amadey | 9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386a

Analysis

max time kernel
115s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/12/2024, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe
Size

2.8MB
MD5

c32d39710b13585f9608ebac9e028ea0
SHA1

96ce25ea1f05d91a7314e6eed4101af60259a811
SHA256

9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386a
SHA512

e6222188e39d4260c8de06a4d8033ef2a4c1122e8df22fda616b4bb2de2377846c1621f3cb0d9840c81791b7a1cba3276081063875a91781972a2be0da96e3c5
SSDEEP

49152:GLNDk2Pu0hI2hcbYQc4Nv0PYax7Ia1uTZYs:GFk2PuWIBeOv0P1WayZYs

Score

10^/10

amadey cryptbot lumma stealc xmrig 9c9aa5 fed3aa stok discovery evasion execution miner persistence spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

stok

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

cryptbot

http://home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734

Extracted

Family

lumma

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2920 created 1196	2920	f73d0b292e.exe	21
PID 2688 created 1196	2688	783e26d6da.exe	21

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Enumerates VirtualBox registry keys 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	a133921b52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	9541b56535.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6110e0ab9d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f73d0b292e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	70a894aa0b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	783e26d6da.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a133921b52.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ANEDNjf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2cf4512e98.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9541b56535.exe

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/1592-432-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/1592-435-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/1592-434-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/1592-433-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/1592-431-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/1592-436-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/1592-437-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2676	powershell.exe
2220	powershell.exe
1996	powershell.exe
288	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a133921b52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2cf4512e98.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2cf4512e98.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	783e26d6da.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6110e0ab9d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f73d0b292e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	70a894aa0b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6110e0ab9d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	70a894aa0b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9541b56535.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	783e26d6da.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f73d0b292e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a133921b52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ANEDNjf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ANEDNjf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9541b56535.exe

Executes dropped EXE 23 IoCs

pid	Process
2256	axplong.exe
2144	6110e0ab9d.exe
2920	f73d0b292e.exe
1812	70a894aa0b.exe
2808	skotes.exe
1020	kf5cl0F.exe
2012	a133921b52.exe
1268	ANEDNjf.exe
948	4b9f4ded1c.exe
744	7z.exe
2360	7z.exe
1588	7z.exe
2836	7z.exe
3060	7z.exe
2680	7z.exe
2828	7z.exe
2168	7z.exe
1952	in.exe
1752	2cf4512e98.exe
2888	9541b56535.exe
2032	b95d9d8471.exe
2688	783e26d6da.exe
2660	Intel_PTT_EK_Recertification.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	f73d0b292e.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	9541b56535.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	783e26d6da.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	2cf4512e98.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	6110e0ab9d.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	70a894aa0b.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	a133921b52.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	ANEDNjf.exe

Loads dropped DLL 40 IoCs

pid	Process
2960	9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe
2960	9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe
2256	axplong.exe
2256	axplong.exe
2256	axplong.exe
2256	axplong.exe
2256	axplong.exe
1812	70a894aa0b.exe
2808	skotes.exe
2256	axplong.exe
2808	skotes.exe
2808	skotes.exe
2808	skotes.exe
2528	cmd.exe
744	7z.exe
2528	cmd.exe
2360	7z.exe
2528	cmd.exe
1588	7z.exe
2528	cmd.exe
2836	7z.exe
2528	cmd.exe
3060	7z.exe
2528	cmd.exe
2680	7z.exe
2528	cmd.exe
2828	7z.exe
2528	cmd.exe
2168	7z.exe
2528	cmd.exe
2528	cmd.exe
2808	skotes.exe
2808	skotes.exe
2808	skotes.exe
2808	skotes.exe
2808	skotes.exe
2808	skotes.exe
2808	skotes.exe
2628	taskeng.exe
2628	taskeng.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\6110e0ab9d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007328001\\6110e0ab9d.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\70a894aa0b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007330001\\70a894aa0b.exe"	axplong.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
2960	9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe
2256	axplong.exe
2144	6110e0ab9d.exe
2920	f73d0b292e.exe
1812	70a894aa0b.exe
2808	skotes.exe
2012	a133921b52.exe
1268	ANEDNjf.exe
1752	2cf4512e98.exe
2888	9541b56535.exe
2688	783e26d6da.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2660 set thread context of 1592	2660	Intel_PTT_EK_Recertification.exe	83

