amadey | 929a07d2cea387dd4f1760e689c0814d0a9d22a3db3bffe147027c377c45d332

Analysis

max time kernel
27s
max time network
147s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

929a07d2cea387dd4f1760e689c0814d0a9d22a3db3bffe147027c377c45d332.exe
Size

1.8MB
MD5

7d9afc35fad93d00174000bf815c3981
SHA1

e35b98aea100d3e4001bc6868cca01fb0a2791d5
SHA256

929a07d2cea387dd4f1760e689c0814d0a9d22a3db3bffe147027c377c45d332
SHA512

77a9f022d3257d8df846d4fd18ee0b811b091ce60251ef36fd6514f856cb2eafc08aa946fbb575b1d147ea2500ec647234ee95383b964f3e3b31477eaf86a198
SSDEEP

49152:nT1D+jIw717LdIiS9vi9EqvJZ68P3yXJRHcST:T1ST711IiSofc4iX78

Score

10^/10

amadey redline risepro 0e6740 e76b71 newbild evasion execution infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

newbild

185.215.113.67:40960

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001865b-208.dat	family_redline
behavioral1/memory/2296-244-0x0000000001100000-0x0000000001150000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000017472-245.dat	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/2692-460-0x000000013F350000-0x0000000140585000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000017472-245.dat	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2692-460-0x000000013F350000-0x0000000140585000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables containing URLs to raw contents of a Github gist 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000017472-245.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2692-460-0x000000013F350000-0x0000000140585000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Detects executables containing possible sandbox system UUIDs 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000017472-245.dat	INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs
behavioral1/memory/2692-460-0x000000013F350000-0x0000000140585000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs

Detects executables referencing many IR and analysis tools 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000017472-245.dat	INDICATOR_SUSPICIOUS_References_SecTools
behavioral1/memory/2692-460-0x000000013F350000-0x0000000140585000-memory.dmp	INDICATOR_SUSPICIOUS_References_SecTools

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	929a07d2cea387dd4f1760e689c0814d0a9d22a3db3bffe147027c377c45d332.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a721cb567f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2740	powershell.exe
2476	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	929a07d2cea387dd4f1760e689c0814d0a9d22a3db3bffe147027c377c45d332.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	929a07d2cea387dd4f1760e689c0814d0a9d22a3db3bffe147027c377c45d332.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a721cb567f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a721cb567f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe

Executes dropped EXE 13 IoCs

pid	Process
2684	explortu.exe
2676	explortu.exe
1264	a721cb567f.exe
2188	axplong.exe
1920	8b4aba7a44.exe
412	45274e37d0.exe
2532	judit.exe
2296	redline123123.exe
2692	stub.exe
1488	upd.exe
2652	setup222.exe
2820	gold.exe
2344	lummac2.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	a721cb567f.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	929a07d2cea387dd4f1760e689c0814d0a9d22a3db3bffe147027c377c45d332.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	explortu.exe

Loads dropped DLL 22 IoCs

pid	Process
2000	929a07d2cea387dd4f1760e689c0814d0a9d22a3db3bffe147027c377c45d332.exe
2684	explortu.exe
2684	explortu.exe
1264	a721cb567f.exe
2684	explortu.exe
2684	explortu.exe
2188	axplong.exe
2188	axplong.exe
2532	judit.exe
2692	stub.exe
2188	axplong.exe
2188	axplong.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2188	axplong.exe
2188	axplong.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe
2188	axplong.exe
2188	axplong.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b4aba7a44.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\8b4aba7a44.exe"	explortu.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
72	pastebin.com
73	pastebin.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00060000000164ec-98.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
2000	929a07d2cea387dd4f1760e689c0814d0a9d22a3db3bffe147027c377c45d332.exe
2684	explortu.exe
2676	explortu.exe
1264	a721cb567f.exe
2188	axplong.exe
2676	explortu.exe
1920	8b4aba7a44.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2684 set thread context of 2676	2684	explortu.exe	29

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	a721cb567f.exe
File created	C:\Windows\Tasks\explortu.job	929a07d2cea387dd4f1760e689c0814d0a9d22a3db3bffe147027c377c45d332.exe

