process
3792	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exegmlubiuxvfccctaxtk.exeliveupdate.exeluruvkwgqrotrdonpg.exeeeqjttxvijgjgu.exeUtsysc.exeXRJNZC.execmd.execertutil.exeUtsysc.exeexplorer.exe

pid	process
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
1180	gmlubiuxvfccctaxtk.exe
1180	gmlubiuxvfccctaxtk.exe
1136	liveupdate.exe
2324	luruvkwgqrotrdonpg.exe
2324	luruvkwgqrotrdonpg.exe
4348	eeqjttxvijgjgu.exe
4348	eeqjttxvijgjgu.exe
4004	Utsysc.exe
4004	Utsysc.exe
4236	XRJNZC.exe
4236	XRJNZC.exe
1660	cmd.exe
1660	cmd.exe
4736	certutil.exe
4996	Utsysc.exe
4996	Utsysc.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

liveupdate.execmd.exe

pid process

1136 liveupdate.exe
1660 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeLockMemoryPrivilege 1140 explorer.exe
Token: SeLockMemoryPrivilege 1140 explorer.exe

pid	process
1136	liveupdate.exe
1660	cmd.exe

description	pid	process
Token: SeLockMemoryPrivilege	1140	explorer.exe
Token: SeLockMemoryPrivilege	1140	explorer.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exegmlubiuxvfccctaxtk.exeliveupdate.exeluruvkwgqrotrdonpg.execmd.exeeeqjttxvijgjgu.exeUtsysc.execmd.execertutil.exe

description	pid	process	target process
PID 688 wrote to memory of 1180	688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe	gmlubiuxvfccctaxtk.exe
PID 688 wrote to memory of 1180	688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe	gmlubiuxvfccctaxtk.exe
PID 688 wrote to memory of 1180	688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe	gmlubiuxvfccctaxtk.exe
PID 1180 wrote to memory of 1136	1180	gmlubiuxvfccctaxtk.exe	liveupdate.exe
PID 1180 wrote to memory of 1136	1180	gmlubiuxvfccctaxtk.exe	liveupdate.exe
PID 1180 wrote to memory of 1136	1180	gmlubiuxvfccctaxtk.exe	liveupdate.exe
PID 1136 wrote to memory of 1660	1136	liveupdate.exe	cmd.exe
PID 1136 wrote to memory of 1660	1136	liveupdate.exe	cmd.exe
PID 1136 wrote to memory of 1660	1136	liveupdate.exe	cmd.exe
PID 688 wrote to memory of 2324	688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe	luruvkwgqrotrdonpg.exe
PID 688 wrote to memory of 2324	688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe	luruvkwgqrotrdonpg.exe
PID 688 wrote to memory of 2324	688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe	luruvkwgqrotrdonpg.exe
PID 2324 wrote to memory of 3356	2324	luruvkwgqrotrdonpg.exe	cmd.exe
PID 2324 wrote to memory of 3356	2324	luruvkwgqrotrdonpg.exe	cmd.exe
PID 2324 wrote to memory of 3356	2324	luruvkwgqrotrdonpg.exe	cmd.exe
PID 3356 wrote to memory of 3792	3356	cmd.exe	timeout.exe
PID 3356 wrote to memory of 3792	3356	cmd.exe	timeout.exe
PID 3356 wrote to memory of 3792	3356	cmd.exe	timeout.exe
PID 688 wrote to memory of 4348	688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe	eeqjttxvijgjgu.exe
PID 688 wrote to memory of 4348	688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe	eeqjttxvijgjgu.exe
PID 688 wrote to memory of 4348	688	7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe	eeqjttxvijgjgu.exe
PID 4348 wrote to memory of 4004	4348	eeqjttxvijgjgu.exe	Utsysc.exe
PID 4348 wrote to memory of 4004	4348	eeqjttxvijgjgu.exe	Utsysc.exe
PID 4348 wrote to memory of 4004	4348	eeqjttxvijgjgu.exe	Utsysc.exe
PID 3356 wrote to memory of 4236	3356	cmd.exe	XRJNZC.exe
PID 3356 wrote to memory of 4236	3356	cmd.exe	XRJNZC.exe
PID 3356 wrote to memory of 4236	3356	cmd.exe	XRJNZC.exe
PID 4004 wrote to memory of 4968	4004	Utsysc.exe	schtasks.exe
PID 4004 wrote to memory of 4968	4004	Utsysc.exe	schtasks.exe
PID 4004 wrote to memory of 4968	4004	Utsysc.exe	schtasks.exe
PID 1136 wrote to memory of 1660	1136	liveupdate.exe	cmd.exe
PID 1660 wrote to memory of 4736	1660	cmd.exe	certutil.exe
PID 1660 wrote to memory of 4736	1660	cmd.exe	certutil.exe
PID 1660 wrote to memory of 4736	1660	cmd.exe	certutil.exe
PID 4736 wrote to memory of 1140	4736	certutil.exe	explorer.exe
PID 4736 wrote to memory of 1140	4736	certutil.exe	explorer.exe
PID 4736 wrote to memory of 1140	4736	certutil.exe	explorer.exe
PID 4736 wrote to memory of 1140	4736	certutil.exe	explorer.exe
PID 4736 wrote to memory of 1140	4736	certutil.exe	explorer.exe
PID 4736 wrote to memory of 1140	4736	certutil.exe	explorer.exe
PID 4736 wrote to memory of 1140	4736	certutil.exe	explorer.exe
PID 4736 wrote to memory of 1140	4736	certutil.exe	explorer.exe
PID 4736 wrote to memory of 1140	4736	certutil.exe	explorer.exe
PID 4736 wrote to memory of 1140	4736	certutil.exe	explorer.exe
PID 4736 wrote to memory of 1140	4736	certutil.exe	explorer.exe
PID 4736 wrote to memory of 1140	4736	certutil.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe
"C:\Users\Admin\AppData\Local\Temp\7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:688