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1952-318-0x000000013F3A0000-0x000000013F830000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe
File created	C:\Windows\Tasks\skotes.job	70a894aa0b.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kf5cl0F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6110e0ab9d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70a894aa0b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a133921b52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ANEDNjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9541b56535.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b95d9d8471.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2cf4512e98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b9f4ded1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	783e26d6da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f73d0b292e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1740	powershell.exe
2236	PING.EXE
1952	powershell.exe
2112	PING.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ANEDNjf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ANEDNjf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ANEDNjf.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2236	PING.EXE
2112	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2960	9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe
2256	axplong.exe
2144	6110e0ab9d.exe
2920	f73d0b292e.exe
2920	f73d0b292e.exe
2920	f73d0b292e.exe
2920	f73d0b292e.exe
2920	f73d0b292e.exe
640	dialer.exe
640	dialer.exe
640	dialer.exe
640	dialer.exe
1812	70a894aa0b.exe
2808	skotes.exe
1020	kf5cl0F.exe
2676	powershell.exe
2220	powershell.exe
2012	a133921b52.exe
1268	ANEDNjf.exe
2012	a133921b52.exe
2012	a133921b52.exe
2012	a133921b52.exe
2012	a133921b52.exe
2012	a133921b52.exe
1740	powershell.exe
1752	2cf4512e98.exe
1268	ANEDNjf.exe
1268	ANEDNjf.exe
1268	ANEDNjf.exe
1268	ANEDNjf.exe
2888	9541b56535.exe
2888	9541b56535.exe
2888	9541b56535.exe
2888	9541b56535.exe
2888	9541b56535.exe
2888	9541b56535.exe
2032	b95d9d8471.exe
1996	powershell.exe
288	powershell.exe
2688	783e26d6da.exe
2688	783e26d6da.exe
2688	783e26d6da.exe
2688	783e26d6da.exe
2688	783e26d6da.exe
1436	dialer.exe
1436	dialer.exe
1436	dialer.exe
1436	dialer.exe
2660	Intel_PTT_EK_Recertification.exe
1952	powershell.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	1020	kf5cl0F.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeRestorePrivilege	744	7z.exe
Token: 35	744	7z.exe
Token: SeSecurityPrivilege	744	7z.exe
Token: SeSecurityPrivilege	744	7z.exe
Token: SeRestorePrivilege	2360	7z.exe
Token: 35	2360	7z.exe
Token: SeSecurityPrivilege	2360	7z.exe
Token: SeSecurityPrivilege	2360	7z.exe
Token: SeRestorePrivilege	1588	7z.exe
Token: 35	1588	7z.exe
Token: SeSecurityPrivilege	1588	7z.exe
Token: SeSecurityPrivilege	1588	7z.exe
Token: SeRestorePrivilege	2836	7z.exe
Token: 35	2836	7z.exe
Token: SeSecurityPrivilege	2836	7z.exe
Token: SeSecurityPrivilege	2836	7z.exe
Token: SeRestorePrivilege	3060	7z.exe
Token: 35	3060	7z.exe
Token: SeSecurityPrivilege	3060	7z.exe
Token: SeSecurityPrivilege	3060	7z.exe
Token: SeRestorePrivilege	2680	7z.exe
Token: 35	2680	7z.exe
Token: SeSecurityPrivilege	2680	7z.exe
Token: SeSecurityPrivilege	2680	7z.exe
Token: SeRestorePrivilege	2828	7z.exe
Token: 35	2828	7z.exe
Token: SeSecurityPrivilege	2828	7z.exe
Token: SeSecurityPrivilege	2828	7z.exe
Token: SeRestorePrivilege	2168	7z.exe
Token: 35	2168	7z.exe
Token: SeSecurityPrivilege	2168	7z.exe
Token: SeSecurityPrivilege	2168	7z.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2032	b95d9d8471.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeLockMemoryPrivilege	1592	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2960	9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe
1812	70a894aa0b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2256	2960	9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe	30
PID 2960 wrote to memory of 2256	2960	9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe	30
PID 2960 wrote to memory of 2256	2960	9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe	30
PID 2960 wrote to memory of 2256	2960	9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe	30
PID 2256 wrote to memory of 2144	2256	axplong.exe	32
PID 2256 wrote to memory of 2144	2256	axplong.exe	32
