amadey | ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3

Resubmissions

26-03-2024 19:10

240326-xvpl2acg8y 10

26-03-2024 18:55

240326-xkxvnace4s 10

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exe
Size

1.8MB
MD5

644930f420117e3d11ac8391a9de30d5
SHA1

8ceea30914eb12ded4e9a3e6fb71723ff041ef58
SHA256

ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3
SHA512

92dea7b748d373fc5571e19ea5018ac55fae990e755c9d4c45aa7a2209b62cd8b995564dad2708a4e5725a59e2fc936f9b45a60467e731c3ecf14b794816a1bd
SSDEEP

49152:N1WEzgWZv1PIbxfn7ealgtg8SWp2mjjf8zFmOP0KRS:Nx3p1Qf7eRt1SWl0zwOMKY

Score

10^/10

amadey risepro evasion persistence spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exeexplorha.exeexplorha.exe857b8e0eca.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	857b8e0eca.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

60 4724 rundll32.exe
78 704 rundll32.exe
100 3692 rundll32.exe
101 1732 rundll32.exe
Downloads MZ/PE file

flow	pid	process
60	4724	rundll32.exe
78	704	rundll32.exe
100	3692	rundll32.exe
101	1732	rundll32.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exeexplorha.exe857b8e0eca.exeexplorha.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	857b8e0eca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	857b8e0eca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exeexplorha.exechrosha.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	explorha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	chrosha.exe

Drops startup file 5 IoCs

Processes:

CasPol.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WVNgYnuBe9sbL0iClKHCq3f5.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hWTmreYBDY0QUHJjmcXHY7HC.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qCNcW2NdXu0dkN4L8hB6mLqH.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tn3H8vLzvBwOvkBBTQkLFuBq.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t9RkErH8vIDPr0svallSwoEr.bat	CasPol.exe

Executes dropped EXE 12 IoCs

Processes:

explorha.exeexplorha.exe857b8e0eca.exelumma21.exeexplorha.exechrosha.exelummalg.exeun300un.exenHymOUq2r0HQOkvV36lOyKuE.exeI3g0lQD3Zsv6SYNXDeN55THe.exemGO8QPCFd4KNeRgk4eqUjnUG.exe6KV22eqGefcYb3e5FgGYJTzI.exe

pid	process
968	explorha.exe
4084	explorha.exe
4008	857b8e0eca.exe
4656	lumma21.exe
2240	explorha.exe
4412	chrosha.exe
3984	lummalg.exe
4356	un300un.exe
1036	nHymOUq2r0HQOkvV36lOyKuE.exe
3472	I3g0lQD3Zsv6SYNXDeN55THe.exe
3500	mGO8QPCFd4KNeRgk4eqUjnUG.exe
4188	6KV22eqGefcYb3e5FgGYJTzI.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exe857b8e0eca.exeexplorha.exeebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine	857b8e0eca.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine	ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine	explorha.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

3888 rundll32.exe
4724 rundll32.exe
704 rundll32.exe
508 rundll32.exe
3692 rundll32.exe
1732 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3888	rundll32.exe
4724	rundll32.exe
704	rundll32.exe
508	rundll32.exe
3692	rundll32.exe
1732	rundll32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\uss.1.exe	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\857b8e0eca.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000022001\\857b8e0eca.exe"	explorha.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

102 pastebin.com
104 pastebin.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exeexplorha.exeexplorha.exeexplorha.exe

pid process

3752 ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exe
968 explorha.exe
4084 explorha.exe
2240 explorha.exe

flow	ioc
102	pastebin.com
104	pastebin.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

lummalg.exeun300un.exe

description	pid	process	target process
PID 3984 set thread context of 2024	3984	lummalg.exe	RegAsm.exe
PID 4356 set thread context of 2140	4356	un300un.exe	CasPol.exe

Drops file in Windows directory 2 IoCs

Processes:

ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exelumma21.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exe
File created	C:\Windows\Tasks\chrosha.job	lumma21.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4828 1036 WerFault.exe nHymOUq2r0HQOkvV36lOyKuE.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2400 schtasks.exe

pid	pid_target	process	target process
4828	1036	WerFault.exe	nHymOUq2r0HQOkvV36lOyKuE.exe

pid	process
2400	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exeexplorha.exeexplorha.exerundll32.exepowershell.exeexplorha.exerundll32.exepowershell.exe

pid	process
3752	ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exe
3752	ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exe
968	explorha.exe
968	explorha.exe
4084	explorha.exe
4084	explorha.exe
4724	rundll32.exe
4724	rundll32.exe
4724	rundll32.exe
4724	rundll32.exe
4724	rundll32.exe
4724	rundll32.exe
4724	rundll32.exe
4724	rundll32.exe
4724	rundll32.exe
4724	rundll32.exe
1092	powershell.exe
1092	powershell.exe
1092	powershell.exe
2240	explorha.exe
2240	explorha.exe
3692	rundll32.exe
3692	rundll32.exe
3692	rundll32.exe
3692	rundll32.exe
3692	rundll32.exe
3692	rundll32.exe
3692	rundll32.exe
3692	rundll32.exe
3692	rundll32.exe
3692	rundll32.exe
3944	powershell.exe
3944	powershell.exe
3944	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeCasPol.exe

description pid process

Token: SeDebugPrivilege 1092 powershell.exe
Token: SeDebugPrivilege 3944 powershell.exe
Token: SeDebugPrivilege 2140 CasPol.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exelumma21.exe

pid process

3752 ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exe
4656 lumma21.exe

description	pid	process
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	2140	CasPol.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exeexplorha.exerundll32.exerundll32.exechrosha.exelummalg.exerundll32.exerundll32.exeun300un.exe

