amadey | 776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exe
Size

1.8MB
MD5

0aa21c6428a32586f3cecc00a4de33b9
SHA1

c1aaec1513a31b28839ef1137cd116ba4dff771c
SHA256

776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70
SHA512

eb91e8bb467ea9661cae6da78841d61db866873a391d88b7998a430391937cf66737bc9c02e5e15a4a147169193746a81197232706d8fc7c837989b04b31a773
SSDEEP

24576:TdaunKnGqDFwbXie8rL9AtJDWC58UJSR1f++H54WmdIKY7/JbU0OiTz31LAy0EOP:TrTiQxX0R3GWJbUHiTdJ9O301wAY

Score

10^/10

amadey lumma redline stealc @logscloudyt_bot default default2 fed3aa livetraffic newbundle2 tg cloud @rlreborn admin @fatherofcarders credential_access discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

95.179.250.45:26212

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

65.21.18.51:45580

Extracted

Family

stealc

Botnet

default2

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

stealc

Botnet

default

http://91.202.233.158

Attributes

url_path
/e96ea2db21fa9a1b.php

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

89.105.223.196:29862

Extracted

Family

redline

Botnet

newbundle2

185.215.113.67:15206

Extracted

Family

lumma

https://racedsuitreow.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2764-51-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/2764-50-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/2764-48-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/2764-45-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/2764-43-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1696-145-0x0000000001010000-0x0000000001062000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\UyipsQUmQU.exe	family_redline
behavioral1/memory/2664-385-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe	family_redline
behavioral1/memory/2040-529-0x0000000000FE0000-0x0000000001032000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

Waters.pif

description pid process target process

PID 948 created 1272 948 Waters.pif Explorer.EXE
PID 948 created 1272 948 Waters.pif Explorer.EXE

description	pid	process	target process
PID 948 created 1272	948	Waters.pif	Explorer.EXE
PID 948 created 1272	948	Waters.pif	Explorer.EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url	cmd.exe

Executes dropped EXE 26 IoCs

Processes:

axplong.exegold.exe12dsvc.exeNework.exeHkbsse.exestealc_default2.exef3XK0BhAKv.exeUyipsQUmQU.exeneedmoney.exepenis.exeacentric.exe2.exesplwow64.exesvchost015.execrypted.exe8f6fd618cc.exeLummaC222222.exeWaters.pif66ed86be077bb_12.exe2.exenewbundle2.exe41f8a47cfa.exerstxdhuj.exeskotes.exe6307b62173.exeservice123.exe

pid	process
2704	axplong.exe
2428	gold.exe
1152	12dsvc.exe
2580	Nework.exe
2076	Hkbsse.exe
2484	stealc_default2.exe
2500	f3XK0BhAKv.exe
1696	UyipsQUmQU.exe
708	needmoney.exe
2848	penis.exe
3052	acentric.exe
1376	2.exe
1700	splwow64.exe
2856	svchost015.exe
1740	crypted.exe
1360	8f6fd618cc.exe
376	LummaC222222.exe
948	Waters.pif
604	66ed86be077bb_12.exe
708	2.exe
2040	newbundle2.exe
1996	41f8a47cfa.exe
1728	rstxdhuj.exe
5408	skotes.exe
5680	6307b62173.exe
6096	service123.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplong.exe776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exe

Loads dropped DLL 44 IoCs

Processes:

776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exeaxplong.exeNework.exeRegAsm.exe2.exeneedmoney.exestealc_default2.execmd.exeWerFault.exe41f8a47cfa.exeskotes.exe2.exeservice123.exe

pid	process
1120	776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exe
2704	axplong.exe
2704	axplong.exe
2704	axplong.exe
2580	Nework.exe
2704	axplong.exe
2704	axplong.exe
1456	RegAsm.exe
1456	RegAsm.exe
2704	axplong.exe
2704	axplong.exe
2704	axplong.exe
2704	axplong.exe
2704	axplong.exe
1376	2.exe
2704	axplong.exe
708	needmoney.exe
2704	axplong.exe
2704	axplong.exe
2704	axplong.exe
2704	axplong.exe
2704	axplong.exe
2484	stealc_default2.exe
2484	stealc_default2.exe
2832	cmd.exe
2704	axplong.exe
2704	axplong.exe
2704	axplong.exe
2704	axplong.exe
2704	axplong.exe
2704	axplong.exe
2704	axplong.exe
5340	WerFault.exe
5340	WerFault.exe
5340	WerFault.exe
5340	WerFault.exe
1996	41f8a47cfa.exe
1996	41f8a47cfa.exe
5340	WerFault.exe
5408	skotes.exe
5408	skotes.exe
708	2.exe
708	2.exe
6096	service123.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

axplong.exeacentric.exerstxdhuj.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\splwow64.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000287001\\splwow64.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\8f6fd618cc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000308001\\8f6fd618cc.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\acentric = "\"C:\\Users\\Admin\\Pictures\\Opportunistic Telegraph\\acentric.exe\" /update"	acentric.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\41f8a47cfa.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000341000\\41f8a47cfa.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ylrdnrwcx = "C:\\Users\\Admin\\AppData\\Roaming\\Ylrdnrwcx.exe"	rstxdhuj.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

