amadey | 4741cf03bed9f4b6d4e0173a11d23f55b75259de759780f95380ffcb4889330c

Analysis

max time kernel
11s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.9MB
MD5

137d70585e38efccf58c790c71c31b43
SHA1

bcd99b2c2c197434ff904c93593a11551f623e17
SHA256

4741cf03bed9f4b6d4e0173a11d23f55b75259de759780f95380ffcb4889330c
SHA512

78b942bd952b404d515f389b46bfe031c09d318c0995fd334304ddaf6d1855719889e8cd7d409c1efc538a6c95c7a3c51806d91e7cc41612656b176e45810f4b
SSDEEP

49152:BRnAuvBWzTHUviUS/SmtGyBX2wc2cKUtV28xcP:rnrBQTHiiUS/xGyBmwc2cvtHCP

Score

10^/10

amadey cryptbot lumma stealc 9c9aa5 stok discovery evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://shineugler.biz/api

https://tacitglibbr.biz/api

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://drive-connect.cyou/api

Extracted

Family

stealc

Botnet

stok

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

cryptbot

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk	MGjaoEXAImpBzJgl.exe

Executes dropped EXE 7 IoCs

pid	Process
2372	skotes.exe
2444	ShtrayEasy35.exe
2808	MGjaoEXAImpBzJgl.exe
2408	889gGSFDyhH4xiO3.exe
692	U64Xx7dc7dIVYGLp.exe
2280	ibcYnDN8F3RUir3S.exe
1760	9wHpy4xNf98ZeS0B.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	skotes.exe

Loads dropped DLL 9 IoCs

pid	Process
2248	file.exe
2248	file.exe
2372	skotes.exe
2444	ShtrayEasy35.exe
2444	ShtrayEasy35.exe
2808	MGjaoEXAImpBzJgl.exe
2444	ShtrayEasy35.exe
2444	ShtrayEasy35.exe
2444	ShtrayEasy35.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChrome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YxV0HKwK\\MGjaoEXAImpBzJgl.exe"	MGjaoEXAImpBzJgl.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000500000001c712-280.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2248	file.exe
2372	skotes.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 38 IoCs

pid	pid_target	Process	procid_target
7352	692	WerFault.exe	35
15896	13684	WerFault.exe	57
1140	1760	WerFault.exe	36
5800	2408	WerFault.exe	34
3460	308	WerFault.exe	53
4396	10864	WerFault.exe	68
20952	8800	WerFault.exe	49
33712	17832	WerFault.exe	62
13532	2528	WerFault.exe	46
26404	13076	WerFault.exe	69
10596	4740	WerFault.exe	54
29348	14828	WerFault.exe	77
28256	3216	WerFault.exe	51
13824	21020	WerFault.exe	91
31320	16072	WerFault.exe	88
9688	940	WerFault.exe	42
5992	6456	WerFault.exe	66
18216	2212	WerFault.exe	41
7592	7716	WerFault.exe	79
4776	10084	WerFault.exe	50
5832	27196	WerFault.exe	84
23340	9784	WerFault.exe	60
840	2280	WerFault.exe	37
28796	20368	WerFault.exe	95
4212	18608	WerFault.exe	109
32032	24084	WerFault.exe	71
9400	18004	WerFault.exe	123
34612	9476	WerFault.exe	93
20300	5580	WerFault.exe	85
9148	1756	WerFault.exe	119
11568	6388	WerFault.exe	125
23932	12196	WerFault.exe	118
12068	2108	WerFault.exe	52
15712	28640	WerFault.exe	107
30904	18328	WerFault.exe	96
5632	24148	WerFault.exe	97
26112	9932	WerFault.exe	121
31344	13284	WerFault.exe	128

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ShtrayEasy35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MGjaoEXAImpBzJgl.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
23676	powershell.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
25300	taskkill.exe
21524	taskkill.exe
23148	taskkill.exe
8480	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
28092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2248	file.exe
2372	skotes.exe
2444	ShtrayEasy35.exe
2808	MGjaoEXAImpBzJgl.exe
2408	889gGSFDyhH4xiO3.exe
2408	889gGSFDyhH4xiO3.exe
2408	889gGSFDyhH4xiO3.exe
692	U64Xx7dc7dIVYGLp.exe
692	U64Xx7dc7dIVYGLp.exe
692	U64Xx7dc7dIVYGLp.exe
692	U64Xx7dc7dIVYGLp.exe
2280	ibcYnDN8F3RUir3S.exe
2280	ibcYnDN8F3RUir3S.exe
2280	ibcYnDN8F3RUir3S.exe
1760	9wHpy4xNf98ZeS0B.exe
1760	9wHpy4xNf98ZeS0B.exe
1760	9wHpy4xNf98ZeS0B.exe
2280	ibcYnDN8F3RUir3S.exe
1760	9wHpy4xNf98ZeS0B.exe
2280	ibcYnDN8F3RUir3S.exe
2280	ibcYnDN8F3RUir3S.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2248	file.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2372	2248	file.exe	30
PID 2248 wrote to memory of 2372	2248	file.exe	30
PID 2248 wrote to memory of 2372	2248	file.exe	30
PID 2248 wrote to memory of 2372	2248	file.exe	30
PID 2372 wrote to memory of 2444	2372	skotes.exe	32
PID 2372 wrote to memory of 2444	2372	skotes.exe	32
PID 2372 wrote to memory of 2444	2372	skotes.exe	32
PID 2372 wrote to memory of 2444	2372	skotes.exe	32
PID 2444 wrote to memory of 2808	2444	ShtrayEasy35.exe	33
PID 2444 wrote to memory of 2808	2444	ShtrayEasy35.exe	33
PID 2444 wrote to memory of 2808	2444	ShtrayEasy35.exe	33
PID 2444 wrote to memory of 2808	2444	ShtrayEasy35.exe	33
PID 2444 wrote to memory of 2408	2444	ShtrayEasy35.exe	34
PID 2444 wrote to memory of 2408	2444	ShtrayEasy35.exe	34
PID 2444 wrote to memory of 2408	2444	ShtrayEasy35.exe	34
PID 2444 wrote to memory of 2408	2444	ShtrayEasy35.exe	34
PID 2444 wrote to memory of 692	2444	ShtrayEasy35.exe	35
PID 2444 wrote to memory of 692	2444	ShtrayEasy35.exe	35
PID 2444 wrote to memory of 692	2444	ShtrayEasy35.exe	35
PID 2444 wrote to memory of 692	2444	ShtrayEasy35.exe	35
PID 2444 wrote to memory of 1760	2444	ShtrayEasy35.exe	36
PID 2444 wrote to memory of 1760	2444	ShtrayEasy35.exe	36
PID 2444 wrote to memory of 1760	2444	ShtrayEasy35.exe	36
PID 2444 wrote to memory of 1760	2444	ShtrayEasy35.exe	36
PID 2444 wrote to memory of 2280	2444	ShtrayEasy35.exe	37
PID 2444 wrote to memory of 2280	2444	ShtrayEasy35.exe	37
PID 2444 wrote to memory of 2280	2444	ShtrayEasy35.exe	37
PID 2444 wrote to memory of 2280	2444	ShtrayEasy35.exe	37