Launches sc.exe 18 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1900	sc.exe
3000	sc.exe
2668	sc.exe
1604	sc.exe
1556	sc.exe
384	sc.exe
2044	sc.exe
1728	sc.exe
1940	sc.exe
2568	sc.exe
1864	sc.exe
1900	sc.exe
2736	sc.exe
2808	sc.exe
2328	sc.exe
2972	sc.exe
2968	sc.exe
356	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2040	1488	WerFault.exe	53
2464	2820	WerFault.exe	56

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup222.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	setup222.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	setup222.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	setup222.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2000	929a07d2cea387dd4f1760e689c0814d0a9d22a3db3bffe147027c377c45d332.exe
2684	explortu.exe
1264	a721cb567f.exe
2188	axplong.exe
2944	chrome.exe
2944	chrome.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe
Token: SeShutdownPrivilege	2944	chrome.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
2000	929a07d2cea387dd4f1760e689c0814d0a9d22a3db3bffe147027c377c45d332.exe
1264	a721cb567f.exe
412	45274e37d0.exe
412	45274e37d0.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
412	45274e37d0.exe
412	45274e37d0.exe
2944	chrome.exe
2944	chrome.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
412	45274e37d0.exe
412	45274e37d0.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe
412	45274e37d0.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2676	explortu.exe
1920	8b4aba7a44.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2684	2000	929a07d2cea387dd4f1760e689c0814d0a9d22a3db3bffe147027c377c45d332.exe	28
PID 2000 wrote to memory of 2684	2000	929a07d2cea387dd4f1760e689c0814d0a9d22a3db3bffe147027c377c45d332.exe	28
PID 2000 wrote to memory of 2684	2000	929a07d2cea387dd4f1760e689c0814d0a9d22a3db3bffe147027c377c45d332.exe	28
PID 2000 wrote to memory of 2684	2000	929a07d2cea387dd4f1760e689c0814d0a9d22a3db3bffe147027c377c45d332.exe	28
PID 2684 wrote to memory of 2676	2684	explortu.exe	29
PID 2684 wrote to memory of 2676	2684	explortu.exe	29
PID 2684 wrote to memory of 2676	2684	explortu.exe	29
PID 2684 wrote to memory of 2676	2684	explortu.exe	29
PID 2684 wrote to memory of 2676	2684	explortu.exe	29
PID 2684 wrote to memory of 2676	2684	explortu.exe	29
PID 2684 wrote to memory of 2676	2684	explortu.exe	29
PID 2684 wrote to memory of 2676	2684	explortu.exe	29
PID 2684 wrote to memory of 2676	2684	explortu.exe	29
PID 2684 wrote to memory of 2676	2684	explortu.exe	29
PID 2684 wrote to memory of 2676	2684	explortu.exe	29
PID 2684 wrote to memory of 2676	2684	explortu.exe	29
PID 2684 wrote to memory of 1264	2684	explortu.exe	31
PID 2684 wrote to memory of 1264	2684	explortu.exe	31
PID 2684 wrote to memory of 1264	2684	explortu.exe	31
PID 2684 wrote to memory of 1264	2684	explortu.exe	31
PID 1264 wrote to memory of 2188	1264	a721cb567f.exe	32
PID 1264 wrote to memory of 2188	1264	a721cb567f.exe	32
PID 1264 wrote to memory of 2188	1264	a721cb567f.exe	32
PID 1264 wrote to memory of 2188	1264	a721cb567f.exe	32
PID 2684 wrote to memory of 1920	2684	explortu.exe	33
PID 2684 wrote to memory of 1920	2684	explortu.exe	33
PID 2684 wrote to memory of 1920	2684	explortu.exe	33
PID 2684 wrote to memory of 1920	2684	explortu.exe	33
PID 2684 wrote to memory of 412	2684	explortu.exe	34
PID 2684 wrote to memory of 412	2684	explortu.exe	34
PID 2684 wrote to memory of 412	2684	explortu.exe	34
PID 2684 wrote to memory of 412	2684	explortu.exe	34
PID 412 wrote to memory of 2944	412	45274e37d0.exe	35
PID 412 wrote to memory of 2944	412	45274e37d0.exe	35
PID 412 wrote to memory of 2944	412	45274e37d0.exe	35
PID 412 wrote to memory of 2944	412	45274e37d0.exe	35
PID 2944 wrote to memory of 2968	2944	chrome.exe	36
PID 2944 wrote to memory of 2968	2944	chrome.exe	36
PID 2944 wrote to memory of 2968	2944	chrome.exe	36
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38
PID 2944 wrote to memory of 3048	2944	chrome.exe	38