description	pid	process	target process
PID 3752 wrote to memory of 968	3752	ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exe	explorha.exe
PID 3752 wrote to memory of 968	3752	ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exe	explorha.exe
PID 3752 wrote to memory of 968	3752	ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exe	explorha.exe
PID 968 wrote to memory of 3888	968	explorha.exe	rundll32.exe
PID 968 wrote to memory of 3888	968	explorha.exe	rundll32.exe
PID 968 wrote to memory of 3888	968	explorha.exe	rundll32.exe
PID 968 wrote to memory of 4008	968	explorha.exe	857b8e0eca.exe
PID 968 wrote to memory of 4008	968	explorha.exe	857b8e0eca.exe
PID 968 wrote to memory of 4008	968	explorha.exe	857b8e0eca.exe
PID 3888 wrote to memory of 4724	3888	rundll32.exe	rundll32.exe
PID 3888 wrote to memory of 4724	3888	rundll32.exe	rundll32.exe
PID 4724 wrote to memory of 3328	4724	rundll32.exe	netsh.exe
PID 4724 wrote to memory of 3328	4724	rundll32.exe	netsh.exe
PID 4724 wrote to memory of 1092	4724	rundll32.exe	powershell.exe
PID 4724 wrote to memory of 1092	4724	rundll32.exe	powershell.exe
PID 968 wrote to memory of 704	968	explorha.exe	rundll32.exe
PID 968 wrote to memory of 704	968	explorha.exe	rundll32.exe
PID 968 wrote to memory of 704	968	explorha.exe	rundll32.exe
PID 968 wrote to memory of 4728	968	explorha.exe	explorha.exe
PID 968 wrote to memory of 4728	968	explorha.exe	explorha.exe
PID 968 wrote to memory of 4728	968	explorha.exe	explorha.exe
PID 968 wrote to memory of 4656	968	explorha.exe	lumma21.exe
PID 968 wrote to memory of 4656	968	explorha.exe	lumma21.exe
PID 968 wrote to memory of 4656	968	explorha.exe	lumma21.exe
PID 4412 wrote to memory of 3984	4412	chrosha.exe	lummalg.exe
PID 4412 wrote to memory of 3984	4412	chrosha.exe	lummalg.exe
PID 4412 wrote to memory of 3984	4412	chrosha.exe	lummalg.exe
PID 3984 wrote to memory of 2024	3984	lummalg.exe	RegAsm.exe
PID 3984 wrote to memory of 2024	3984	lummalg.exe	RegAsm.exe
PID 3984 wrote to memory of 2024	3984	lummalg.exe	RegAsm.exe
PID 3984 wrote to memory of 2024	3984	lummalg.exe	RegAsm.exe
PID 3984 wrote to memory of 2024	3984	lummalg.exe	RegAsm.exe
PID 3984 wrote to memory of 2024	3984	lummalg.exe	RegAsm.exe
PID 3984 wrote to memory of 2024	3984	lummalg.exe	RegAsm.exe
PID 3984 wrote to memory of 2024	3984	lummalg.exe	RegAsm.exe
PID 3984 wrote to memory of 2024	3984	lummalg.exe	RegAsm.exe
PID 4412 wrote to memory of 508	4412	chrosha.exe	rundll32.exe
PID 4412 wrote to memory of 508	4412	chrosha.exe	rundll32.exe
PID 4412 wrote to memory of 508	4412	chrosha.exe	rundll32.exe
PID 508 wrote to memory of 3692	508	rundll32.exe	rundll32.exe
PID 508 wrote to memory of 3692	508	rundll32.exe	rundll32.exe
PID 3692 wrote to memory of 4912	3692	rundll32.exe	netsh.exe
PID 3692 wrote to memory of 4912	3692	rundll32.exe	netsh.exe
PID 3692 wrote to memory of 3944	3692	rundll32.exe	powershell.exe
PID 3692 wrote to memory of 3944	3692	rundll32.exe	powershell.exe
PID 4412 wrote to memory of 1732	4412	chrosha.exe	rundll32.exe
PID 4412 wrote to memory of 1732	4412	chrosha.exe	rundll32.exe
PID 4412 wrote to memory of 1732	4412	chrosha.exe	rundll32.exe
PID 4412 wrote to memory of 4356	4412	chrosha.exe	un300un.exe
PID 4412 wrote to memory of 4356	4412	chrosha.exe	un300un.exe
PID 4356 wrote to memory of 3380	4356	un300un.exe	AddInProcess32.exe
PID 4356 wrote to memory of 3380	4356	un300un.exe	AddInProcess32.exe
PID 4356 wrote to memory of 3380	4356	un300un.exe	AddInProcess32.exe
PID 4356 wrote to memory of 2736	4356	un300un.exe	regsvcs.exe
PID 4356 wrote to memory of 2736	4356	un300un.exe	regsvcs.exe
PID 4356 wrote to memory of 2736	4356	un300un.exe	regsvcs.exe
PID 4356 wrote to memory of 2140	4356	un300un.exe	CasPol.exe
PID 4356 wrote to memory of 2140	4356	un300un.exe	CasPol.exe
PID 4356 wrote to memory of 2140	4356	un300un.exe	CasPol.exe
PID 4356 wrote to memory of 2140	4356	un300un.exe	CasPol.exe
PID 4356 wrote to memory of 2140	4356	un300un.exe	CasPol.exe
PID 4356 wrote to memory of 2140	4356	un300un.exe	CasPol.exe
PID 4356 wrote to memory of 2140	4356	un300un.exe	CasPol.exe
PID 4356 wrote to memory of 2140	4356	un300un.exe	CasPol.exe

C:\Users\Admin\AppData\Local\Temp\ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exe
"C:\Users\Admin\AppData\Local\Temp\ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3752

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\system32\netsh.exe
netsh wlan show profiles
5⤵
PID:3328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\098131212907_Desktop.zip' -CompressionLevel Optimal
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Users\Admin\AppData\Local\Temp\1000022001\857b8e0eca.exe
"C:\Users\Admin\AppData\Local\Temp\1000022001\857b8e0eca.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:4008

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:704

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
3⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\1000037001\lumma21.exe
"C:\Users\Admin\AppData\Local\Temp\1000037001\lumma21.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:4656

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4084

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412

C:\Users\Admin\AppData\Local\Temp\1000103001\lummalg.exe
"C:\Users\Admin\AppData\Local\Temp\1000103001\lummalg.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2024