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
12096	attrib.exe
17564	attrib.exe
33272	attrib.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe
    "C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\YxV0HKwK\MGjaoEXAImpBzJgl.exe
      C:\Users\Admin\AppData\Local\Temp\YxV0HKwK\MGjaoEXAImpBzJgl.exe 2444
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2808
    - - C:\Users\Admin\AppData\Local\Temp\O4WUG9Lk\zgM7XWmcVR824qzS.exe
        
        C:\Users\Admin\AppData\Local\Temp\O4WUG9Lk\zgM7XWmcVR824qzS.exe 0
        5⤵
        
        PID:6332
      - C:\Users\Admin\AppData\Local\Temp\6YQ9RQVGMKHVCLJYJBVTZV6JPMHC9BW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6YQ9RQVGMKHVCLJYJBVTZV6JPMHC9BW.exe"
        6⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\ObSVX8vL\2oNQRkksuILVSKCj.exe
        
        C:\Users\Admin\AppData\Local\Temp\ObSVX8vL\2oNQRkksuILVSKCj.exe 3416
        7⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 244
        8⤵
        Program crash
        
        PID:7592
        
        C:\Users\Admin\AppData\Local\Temp\JlFH1VVU0EFXkkWQ.exe
        
        C:\Users\Admin\AppData\Local\Temp\JlFH1VVU0EFXkkWQ.exe 3416
        7⤵
        
        PID:16072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 16072 -s 244
        8⤵
        Program crash
        
        PID:31320
        
        C:\Users\Admin\AppData\Local\Temp\WvkzP8lwfpwOTcB3.exe
        
        C:\Users\Admin\AppData\Local\Temp\WvkzP8lwfpwOTcB3.exe 3416
        7⤵
        
        PID:21020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 21020 -s 204
        8⤵
        Program crash
        
        PID:13824
        
        C:\Users\Admin\AppData\Local\Temp\RM8ZCXgYQfvLj8tB.exe
        
        C:\Users\Admin\AppData\Local\Temp\RM8ZCXgYQfvLj8tB.exe 3416
        7⤵
        
        PID:9476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9476 -s 260
        8⤵
        Program crash
        
        PID:34612
        
        C:\Users\Admin\AppData\Local\Temp\HBbWs5vkvIkcx2vf.exe
        
        C:\Users\Admin\AppData\Local\Temp\HBbWs5vkvIkcx2vf.exe 3416
        7⤵
        
        PID:24212
        
        C:\Users\Admin\AppData\Local\Temp\VmEGMYlF0CIpYCFU.exe
        
        C:\Users\Admin\AppData\Local\Temp\VmEGMYlF0CIpYCFU.exe 3416
        7⤵
        
        PID:20368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 20368 -s 232
        8⤵
        Program crash
        
        PID:28796
        
        C:\Users\Admin\AppData\Local\Temp\9h2Id32PzbdnvBFH.exe
        
        C:\Users\Admin\AppData\Local\Temp\9h2Id32PzbdnvBFH.exe 3416
        7⤵
        
        PID:18328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 18328 -s 216
        8⤵
        Program crash
        
        PID:30904
        
        C:\Users\Admin\AppData\Local\Temp\hxBjSimWIHSmZKzy.exe
        
        C:\Users\Admin\AppData\Local\Temp\hxBjSimWIHSmZKzy.exe 3416
        7⤵
        
        PID:24148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 24148 -s 292
        8⤵
        Program crash
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\6nva7MmASRxdeLEt.exe
        
        C:\Users\Admin\AppData\Local\Temp\6nva7MmASRxdeLEt.exe 3416
        7⤵
        
        PID:12196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12196 -s 256
        8⤵
        Program crash
        