59 api64.ipify.org
60 api64.ipify.org
62 ipinfo.io
63 ipinfo.io
67 api.myip.com
68 api.myip.com
Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2412 tasklist.exe
668 tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exeaxplong.exe

pid process

1120 776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exe
2704 axplong.exe

flow	ioc
59	api64.ipify.org
60	api64.ipify.org
62	ipinfo.io
63	ipinfo.io
67	api.myip.com
68	api.myip.com

pid	process
2412	tasklist.exe
668	tasklist.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

gold.exe12dsvc.exeneedmoney.execrypted.exe66ed86be077bb_12.exe

description	pid	process	target process
PID 2428 set thread context of 2764	2428	gold.exe	RegAsm.exe
PID 1152 set thread context of 1456	1152	12dsvc.exe	RegAsm.exe
PID 708 set thread context of 2856	708	needmoney.exe	svchost015.exe
PID 1740 set thread context of 2664	1740	crypted.exe	RegAsm.exe
PID 604 set thread context of 956	604	66ed86be077bb_12.exe	RegAsm.exe

Drops file in Windows directory 7 IoCs

Processes:

41f8a47cfa.exe776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exeNework.exesplwow64.exe

description	ioc	process
File created	C:\Windows\Tasks\skotes.job	41f8a47cfa.exe
File created	C:\Windows\Tasks\axplong.job	776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exe
File created	C:\Windows\Tasks\Hkbsse.job	Nework.exe
File opened for modification	C:\Windows\HardlyAircraft	splwow64.exe
File opened for modification	C:\Windows\ViewpictureKingdom	splwow64.exe
File opened for modification	C:\Windows\BrandonBlind	splwow64.exe
File opened for modification	C:\Windows\IpaqArthur	splwow64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5340 1728 WerFault.exe rstxdhuj.exe

pid	pid_target	process	target process
5340	1728	WerFault.exe	rstxdhuj.exe

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

LummaC222222.exeWaters.pif8f6fd618cc.exerstxdhuj.exe6307b62173.exeRegAsm.exefindstr.exepenis.exesvchost015.exeaxplong.exeRegAsm.exetasklist.exetasklist.execmd.exeRegAsm.exeRegAsm.exef3XK0BhAKv.execrypted.execmd.exenewbundle2.exestealc_default2.exeacentric.exeUyipsQUmQU.exeneedmoney.execmd.exefindstr.execmd.exeskotes.exe776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exegold.exeschtasks.exeHkbsse.exesplwow64.exeschtasks.exe66ed86be077bb_12.exe2.exeNework.exechoice.execmd.exefindstr.exe41f8a47cfa.exe12dsvc.exe2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LummaC222222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Waters.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f6fd618cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rstxdhuj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6307b62173.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	penis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3XK0BhAKv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newbundle2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acentric.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UyipsQUmQU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	needmoney.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	splwow64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66ed86be077bb_12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nework.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41f8a47cfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12dsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

stealc_default2.exe2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

f3XK0BhAKv.exeRegAsm.exeUyipsQUmQU.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000020000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	f3XK0BhAKv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	f3XK0BhAKv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 190000000100000010000000dbd91ea86008fd8536f2b37529666c7b0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079000000140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	f3XK0BhAKv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00380041003300420034003800410032002d0039004100420035002d0034003700330045002d0039004300380036002d004400410046004300340041003600350045004200380032007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	UyipsQUmQU.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	UyipsQUmQU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	f3XK0BhAKv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

6120 schtasks.exe
2128 schtasks.exe

pid	process
6120	schtasks.exe
2128	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exeaxplong.exestealc_default2.exeUyipsQUmQU.exeRegAsm.exepenis.exef3XK0BhAKv.exeWaters.pifLummaC222222.exeRegAsm.exenewbundle2.exerstxdhuj.exe

pid	process
1120	776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exe
2704	axplong.exe
2484	stealc_default2.exe
1696	UyipsQUmQU.exe
2764	RegAsm.exe
2848	penis.exe
2500	f3XK0BhAKv.exe
2484	stealc_default2.exe
948	Waters.pif
948	Waters.pif
948	Waters.pif
948	Waters.pif
948	Waters.pif
948	Waters.pif
948	Waters.pif
948	Waters.pif
948	Waters.pif
948	Waters.pif
948	Waters.pif
948	Waters.pif
948	Waters.pif
948	Waters.pif
948	Waters.pif
948	Waters.pif
948	Waters.pif
948	Waters.pif
376	LummaC222222.exe
376	LummaC222222.exe
376	LummaC222222.exe
376	LummaC222222.exe
2764	RegAsm.exe
2764	RegAsm.exe
1696	UyipsQUmQU.exe
1696	UyipsQUmQU.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
2040	newbundle2.exe
2040	newbundle2.exe
2040	newbundle2.exe
1728	rstxdhuj.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