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:4912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\098131212907_Desktop.zip' -CompressionLevel Optimal
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1732

C:\Users\Admin\AppData\Local\Temp\1000105001\un300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000105001\un300un.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
3⤵
PID:3380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
3⤵
PID:2736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Users\Admin\Pictures\nHymOUq2r0HQOkvV36lOyKuE.exe
"C:\Users\Admin\Pictures\nHymOUq2r0HQOkvV36lOyKuE.exe"
4⤵
- Executes dropped EXE
PID:1036

C:\Users\Admin\AppData\Local\Temp\uss.0.exe
"C:\Users\Admin\AppData\Local\Temp\uss.0.exe"
5⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\uss.1.exe
"C:\Users\Admin\AppData\Local\Temp\uss.1.exe"
5⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
6⤵
PID:2644

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:3752

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
7⤵
- Creates scheduled task(s)
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1424
5⤵
- Program crash
PID:4828

C:\Users\Admin\Pictures\I3g0lQD3Zsv6SYNXDeN55THe.exe
"C:\Users\Admin\Pictures\I3g0lQD3Zsv6SYNXDeN55THe.exe"
4⤵
- Executes dropped EXE
PID:3472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:368

C:\Users\Admin\Pictures\mGO8QPCFd4KNeRgk4eqUjnUG.exe
"C:\Users\Admin\Pictures\mGO8QPCFd4KNeRgk4eqUjnUG.exe"
4⤵
- Executes dropped EXE
PID:3500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:4960

C:\Users\Admin\Pictures\mGO8QPCFd4KNeRgk4eqUjnUG.exe
"C:\Users\Admin\Pictures\mGO8QPCFd4KNeRgk4eqUjnUG.exe"
5⤵
PID:2444

C:\Users\Admin\Pictures\6KV22eqGefcYb3e5FgGYJTzI.exe
"C:\Users\Admin\Pictures\6KV22eqGefcYb3e5FgGYJTzI.exe"
4⤵
- Executes dropped EXE
PID:4188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:3260

C:\Users\Admin\Pictures\6KV22eqGefcYb3e5FgGYJTzI.exe
"C:\Users\Admin\Pictures\6KV22eqGefcYb3e5FgGYJTzI.exe"
5⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1036 -ip 1036
1⤵
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
fe3aab3ae544a134b68e881b82b70169

SHA1
926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

SHA256
bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

SHA512
3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
f486926b6a2dfecee27ee66cda7baafd

SHA1
1a7e77522be903a2ccff4057fc2d9982f6940eb3

SHA256
abd826088f38dca0a426cde67da37c179c68f1ad91853c11963678b4bbcbd59d

SHA512
d13feff40c714dbba96189e5e9b8fa970d09c4effe40425f9fa7234394c0c95531e891f36571858e9d9ff9fcfcdfbebf81595cdf01b2d1a4f62b4dbde93e03ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2730b7b80e5162a8019025bbea798685

SHA1
69b6904d93ad582be522851e1b138c7b6fbcc0ed

SHA256
f4365abd73df4d70be9dcc12dc128f8ad504add56e13b2e245ccadd4322a7290

SHA512
d00ad4fdd762dba4babc8222c6b3a7747a67bf708abe6e5dba06378a88ad7312e69b1987896439f43fb652a0b71afec511b3e7cb4d9d43d92659632015da5771

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
Filesize
1.8MB

MD5
644930f420117e3d11ac8391a9de30d5

SHA1
8ceea30914eb12ded4e9a3e6fb71723ff041ef58

SHA256
ebde61add0ff4e2a11d479edc5513f694022063bc2db8eebcdfb2fd9f2b6bfe3

SHA512
92dea7b748d373fc5571e19ea5018ac55fae990e755c9d4c45aa7a2209b62cd8b995564dad2708a4e5725a59e2fc936f9b45a60467e731c3ecf14b794816a1bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000022001\857b8e0eca.exe
Filesize
3.0MB