        PID:23932
        
        C:\Users\Admin\AppData\Local\Temp\hLIoG65UcxYg2iUl.exe
        
        C:\Users\Admin\AppData\Local\Temp\hLIoG65UcxYg2iUl.exe 3416
        7⤵
        
        PID:27892
        
        C:\Users\Admin\AppData\Local\Temp\wN15KfZlfzpX3qM8.exe
        
        C:\Users\Admin\AppData\Local\Temp\wN15KfZlfzpX3qM8.exe 3416
        7⤵
        
        PID:13284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 13284 -s 248
        8⤵
        Program crash
        
        PID:31344
        
        C:\Users\Admin\AppData\Local\Temp\N8j1MWA3q1NGSON2.exe
        
        C:\Users\Admin\AppData\Local\Temp\N8j1MWA3q1NGSON2.exe 3416
        7⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\RjIU15H2i9VXQFii.exe
        
        C:\Users\Admin\AppData\Local\Temp\RjIU15H2i9VXQFii.exe 3416
        7⤵
        
        PID:6840
        
        C:\Users\Admin\AppData\Local\Temp\NgXbBEsYwiDtOe9Y.exe
        
        C:\Users\Admin\AppData\Local\Temp\NgXbBEsYwiDtOe9Y.exe 3416
        7⤵
        
        PID:15684
        
        C:\Users\Admin\AppData\Local\Temp\A8wmxBj9pB8BoxLB.exe
        
        C:\Users\Admin\AppData\Local\Temp\A8wmxBj9pB8BoxLB.exe 3416
        7⤵
        
        PID:35796
        
        C:\Users\Admin\AppData\Local\Temp\wAWpm2XRemOTTHTZ.exe
        
        C:\Users\Admin\AppData\Local\Temp\wAWpm2XRemOTTHTZ.exe 3416
        7⤵
        
        PID:35776
        
        C:\Users\Admin\AppData\Local\Temp\8Ff0uNlbH4NIUwK6.exe
        
        C:\Users\Admin\AppData\Local\Temp\8Ff0uNlbH4NIUwK6.exe 3416
        7⤵
        
        PID:29424
        
        C:\Users\Admin\AppData\Local\Temp\M3QZPhXGgePG7U04.exe
        
        C:\Users\Admin\AppData\Local\Temp\M3QZPhXGgePG7U04.exe 3416
        7⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\6kEVlZ3mIBrh0WAA.exe
        
        C:\Users\Admin\AppData\Local\Temp\6kEVlZ3mIBrh0WAA.exe 3416
        7⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\ikpaUekc9mDp1P8X.exe
        
        C:\Users\Admin\AppData\Local\Temp\ikpaUekc9mDp1P8X.exe 3416
        7⤵
        
        PID:31656
        
        C:\Users\Admin\AppData\Local\Temp\AfuBQV6uXK6smEzv.exe
        
        C:\Users\Admin\AppData\Local\Temp\AfuBQV6uXK6smEzv.exe 3416
        7⤵
        
        PID:30056
        
        C:\Users\Admin\AppData\Local\Temp\0t3Zh6E4w7JGjApH.exe
        
        C:\Users\Admin\AppData\Local\Temp\0t3Zh6E4w7JGjApH.exe 3416
        7⤵
        
        PID:23668
        
        C:\Users\Admin\AppData\Local\Temp\wyXE6jekV9Tz04hw.exe
        
        C:\Users\Admin\AppData\Local\Temp\wyXE6jekV9Tz04hw.exe 3416
        7⤵
        
        PID:30452
        
        C:\Users\Admin\AppData\Local\Temp\eSoVVCRUdLolqiEY.exe
        
        C:\Users\Admin\AppData\Local\Temp\eSoVVCRUdLolqiEY.exe 3416
        7⤵
        
        PID:13148
        
        C:\Users\Admin\AppData\Local\Temp\6QcMhbTehCNw5wTp.exe
        
        C:\Users\Admin\AppData\Local\Temp\6QcMhbTehCNw5wTp.exe 3416
        7⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\G3wxvJf5iEKy4vVw.exe
        
        C:\Users\Admin\AppData\Local\Temp\G3wxvJf5iEKy4vVw.exe 3416
        7⤵
        
        PID:32724
        
        C:\Users\Admin\AppData\Local\Temp\k50XzY0orikHlzPe.exe
        
        C:\Users\Admin\AppData\Local\Temp\k50XzY0orikHlzPe.exe 3416
        7⤵
        
        PID:29056
        
        C:\Users\Admin\AppData\Local\Temp\Itrm8zrrhrgdsOgo.exe
        
        C:\Users\Admin\AppData\Local\Temp\Itrm8zrrhrgdsOgo.exe 3416
        7⤵
        
        PID:9284
        
        C:\Users\Admin\AppData\Local\Temp\C2wFmspiqduNJ9UI.exe
        
        C:\Users\Admin\AppData\Local\Temp\C2wFmspiqduNJ9UI.exe 3416
        7⤵
        
        PID:35476
        
        C:\Users\Admin\AppData\Local\Temp\uPYUKWnaNFfZ8h1v.exe
        
        C:\Users\Admin\AppData\Local\Temp\uPYUKWnaNFfZ8h1v.exe 3416
        7⤵
        
        PID:18972
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\889gGSFDyhH4xiO3.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\889gGSFDyhH4xiO3.exe 2444
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2408
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 452
        5⤵
        Program crash
        
        PID:5800
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\U64Xx7dc7dIVYGLp.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\U64Xx7dc7dIVYGLp.exe 2444
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:692
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 240
        5⤵
        Program crash
        
        PID:7352
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\9wHpy4xNf98ZeS0B.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\9wHpy4xNf98ZeS0B.exe 2444
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1760
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 280
        5⤵
        Program crash
        
        PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\ibcYnDN8F3RUir3S.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\ibcYnDN8F3RUir3S.exe 2444
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2280
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 364
        5⤵
        Program crash
        
        PID:840
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\NsdUHhOzc9OQQXDd.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\NsdUHhOzc9OQQXDd.exe 2444
      4⤵
      PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\0z1dwx3X5D5fmVWW.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\0z1dwx3X5D5fmVWW.exe 2444
      4⤵
      PID:2212
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 380
        5⤵
        Program crash
        
        PID:18216
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\XYuR6nF1Jcxxgi7R.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\XYuR6nF1Jcxxgi7R.exe 2444
      4⤵
      PID:940
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 1040
        5⤵
        Program crash
        
        PID:9688
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\I1m0ejmGkl6pX7kJ.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\I1m0ejmGkl6pX7kJ.exe 2444
      4⤵
      PID:2528
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 320
        5⤵
        Program crash
        
        PID:13532
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\6jfZUsmZmwjbhZIg.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\6jfZUsmZmwjbhZIg.exe 2444
      4⤵
      PID:8224
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\iD7QxVrCFCpEEoTw.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\iD7QxVrCFCpEEoTw.exe 2444
      4⤵
      PID:8800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8800 -s 5256
        5⤵
        Program crash
        
        PID:20952
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\TbghWdqA0gKa1bOv.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\TbghWdqA0gKa1bOv.exe 2444
      4⤵
      PID:10084
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10084 -s 344
        5⤵
        Program crash
        
        PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\xPqjyuChizPkM48c.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\xPqjyuChizPkM48c.exe 2444
      4⤵
      PID:3216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 388
        5⤵
        Program crash
        
        PID:28256
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\pNWRlEZWFP0MiLA1.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\pNWRlEZWFP0MiLA1.exe 2444
      4⤵
      PID:2108
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 924
        5⤵
        Program crash
        
        PID:12068
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\mliluCUF0j54Uv8J.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\mliluCUF0j54Uv8J.exe 2444
      4⤵
      PID:308
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 308 -s 316
        5⤵
        Program crash
        
        PID:3460
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\eu40gHzLFtzwFnlP.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\eu40gHzLFtzwFnlP.exe 2444
      4⤵
      PID:4740
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 340
        5⤵
        Program crash
        
        PID:10596
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\Wu0jJagZ4JCVl4Vr.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\Wu0jJagZ4JCVl4Vr.exe 2444
      4⤵
      PID:13684
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 13684 -s 188
        5⤵
        Program crash
        
        PID:15896
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\HWMSDucsWqUVPxw9.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\HWMSDucsWqUVPxw9.exe 2444
      4⤵
      PID:9784
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9784 -s 368
        5⤵
        Program crash
        
        PID:23340
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\ZDCz92SXM0NgqcNo.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\ZDCz92SXM0NgqcNo.exe 2444
      4⤵
      PID:17832
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 17832 -s 916
        5⤵
        Program crash
        
        PID:33712
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\GItBfPY2xQKH5PX9.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\GItBfPY2xQKH5PX9.exe 2444
      4⤵
      PID:6456
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 344
        5⤵
        Program crash
        
        PID:5992
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\5u56s4JKuY3QJncL.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\5u56s4JKuY3QJncL.exe 2444
      4⤵
      PID:10864
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10864 -s 276
        5⤵
        Program crash
        
        PID:4396
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\R2u2StAwUGrartte.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\R2u2StAwUGrartte.exe 2444
      4⤵
      PID:13076
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 13076 -s 260
        5⤵
        Program crash
        
        PID:26404
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\GHokb6954HPQok84.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\GHokb6954HPQok84.exe 2444
      4⤵
      PID:24084
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 24084 -s 356
        5⤵
        Program crash
        
        PID:32032
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\92HRM5Q813iswusl.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\92HRM5Q813iswusl.exe 2444
      4⤵
      PID:14828
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 14828 -s 276
        5⤵
        Program crash
        
        PID:29348
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\3g0sCDMLHqfrlvnI.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\3g0sCDMLHqfrlvnI.exe 2444
      4⤵
      PID:27196
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 27196 -s 284
        5⤵
        Program crash
        
        PID:5832
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\68xcmrTTZIhK9xKE.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\68xcmrTTZIhK9xKE.exe 2444
      4⤵
      PID:5580
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 328
        5⤵
        Program crash
        
        PID:20300
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\1VtqJw6bi087olFz.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\1VtqJw6bi087olFz.exe 2444
      4⤵
      PID:28640
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 28640 -s 312
        5⤵
        Program crash
        
        PID:15712
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\6QzuNQqZ6fb65yNX.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\6QzuNQqZ6fb65yNX.exe 2444
      4⤵
      PID:18608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 18608 -s 248
        5⤵
        Program crash
        
        PID:4212
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\J5WDEYCMD5c5VbuY.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\J5WDEYCMD5c5VbuY.exe 2444
      4⤵
      PID:1756
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 292
        5⤵
        Program crash
        
        PID:9148
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\2pEcGQW0DwlMPmCd.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\2pEcGQW0DwlMPmCd.exe 2444
      4⤵
      PID:15144
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\uzGn5TLjmUJkulrh.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\uzGn5TLjmUJkulrh.exe 2444
      4⤵
      PID:9932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9932 -s 332
        5⤵
        Program crash
        
        PID:26112
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\u65UM2mUjum3mDy5.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\u65UM2mUjum3mDy5.exe 2444
      4⤵
      PID:14512
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\boKHwsxUrx6JSOLq.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\boKHwsxUrx6JSOLq.exe 2444
      4⤵
      PID:18004
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 18004 -s 276
        5⤵
        Program crash
        