C:\Users\Admin\AppData\Local\Temp\gmlubiuxvfccctaxtk.exe
"C:\Users\Admin\AppData\Local\Temp\gmlubiuxvfccctaxtk.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\System32\certutil.exe
C:\Windows\System32\certutil.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\explorer.exe
explorer.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Users\Admin\AppData\Local\Temp\luruvkwgqrotrdonpg.exe
"C:\Users\Admin\AppData\Local\Temp\luruvkwgqrotrdonpg.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s1sk.0.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:3792

C:\ProgramData\pinterests\XRJNZC.exe
"C:\ProgramData\pinterests\XRJNZC.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 500
5⤵
- Program crash
PID:4756

C:\Users\Admin\AppData\Local\Temp\eeqjttxvijgjgu.exe
"C:\Users\Admin\AppData\Local\Temp\eeqjttxvijgjgu.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4348

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
4⤵
- Creates scheduled task(s)
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4236 -ip 4236
1⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4996

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pinterests\XRJNZC.exe

Filesize
5.9MB

MD5
286a068ad573c5dcec2d0cf9c00a0bad

SHA1
eb65d83fea63209de491d219fc49f8df3a5d60d0

SHA256
986bd8368c4788a406507a3bef55b382ec7d95ddb55b6a4377a9fbf5b96e160d

SHA512
078ae6b65a6b2d72dbafe7ac8f73416b26e4f8cfe51781079de8034d775a9914f43041c7bc65fa9c62bc615779930e8b67ed0bddfbdf1b3c5ec56a76ac496799

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
5.9MB

MD5
286a068ad573c5dcec2d0cf9c00a0bad

SHA1
eb65d83fea63209de491d219fc49f8df3a5d60d0

SHA256
986bd8368c4788a406507a3bef55b382ec7d95ddb55b6a4377a9fbf5b96e160d

SHA512
078ae6b65a6b2d72dbafe7ac8f73416b26e4f8cfe51781079de8034d775a9914f43041c7bc65fa9c62bc615779930e8b67ed0bddfbdf1b3c5ec56a76ac496799

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
5.9MB

MD5
286a068ad573c5dcec2d0cf9c00a0bad

SHA1
eb65d83fea63209de491d219fc49f8df3a5d60d0

SHA256
986bd8368c4788a406507a3bef55b382ec7d95ddb55b6a4377a9fbf5b96e160d

SHA512
078ae6b65a6b2d72dbafe7ac8f73416b26e4f8cfe51781079de8034d775a9914f43041c7bc65fa9c62bc615779930e8b67ed0bddfbdf1b3c5ec56a76ac496799