C:\Users\Admin\AppData\Local\Temp\929a07d2cea387dd4f1760e689c0814d0a9d22a3db3bffe147027c377c45d332.exe
"C:\Users\Admin\AppData\Local\Temp\929a07d2cea387dd4f1760e689c0814d0a9d22a3db3bffe147027c377c45d332.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:2676
- - C:\Users\Admin\1000015002\a721cb567f.exe
    "C:\Users\Admin\1000015002\a721cb567f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:2188
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2532
      - C:\Users\Admin\AppData\Local\Temp\onefile_2532_133630557427282000\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2692
    - - C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe"
        5⤵
        Executes dropped EXE
        
        PID:2296
    - - C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe"
        5⤵
        Executes dropped EXE
        
        PID:1488
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 52
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2040
    - - C:\Users\Admin\AppData\Local\Temp\1000025001\setup222.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000025001\setup222.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:2652
      - C:\Users\Admin\AppData\Local\Temp\SetupWizard.exe
        
        SetupWizard.exe
        6⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\SetupWizard-bd560d1e45c1dc21\SetupWizard.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SetupWizard-bd560d1e45c1dc21\SetupWizard.exe"
        7⤵
        
        PID:1984
    - - C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
        5⤵
        Executes dropped EXE
        
        PID:2820
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 84
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2464
    - - C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"
        5⤵
        Executes dropped EXE
        
        PID:2344
    - - C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe"
        5⤵
        
        PID:2352
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:2332
    - - C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
        5⤵
        
        PID:2572
      - C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
        6⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\1000003001\b2c2c1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000003001\b2c2c1.exe"
        7⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"
        8⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\1000004001\FirstZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004001\FirstZ.exe"
        7⤵
        
        PID:2000
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:1548
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        9⤵
        
        PID:1232
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        8⤵
        Launches sc.exe
        
        PID:2736
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        8⤵
        Launches sc.exe
        
        PID:356
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        8⤵
        Launches sc.exe
        
        PID:2808
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        8⤵
        Launches sc.exe
        
        PID:1728
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        8⤵
        Launches sc.exe
        
        PID:1940
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        8⤵
        
        PID:2964
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        8⤵
        
        PID:1628
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        8⤵
        
        PID:2868
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        8⤵
        
        PID:2284
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WSNKISKT"
        8⤵
        Launches sc.exe
        
        PID:384
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
        8⤵
        Launches sc.exe
        
        PID:1900
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        8⤵
        Launches sc.exe
        
        PID:3000
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WSNKISKT"
        8⤵
        Launches sc.exe
        
        PID:2568
    - - C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"
        5⤵
        
        PID:692
      - C:\Users\Admin\AppData\Local\Temp\onefile_692_133630557673914000\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"
        6⤵
        
        PID:916
    - - C:\Users\Admin\AppData\Local\Temp\1000073001\bin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000073001\bin.exe"
        5⤵
        
        PID:2868
      - C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe"
        6⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\1000001001\blob.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000001001\blob.exe"
        7⤵
        
        PID:1872
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        8⤵
        
        PID:2836
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        8⤵
        
        PID:1932
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        8⤵
        
        PID:2516
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        8⤵
        
        PID:2556
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "YCSDKNAW"
        8⤵
        Launches sc.exe
        
        PID:1556
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "YCSDKNAW" binpath= "C:\ProgramData\anoomxjjawjf\vxfagazdltye.exe" start= "auto"
        8⤵
        Launches sc.exe
        