PID 2256 wrote to memory of 2144	2256	axplong.exe	32
PID 2256 wrote to memory of 2144	2256	axplong.exe	32
PID 2256 wrote to memory of 2920	2256	axplong.exe	34
PID 2256 wrote to memory of 2920	2256	axplong.exe	34
PID 2256 wrote to memory of 2920	2256	axplong.exe	34
PID 2256 wrote to memory of 2920	2256	axplong.exe	34
PID 2920 wrote to memory of 640	2920	f73d0b292e.exe	35
PID 2920 wrote to memory of 640	2920	f73d0b292e.exe	35
PID 2920 wrote to memory of 640	2920	f73d0b292e.exe	35
PID 2920 wrote to memory of 640	2920	f73d0b292e.exe	35
PID 2920 wrote to memory of 640	2920	f73d0b292e.exe	35
PID 2920 wrote to memory of 640	2920	f73d0b292e.exe	35
PID 2256 wrote to memory of 1812	2256	axplong.exe	36
PID 2256 wrote to memory of 1812	2256	axplong.exe	36
PID 2256 wrote to memory of 1812	2256	axplong.exe	36
PID 2256 wrote to memory of 1812	2256	axplong.exe	36
PID 1812 wrote to memory of 2808	1812	70a894aa0b.exe	37
PID 1812 wrote to memory of 2808	1812	70a894aa0b.exe	37
PID 1812 wrote to memory of 2808	1812	70a894aa0b.exe	37
PID 1812 wrote to memory of 2808	1812	70a894aa0b.exe	37
PID 2808 wrote to memory of 1020	2808	skotes.exe	38
PID 2808 wrote to memory of 1020	2808	skotes.exe	38
PID 2808 wrote to memory of 1020	2808	skotes.exe	38
PID 2808 wrote to memory of 1020	2808	skotes.exe	38
PID 1020 wrote to memory of 2676	1020	kf5cl0F.exe	41
PID 1020 wrote to memory of 2676	1020	kf5cl0F.exe	41
PID 1020 wrote to memory of 2676	1020	kf5cl0F.exe	41
PID 1020 wrote to memory of 2676	1020	kf5cl0F.exe	41
PID 1020 wrote to memory of 2220	1020	kf5cl0F.exe	43
PID 1020 wrote to memory of 2220	1020	kf5cl0F.exe	43
PID 1020 wrote to memory of 2220	1020	kf5cl0F.exe	43
PID 1020 wrote to memory of 2220	1020	kf5cl0F.exe	43
PID 2256 wrote to memory of 2012	2256	axplong.exe	45
PID 2256 wrote to memory of 2012	2256	axplong.exe	45
PID 2256 wrote to memory of 2012	2256	axplong.exe	45
PID 2256 wrote to memory of 2012	2256	axplong.exe	45
PID 2808 wrote to memory of 1268	2808	skotes.exe	46
PID 2808 wrote to memory of 1268	2808	skotes.exe	46
PID 2808 wrote to memory of 1268	2808	skotes.exe	46
PID 2808 wrote to memory of 1268	2808	skotes.exe	46
PID 2808 wrote to memory of 948	2808	skotes.exe	47
PID 2808 wrote to memory of 948	2808	skotes.exe	47
PID 2808 wrote to memory of 948	2808	skotes.exe	47
PID 2808 wrote to memory of 948	2808	skotes.exe	47
PID 948 wrote to memory of 2528	948	4b9f4ded1c.exe	48
PID 948 wrote to memory of 2528	948	4b9f4ded1c.exe	48
PID 948 wrote to memory of 2528	948	4b9f4ded1c.exe	48
PID 948 wrote to memory of 2528	948	4b9f4ded1c.exe	48
PID 2528 wrote to memory of 1300	2528	cmd.exe	50
PID 2528 wrote to memory of 1300	2528	cmd.exe	50
PID 2528 wrote to memory of 1300	2528	cmd.exe	50
PID 2528 wrote to memory of 744	2528	cmd.exe	51
PID 2528 wrote to memory of 744	2528	cmd.exe	51
PID 2528 wrote to memory of 744	2528	cmd.exe	51
PID 2528 wrote to memory of 2360	2528	cmd.exe	52
PID 2528 wrote to memory of 2360	2528	cmd.exe	52
PID 2528 wrote to memory of 2360	2528	cmd.exe	52
PID 2528 wrote to memory of 1588	2528	cmd.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2392	attrib.exe
2708	attrib.exe
1928	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe
  "C:\Users\Admin\AppData\Local\Temp\9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\1007328001\6110e0ab9d.exe
      "C:\Users\Admin\AppData\Local\Temp\1007328001\6110e0ab9d.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\1007329001\f73d0b292e.exe
      "C:\Users\Admin\AppData\Local\Temp\1007329001\f73d0b292e.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\1007330001\70a894aa0b.exe
      "C:\Users\Admin\AppData\Local\Temp\1007330001\70a894aa0b.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Users\Admin\AppData\Local\Temp\1017024001\kf5cl0F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1017024001\kf5cl0F.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath "C:\dkdikf"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
      - C:\Users\Admin\AppData\Local\Temp\1017027001\ANEDNjf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1017027001\ANEDNjf.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:1268
      - C:\Users\Admin\AppData\Local\Temp\1017253001\4b9f4ded1c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1017253001\4b9f4ded1c.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\system32\mode.com
        