penis.exef3XK0BhAKv.exeUyipsQUmQU.exeRegAsm.exetasklist.exetasklist.exeRegAsm.exeacentric.exe66ed86be077bb_12.exenewbundle2.exerstxdhuj.exe

description	pid	process
Token: SeDebugPrivilege	2848	penis.exe
Token: SeDebugPrivilege	2500	f3XK0BhAKv.exe
Token: SeBackupPrivilege	2500	f3XK0BhAKv.exe
Token: SeBackupPrivilege	2848	penis.exe
Token: SeSecurityPrivilege	2500	f3XK0BhAKv.exe
Token: SeSecurityPrivilege	2848	penis.exe
Token: SeSecurityPrivilege	2500	f3XK0BhAKv.exe
Token: SeSecurityPrivilege	2500	f3XK0BhAKv.exe
Token: SeSecurityPrivilege	2500	f3XK0BhAKv.exe
Token: SeSecurityPrivilege	2848	penis.exe
Token: SeSecurityPrivilege	2848	penis.exe
Token: SeSecurityPrivilege	2848	penis.exe
Token: SeDebugPrivilege	1696	UyipsQUmQU.exe
Token: SeDebugPrivilege	2764	RegAsm.exe
Token: SeDebugPrivilege	2412	tasklist.exe
Token: SeDebugPrivilege	668	tasklist.exe
Token: SeDebugPrivilege	2664	RegAsm.exe
Token: SeDebugPrivilege	3052	acentric.exe
Token: SeDebugPrivilege	604	66ed86be077bb_12.exe
Token: SeDebugPrivilege	2040	newbundle2.exe
Token: SeDebugPrivilege	1728	rstxdhuj.exe
Token: SeDebugPrivilege	1728	rstxdhuj.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exeNework.exeWaters.pif41f8a47cfa.exe

pid	process
1120	776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exe
2580	Nework.exe
948	Waters.pif
948	Waters.pif
948	Waters.pif
1996	41f8a47cfa.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Waters.pif

pid process

948 Waters.pif
948 Waters.pif
948 Waters.pif

pid	process
948	Waters.pif
948	Waters.pif
948	Waters.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exeaxplong.exegold.exeNework.exe12dsvc.exe

description	pid	process	target process
PID 1120 wrote to memory of 2704	1120	776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exe	axplong.exe
PID 1120 wrote to memory of 2704	1120	776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exe	axplong.exe
PID 1120 wrote to memory of 2704	1120	776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exe	axplong.exe
PID 1120 wrote to memory of 2704	1120	776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exe	axplong.exe
PID 2704 wrote to memory of 2428	2704	axplong.exe	gold.exe
PID 2704 wrote to memory of 2428	2704	axplong.exe	gold.exe
PID 2704 wrote to memory of 2428	2704	axplong.exe	gold.exe
PID 2704 wrote to memory of 2428	2704	axplong.exe	gold.exe
PID 2428 wrote to memory of 3040	2428	gold.exe	RegAsm.exe
PID 2428 wrote to memory of 3040	2428	gold.exe	RegAsm.exe
PID 2428 wrote to memory of 3040	2428	gold.exe	RegAsm.exe
PID 2428 wrote to memory of 3040	2428	gold.exe	RegAsm.exe
PID 2428 wrote to memory of 3040	2428	gold.exe	RegAsm.exe
PID 2428 wrote to memory of 3040	2428	gold.exe	RegAsm.exe
PID 2428 wrote to memory of 3040	2428	gold.exe	RegAsm.exe
PID 2428 wrote to memory of 2764	2428	gold.exe	RegAsm.exe
PID 2428 wrote to memory of 2764	2428	gold.exe	RegAsm.exe
PID 2428 wrote to memory of 2764	2428	gold.exe	RegAsm.exe
PID 2428 wrote to memory of 2764	2428	gold.exe	RegAsm.exe
PID 2428 wrote to memory of 2764	2428	gold.exe	RegAsm.exe
PID 2428 wrote to memory of 2764	2428	gold.exe	RegAsm.exe
PID 2428 wrote to memory of 2764	2428	gold.exe	RegAsm.exe
PID 2428 wrote to memory of 2764	2428	gold.exe	RegAsm.exe
PID 2428 wrote to memory of 2764	2428	gold.exe	RegAsm.exe
PID 2428 wrote to memory of 2764	2428	gold.exe	RegAsm.exe
PID 2428 wrote to memory of 2764	2428	gold.exe	RegAsm.exe
PID 2428 wrote to memory of 2764	2428	gold.exe	RegAsm.exe
PID 2704 wrote to memory of 1152	2704	axplong.exe	12dsvc.exe
PID 2704 wrote to memory of 1152	2704	axplong.exe	12dsvc.exe
PID 2704 wrote to memory of 1152	2704	axplong.exe	12dsvc.exe
PID 2704 wrote to memory of 1152	2704	axplong.exe	12dsvc.exe
PID 2704 wrote to memory of 2580	2704	axplong.exe	Nework.exe
PID 2704 wrote to memory of 2580	2704	axplong.exe	Nework.exe
PID 2704 wrote to memory of 2580	2704	axplong.exe	Nework.exe
PID 2704 wrote to memory of 2580	2704	axplong.exe	Nework.exe
PID 2580 wrote to memory of 2076	2580	Nework.exe	Hkbsse.exe
PID 2580 wrote to memory of 2076	2580	Nework.exe	Hkbsse.exe
PID 2580 wrote to memory of 2076	2580	Nework.exe	Hkbsse.exe
PID 2580 wrote to memory of 2076	2580	Nework.exe	Hkbsse.exe
PID 2704 wrote to memory of 2484	2704	axplong.exe	stealc_default2.exe
PID 2704 wrote to memory of 2484	2704	axplong.exe	stealc_default2.exe
PID 2704 wrote to memory of 2484	2704	axplong.exe	stealc_default2.exe
PID 2704 wrote to memory of 2484	2704	axplong.exe	stealc_default2.exe
PID 1152 wrote to memory of 560	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 560	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 560	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 560	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 560	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 560	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 560	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 1456	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 1456	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 1456	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 1456	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 1456	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 1456	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 1456	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 1456	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 1456	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 1456	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 1456	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 1456	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 1456	1152	12dsvc.exe	RegAsm.exe
PID 1152 wrote to memory of 1456	1152	12dsvc.exe	RegAsm.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exe
  "C:\Users\Admin\AppData\Local\Temp\776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
      "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:3040
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe
      "C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1152
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:560
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1456
      - C:\Users\Admin\AppData\Roaming\f3XK0BhAKv.exe
        