        PID:2972
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        8⤵
        Launches sc.exe
        
        PID:1900
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "YCSDKNAW"
        8⤵
        Launches sc.exe
        
        PID:2968
- - C:\Users\Admin\AppData\Local\Temp\1000016001\8b4aba7a44.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\8b4aba7a44.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:1920
- - C:\Users\Admin\AppData\Local\Temp\1000017001\45274e37d0.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\45274e37d0.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7b89758,0x7fef7b89768,0x7fef7b89778
        5⤵
        
        PID:2968
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1236,i,8862912840315896015,10859953352466357119,131072 /prefetch:2
        5⤵
        
        PID:3048
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1236,i,8862912840315896015,10859953352466357119,131072 /prefetch:8
        5⤵
        
        PID:1948
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1236,i,8862912840315896015,10859953352466357119,131072 /prefetch:8
        5⤵
        
        PID:2320
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2192 --field-trial-handle=1236,i,8862912840315896015,10859953352466357119,131072 /prefetch:1
        5⤵
        
        PID:2656
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2200 --field-trial-handle=1236,i,8862912840315896015,10859953352466357119,131072 /prefetch:1
        5⤵
        
        PID:2088
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1168 --field-trial-handle=1236,i,8862912840315896015,10859953352466357119,131072 /prefetch:2
        5⤵
        
        PID:1192
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1376 --field-trial-handle=1236,i,8862912840315896015,10859953352466357119,131072 /prefetch:1
        5⤵
        
        PID:644
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2560 --field-trial-handle=1236,i,8862912840315896015,10859953352466357119,131072 /prefetch:1
        5⤵
        
        PID:2332
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2216 --field-trial-handle=1236,i,8862912840315896015,10859953352466357119,131072 /prefetch:8
        5⤵
        
        PID:1544
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3860 --field-trial-handle=1236,i,8862912840315896015,10859953352466357119,131072 /prefetch:8
        5⤵
        
        PID:1148

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2512

C:\ProgramData\anoomxjjawjf\vxfagazdltye.exe
C:\ProgramData\anoomxjjawjf\vxfagazdltye.exe
1⤵
PID:2260
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:1608
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:2020
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:2060
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:2252
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  PID:2796

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
PID:3040
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1084
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2524
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2044
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1864
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1604
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2328
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2668
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:2732
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:2560
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:1652
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:2896
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3008
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000015002\a721cb567f.exe

Filesize
1.8MB

MD5
6ae449a5dae6af3e4593d52f748e6364

SHA1
420c0340118e79162a1853822a724a423aac9a4c

SHA256
bbcfd52003c646a8d9afbf5e37d19d2085707de6b6f85668c7a23bf4527d8509

SHA512
192e9538db826c99d88b2a8413da7cba3319ba15b70b66df8cf11d38664177a0d813c1eb4ed107b61c2e3376c11e27bd4763e473a3eaf9447ab84bf0ec5b7476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
987bc46034edf7ddb40a503a34449047

SHA1
989d3ffac1d4124e9ecd53fed9ac5401ad1b471c

SHA256
ff63a956cf359037bc277d7ad36123bbb97236897952042c24d5367c20fab384

SHA512
a4d2b5ab0924c5bc19e1918289bf1da31d41e18f4d23ae02426cedb652860fa7e9c7805a50511e83292c45b2ccaf0ed89b42c414096dee888909e8c7d7b034e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\blob.exe

Filesize
2.5MB

MD5
fbfbe4ee13baecac3e7d16bec24cf079

SHA1
360caf2bb458bee7e65c316099a868b929839d25

SHA256
3d65e5f78fa228a79d279fd903b45e584effe6b680d3a3adcb582985de62d01e

SHA512
8f5d849e739430cdc560f9dbda5f2f72a07ed0493054298b0d195cf50c972e9a24effdb71cadeea6ced14663fc1268f4a0f45234f37aac334638ffcd8057b28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\b2c2c1.exe