        PID:9400
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\hcxcquDsqsDDAsMI.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\hcxcquDsqsDDAsMI.exe 2444
      4⤵
      PID:18464
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\qYXAY9ttDwyFXBbz.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\qYXAY9ttDwyFXBbz.exe 2444
      4⤵
      PID:6388
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6388 -s 296
        5⤵
        Program crash
        
        PID:11568
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\Xe6St1sFIoyljsES.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\Xe6St1sFIoyljsES.exe 2444
      4⤵
      PID:20288
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\38Wynq9qktox0luC.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\38Wynq9qktox0luC.exe 2444
      4⤵
      PID:27060
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\WUxUXoRoS4Aq1YGD.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\WUxUXoRoS4Aq1YGD.exe 2444
      4⤵
      PID:27320
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\QpG3tAFJbQx35kob.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\QpG3tAFJbQx35kob.exe 2444
      4⤵
      PID:14076
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\U2MNuZAQ4lRIrXTs.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\U2MNuZAQ4lRIrXTs.exe 2444
      4⤵
      PID:34196
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\0gmqjHDe2m77ccPf.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\0gmqjHDe2m77ccPf.exe 2444
      4⤵
      PID:18756
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\H8MlSvvxLavh9qjk.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\H8MlSvvxLavh9qjk.exe 2444
      4⤵
      PID:33972
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\8XUi78RXKtPRHaVD.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\8XUi78RXKtPRHaVD.exe 2444
      4⤵
      PID:10756
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\dUEz7ZoWVgs1RLRc.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\dUEz7ZoWVgs1RLRc.exe 2444
      4⤵
      PID:18364
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\H7DDMNb31Ekim07f.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\H7DDMNb31Ekim07f.exe 2444
      4⤵
      PID:28656
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\iWrU4joxXEtzlNqM.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\iWrU4joxXEtzlNqM.exe 2444
      4⤵
      PID:14736
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\zYb4o2zA9050xigt.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\zYb4o2zA9050xigt.exe 2444
      4⤵
      PID:28836
- - C:\Users\Admin\AppData\Local\Temp\1015632001\4f26a2e67a.exe
    "C:\Users\Admin\AppData\Local\Temp\1015632001\4f26a2e67a.exe"
    3⤵
    PID:2584
- - C:\Users\Admin\AppData\Local\Temp\1015633001\00e2e622db.exe
    "C:\Users\Admin\AppData\Local\Temp\1015633001\00e2e622db.exe"
    3⤵
    PID:3872
- - C:\Users\Admin\AppData\Local\Temp\1015634001\2b4d53a222.exe
    "C:\Users\Admin\AppData\Local\Temp\1015634001\2b4d53a222.exe"
    3⤵
    PID:16184
  - - C:\Users\Admin\AppData\Local\Temp\3IW8SKJ2JWE41RSTTEHGXFRS.exe
      "C:\Users\Admin\AppData\Local\Temp\3IW8SKJ2JWE41RSTTEHGXFRS.exe"
      4⤵
      PID:30888
  - - C:\Users\Admin\AppData\Local\Temp\0WHI167X3QI5ULW8GM248.exe
      "C:\Users\Admin\AppData\Local\Temp\0WHI167X3QI5ULW8GM248.exe"
      4⤵
      PID:31732
- - C:\Users\Admin\AppData\Local\Temp\1015635001\409f8bc839.exe
    "C:\Users\Admin\AppData\Local\Temp\1015635001\409f8bc839.exe"
    3⤵
    PID:9476
- - C:\Users\Admin\AppData\Local\Temp\1015636001\d248f8475e.exe
    "C:\Users\Admin\AppData\Local\Temp\1015636001\d248f8475e.exe"
    3⤵
    PID:20444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:8480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:25300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:21524
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:23148
- - C:\Users\Admin\AppData\Local\Temp\1015637001\edc1b1ab5b.exe
    "C:\Users\Admin\AppData\Local\Temp\1015637001\edc1b1ab5b.exe"
    3⤵
    PID:19640
- - C:\Users\Admin\AppData\Local\Temp\1015638001\326e61ee95.exe
    "C:\Users\Admin\AppData\Local\Temp\1015638001\326e61ee95.exe"
    3⤵
    PID:8732
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      4⤵
      PID:7408
    - - C:\Windows\system32\mode.com
        
        mode 65,10
        5⤵
        
        PID:21940
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p24291711423417250691697322505 -oextracted
        5⤵
        
        PID:20932
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        5⤵
        
        PID:7916
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        5⤵
        
        PID:35600
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        5⤵
        
        PID:12792
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        5⤵
        
        PID:5388
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        5⤵
        
        PID:20312
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        5⤵
        
        PID:7508
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        5⤵
        
        PID:10252
    - - C:\Windows\system32\attrib.exe
        
        attrib +H "in.exe"
        5⤵
        Views/modifies file attributes
        
        PID:12096
    - - C:\Users\Admin\AppData\Local\Temp\main\in.exe
        
        "in.exe"
        5⤵
        
        PID:5376
      - C:\Windows\system32\attrib.exe
        
        attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        6⤵
        Views/modifies file attributes
        
        PID:33272
      - C:\Windows\system32\attrib.exe
        
        attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        6⤵
        Views/modifies file attributes
        