        mode 65,10
        8⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p24291711423417250691697322505 -oextracted
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\system32\attrib.exe
        
        attrib +H "in.exe"
        8⤵
        Views/modifies file attributes
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\main\in.exe
        
        "in.exe"
        8⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\system32\attrib.exe
        
        attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        9⤵
        Views/modifies file attributes
        
        PID:1928
        
        C:\Windows\system32\attrib.exe
        
        attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        9⤵
        Views/modifies file attributes
        
        PID:2708
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell ping 127.0.0.1; del in.exe
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2236
      - C:\Users\Admin\AppData\Local\Temp\1017254001\2cf4512e98.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1017254001\2cf4512e98.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1752
      - C:\Users\Admin\AppData\Local\Temp\1017255001\9541b56535.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1017255001\9541b56535.exe"
        6⤵
        Enumerates VirtualBox registry keys
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2888
      - C:\Users\Admin\AppData\Local\Temp\1017256001\b95d9d8471.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1017256001\b95d9d8471.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath "C:\hexgsmwhwm"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
      - C:\Users\Admin\AppData\Local\Temp\1017257001\783e26d6da.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1017257001\783e26d6da.exe"
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\1007331001\a133921b52.exe
      "C:\Users\Admin\AppData\Local\Temp\1007331001\a133921b52.exe"
      4⤵
      Enumerates VirtualBox registry keys
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2012
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:640
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1436

C:\Windows\system32\taskeng.exe
taskeng.exe {5B54846E-00F1-46E0-BCB0-4DEE28DF3F7B} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:2628
- C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
  C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:2660
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
    3⤵
    - Drops file in System32 directory
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
  - - C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" 127.1.10.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1007328001\6110e0ab9d.exe

Filesize
2.8MB

MD5
79d73f0973da38285b0e0a83fa7ef5d0

SHA1
18692d3c66779517481c1868e39a8ed62f3af7fd

SHA256
554bde2e706bad2908fc0534a58e7cfa7e099edc754a46717f738616da146131

SHA512
471ba9cd38f5126e79a52baa70e5bb169dd09b7b05b7a56da8dc6da28c0a6e579d2962b575ac4ca83695d8a60a07457d974e2d79d4e7506cb4769a7ff87ca270

Download Submit
C:\Users\Admin\AppData\Local\Temp\1007329001\f73d0b292e.exe

Filesize
1.9MB

MD5
d6070b7d0ec34e67a998dbe217c6c746

SHA1
64e771f2bcb20e9ccc89c8b4a9cf1b36e431d491

SHA256
10b27d9cb387fa4ac371de8767d5204925ca4da9c490ea8e2491b1a60c49fd85

SHA512
52bc768f8654cef43e62abfdba30878313aea5893d80759c633d84ce01c701b05e6f24c995f3a2568ab16ca69e6c1223b7e39c74c509fd6607bfa5e9418784f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1007330001\70a894aa0b.exe