        "C:\Users\Admin\AppData\Roaming\f3XK0BhAKv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
      - C:\Users\Admin\AppData\Roaming\UyipsQUmQU.exe
        
        "C:\Users\Admin\AppData\Roaming\UyipsQUmQU.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
      "C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2076
  - - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
      "C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:708
    - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
      "C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe
      "C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe
      "C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1700
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2832
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:532
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 607698
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "MaskBathroomCompositionInjection" Participants
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
      - C:\Users\Admin\AppData\Local\Temp\607698\Waters.pif
        
        Waters.pif Q
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:948
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1740
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:3040
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\1000308001\8f6fd618cc.exe
      "C:\Users\Admin\AppData\Local\Temp\1000308001\8f6fd618cc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1360
  - - C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe
      "C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:376
  - - C:\Users\Admin\AppData\Local\Temp\1000318001\66ed86be077bb_12.exe
      "C:\Users\Admin\AppData\Local\Temp\1000318001\66ed86be077bb_12.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:604
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:956
  - - C:\Users\Admin\AppData\Local\Temp\1000321001\2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000321001\2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:708
    - - C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6096
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:6120
  - - C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2040
  - - C:\Users\Admin\AppData\Roaming\1000341000\41f8a47cfa.exe
      "C:\Users\Admin\AppData\Roaming\1000341000\41f8a47cfa.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:1996
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5408
      - C:\Users\Admin\AppData\Local\Temp\1000023001\6307b62173.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000023001\6307b62173.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5680
  - - C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe
      "C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1728
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 800
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:5340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:424
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2128
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & echo URL="C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14da23cbcf947ca68ed51469d039bc9d

SHA1
bf058e7e204a419ed04c25d7c81d5afa6002b4bd

SHA256
832910d19076fa3abfe94f32b6be8b4333c0669a9f3f49a1b1be7f0828a195ad

SHA512
5866ee94f09638db607c2f8828421dc3ebc60eb39424b6c4226e2876c7ef6c10030548c931500117e3b1a380897347d08cd092241db941058a30623782ed0eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

Filesize
312KB

MD5
389881b424cf4d7ec66de13f01c7232a

SHA1
d3bc5a793c1b8910e1ecc762b69b3866e4c5ba78

SHA256
9d1211b3869ca43840b7da1677b257ad37521aab47719c6fcfe343121760b746

SHA512
2b9517d5d9d972e8754a08863a29e3d3e3cfde58e20d433c85546c2298aad50ac8b069cafd5abb3c86e24263d662c6e1ea23c0745a2668dfd215ddbdfbd1ab96

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe

Filesize
1.1MB

MD5
6c9e7815208530b2574368f8a70e5790

SHA1
61d5d998abbbfe9c6efd9d38b8c99a3b48f8a7de

SHA256
c0f8b5afad6fab4136affd308519c36e3779d597413d00e79e7f939bd7bae782

SHA512
013b6ce1104d05cdd4587197c4e177ef13409db9c81084551450674833d3876a050035a4545a647a257538a2cb44aafaada534c9bfe8e2b5bcf6a9f2dcff134d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