        PID:17564
      - C:\Windows\system32\schtasks.exe
        
        schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:28092
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell ping 127.0.0.1; del in.exe
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:23676
- - C:\Users\Admin\AppData\Local\Temp\1015639001\291f8a5ac5.exe
    "C:\Users\Admin\AppData\Local\Temp\1015639001\291f8a5ac5.exe"
    3⤵
    PID:16652
- - C:\Users\Admin\AppData\Local\Temp\1015640001\701cdf4c02.exe
    "C:\Users\Admin\AppData\Local\Temp\1015640001\701cdf4c02.exe"
    3⤵
    PID:20208
  - - C:\Users\Admin\AppData\Local\Temp\1015640001\701cdf4c02.exe
      "C:\Users\Admin\AppData\Local\Temp\1015640001\701cdf4c02.exe"
      4⤵
      PID:26664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
b4d91406b77f8b91adc1f47c67732f97

SHA1
71758137a3498f7aecce26c54699a31b949ad817

SHA256
eaea52e2b32741d92bf88b8a60f541ffce402f1c4d1d2cee50b9d5a3809d8d6d

SHA512
f45f158f58d2c1b9126f07efdd5160c3a7990bf6fec6e7c7b6dae95e2fb9237a4e1fef89dbb61e9439ba64f477142fadd348550dbc7293f878189d81bb411bb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd0baea79a59bade8b977ab37200383a

SHA1
fff0ccb9e5903149ac57925fd278afe54dfa1b05

SHA256
ad3a4134af9a0ea43a15a37438b8e0b3a4d5c8d4194a39ca4902ed9af6d737b7

SHA512
bdb445b6a4a7e40d220ee16681df44f01297289724448826b997e40f91d44f753540cd31226ecef02fe650b681616bc831bc5972aa255e8c64e1d12379fe278e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
b88dc06090be00e7b1764a612fb649fd

SHA1
ea7ce921520b9faf4a2f5b954ae2fe203c29afe2

SHA256
e756e77f86280eeba486b4652cec3df2583be6713e86a23db97f2da1aca1de62

SHA512
5452415aff141ed7e6d9fb90f6ba376bd7acef70becae4186c03a7a2c61c4e3baaf860a53b3812ce26a0870fc9bed017a2ddc1427ff6255bff4bd3fec748e684

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
d4ce90a3ec89d2bbf92874ecab1917ae

SHA1
6235d0095deb6aa8c555233a13cf01dbabe47a62

SHA256
27ea8804e502dce3e00e2ee9428b1d961d060ca9c7d86113a908bbc1896e25f1

SHA512
794a3d1e1b3d5f9373537e69b9cbfbcb8c7929661d7c114f17b1306d500d32ff24e90ba388004b0f535f5d2d504a70a2b38c9b9bc93a53c55c15bf653d1f34db

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe

Filesize
256KB

MD5
c37a981bc24c4aba6454da4eecb7acbe

SHA1
2bffdf27d0d4f7c810e323c1671a87ed2d6b644f

SHA256
d6fc121d54e4cdf3a1b6b0505c4f691f16d91fdd421bf96c04388b1c6f19e361

SHA512
2f44b5218b323bc2bad3ee37426b5bbcbb089b1a561e5f2f48fd455fed0a395b50a6cbb3783bf06e25b144b3f77078629ab1d86fb2c8df1a532230c81a3b2ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015632001\4f26a2e67a.exe

Filesize
384KB

MD5
dfd5f78a711fa92337010ecc028470b4

SHA1
1a389091178f2be8ce486cd860de16263f8e902e

SHA256
da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d

SHA512
a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015633001\00e2e622db.exe

Filesize
1.7MB

MD5
6c1d0dabe1ec5e928f27b3223f25c26b

SHA1
e25ab704a6e9b3e4c30a6c1f7043598a13856ad9

SHA256
92228a0012605351cf08df9a2ad4b93fa552d7a75991f81fb80f1ae854a0e57d

SHA512
3a3f7af4f6018fcbd8c6f2871270504731cf269134453c9a146351c3e4a5c89165ecccafb3655d8b39c1ff1ec68f06e1851c0abd66d47602e1f0f8e36d4acfe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015634001\2b4d53a222.exe

Filesize
1.8MB

MD5
4759820fde0c680644d332189bec83aa

SHA1
57299ea1dac94f357b2ff19e36df44f8eb5b4a33

SHA256
f77d07b9c49ce8361a05f50d39c3b2eefc02c9cf64200c80fdec8f445b7cac7d

SHA512
156af54e601d1826e61407e03cd499344b17df99c0e6f57d928d2c748873556855deac4bbed1a319f5512e7456b399c5ffe089e0ba887ed62e432c9040767651

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015635001\409f8bc839.exe

Filesize
1.7MB

MD5
3b81eb71fa324c0fbbda1b1cb2ee9362

SHA1
439b1c7c807fa07e76ae711c7fa7058e5b302465

SHA256
9f4dd6f6d3cbb601b23e8ee00e1280324b2168eaaa70e2480fe71761e0904ca7

SHA512
c957a963e4059a89c3626e4d7fe9276d5ed18b2d1fbab347d342514a2e11cb7d3eebe95d2e4601f9efe216c580b4c9e1b79e82dde6b64c9ccb51d5a9a514e19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015636001\d248f8475e.exe

Filesize
950KB

MD5
8f8350a0bc840e7eebada793eb192904

SHA1
6b93a4fee41a73c0f4cb5ab50ab2304ab6544e1a

SHA256
70f30b7615c2b39186216d5e56d169c864dea1a714b186b92155cb58bbc2a2af

SHA512
23485624b8549d6b150e723626ee85ae0565904d1a24311b33a48d6a333a5544a1e4336ac16ea1e76b172166c284f0a258e1f62d070ad78a8c7fe44be1d1a1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015637001\edc1b1ab5b.exe