Filesize
2.9MB

MD5
90c7e768e9ccc60d7259f30b23571419

SHA1
06aa4afabe34974704b73757888f6605711115dc

SHA256
fa51ea713353ed850b8b06c9ea95fd37ab6c07668711aaec94d97c5e8cf2eceb

SHA512
0861209fb9b11a1da355b6e0a1cb9e69840e8aae638ad744638c37039f037da2f1781ac556bdf988a2f269f84bda8348d4cceb1a8aef8e7b5bcf8b70910c0033

Download Submit
C:\Users\Admin\AppData\Local\Temp\1007331001\a133921b52.exe

Filesize
4.3MB

MD5
aa1d9bfcb4fee4ff65cf6209fbc83204

SHA1
3334182b3bf48e928683a9c0a87d25ea57e8d70b

SHA256
dc645ba585c2d41ec553cefd46bd3dab212882cb07097905f9ed071e8882b161

SHA512
aec316f0ea02349b57a5e75a972edf70b8aea705a7c74f67452a5840834fca0cf70c3d099ca003bab73a25186e6f03298ea68440a03216fb40ece74b82f71d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\1017024001\kf5cl0F.exe

Filesize
21KB

MD5
14becdf1e2402e9aa6c2be0e6167041e

SHA1
72cbbae6878f5e06060a0038b25ede93b445f0df

SHA256
7a769963165063758f15f6e0cece25c9d13072f67fa0d3c25a03a5104fe0783a

SHA512
16b837615505f352e134afd9d8655c9cabfa5bfcfbee2c0c34f2d7d9588aa71f875e4e5feb8cdf0f7bacc00f7c1ca8dabd3b3d92afc99abf705c05c78e298b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1017027001\ANEDNjf.exe

Filesize
1.8MB

MD5
25fb9c54265bbacc7a055174479f0b70

SHA1
4af069a2ec874703a7e29023d23a1ada491b584e

SHA256
552f8be2c6b2208a89c728f68488930c661b3a06c35a20d133ef7d3c63a86b9c

SHA512
7dfd9e0f3fa2d68a6ce8c952e3b755559db73bb7a06c95ad6ed8ac16dedb49be8b8337afc07c9c682f0c4be9db291a551286353e2e2b624223487dc1c8b54668

Download Submit
C:\Users\Admin\AppData\Local\Temp\1017253001\4b9f4ded1c.exe

Filesize
4.2MB

MD5
3a425626cbd40345f5b8dddd6b2b9efa

SHA1
7b50e108e293e54c15dce816552356f424eea97a

SHA256
ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1

SHA512
a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

Download Submit
C:\Users\Admin\AppData\Local\Temp\1017254001\2cf4512e98.exe

Filesize
1.8MB

MD5
ff279f4e5b1c6fbda804d2437c2dbdc8

SHA1
2feb3762c877a5ae3ca60eeebc37003ad0844245

SHA256
e115298ab160da9c7a998e4ae0b72333f64b207da165134ca45eb997a000d378

SHA512
c7a8bbcb122b2c7b57c8b678c5eed075ee5e7c355afbf86238282d2d3458019da1a8523520e1a1c631cd01b555f7df340545fd1e44ad678dc97c40b23428f967

Download Submit
C:\Users\Admin\AppData\Local\Temp\1017255001\9541b56535.exe

Filesize
4.3MB

MD5
d6cfec5f8c250d92d751030c95d46aec

SHA1
70439cf2611f97c84af487c44b88703d004a2bca

SHA256
0200c5657794ccc0916aae772004b7f72a793b77dc807b51b2f88e597813f611

SHA512
a939f9af174d37e3d32d0794b1f14110deffd7847b884a79b5fd300bcc7c30ce285f6dbbc41ad6ab5bd237bb6353efb7ddee903a8ec155a10840dec8c25d9bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1017258001\0088db9a46.exe