Filesize
416KB

MD5
f5d7b79ee6b6da6b50e536030bcc3b59

SHA1
751b555a8eede96d55395290f60adc43b28ba5e2

SHA256
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

SHA512
532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Filesize
187KB

MD5
7a02aa17200aeac25a375f290a4b4c95

SHA1
7cc94ca64268a9a9451fb6b682be42374afc22fd

SHA256
836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e

SHA512
f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe

Filesize
4.1MB

MD5
7fa5c660d124162c405984d14042506f

SHA1
69f0dff06ff1911b97a2a0aa4ca9046b722c6b2f

SHA256
fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2

SHA512
d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe

Filesize
494KB

MD5
6760374f17416485fa941b354d3dd800

SHA1
d88389ec19ac3e87bc743ba3f8b7c518601fdbf9

SHA256
9dc31fbd03da881700908423eb50c6b0c42c87fec28e817449d3dd931802c9f5

SHA512
6e4d2f17cb93fe831198c2eaa35bf030d6a06d620645d3e1452c6bd6e77e42baa9dc323fd60a2c5ae1d89124adde69972c489739d4bd73ba01b95b829a777eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe

Filesize
454KB

MD5
37d198ad751d31a71acc9cb28ed0c64e

SHA1
8eb519b7a6df66d84c566605da9a0946717a921d

SHA256
1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde

SHA512
60923c0a8ce5fd397d49749ccee68ca3fe294d7323551ce9755410ac16bfff56a35bee3e6b9a67d57cdfcb43e4f164712f33cd255b76689174dcf4c475976c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe

Filesize
673KB

MD5
b859d1252109669c1a82b235aaf40932

SHA1
b16ea90025a7d0fad9196aa09d1091244af37474

SHA256
083d9bc8566b22e67b553f9e0b2f3bf6fe292220665dcc2fc10942cdc192125c

SHA512
9c0006055afd089ef2acbb253628494dd8c29bab9d5333816be8404f875c85ac342df82ae339173f853d3ebdb2261e59841352f78f6b4bd3bff3d0d606f30655

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe

Filesize
1.3MB

MD5
2b01c9b0c69f13da5ee7889a4b17c45e

SHA1
27f0c1ae0ddeddc9efac38bc473476b103fef043

SHA256
d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29

SHA512
23d4a0fc82b70cd2454a1be3d9b84b8ce7dd00ad7c3e8ad2b771b1b7cbca752c53feec5a3ac5a81d8384a9fc6583f63cc39f1ebe7de04d3d9b08be53641ec455

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe

Filesize
314KB

MD5
ff5afed0a8b802d74af1c1422c720446

SHA1
7135acfa641a873cb0c4c37afc49266bfeec91d8

SHA256
17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

SHA512
11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000308001\8f6fd618cc.exe

Filesize
374KB

MD5
1284189a11bd4f537fee0890dc21b33b

SHA1
fc870cbaaba025161019f37f8ab2a3e6806cb2f8

SHA256
afabd219f0d644da4f9542932cbb5afcbcb0c66a2302c2353bb89447104cbb93

SHA512
19daa87707f8f5ef9d7c7febaaab3c4ac21f56de3ebef4e2ed009aadab75bffd21ecee6a1b9d4e1a8efa514532e5093356b9a80f8b0b70e3cc1d331843e52b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe

Filesize
352KB

MD5
2f1d09f64218fffe7243a8b44345b27e

SHA1
72553e1b3a759c17f54e7b568f39b3f8f1b1cdbe

SHA256
4a553c39728410eb0ebd5e530fc47ef1bdf4b11848a69889e8301974fc26cde2

SHA512
5871e2925ca8375f3c3ce368c05eb67796e1fbec80649d3cc9c39b57ee33f46476d38d3ea8335e2f5518c79f27411a568209f9f6ef38a56650c7436bbaa3f909

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000318001\66ed86be077bb_12.exe

Filesize
10.3MB

MD5
489f9c4fc0afa8d1be37bc5e2f57833b

SHA1
c2bac602a73c19b345b64e0b7cf2f837be307b61

SHA256
d9dbfbc8294cbf6a32d43413ed328594ee058d7356c26eb5cd196f9f4867c078

SHA512
7f43d972f58a025d09143c57351221fe7b10c1756a0c5578ac42698c21ea05986d4bbc0c7ff4be339c2d0930b505e4f4dda53c0800d84b059a21be938adb678e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000321001\2.exe

Filesize
6.3MB

MD5
d09d52b00ae2fd3ea3135aa31d7cb323

SHA1
40c053b5a7f8e6e3c78895382662cf2556e3b2ea

SHA256
fcfb14707aa5abe3cf84d6059717246e6593cd43d60c609fe3095825827637c7

SHA512
1a126471a5972babceebd66008dc136e098b37a64a25521c8213887daf6a7cf3ece3058286c68e3ebec85a40b5a3e53a84e243381ffef4283941c70fc814f6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe

Filesize
304KB

MD5
58e8b2eb19704c5a59350d4ff92e5ab6

SHA1
171fc96dda05e7d275ec42840746258217d9caf0

SHA256
07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834

SHA512
e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe

Filesize
963KB

MD5
1ef39c8bc5799aa381fe093a1f2d532a

SHA1
57eabb02a7c43c9682988227dd470734cc75edb2

SHA256
0cced5b50789fca3ad4b2c151b798363d712da04c377bd704dcef4898e66b2b4

SHA512
13a9c267c4ceb2bd176f1339faa035ffeb08936deeeb4e38252ea43cfe487ea1c1876e4cc2a965548e767af02805a1da62885e6538da056be0c6fae33b637682

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000429001\66f0297e9c3eb_15.exe

Filesize
10.5MB

MD5
38ef48a2e156067f1770497335e92066

SHA1
304bcccdfb486bf797d69f109f0b6fe64a94d945

SHA256
88efb8b6990e916e7590c2bd3f734f390f7c3d7b517a5fdc1baba0a2f6fbd54c

SHA512
7212757dc8bd59ce9e5d7e474b78324fae11b7a20dc1326fe34d2bdeff4a6b4e9e4471326656cc3db162feaec65ef0f0c96efb91f3ce9b3173f725195d4b7145

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
0aa21c6428a32586f3cecc00a4de33b9

SHA1
c1aaec1513a31b28839ef1137cd116ba4dff771c

SHA256
776fc52ffbf27f1bcb817b4d60761292718195ebc361eb49a1da457a99707e70

SHA512
eb91e8bb467ea9661cae6da78841d61db866873a391d88b7998a430391937cf66737bc9c02e5e15a4a147169193746a81197232706d8fc7c837989b04b31a773

Download Submit
C:\Users\Admin\AppData\Local\Temp\579783382990

Filesize
81KB

MD5
44251bdf9eb2732cac53e7550ab05af0

SHA1
af5b88b18632bc5868a41a26eccc24e054990460

SHA256
6d1aec30a87e925ab4be4605585c62ad493252c6e3e79e0bb869ba7654ab2eab

SHA512
1d6fd73fc24749e207d09021de697c6d91fc416668fafe678a5495c359beaf632482bd9dbde02756bf7cb7b7d4f0ae3a65808a6e3e9b7737f3c09684a7a19bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4433.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Emotions

Filesize
19KB

MD5
b98d78c3abe777a5474a60e970a674ad

SHA1
079e438485e46aff758e2dff4356fdd2c7575d78

SHA256
2bc28afb291ece550a7cd2d0c5c060730eb1981d1cf122558d6971526c637eb4

SHA512
6218413866237bc1f6eada6554658a00c9fc55402e104576b33a2e8d4adf0fd952d8cc8d1ae3a02ebcfa030115fc388fc1a6f23b9d372f808e11e1b551064e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Navy

Filesize
56KB

MD5
d4eb107cfd9fc38ed7e7b253562e155a

SHA1
7fc17c27c9f4739c19211600398bf1ee9df84dc5

SHA256
68e9a8d57ba2a484dd28a1afed5262a86aff4d81467b93b4072f329fab984f4c

SHA512
3a95c48e7a61239cbaa857459a6a106536dfd8190205275e2549a9939116833141276dd5b6c81ff337d2340eedba633d9ca01a03fb490eb27184becc97626e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Participants

Filesize
2KB

MD5
f0e725addf4ec15a56aa0bde5bd8b2a7

SHA1
1f54a49195d3f7fd93c5fec06cc5904c57995147

SHA256
7cbd6810cb4dd516eeb75df79d1db55f74471c11594333ac225f24bfc0fca7ca

SHA512
00f14e435e0f8396f6c94fd5ace3f3645e87511b9e41e8c7c7caadb751ed826f60362ac007c80e9c3bd16f8f31b3a9107cbb39bf5c26d20a0ab5129e695f5269

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rick

Filesize
869KB

MD5
e0d37e7b879f4b4e0dde5006da5009bd

SHA1
33d19bdb8a0ae45a38ab6899381ca8bc1ea7c1a5

SHA256
27014daa44b8b92e1684970350c43bb1701d3a592572e650e1e00be1470e5f77

SHA512
68b2f357b3f02f3181df095ddc6fe8ff1810a150e832c245e428f973a096301b1d13fce00ad28af662c4aea371f872d56348fe7b5d2070ed3f1c49388efd3f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Streaming

Filesize
97KB

MD5
1501de696d22f872db44b548cba0e4fa

SHA1
ed8a2948aaf041bfd0196a180f5888bdddcb9879

SHA256
dcf4784ea71a3e1a42318c09183d4b5981009d296814d3679ca68eb0a7c9e2ef

SHA512
fa931ce9f6ab6928cec1c999f1aa6082bd7c5c74eff317fc6b1bd0d9f88de2753e157ebd4d6a2719c5861f7fdc12bcde5859945633c1a2b8e0967684771f84bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4451.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temperature