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe

Filesize
6.0MB

MD5
17071b3a50aba05045c9cc758ad42598

SHA1
10ed87b56c28f2a8c4a1e90b136b1f6c1df93374

SHA256
ffbd15e4b7e0a3b083cecd06950832b2e1471a8320d8b09dbddf9f99c2875d2a

SHA512
7aec7566821b062debe988b1beb616da9c2e4da97607f30c909c77b102cba43b1ceacca7df4450c2224f90d37f2f1a4e0d22711072234bfcf4d40569c78db2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe

Filesize
6.0MB

MD5
17071b3a50aba05045c9cc758ad42598

SHA1
10ed87b56c28f2a8c4a1e90b136b1f6c1df93374

SHA256
ffbd15e4b7e0a3b083cecd06950832b2e1471a8320d8b09dbddf9f99c2875d2a

SHA512
7aec7566821b062debe988b1beb616da9c2e4da97607f30c909c77b102cba43b1ceacca7df4450c2224f90d37f2f1a4e0d22711072234bfcf4d40569c78db2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe

Filesize
6.0MB

MD5
17071b3a50aba05045c9cc758ad42598

SHA1
10ed87b56c28f2a8c4a1e90b136b1f6c1df93374

SHA256
ffbd15e4b7e0a3b083cecd06950832b2e1471a8320d8b09dbddf9f99c2875d2a

SHA512
7aec7566821b062debe988b1beb616da9c2e4da97607f30c909c77b102cba43b1ceacca7df4450c2224f90d37f2f1a4e0d22711072234bfcf4d40569c78db2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe

Filesize
6.0MB

MD5
17071b3a50aba05045c9cc758ad42598

SHA1
10ed87b56c28f2a8c4a1e90b136b1f6c1df93374

SHA256
ffbd15e4b7e0a3b083cecd06950832b2e1471a8320d8b09dbddf9f99c2875d2a

SHA512
7aec7566821b062debe988b1beb616da9c2e4da97607f30c909c77b102cba43b1ceacca7df4450c2224f90d37f2f1a4e0d22711072234bfcf4d40569c78db2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe

Filesize
6.0MB

MD5
17071b3a50aba05045c9cc758ad42598

SHA1
10ed87b56c28f2a8c4a1e90b136b1f6c1df93374

SHA256
ffbd15e4b7e0a3b083cecd06950832b2e1471a8320d8b09dbddf9f99c2875d2a

SHA512
7aec7566821b062debe988b1beb616da9c2e4da97607f30c909c77b102cba43b1ceacca7df4450c2224f90d37f2f1a4e0d22711072234bfcf4d40569c78db2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1bb69d

Filesize
7.5MB

MD5
ce18eebe306f2d606e36bfebb5c1c3d1

SHA1
bda6d8ca4eb9fcbd7285ae5ea0dc23f358fa85dd

SHA256
d9e637005ca925ba26247de7d6db71672c414fda47bb8b6aa288471a7695b59c

SHA512
279923110ea836e9314023d0a87de58364747bcc17248964748e811f86216f7cb80da036df62a5c36f3e925e8cb2144b5ea6aa6002fac22c38d4714f575bbef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeqjttxvijgjgu.exe

Filesize
6.0MB

MD5
17071b3a50aba05045c9cc758ad42598

SHA1
10ed87b56c28f2a8c4a1e90b136b1f6c1df93374

SHA256
ffbd15e4b7e0a3b083cecd06950832b2e1471a8320d8b09dbddf9f99c2875d2a

SHA512
7aec7566821b062debe988b1beb616da9c2e4da97607f30c909c77b102cba43b1ceacca7df4450c2224f90d37f2f1a4e0d22711072234bfcf4d40569c78db2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeqjttxvijgjgu.exe

Filesize
6.0MB

MD5
17071b3a50aba05045c9cc758ad42598

SHA1
10ed87b56c28f2a8c4a1e90b136b1f6c1df93374

SHA256
ffbd15e4b7e0a3b083cecd06950832b2e1471a8320d8b09dbddf9f99c2875d2a

SHA512
7aec7566821b062debe988b1beb616da9c2e4da97607f30c909c77b102cba43b1ceacca7df4450c2224f90d37f2f1a4e0d22711072234bfcf4d40569c78db2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmlubiuxvfccctaxtk.exe

Filesize
9.7MB

MD5
58d28558b5e2ffbb0238ed852b0fccf4

SHA1
88ce8d1c7a152d5b1095d0ace8815c597111454e

SHA256
ab636afce7424bcbdc93485835088b2594011df6a55346cde38fb6d3423eb820

SHA512
4607a9b40e0878bc06e5bc3c925e434b31ff3d70fa3257555b3a44b51bb011cd6e6aef9eae61cc472c33b3593a54f784c999ef8df71e452ae666b85d3e57b72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmlubiuxvfccctaxtk.exe

Filesize
9.7MB

MD5
58d28558b5e2ffbb0238ed852b0fccf4

SHA1
88ce8d1c7a152d5b1095d0ace8815c597111454e

SHA256
ab636afce7424bcbdc93485835088b2594011df6a55346cde38fb6d3423eb820

SHA512
4607a9b40e0878bc06e5bc3c925e434b31ff3d70fa3257555b3a44b51bb011cd6e6aef9eae61cc472c33b3593a54f784c999ef8df71e452ae666b85d3e57b72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\luruvkwgqrotrdonpg.exe

Filesize
5.9MB

MD5
286a068ad573c5dcec2d0cf9c00a0bad

SHA1
eb65d83fea63209de491d219fc49f8df3a5d60d0

SHA256
986bd8368c4788a406507a3bef55b382ec7d95ddb55b6a4377a9fbf5b96e160d

SHA512
078ae6b65a6b2d72dbafe7ac8f73416b26e4f8cfe51781079de8034d775a9914f43041c7bc65fa9c62bc615779930e8b67ed0bddfbdf1b3c5ec56a76ac496799

Download Submit
C:\Users\Admin\AppData\Local\Temp\luruvkwgqrotrdonpg.exe

Filesize
5.9MB

MD5
286a068ad573c5dcec2d0cf9c00a0bad

SHA1
eb65d83fea63209de491d219fc49f8df3a5d60d0

SHA256
986bd8368c4788a406507a3bef55b382ec7d95ddb55b6a4377a9fbf5b96e160d

SHA512
078ae6b65a6b2d72dbafe7ac8f73416b26e4f8cfe51781079de8034d775a9914f43041c7bc65fa9c62bc615779930e8b67ed0bddfbdf1b3c5ec56a76ac496799

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1sk.0.bat

Filesize
176B

MD5
ecec4017574eebf9814508868439acf6

SHA1
3b71fdc47a7acac567df9d1cafcbb0464131f8b2

SHA256
ca1221bdfd9366d0193b9daf86b0adf7ea05b73df3ad954fa66bd6de3cabaf71

SHA512
369b25a44fa1851d72befb15429e75ad1071cf369fa7ddd311293726677e21a29eb006bc4590d2d1185c24a1fca25d8f3854dc5792703c9ddcd84928050d49b8

Download Submit
C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe

Filesize
485KB

MD5
6bf3b86782b7911b76029737162ae206

SHA1
1b8009865c79b5674734ba4ce9a6905bed78182e

SHA256
535f67c47f811aa5b421904959dd6931396a52cdbb9ddb69bface741356dbbef

SHA512
385291ef2ba36b39fd6c7c5af08ad9127d60685e28d69e55152341f522b79f2f4ca3c1aa9e13575dbce0699d976b34dbb5985d08495ca22dc20ed323b7d80ba1

Download Submit
C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe

Filesize
485KB

MD5
6bf3b86782b7911b76029737162ae206

SHA1
1b8009865c79b5674734ba4ce9a6905bed78182e

SHA256
535f67c47f811aa5b421904959dd6931396a52cdbb9ddb69bface741356dbbef

SHA512
385291ef2ba36b39fd6c7c5af08ad9127d60685e28d69e55152341f522b79f2f4ca3c1aa9e13575dbce0699d976b34dbb5985d08495ca22dc20ed323b7d80ba1

Download Submit
C:\Users\Admin\AppData\Roaming\wshom\log.dll

Filesize
101KB

MD5
2fa3b395d39fb17762d35042153e9abf

SHA1
a1972168b08a1fa8d6fe75dd493f30119c03514e

SHA256
c12c8759549c64ef3002c0d0c5ce421632e98edb4e99175a2673af2bdcbd966f

SHA512
47566fd4192e93e8cdce2444298a29c37aad09e72ec0393f44549e8b481be135b01a6a6c1caf71f92a54edb9cf72ab3d449a7fe51fd8bb60e9ec2d3710569549