Filesize
455KB

MD5
f8ec725e4b969f157fd70166e73a56a3

SHA1
8bc092817245f2727154454e0011a8d6704e2eb7

SHA256
eb74efaf4832a80809815051fc97704819fbc4b1d57f07faf39746a02ed1dd10

SHA512
7dc3acb485263fd616ea84999a897f0e298f21485a34457697c523a095083d7de599b3cfc4bc3d45a5d36bc374a3a5e8778646dfa97c447d4be710021678e040

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\FirstZ.exe

Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe

Filesize
10.7MB

MD5
c09ff1273b09cb1f9c7698ed147bf22e

SHA1
5634aec5671c4fd565694aa12cd3bf11758675d2

SHA256
bf8ce6bb537881386facfe6c1f9003812b985cbc4b9e9addd39e102449868d92

SHA512
e8f19b432dc3be9a6138d6a2f79521599087466d1c55a49d73600c876508ab307a6e65694e0effb5b705fdecdd0e201f588c8d5c3767fe9ae0b8581c318cadac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe

Filesize
297KB

MD5
0efd5136528869a8ea1a37c5059d706e

SHA1
3593bec29dbfd333a5a3a4ad2485a94982bbf713

SHA256
7c21c1f3063ba963818542036a50f62ac7494ad422e7088897b55c61306ec74e

SHA512
4ac391812634107e4a4318c454a19e7c34abfc1f97acc9bcd0fac9a92c372e5ebfe809e5c433479142537762ed633564bc690b38fc268b169498d6a54249e3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe

Filesize
1.7MB

MD5
e8a7d0c6dedce0d4a403908a29273d43

SHA1
8289c35dabaee32f61c74de6a4e8308dc98eb075

SHA256
672f24842aeb72d7bd8d64e78aaba5f3a953409ce21cfe97d3a80e7ef67f232a

SHA512
c8bf2f42f7bcf6f6b752ba5165c57ee99d4b31d5ba48ce1c2651afdb8bc37a14f392253f3daa0e811116d11d4c9175dc55cfb1baac0c30a71a18e1df17e73770

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\8b4aba7a44.exe

Filesize
1.3MB

MD5
953edb01a59b8ed60615b0ccfb2738bf

SHA1
5f04f03d4354f26965d2d1246d9ff0f7b04204aa

SHA256
6ffac1844bc8e0d4332101e5672e25db2fb7f8a1a2196d3712840f2629b33d1d

SHA512
e0e3dadf4208ae6efd182e3700e98f4edc027da49135b5936e719e049d3108b4276e89a864ecdc97969d19134f0296e6cdf4fbd813ede2ac39b571654d3faa58

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\45274e37d0.exe

Filesize
1.1MB

MD5
f413a72e0ea8b3ae29262e1bd813016e

SHA1
83f333ef11135ce8c155d3e29a26d94b143ce331

SHA256
7c321b5bfbf0597e0adb2ef50a43cb73e412fb21a9627080c88e8f077f4cbae6

SHA512
9b09ea47bc837a21cb872243ca94190c5f277554d5542456cc3f3dcd148020fc7de6e7cf32d6bc85b3500af8f69e04d7834a25cf042e21ee09901e2c711caf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000025001\setup222.exe

Filesize
96KB

MD5
8677376c509f0c66d1f02c6b66d7ef90

SHA1
e057eddf9d2e319967e200a5801e4bbe6e45862a

SHA256
f7afac39d2754ac953bf129ee094c8b092e349cdf35f1ba23c2c76a0229f9e96

SHA512
e0c685e289c10a48b5fa251aa4414653c103dac69faf536b9ae9598e066aab5a03b03c09096c42a0f244aeaf80f2b9e4aa28d6b28da436587a3f52a9155473d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe

Filesize
522KB

MD5
70a578f7f58456e475facd69469cf20a

SHA1
83e147e7ba01fa074b2f046b65978f838f7b1e8e

SHA256
5c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a

SHA512
707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe

Filesize
310KB

MD5
6e3d83935c7a0810f75dfa9badc3f199

SHA1
9f7d7c0ea662bcdca9b0cda928dc339f06ef0730

SHA256
dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed

SHA512
9f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe

Filesize
3.6MB

MD5
c28a2d0a008788b49690b333d501e3f3

SHA1
6a25fdb8613db00b09d4d6e1ad302c20c7f7e2c4

SHA256
f61712dccccf8f19c6dbf0dfb7c7c0be9eb2f13d3381ee94e4cb6cb70ffb5f5a

SHA512
455923a63e60b6079d7e0af2bfae5f922b205d024def456ae95158ef1bfcdbc4f56e24b4421a2203f4618d0ea29e229e331c7ee0d7881ee8ebac83fa72f5d788

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe

Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe

Filesize
10.7MB

MD5
3f4f5c57433724a32b7498b6a2c91bf0

SHA1
04757ff666e1afa31679dd6bed4ed3af671332a3

SHA256
0608a7559f895fab33ae65bbfbdc5bebd21eea984f76e1b5571c80906824d665

SHA512
cf572ca616b4f4e6e472e33e8d6d90b85d5885fa64d8bca4507450d66d65057efa771f58c31ea13f394fd0e7b0ff2fcaa9d54c61f28b27b98a79c27bc964f935

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000073001\bin.exe

Filesize
424KB

MD5
13e5872e9b7c47090e035dc228c5589f

SHA1
c55a9708091f19b5fc5baf7c37beb99d8d3bf760

SHA256
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc

SHA512
260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e

Download Submit
C:\Users\Admin\AppData\Local\Temp\721934792624

Filesize
81KB

MD5
a3d49310eec0139f451765e5edc7b22a

SHA1
5c66230a6d56a3e015932e9849e0cbde6cabc4a3

SHA256
b00b4a57188b3f0025522c814ebde77619e2951c8c6c7eb16fce9bf6659830ec

SHA512
e40e651ae839e2f56f6eb7135165d8a9de5ce788bffbf9849ff9be3277d358262a975ad6aa6931185f893b6832754bf69c687ae9fad8f8a232e4c79fb3b13450

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7090.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupWizard.exe

Filesize
35.9MB

MD5
f42cf8e651260693b4122edda321d0f9

SHA1
c3da7e97ddff05951e1e265fe28051c475315ac1

SHA256
c7a584526e6c3acb22eee1dd92e4303405a3598231d3545e465e3412e97a66bd

SHA512
4deef4cda38b75d3d5fabefcb23663a91a0ef29732074f3736cbcbdfd391986491cc6c12b20087ff5892b981fb6ba9c72cbd67c35dfd6c1ceb768655f241c0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar72AA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2532_133630557427282000\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8

Filesize
14B

MD5
b4dabbe6a891216d78bf379d87a0a68f

SHA1
641959b130d94a871418e1eeb3027beb818b9ad7

SHA256
e47b2d81151ae4fa7ed42bccb311a4b7c27c783fff2b6bfcab222fff0259ad4b

SHA512
ffff8da20d14c533398ea097c308fd17a6a083226506f0d9ed0a6de3fd1a652a560e74f3826820c458855226ffec917926d406cdf9e1c25b483fa56b43dfc8c0

Download Submit
\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
7d9afc35fad93d00174000bf815c3981

SHA1
e35b98aea100d3e4001bc6868cca01fb0a2791d5

SHA256
929a07d2cea387dd4f1760e689c0814d0a9d22a3db3bffe147027c377c45d332

SHA512
77a9f022d3257d8df846d4fd18ee0b811b091ce60251ef36fd6514f856cb2eafc08aa946fbb575b1d147ea2500ec647234ee95383b964f3e3b31477eaf86a198

Download Submit
\Users\Admin\AppData\Local\Temp\SetupWizard-bd560d1e45c1dc21\SetupWizard.exe

Filesize
41.7MB

MD5
77329dce89bc79eb23d549a7c8bca2fe

SHA1
b501d5abad6d3bab842a45ce08cd0c8805eed10a

SHA256
ae29306ae7122b542645dbfc5c556ffe61660c7e5dbc508e36d67292d36c0643

SHA512
e7e905e21344e7c1549188ee7126ee70c30bd020a8b80de5017f855f0c00ded3a84a1e2efe619ff3df3e2d113214c2b5f345dfed9bae55a0997deaf26c05d6d7