Filesize
89KB

MD5
249d56cbe275c2258ccd964f0c6241d9

SHA1
8ac982fe39012b8812ed9dcf16e8e00c9a74b0bc

SHA256
7c16e21e29d442bf0b459d083198b22ee9c6d9926e3aa61f43dc3a1ee3ecb731

SHA512
440d7ff539e737e4e3b74549be7495d0f3b3230888355bc93eeca8084c80f255d988839ef455b4f6841fbaa64aabfdef9233130663aa3c24f711d01edb8e6be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp3267.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Roaming\1000341000\41f8a47cfa.exe

Filesize
435KB

MD5
9e8835f955e76958242682c313e7195c

SHA1
51544394f6867baaf518768fae610be8afdf48fd

SHA256
3dbd82fe0ab3c3ed3ecabe41b6aee651928f0305b07b0285828fd878d84ee4a9

SHA512
2856fa5e5feea068bb07dbe74baff55957b6f5ef612892e7ebdc3a525d87bd7b7da7b31f8d9a75bc441ca83f5307dc52821216ad65a37217f0feada03454d747

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-457978338-2990298471-2379561640-1000\76b53b3ec448f7ccdda2063b15d2bfc3_7ab03691-fc7c-4787-903d-423aed4b9dc2

Filesize
79B

MD5
bbc8da7d36df3f91c460984c2abe8419

SHA1
9a247c3d293022fde4f3abc8b56259275c4ef97c

SHA256
0399ccf5e780949a63400736a46cce7d1879903d0f45c6b7d194c960ba4dddc2

SHA512
facbe33baa35fccf8072fe207a4d5eda2a64c4ed067c8eecb23e49cb003747be4c3772cb4ae2dfb87f91aa711b9a8371a2e0d76dc40830e275098172318d7cb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-457978338-2990298471-2379561640-1000\76b53b3ec448f7ccdda2063b15d2bfc3_7ab03691-fc7c-4787-903d-423aed4b9dc2

Filesize
2KB

MD5
1e4dc409f498d715a4b4d916e1ace32c

SHA1
8fe71c2cb2bf81bbf8f89e76ffe0304a9d9edb6c

SHA256
aab59ac6a1fd7cc528d903168c86289f9550576bccf47e99928ab96a73ad00d6

SHA512
221cda4834d38e9b565360920ccc66db8000dd6737cef13f5e6086fa97569f002b351ba810e59e3abe8bd6288fa24d12ffb2530a24ac26353c155fc87afda8ab

Download Submit
C:\Users\Admin\AppData\Roaming\UyipsQUmQU.exe

Filesize
304KB

MD5
12f13e368d8f8a329c94302ca0bd5d8a

SHA1
17fdaeb0122b61c702ec7a4c809fc26ca4cb73bf

SHA256
570aaaf62baff05ca992f53356044c86f85f46014451b85f8306915fef498a24

SHA512
031c116d0fe92912363eb7e580dea59504d4de5ac4fc51a1cf8d85393585c0acc712256142a88d33ebdf5b616068ca02066806cea6f4c0072a50f0b0144440da

Download Submit
C:\Users\Admin\AppData\Roaming\f3XK0BhAKv.exe

Filesize
563KB

MD5
7909fbb384c65c469c877dda84add34c

SHA1
3280b2d39ccd8b669e95e971652ef6578136e377

SHA256
402b94a9f6fbbf5822c2f8c60f0dcb373cdeb9508b4730de6bdccbb6a52ba8ee

SHA512
a003ecaf93f5343275c8baa75d420266825a8cde7bf3ec8b3ae6ab2ff60c619a9d9dad20256c717ed8a5d925c8c16f31a63ac9c4edc01689a3584ce04810b788

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
64dac8316063005732778edd56bb99ca

SHA1
5dfb87b3d5091dda07ddd2db73775e964e4c32bc

SHA256
b6d0423b14c29e89ccee3beb38809675495faa35ff9a9cc7873ece4f2ff2ff3a

SHA512
06aadd7ac3d2fae26673ddc098554a3553e98b5520e94987774df9442b9effa9281a3b6a4b5d7a89f31a7d65a5e21dbe5351beeff45b4e7b9d2066e8bd6e29f5

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
534KB

MD5
a6da8d868dbd5c9fe6b505db0ee7eb71

SHA1
3dad32b3b3230ad6f44b82d1eb1749c67800c6f8

SHA256
4ad69afb341c6d8021db1d9b0b7e56d14b020a0d70739e31f0b65861f3c4eb2c

SHA512
132f54ac3116fd644c57840c893dae2128f571a784ceaa6dd78bafa3e05fc8f2a9d2458f1e1cf321b6cecc2423d3c57ff6d3c4b6b60f92a41b665105a3262dd0