MD5
c9de505b9585b0731d4ad6ff04f257ca

SHA1
4b50e8269112c8385959e11cc20d165b617dda7e

SHA256
6d43839a8e57cd6955733420371c093165c4bc1421ec172784101ca1fd564537

SHA512
e721d78bfa67885acd54226434eb7a2acdead1380a802e07020bbd586c0551084d74479df5193b554cbcff34f7ad2962712430acb73e0f9976f75d06595f16a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000037001\lumma21.exe
Filesize
413KB

MD5
d467222c3bd563cb72fa49302f80b079

SHA1
9335e2a36abb8309d8a2075faf78d66b968b2a91

SHA256
fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

SHA512
484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000103001\lummalg.exe
Filesize
350KB

MD5
04df085b57814d1a1accead4e153909e

SHA1
6d277da314ef185ba9072a9b677b599b1f46c35b

SHA256
91a36d137ebfa812b055728807e11338d15d3a5d869cb4babdf779266688e4dd

SHA512
f37678424e46e4f28e1047161db60ad737515558c8c8905ed598ca96b198304da7356e49e7bb9d1e77fe75372f0b5a7f670a353d093749c37bb85c40ec7fdafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000105001\un300un.exe
Filesize
4.1MB

MD5
8803d74d52bcda67e9b889bd6cc5823e

SHA1
884a1fa1ae3d53bc435d34f912c0068e789a8b25

SHA256
627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3

SHA512
c190ca373875789477a755f6246565bc7cb5744f1d5f62037e71d3595c1023f587f34a2437d9691ad96cde789026b7c2896110935e58cc2f1498cfea5d0d9564

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kktvj5g0.qy3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\uss.0.exe
Filesize
299KB

MD5
bf81c7e629eaa2c4a995c9945b98a933

SHA1
145f783f7ea60f1a759dcd2fcc8cb501dac868df

SHA256
7ec38e1e46dbe3557ac9e7dadf0c1adf7e189f2ab820df7f6e08443b5333b1c5

SHA512
fcf7bd1ac1da2e3ce8199cfc462c589f5e303744dfa29eebf4a24e526db3a23221cc8d2198a33af7ab7115e9b5b00f11a6e33e889710536d9e1e4e15ac66d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\uss.1.exe
Filesize
1.7MB

MD5
eee5ddcffbed16222cac0a1b4e2e466e

SHA1
28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5

SHA256
2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54

SHA512
8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
C:\Users\Admin\Pictures\6KV22eqGefcYb3e5FgGYJTzI.exe
Filesize
4.2MB

MD5
18f895ab89f981c760469b745619f473

SHA1
3a5b2cb6a591bd4dfc7c8f2e9fa99d3e608b11ac

SHA256
4f68c9725fe7f5e055174ee8b1766cb118f5df986b00134c3d3fb850d135dc42

SHA512
a7597458dc132a4e5fa281eb6c671dbafc83860e3fec812ba69e69305f3a3274e353d5d2d3386225e64d386b8feac8d1fd5a22e0b30ea695b3df07aac52410a9

Download Submit
C:\Users\Admin\Pictures\6KV22eqGefcYb3e5FgGYJTzI.exe
Filesize
128KB

MD5
d69cafe7957976668863504587120ea8

SHA1
623836075303bfcef7e36afc77e37a5bb99581f1

SHA256
d68cad6be2254a463b405d682d9d4fdba0267da0209e5caf380f8deb086b0f37

SHA512
a010319c2a5a6059560168409cef3a3d3caa9ca5e5d53aada8393e8640e21e8528d1dce77636a7a3251cd004dd67c97b1a1343b6c163ec5d55c8868e838ac0ad

Download Submit
C:\Users\Admin\Pictures\I3g0lQD3Zsv6SYNXDeN55THe.exe
Filesize
4.2MB

MD5
14129c0f718fe1025afb38409a87e557

SHA1
dc6e8d64bd67dea1010ce41233d3a58466060707

SHA256
36dc2c54f49d449388e8816cb7933ac5f52228203172b13d6c95c462da1b0d4d

SHA512
077eab45b87302dd32baf43f00bfeddea3b19fbba6900406c266215f1adb4b22e0034e91bbd0ea6363bbe38313913bde47f78b2522c935d8f54e6bde8e693346