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2532_133630557427282000\stub.exe

Filesize
17.9MB

MD5
972d9d2422f1a71bed840709024302f8

SHA1
e52170710e3c413ae3cfa45fcdecf19db4aa382c

SHA256
1c666df4eafab03ecde809ffbc40dd60b8ac2fe7bdca5632c5c4002254e6e564

SHA512
3d84252756dcb4820b7794e9a92811d32631b9f3e9bd1a558fd040736b1472c0d00efb6ff7a13ae3bcd327f3bfac2b6ad94a5a3dfbc8ba54511a366c4f4727a6

Download Submit
memory/1264-61-0x0000000001310000-0x00000000017D5000-memory.dmp

Filesize
4.8MB

Download
memory/1264-81-0x0000000001310000-0x00000000017D5000-memory.dmp

Filesize
4.8MB

Download
memory/1488-276-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1920-294-0x0000000001280000-0x00000000017B2000-memory.dmp

Filesize
5.2MB

Download
memory/1920-528-0x0000000001280000-0x00000000017B2000-memory.dmp

Filesize
5.2MB

Download
memory/1920-498-0x0000000001280000-0x00000000017B2000-memory.dmp

Filesize
5.2MB

Download
memory/1920-90-0x0000000001280000-0x00000000017B2000-memory.dmp

Filesize
5.2MB

Download
memory/1920-88-0x0000000001280000-0x00000000017B2000-memory.dmp

Filesize
5.2MB

Download
memory/2000-5-0x0000000000310000-0x00000000007DE000-memory.dmp

Filesize
4.8MB

Download
memory/2000-0-0x0000000000310000-0x00000000007DE000-memory.dmp

Filesize
4.8MB

Download
memory/2000-16-0x0000000007080000-0x000000000754E000-memory.dmp

Filesize
4.8MB

Download
memory/2000-15-0x0000000000310000-0x00000000007DE000-memory.dmp

Filesize
4.8MB

Download
memory/2000-3-0x0000000000310000-0x00000000007DE000-memory.dmp

Filesize
4.8MB

Download
memory/2000-2-0x0000000000311000-0x000000000033F000-memory.dmp

Filesize
184KB

Download
memory/2000-1-0x0000000077D70000-0x0000000077D72000-memory.dmp

Filesize
8KB

Download
memory/2188-82-0x00000000011D0000-0x0000000001695000-memory.dmp

Filesize
4.8MB

Download
memory/2188-497-0x00000000011D0000-0x0000000001695000-memory.dmp

Filesize
4.8MB

Download
memory/2188-499-0x00000000011D0000-0x0000000001695000-memory.dmp

Filesize
4.8MB

Download
memory/2188-293-0x00000000011D0000-0x0000000001695000-memory.dmp

Filesize
4.8MB

Download
memory/2296-244-0x0000000001100000-0x0000000001150000-memory.dmp

Filesize
320KB

Download
memory/2352-536-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download
memory/2352-544-0x00000000004C0000-0x00000000004D5000-memory.dmp