Filesize
112KB

MD5
6ebaf1137fd8cde7dac6ff3044f094ac

SHA1
283fc901af7b858487c4093d7839d4a3f4b3f04e

SHA256
0b375dd837cf8c9951633b1f7918472b6d770247db554a2f273b2ad326b9f55a

SHA512
d10dd4b7e1c669eabcff2e141fac18339c2f4c6c323544197d7c8f7946ce0527008d327582a2f608a79dcfaa9a2e1e84ed58471d83797bb39bba74c4923d7708

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5006.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5047.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
1.7MB

MD5
5659eba6a774f9d5322f249ad989114a

SHA1
4bfb12aa98a1dc2206baa0ac611877b815810e4c

SHA256
e04346fee15c3f98387a3641e0bba2e555a5a9b0200e4b9256b1b77094069ae4

SHA512
f93abf2787b1e06ce999a0cbc67dc787b791a58f9ce20af5587b2060d663f26be9f648d116d9ca279af39299ea5d38e3c86271297e47c1438102ca28fce8edc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
1.7MB

MD5
5404286ec7853897b3ba00adf824d6c1

SHA1
39e543e08b34311b82f6e909e1e67e2f4afec551

SHA256
ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266

SHA512
c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
1.7MB

MD5
5eb39ba3698c99891a6b6eb036cfb653

SHA1
d2f1cdd59669f006a2f1aa9214aeed48bc88c06e

SHA256
e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2

SHA512
6c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
1.7MB

MD5
7187cc2643affab4ca29d92251c96dee

SHA1
ab0a4de90a14551834e12bb2c8c6b9ee517acaf4

SHA256
c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830

SHA512
27985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
1.7MB

MD5
b7d1e04629bec112923446fda5391731

SHA1
814055286f963ddaa5bf3019821cb8a565b56cb8

SHA256
4da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789

SHA512
79fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
1.7MB

MD5
0dc4014facf82aa027904c1be1d403c1

SHA1
5e6d6c020bfc2e6f24f3d237946b0103fe9b1831

SHA256
a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7

SHA512
cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

Filesize
3.3MB

MD5
cea368fc334a9aec1ecff4b15612e5b0

SHA1
493d23f72731bb570d904014ffdacbba2334ce26

SHA256
07e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541

SHA512
bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
3.3MB

MD5
045b0a3d5be6f10ddf19ae6d92dfdd70

SHA1
0387715b6681d7097d372cd0005b664f76c933c7

SHA256
94b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d

SHA512
58255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
440B

MD5
3626532127e3066df98e34c3d56a1869

SHA1
5fa7102f02615afde4efd4ed091744e842c63f78

SHA256
2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca

SHA512
dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a21351a7b43ffc62b4f26cd264ad80d8

SHA1
139efdfc402b5f8bdb0db1d3ebb69dd33935595b

SHA256
a14940a2beeaa6b8bc7f0fd1fb662cae816261c661a852cbbd1a88d2f7eab2fd

SHA512
3d6fda37c0f52ef031d5f488fd5501fa73e0e8d2b8b78ad261a1560fd8fc0189f78346beea318252b22f1300a1899987f3de00d036dc91a0a019e24be97ddae5

Download Submit
\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
2.8MB

MD5
c32d39710b13585f9608ebac9e028ea0

SHA1
96ce25ea1f05d91a7314e6eed4101af60259a811

SHA256
9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386a

SHA512
e6222188e39d4260c8de06a4d8033ef2a4c1122e8df22fda616b4bb2de2377846c1621f3cb0d9840c81791b7a1cba3276081063875a91781972a2be0da96e3c5

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/640-83-0x0000000001C80000-0x0000000002080000-memory.dmp

Filesize
4.0MB

Download
memory/640-84-0x0000000077840000-0x00000000779E9000-memory.dmp

Filesize
1.7MB

Download
memory/640-86-0x00000000757E0000-0x0000000075827000-memory.dmp

Filesize
284KB

Download
memory/640-79-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/1020-134-0x0000000000940000-0x000000000094C000-memory.dmp

Filesize
48KB

Download
memory/1268-339-0x0000000001270000-0x000000000171B000-memory.dmp

Filesize
4.7MB

Download
memory/1268-201-0x0000000001270000-0x000000000171B000-memory.dmp

Filesize
4.7MB

Download
memory/1268-177-0x0000000001270000-0x000000000171B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-403-0x00000000757E0000-0x0000000075827000-memory.dmp