Download Submit
C:\Users\Admin\Pictures\jt9EkawxHz5NYVmusEMBhiql.exe
Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\mGO8QPCFd4KNeRgk4eqUjnUG.exe
Filesize
1.1MB

MD5
f3985b27d3d31587addce47b04b7249a

SHA1
338d106bec988c19e9ec8346152da9a29178d436

SHA256
32685ed7b109ca4d610e1bbdb150c26ebdcd61c900768093ff35c60176865eb2

SHA512
0bd330570d0690ff7674a637a3e016bfb35643b266876a3142becf4ac0062ee8eed7bb32f7a6df5213d73d9fb7400c68e2647516259a4f5145178c44ff6de989

Download Submit
C:\Users\Admin\Pictures\mGO8QPCFd4KNeRgk4eqUjnUG.exe
Filesize
832KB

MD5
3da953479878beedf8c9accdf7f9d215

SHA1
e1ccb9254a2265cdf222c367b42805fd408699fe

SHA256
cee6a43429bfd1b7936e21c668dc3cef4c5171b06f7bf6858e8bdf105aeac48f

SHA512
9b1f57a78df9609707ca3788d01663f11ce47dfbec2ff7b5c6e2f696b114fd1d23f177ec93025ec6f46e9540cb8822bd817c14bba5737e8a3d42ddfeb32e4cf8

Download Submit
C:\Users\Admin\Pictures\mGO8QPCFd4KNeRgk4eqUjnUG.exe
Filesize
512KB

MD5
25888798c6a30165f500ae6005809f76

SHA1
23f9df84415f65bbd5673b0d0e9659c700064ac5

SHA256
56f117033350854f216960e56df2550e3540a78de44f7bb68063f793ab86833c

SHA512
b238875972e90852d5c1bc58d7396f00eec67af6db0fce73fea8aff9093b3ab4e98f0e8e84fdaea7cf2f2e295532423698a9b4f57a38a976d67277fe52ddc5cd

Download Submit
C:\Users\Admin\Pictures\nHymOUq2r0HQOkvV36lOyKuE.exe
Filesize
443KB

MD5
a825a478aced95f8226c1aac334badf1

SHA1
76053bb1f3091cff4ee766c09e4ab6a188ef930e

SHA256
d240c502306ef7352c0ec765d71399532bba2276231e663cbcbf88d7171df9fa

SHA512
9947428e15180174abce0f1565ae0a80715e0e3a15126c50de3bdc9cd5b8586a98e75a14f47d1dbf2c1925ca15c98c80b156aea46990e90ce9d30a0859bd0439

Download Submit
memory/968-169-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/968-236-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/968-37-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/968-35-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/968-34-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/968-33-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/968-32-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/968-30-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/968-282-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/968-31-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/968-406-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/968-138-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/968-48-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/968-27-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/968-29-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/968-28-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/968-26-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/968-136-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/968-25-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/968-36-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/968-189-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/968-203-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/968-114-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/968-24-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/968-100-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/968-140-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/1036-283-0x0000000000B30000-0x0000000000C30000-memory.dmp

Filesize
1024KB

Download
memory/1036-499-0x0000000000400000-0x0000000000B18000-memory.dmp

Filesize
7.1MB

Download
memory/1092-99-0x00007FF998B00000-0x00007FF9995C1000-memory.dmp

Filesize
10.8MB

Download
memory/1092-93-0x000002126B4A0000-0x000002126B4AA000-memory.dmp

Filesize
40KB

Download
memory/1092-92-0x000002126B810000-0x000002126B822000-memory.dmp

Filesize
72KB

Download
memory/1092-91-0x000002126B1B0000-0x000002126B1C0000-memory.dmp

Filesize
64KB

Download
memory/1092-90-0x00007FF998B00000-0x00007FF9995C1000-memory.dmp

Filesize
10.8MB

Download
memory/1092-85-0x000002126B360000-0x000002126B382000-memory.dmp

Filesize
136KB

Download
memory/1276-388-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2024-187-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2024-182-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2024-178-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2024-186-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2024-185-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2024-188-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2140-258-0x0000000072510000-0x0000000072CC0000-memory.dmp