Download Submit
C:\Users\Admin\AppData\Roaming\wshom\log.dll

Filesize
101KB

MD5
2fa3b395d39fb17762d35042153e9abf

SHA1
a1972168b08a1fa8d6fe75dd493f30119c03514e

SHA256
c12c8759549c64ef3002c0d0c5ce421632e98edb4e99175a2673af2bdcbd966f

SHA512
47566fd4192e93e8cdce2444298a29c37aad09e72ec0393f44549e8b481be135b01a6a6c1caf71f92a54edb9cf72ab3d449a7fe51fd8bb60e9ec2d3710569549

Download Submit
C:\Users\Admin\AppData\Roaming\wshom\xeroderma.wav

Filesize
7.3MB

MD5
14e77d438d09d660687208291c5af2f4

SHA1
8ac0a010650253e967688eb73a406b40ca9b2570

SHA256
5ab63c89abee93f6c1e7c93acc51c9419781cc063586ff8312bb9595555447e4

SHA512
f34de0932bc2072de334f801f53abc4c603887e24d8d1eef25550afc1d2ee30a0200bc6d0295a1804cb07c312bdd782e89db19f6c9f51006e11ced359e71c1cd

Download Submit
memory/688-0-0x0000000000D60000-0x000000000114D000-memory.dmp

Filesize
3.9MB

Download
memory/1136-154-0x0000000074690000-0x000000007480B000-memory.dmp

Filesize
1.5MB

Download
memory/1136-26-0x0000000074690000-0x000000007480B000-memory.dmp

Filesize
1.5MB

Download
memory/1136-25-0x00007FF927C10000-0x00007FF927E05000-memory.dmp

Filesize
2.0MB

Download
memory/1136-24-0x0000000074690000-0x000000007480B000-memory.dmp

Filesize
1.5MB

Download
memory/1136-22-0x00000000001A0000-0x0000000000220000-memory.dmp

Filesize
512KB

Download
memory/1140-215-0x0000000002A60000-0x0000000002A80000-memory.dmp

Filesize
128KB

Download
memory/1140-227-0x0000000013510000-0x0000000013530000-memory.dmp

Filesize
128KB

Download
memory/1180-7-0x0000000000740000-0x0000000000FCE000-memory.dmp

Filesize
8.6MB

Download
memory/1180-8-0x0000000074690000-0x000000007480B000-memory.dmp

Filesize
1.5MB

Download
memory/1180-9-0x00007FF927C10000-0x00007FF927E05000-memory.dmp

Filesize
2.0MB

Download
memory/1180-11-0x0000000074690000-0x000000007480B000-memory.dmp

Filesize
1.5MB

Download
memory/1180-17-0x0000000074690000-0x000000007480B000-memory.dmp

Filesize
1.5MB

Download
memory/1180-151-0x0000000074690000-0x000000007480B000-memory.dmp

Filesize
1.5MB

Download
memory/1660-155-0x0000000074690000-0x000000007480B000-memory.dmp

Filesize
1.5MB

Download
memory/1660-169-0x0000000074690000-0x000000007480B000-memory.dmp

Filesize
1.5MB

Download
memory/1660-172-0x0000000074690000-0x000000007480B000-memory.dmp

Filesize
1.5MB

Download
memory/2324-39-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/2324-37-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/2324-44-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/2324-38-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/2324-48-0x0000000000B50000-0x0000000001B99000-memory.dmp

Filesize
16.3MB

Download
memory/2324-45-0x0000000000B50000-0x0000000001B99000-memory.dmp

Filesize
16.3MB

Download
memory/2324-58-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/2324-57-0x0000000000B50000-0x0000000001B99000-memory.dmp

Filesize
16.3MB

Download
memory/2324-40-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/2324-42-0x0000000000B50000-0x0000000001B99000-memory.dmp

Filesize
16.3MB

Download
memory/2324-47-0x0000000077084000-0x0000000077086000-memory.dmp

Filesize
8KB

Download
memory/2324-31-0x0000000000B50000-0x0000000001B99000-memory.dmp

Filesize
16.3MB

Download
memory/2324-30-0x0000000000B50000-0x0000000001B99000-memory.dmp

Filesize
16.3MB

Download
memory/2324-50-0x0000000000B50000-0x0000000001B99000-memory.dmp

Filesize
16.3MB

Download
memory/2324-49-0x0000000000B50000-0x0000000001B99000-memory.dmp

Filesize
16.3MB

Download
memory/2324-41-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/2324-43-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/2324-46-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4004-131-0x0000000000B50000-0x0000000001BD3000-memory.dmp