Filesize
2.7MB

MD5
21abfae8244aa79238cf95a0a3de2efd

SHA1
92a04e62faae9d4a6f557b28f70bc53bf121688a

SHA256
15f24104dae0fd4c0596b0ba490d65d3965154313316ffcf544d0b2db5bff894

SHA512
7e3388a51cc237b9666a07b06055e6fe4db4e98c3a04ae8733f6dd970f876ef119bc6c7c1d53fd0ad7b5183a79fd2aee6fe44563440f2126273ad5db33be740f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015638001\326e61ee95.exe

Filesize
4.2MB

MD5
3a425626cbd40345f5b8dddd6b2b9efa

SHA1
7b50e108e293e54c15dce816552356f424eea97a

SHA256
ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1

SHA512
a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015639001\291f8a5ac5.exe

Filesize
4.3MB

MD5
15334f94b4f5fa2dfa90e46a49e9b0a1

SHA1
892e5ca39368157587400114133896013266c1c9

SHA256
935723666cc1a0c30276875e3ce3fbc708b26a507b4f6419bf454d739b1c89a5

SHA512
efa63b3170756f825f0f3f4f9de52952f0bdd23f0612920c688b66f31395608da3b441dda8f9703c72e825506578dc480ad2deedf240d9669a9627cf545c1c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015640001\701cdf4c02.exe

Filesize
710KB

MD5
28e568616a7b792cac1726deb77d9039

SHA1
39890a418fb391b823ed5084533e2e24dff021e1

SHA256
9597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2

SHA512
85048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab15C2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\O4WUG9Lk\zgM7XWmcVR824qzS.exe

Filesize
1.1MB

MD5
b298555bb0abd747844310c6ca6db8cb

SHA1
a4e667d337c0063fc1e960cf96e76b4e2b710bee

SHA256
be1d891bc086dad79cd7c8fb5db190277871764ec2acf2211c876752cd39b222

SHA512
d2d857083ba04a9bef436b23f5598a786a1099aa816bb42377ececcb784af08b281d5c93081a5964f6ec8ae9286b6e0be607d0736293dfdf6c479e9c69de7069

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar98A8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.9MB

MD5
137d70585e38efccf58c790c71c31b43

SHA1
bcd99b2c2c197434ff904c93593a11551f623e17

SHA256
4741cf03bed9f4b6d4e0173a11d23f55b75259de759780f95380ffcb4889330c

SHA512
78b942bd952b404d515f389b46bfe031c09d318c0995fd334304ddaf6d1855719889e8cd7d409c1efc538a6c95c7a3c51806d91e7cc41612656b176e45810f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
440B

MD5
3626532127e3066df98e34c3d56a1869

SHA1
5fa7102f02615afde4efd4ed091744e842c63f78

SHA256
2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca

SHA512
dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd

Download Submit
memory/2248-5-0x0000000001290000-0x00000000015A9000-memory.dmp

Filesize
3.1MB

Download
memory/2248-0-0x0000000001290000-0x00000000015A9000-memory.dmp

Filesize
3.1MB

Download
memory/2248-3-0x0000000001290000-0x00000000015A9000-memory.dmp

Filesize
3.1MB

Download
memory/2248-18-0x0000000001290000-0x00000000015A9000-memory.dmp

Filesize
3.1MB

Download
memory/2248-86-0x0000000005FB0000-0x00000000062C9000-memory.dmp

Filesize
3.1MB

Download
memory/2248-2-0x0000000001291000-0x00000000012BF000-memory.dmp

Filesize
184KB

Download
memory/2248-1-0x00000000774E0000-0x00000000774E2000-memory.dmp

Filesize
8KB

Download
memory/2372-333-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2372-100-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2372-185-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2372-821-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2372-248-0x00000000061B0000-0x000000000665D000-memory.dmp

Filesize
4.7MB

Download
memory/2372-19-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2372-21-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2372-176-0x00000000061B0000-0x000000000663B000-memory.dmp

Filesize
4.5MB

Download
memory/2372-581-0x00000000061B0000-0x0000000006DBB000-memory.dmp

Filesize
12.0MB

Download
memory/2372-582-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2372-569-0x00000000061B0000-0x0000000006DBB000-memory.dmp

Filesize
12.0MB

Download
memory/2372-276-0x00000000061B0000-0x000000000683F000-memory.dmp

Filesize
6.6MB

Download
memory/2372-175-0x00000000061B0000-0x000000000663B000-memory.dmp

Filesize
4.5MB

Download
memory/2372-529-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2372-20-0x00000000013E1000-0x000000000140F000-memory.dmp

Filesize
184KB

Download
memory/2372-267-0x00000000061B0000-0x000000000663B000-memory.dmp

Filesize
4.5MB

Download
memory/2372-266-0x00000000061B0000-0x000000000663B000-memory.dmp

Filesize
4.5MB

Download
memory/2372-263-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2372-23-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2372-473-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2372-24-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2372-303-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2372-302-0x00000000061B0000-0x000000000665D000-memory.dmp

Filesize
4.7MB

Download
memory/2372-472-0x00000000061B0000-0x0000000006DBB000-memory.dmp

Filesize
12.0MB

Download
memory/2372-470-0x00000000061B0000-0x0000000006DBB000-memory.dmp

Filesize
12.0MB

Download
memory/2372-166-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2372-92-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2372-414-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2372-136-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2372-117-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2372-400-0x00000000061B0000-0x0000000006466000-memory.dmp