Download Submit
memory/604-651-0x0000000005E90000-0x0000000006132000-memory.dmp

Filesize
2.6MB

Download
memory/604-503-0x0000000001090000-0x0000000001AD6000-memory.dmp

Filesize
10.3MB

Download
memory/604-792-0x0000000006130000-0x00000000063C6000-memory.dmp

Filesize
2.6MB

Download
memory/604-872-0x0000000000A10000-0x0000000000A32000-memory.dmp

Filesize
136KB

Download
memory/708-361-0x0000000000400000-0x000000000081B000-memory.dmp

Filesize
4.1MB

Download
memory/1120-15-0x0000000000BA0000-0x000000000103D000-memory.dmp

Filesize
4.6MB

Download
memory/1120-1-0x0000000077430000-0x0000000077432000-memory.dmp

Filesize
8KB

Download
memory/1120-2-0x0000000000BA1000-0x0000000000BCF000-memory.dmp

Filesize
184KB

Download
memory/1120-3-0x0000000000BA0000-0x000000000103D000-memory.dmp

Filesize
4.6MB

Download
memory/1120-4-0x0000000000BA0000-0x000000000103D000-memory.dmp

Filesize
4.6MB

Download
memory/1120-9-0x0000000000BA0000-0x000000000103D000-memory.dmp

Filesize
4.6MB

Download
memory/1120-0-0x0000000000BA0000-0x000000000103D000-memory.dmp

Filesize
4.6MB

Download
memory/1152-66-0x0000000000350000-0x0000000000466000-memory.dmp

Filesize
1.1MB

Download
memory/1376-259-0x0000000001080000-0x000000000112E000-memory.dmp

Filesize
696KB

Download
memory/1456-142-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1456-113-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1456-123-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1456-129-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1456-121-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1456-119-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1456-125-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1456-130-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1456-117-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1456-126-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1456-115-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1456-127-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1696-145-0x0000000001010000-0x0000000001062000-memory.dmp

Filesize
328KB

Download
memory/1728-574-0x0000000000F20000-0x0000000001018000-memory.dmp

Filesize
992KB

Download
memory/1728-1670-0x0000000005130000-0x0000000005198000-memory.dmp

Filesize
416KB

Download
memory/1728-1671-0x0000000000BB0000-0x0000000000BFC000-memory.dmp

Filesize
304KB

Download
memory/1728-1672-0x0000000000D50000-0x0000000000DA4000-memory.dmp

Filesize
336KB

Download
memory/1728-575-0x0000000004CA0000-0x0000000004D8E000-memory.dmp

Filesize
952KB

Download
memory/1740-368-0x0000000001130000-0x0000000001184000-memory.dmp

Filesize
336KB

Download
memory/2040-529-0x0000000000FE0000-0x0000000001032000-memory.dmp

Filesize
328KB

Download
memory/2428-49-0x0000000002330000-0x0000000004330000-memory.dmp

Filesize
32.0MB

Download
memory/2428-36-0x0000000000950000-0x00000000009A4000-memory.dmp

Filesize
336KB

Download
memory/2484-216-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2484-481-0x0000000000AA0000-0x0000000000CE3000-memory.dmp

Filesize
2.3MB

Download
memory/2484-111-0x0000000000AA0000-0x0000000000CE3000-memory.dmp

Filesize
2.3MB

Download
memory/2500-147-0x0000000000EC0000-0x0000000000F52000-memory.dmp

Filesize
584KB

Download
memory/2664-385-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2664-372-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2704-21-0x00000000002D0000-0x000000000076D000-memory.dmp

Filesize
4.6MB

Download
memory/2704-18-0x00000000002D0000-0x000000000076D000-memory.dmp

Filesize
4.6MB

Download
memory/2704-19-0x00000000002D0000-0x000000000076D000-memory.dmp

Filesize
4.6MB

Download
memory/2704-350-0x00000000002D0000-0x000000000076D000-memory.dmp

Filesize
4.6MB

Download
memory/2704-1705-0x0000000006190000-0x00000000063D3000-memory.dmp

Filesize
2.3MB

Download
memory/2704-81-0x00000000002D0000-0x000000000076D000-memory.dmp

Filesize
4.6MB

Download
memory/2704-108-0x0000000006190000-0x00000000063D3000-memory.dmp

Filesize
2.3MB

Download
memory/2704-148-0x00000000002D0000-0x000000000076D000-memory.dmp

Filesize
4.6MB

Download
memory/2704-17-0x00000000002D1000-0x00000000002FF000-memory.dmp

Filesize
184KB

Download
memory/2704-110-0x0000000006190000-0x00000000063D3000-memory.dmp

Filesize
2.3MB

Download
memory/2704-16-0x00000000002D0000-0x000000000076D000-memory.dmp

Filesize
4.6MB

Download
memory/2704-112-0x00000000002D0000-0x000000000076D000-memory.dmp

Filesize
4.6MB

Download
memory/2764-50-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2764-48-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2764-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2764-51-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2764-41-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2764-39-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2764-43-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2764-45-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2848-204-0x0000000001360000-0x00000000013E0000-memory.dmp

Filesize
512KB

Download
memory/2856-349-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2856-489-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2856-337-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2856-343-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2856-347-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2856-345-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2856-352-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2856-341-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2856-339-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3052-237-0x0000000000D60000-0x0000000000DD8000-memory.dmp

Filesize
480KB

Download
memory/3052-417-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download