Filesize
16.5MB

Download
memory/4004-135-0x0000000000B50000-0x0000000001BD3000-memory.dmp

Filesize
16.5MB

Download
memory/4004-99-0x0000000000B50000-0x0000000001BD3000-memory.dmp

Filesize
16.5MB

Download
memory/4004-166-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4004-161-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4004-162-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4004-163-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4004-165-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4004-104-0x0000000000B50000-0x0000000001BD3000-memory.dmp

Filesize
16.5MB

Download
memory/4004-164-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4004-117-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4004-119-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4004-121-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4004-118-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4004-122-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4004-120-0x0000000000B50000-0x0000000001BD3000-memory.dmp

Filesize
16.5MB

Download
memory/4004-159-0x0000000000B50000-0x0000000001BD3000-memory.dmp

Filesize
16.5MB

Download
memory/4004-123-0x0000000000B50000-0x0000000001BD3000-memory.dmp

Filesize
16.5MB

Download
memory/4004-134-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4004-142-0x0000000000B50000-0x0000000001BD3000-memory.dmp

Filesize
16.5MB

Download
memory/4004-127-0x0000000000B50000-0x0000000001BD3000-memory.dmp

Filesize
16.5MB

Download
memory/4004-139-0x0000000000B50000-0x0000000001BD3000-memory.dmp

Filesize
16.5MB

Download
memory/4236-124-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4236-147-0x0000000000BC0000-0x0000000001C09000-memory.dmp

Filesize
16.3MB

Download
memory/4236-133-0x0000000000BC0000-0x0000000001C09000-memory.dmp

Filesize
16.3MB

Download
memory/4236-138-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4236-132-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4236-137-0x0000000000BC0000-0x0000000001C09000-memory.dmp

Filesize
16.3MB

Download
memory/4236-129-0x0000000000BC0000-0x0000000001C09000-memory.dmp

Filesize
16.3MB

Download
memory/4236-141-0x0000000000BC0000-0x0000000001C09000-memory.dmp

Filesize
16.3MB

Download
memory/4236-103-0x0000000000BC0000-0x0000000001C09000-memory.dmp

Filesize
16.3MB

Download
memory/4236-125-0x0000000000BC0000-0x0000000001C09000-memory.dmp

Filesize
16.3MB

Download
memory/4236-140-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4236-126-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4236-136-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4236-130-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4236-128-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4236-108-0x0000000000BC0000-0x0000000001C09000-memory.dmp

Filesize
16.3MB

Download
memory/4236-148-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4348-80-0x0000000000890000-0x0000000001913000-memory.dmp

Filesize
16.5MB

Download
memory/4348-73-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4348-76-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4348-77-0x0000000000890000-0x0000000001913000-memory.dmp

Filesize
16.5MB

Download
memory/4348-74-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4348-84-0x0000000000890000-0x0000000001913000-memory.dmp

Filesize
16.5MB

Download
memory/4348-79-0x0000000000890000-0x0000000001913000-memory.dmp

Filesize
16.5MB

Download
memory/4348-81-0x0000000000890000-0x0000000001913000-memory.dmp

Filesize
16.5MB

Download
memory/4348-82-0x0000000000890000-0x0000000001913000-memory.dmp

Filesize
16.5MB

Download
memory/4348-83-0x0000000000890000-0x0000000001913000-memory.dmp

Filesize
16.5MB

Download
memory/4348-98-0x0000000000890000-0x0000000001913000-memory.dmp

Filesize
16.5MB

Download
memory/4348-100-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4348-75-0x0000000000890000-0x0000000001913000-memory.dmp

Filesize
16.5MB

Download
memory/4348-78-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4348-72-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4348-63-0x0000000000890000-0x0000000001913000-memory.dmp

Filesize
16.5MB

Download
memory/4348-64-0x0000000000890000-0x0000000001913000-memory.dmp

Filesize
16.5MB

Download
memory/4348-71-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4736-191-0x00007FF6E71A0000-0x00007FF6E733B000-memory.dmp

Filesize
1.6MB

Download
memory/4996-186-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4996-187-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4996-188-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4996-189-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4996-185-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4996-221-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4996-220-0x0000000000B50000-0x0000000001BD3000-memory.dmp

Filesize
16.5MB

Download
memory/4996-184-0x0000000074ED0000-0x0000000074FC0000-memory.dmp

Filesize
960KB

Download
memory/4996-176-0x0000000000B50000-0x0000000001BD3000-memory.dmp

Filesize
16.5MB

Download