Filesize
84KB

Download
memory/2352-537-0x00000000004C0000-0x00000000004D5000-memory.dmp

Filesize
84KB

Download
memory/2352-538-0x00000000004C0000-0x00000000004D5000-memory.dmp

Filesize
84KB

Download
memory/2352-540-0x00000000004C0000-0x00000000004D5000-memory.dmp

Filesize
84KB

Download
memory/2352-542-0x00000000004C0000-0x00000000004D5000-memory.dmp

Filesize
84KB

Download
memory/2352-546-0x00000000004C0000-0x00000000004D5000-memory.dmp

Filesize
84KB

Download
memory/2352-548-0x00000000004C0000-0x00000000004D5000-memory.dmp

Filesize
84KB

Download
memory/2352-550-0x00000000004C0000-0x00000000004D5000-memory.dmp

Filesize
84KB

Download
memory/2352-552-0x00000000004C0000-0x00000000004D5000-memory.dmp

Filesize
84KB

Download
memory/2352-554-0x00000000004C0000-0x00000000004D5000-memory.dmp

Filesize
84KB

Download
memory/2352-556-0x00000000004C0000-0x00000000004D5000-memory.dmp

Filesize
84KB

Download
memory/2352-558-0x00000000004C0000-0x00000000004D5000-memory.dmp

Filesize
84KB

Download
memory/2352-560-0x00000000004C0000-0x00000000004D5000-memory.dmp

Filesize
84KB

Download
memory/2352-562-0x00000000004C0000-0x00000000004D5000-memory.dmp

Filesize
84KB

Download
memory/2352-564-0x00000000004C0000-0x00000000004D5000-memory.dmp

Filesize
84KB

Download
memory/2352-566-0x00000000004C0000-0x00000000004D5000-memory.dmp

Filesize
84KB

Download
memory/2352-568-0x00000000004C0000-0x00000000004D5000-memory.dmp

Filesize
84KB

Download
memory/2352-535-0x0000000004BA0000-0x0000000004C8C000-memory.dmp

Filesize
944KB

Download
memory/2352-534-0x0000000001000000-0x0000000001106000-memory.dmp

Filesize
1.0MB

Download
memory/2352-529-0x0000000001130000-0x00000000014CC000-memory.dmp

Filesize
3.6MB

Download
memory/2476-835-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/2476-834-0x0000000019EB0000-0x000000001A192000-memory.dmp

Filesize
2.9MB

Download
memory/2532-495-0x000000013FB80000-0x0000000140655000-memory.dmp

Filesize
10.8MB

Download
memory/2652-526-0x000000013FB70000-0x000000013FB94000-memory.dmp

Filesize
144KB

Download
memory/2676-26-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-44-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-33-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-31-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-29-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-30-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-32-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2676-38-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-41-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-46-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-43-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-34-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-45-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2684-60-0x0000000006C70000-0x0000000007135000-memory.dmp

Filesize
4.8MB

Download
memory/2684-19-0x0000000000E70000-0x000000000133E000-memory.dmp

Filesize
4.8MB

Download
memory/2684-292-0x0000000000E70000-0x000000000133E000-memory.dmp

Filesize
4.8MB

Download
memory/2684-27-0x0000000000E70000-0x000000000133E000-memory.dmp

Filesize
4.8MB

Download
memory/2684-250-0x0000000000E70000-0x000000000133E000-memory.dmp

Filesize
4.8MB

Download
memory/2684-89-0x0000000006C70000-0x00000000071A2000-memory.dmp

Filesize
5.2MB

Download
memory/2684-148-0x0000000000E70000-0x000000000133E000-memory.dmp

Filesize
4.8MB

Download
memory/2684-171-0x0000000000E70000-0x000000000133E000-memory.dmp

Filesize
4.8MB

Download
memory/2684-182-0x0000000000E70000-0x000000000133E000-memory.dmp

Filesize
4.8MB

Download
memory/2684-496-0x0000000000E70000-0x000000000133E000-memory.dmp

Filesize
4.8MB

Download
memory/2684-22-0x0000000000E70000-0x000000000133E000-memory.dmp

Filesize
4.8MB

Download
memory/2684-18-0x0000000000E71000-0x0000000000E9F000-memory.dmp

Filesize
184KB

Download
memory/2684-20-0x0000000000E70000-0x000000000133E000-memory.dmp

Filesize
4.8MB

Download
memory/2684-444-0x0000000006C70000-0x0000000007135000-memory.dmp

Filesize
4.8MB

Download
memory/2684-17-0x0000000000E70000-0x000000000133E000-memory.dmp

Filesize
4.8MB

Download
memory/2684-28-0x000000000A1F0000-0x000000000A6BE000-memory.dmp

Filesize
4.8MB

Download
memory/2692-460-0x000000013F350000-0x0000000140585000-memory.dmp

Filesize
18.2MB

Download
memory/2740-830-0x000000001B430000-0x000000001B712000-memory.dmp

Filesize
2.9MB

Download
memory/2740-831-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download