Filesize
2.7MB

Download
memory/2372-348-0x00000000061B0000-0x000000000683F000-memory.dmp

Filesize
6.6MB

Download
memory/2372-401-0x00000000061B0000-0x0000000006466000-memory.dmp

Filesize
2.7MB

Download
memory/2372-356-0x00000000061B0000-0x0000000006466000-memory.dmp

Filesize
2.7MB

Download
memory/2372-381-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2372-357-0x00000000061B0000-0x0000000006466000-memory.dmp

Filesize
2.7MB

Download
memory/2372-363-0x00000000013E0000-0x00000000016F9000-memory.dmp

Filesize
3.1MB

Download
memory/2584-307-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/2584-274-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/2584-244-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/2584-437-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/2584-546-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/3872-351-0x0000000000F70000-0x00000000013FB000-memory.dmp

Filesize
4.5MB

Download
memory/3872-379-0x0000000000F70000-0x00000000013FB000-memory.dmp

Filesize
4.5MB

Download
memory/3872-178-0x0000000000F70000-0x00000000013FB000-memory.dmp

Filesize
4.5MB

Download
memory/3872-273-0x0000000000F70000-0x00000000013FB000-memory.dmp

Filesize
4.5MB

Download
memory/3872-262-0x0000000000F70000-0x00000000013FB000-memory.dmp

Filesize
4.5MB

Download
memory/3872-330-0x0000000000F70000-0x00000000013FB000-memory.dmp

Filesize
4.5MB

Download
memory/3872-412-0x0000000000F70000-0x00000000013FB000-memory.dmp

Filesize
4.5MB

Download
memory/3872-439-0x0000000000F70000-0x00000000013FB000-memory.dmp

Filesize
4.5MB

Download
memory/3872-290-0x0000000000F70000-0x00000000013FB000-memory.dmp

Filesize
4.5MB

Download
memory/6332-375-0x0000000000FC0000-0x00000000010E7000-memory.dmp

Filesize
1.2MB

Download
memory/6332-251-0x0000000000FC0000-0x00000000010E7000-memory.dmp

Filesize
1.2MB

Download
memory/9476-284-0x00000000002A0000-0x000000000092F000-memory.dmp

Filesize
6.6MB

Download
memory/9476-304-0x00000000002A0000-0x000000000092F000-memory.dmp

Filesize
6.6MB

Download
memory/9476-306-0x00000000002A0000-0x000000000092F000-memory.dmp

Filesize
6.6MB

Download
memory/16184-449-0x00000000013D0000-0x000000000187D000-memory.dmp

Filesize
4.7MB

Download
memory/16184-309-0x00000000013D0000-0x000000000187D000-memory.dmp

Filesize
4.7MB

Download
memory/16184-498-0x00000000013D0000-0x000000000187D000-memory.dmp

Filesize
4.7MB

Download
memory/16184-249-0x00000000013D0000-0x000000000187D000-memory.dmp

Filesize
4.7MB

Download
memory/16184-308-0x00000000013D0000-0x000000000187D000-memory.dmp

Filesize
4.7MB

Download
memory/16184-376-0x00000000013D0000-0x000000000187D000-memory.dmp

Filesize
4.7MB

Download
memory/16184-285-0x00000000013D0000-0x000000000187D000-memory.dmp

Filesize
4.7MB

Download
memory/16184-399-0x00000000013D0000-0x000000000187D000-memory.dmp

Filesize
4.7MB

Download
memory/16184-559-0x00000000013D0000-0x000000000187D000-memory.dmp

Filesize
4.7MB

Download
memory/16184-578-0x0000000005E60000-0x0000000006116000-memory.dmp

Filesize
2.7MB

Download
memory/16184-580-0x0000000005E60000-0x0000000006116000-memory.dmp

Filesize
2.7MB

Download
memory/16184-640-0x00000000013D0000-0x000000000187D000-memory.dmp

Filesize
4.7MB

Download
memory/16184-345-0x00000000013D0000-0x000000000187D000-memory.dmp

Filesize
4.7MB

Download
memory/16652-496-0x0000000000F60000-0x0000000001B6B000-memory.dmp

Filesize
12.0MB

Download
memory/16652-847-0x0000000000F60000-0x0000000001B6B000-memory.dmp

Filesize
12.0MB

Download
memory/16652-571-0x0000000000F60000-0x0000000001B6B000-memory.dmp

Filesize
12.0MB

Download
memory/16652-646-0x0000000000F60000-0x0000000001B6B000-memory.dmp

Filesize
12.0MB

Download
memory/16652-704-0x0000000000F60000-0x0000000001B6B000-memory.dmp

Filesize
12.0MB

Download
memory/19640-377-0x0000000000AD0000-0x0000000000D86000-memory.dmp

Filesize
2.7MB

Download
memory/19640-378-0x0000000000AD0000-0x0000000000D86000-memory.dmp

Filesize
2.7MB

Download
memory/19640-409-0x0000000000AD0000-0x0000000000D86000-memory.dmp

Filesize
2.7MB

Download
memory/19640-358-0x0000000000AD0000-0x0000000000D86000-memory.dmp

Filesize
2.7MB

Download
memory/26664-755-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/26664-759-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/26664-757-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/26664-761-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/26664-753-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/26664-751-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/26664-749-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/26664-762-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/26664-763-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/30888-815-0x0000000000120000-0x00000000003D6000-memory.dmp

Filesize
2.7MB

Download
memory/30888-812-0x0000000000120000-0x00000000003D6000-memory.dmp

Filesize
2.7MB

Download