Filesize
7.7MB

Download
memory/2140-259-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/2140-257-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-148-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/2240-152-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/2240-151-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/2240-150-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/2240-149-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/2240-146-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/2240-147-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/2240-145-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/3752-8-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/3752-4-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/3752-1-0x0000000076F14000-0x0000000076F16000-memory.dmp

Filesize
8KB

Download
memory/3752-9-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/3752-0-0x0000000000F70000-0x000000000141F000-memory.dmp

Filesize
4.7MB

Download
memory/3752-23-0x0000000000F70000-0x000000000141F000-memory.dmp

Filesize
4.7MB

Download
memory/3752-10-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/3752-6-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/3752-5-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/3752-11-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/3752-7-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/3752-2-0x0000000000F70000-0x000000000141F000-memory.dmp

Filesize
4.7MB

Download
memory/3752-3-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/3944-216-0x00007FF999E50000-0x00007FF99A911000-memory.dmp

Filesize
10.8MB

Download
memory/3944-218-0x000001FAC7AA0000-0x000001FAC7AB0000-memory.dmp

Filesize
64KB

Download
memory/3944-219-0x000001FAC7AA0000-0x000001FAC7AB0000-memory.dmp

Filesize
64KB

Download
memory/3944-224-0x00007FF999E50000-0x00007FF99A911000-memory.dmp

Filesize
10.8MB

Download
memory/3984-215-0x0000000002DA0000-0x0000000004DA0000-memory.dmp

Filesize
32.0MB

Download
memory/3984-183-0x0000000072530000-0x0000000072CE0000-memory.dmp

Filesize
7.7MB

Download
memory/3984-174-0x0000000000A10000-0x0000000000A6E000-memory.dmp

Filesize
376KB

Download
memory/3984-184-0x0000000002DA0000-0x0000000004DA0000-memory.dmp

Filesize
32.0MB

Download
memory/3984-175-0x0000000072530000-0x0000000072CE0000-memory.dmp

Filesize
7.7MB

Download
memory/4008-139-0x0000000000290000-0x0000000000631000-memory.dmp

Filesize
3.6MB

Download
memory/4008-79-0x0000000000290000-0x0000000000631000-memory.dmp

Filesize
3.6MB

Download
memory/4008-205-0x0000000000290000-0x0000000000631000-memory.dmp

Filesize
3.6MB

Download
memory/4008-190-0x0000000000290000-0x0000000000631000-memory.dmp

Filesize
3.6MB

Download
memory/4008-173-0x0000000000290000-0x0000000000631000-memory.dmp

Filesize
3.6MB

Download
memory/4008-141-0x0000000000290000-0x0000000000631000-memory.dmp

Filesize
3.6MB

Download
memory/4008-137-0x0000000000290000-0x0000000000631000-memory.dmp

Filesize
3.6MB

Download
memory/4008-135-0x0000000000290000-0x0000000000631000-memory.dmp

Filesize
3.6MB

Download
memory/4008-297-0x0000000000290000-0x0000000000631000-memory.dmp

Filesize
3.6MB

Download
memory/4008-134-0x0000000000290000-0x0000000000631000-memory.dmp

Filesize
3.6MB

Download
memory/4008-101-0x0000000000290000-0x0000000000631000-memory.dmp

Filesize
3.6MB

Download
memory/4008-237-0x0000000000290000-0x0000000000631000-memory.dmp

Filesize
3.6MB

Download
memory/4008-76-0x0000000000290000-0x0000000000631000-memory.dmp

Filesize
3.6MB

Download
memory/4008-490-0x0000000000290000-0x0000000000631000-memory.dmp

Filesize
3.6MB

Download
memory/4084-46-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/4084-44-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/4084-47-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/4084-45-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/4084-43-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/4084-41-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/4084-42-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/4084-40-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download
memory/4084-39-0x0000000000B20000-0x0000000000FCF000-memory.dmp

Filesize
4.7MB

Download