Filesize
284KB

Download
memory/1436-401-0x0000000077840000-0x00000000779E9000-memory.dmp

Filesize
1.7MB

Download
memory/1436-400-0x0000000001BB0000-0x0000000001FB0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-397-0x00000000000C0000-0x00000000000CA000-memory.dmp

Filesize
40KB

Download
memory/1592-433-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/1592-434-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/1592-430-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/1592-437-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/1592-432-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/1592-431-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/1592-435-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/1592-436-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/1740-337-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1740-336-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/1752-407-0x0000000001000000-0x00000000014A6000-memory.dmp

Filesize
4.6MB

Download
memory/1752-411-0x0000000001000000-0x00000000014A6000-memory.dmp

Filesize
4.6MB

Download
memory/1752-415-0x0000000001000000-0x00000000014A6000-memory.dmp

Filesize
4.6MB

Download
memory/1752-371-0x0000000001000000-0x00000000014A6000-memory.dmp

Filesize
4.6MB

Download
memory/1752-429-0x0000000001000000-0x00000000014A6000-memory.dmp

Filesize
4.6MB

Download
memory/1812-116-0x0000000000A30000-0x0000000000D4B000-memory.dmp

Filesize
3.1MB

Download
memory/1812-114-0x0000000006B00000-0x0000000006E1B000-memory.dmp

Filesize
3.1MB

Download
memory/1812-101-0x0000000000A30000-0x0000000000D4B000-memory.dmp

Filesize
3.1MB

Download
memory/1952-444-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/1952-318-0x000000013F3A0000-0x000000013F830000-memory.dmp

Filesize
4.6MB

Download
memory/1952-445-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2012-158-0x0000000000260000-0x0000000000DC1000-memory.dmp

Filesize
11.4MB

Download
memory/2012-338-0x0000000000260000-0x0000000000DC1000-memory.dmp

Filesize
11.4MB

Download
memory/2012-340-0x0000000000260000-0x0000000000DC1000-memory.dmp

Filesize
11.4MB

Download
memory/2012-182-0x0000000000260000-0x0000000000DC1000-memory.dmp

Filesize
11.4MB

Download
memory/2012-192-0x0000000000260000-0x0000000000DC1000-memory.dmp

Filesize
11.4MB

Download
memory/2032-369-0x0000000001100000-0x000000000110C000-memory.dmp

Filesize
48KB

Download
memory/2144-48-0x00000000003D0000-0x00000000008CD000-memory.dmp

Filesize
5.0MB

Download
memory/2144-49-0x00000000003D0000-0x00000000008CD000-memory.dmp

Filesize
5.0MB

Download
memory/2256-180-0x0000000000D10000-0x000000000101D000-memory.dmp

Filesize
3.1MB

Download
memory/2256-46-0x0000000000D10000-0x000000000101D000-memory.dmp

Filesize
3.1MB

Download
memory/2256-405-0x0000000000D10000-0x000000000101D000-memory.dmp

Filesize
3.1MB

Download
memory/2256-181-0x0000000006860000-0x00000000073C1000-memory.dmp

Filesize
11.4MB

Download
memory/2256-409-0x0000000000D10000-0x000000000101D000-memory.dmp

Filesize
3.1MB

Download
memory/2256-43-0x0000000000D10000-0x000000000101D000-memory.dmp

Filesize
3.1MB

Download
memory/2256-27-0x0000000000D10000-0x000000000101D000-memory.dmp

Filesize
3.1MB

Download
memory/2256-25-0x0000000000D10000-0x000000000101D000-memory.dmp

Filesize
3.1MB

Download
memory/2256-227-0x0000000000D10000-0x000000000101D000-memory.dmp

Filesize
3.1MB

Download
memory/2256-26-0x0000000000D10000-0x000000000101D000-memory.dmp

Filesize
3.1MB

Download
memory/2256-23-0x0000000000D10000-0x000000000101D000-memory.dmp

Filesize
3.1MB

Download
memory/2256-22-0x0000000000D11000-0x0000000000D3F000-memory.dmp

Filesize
184KB

Download
memory/2256-412-0x0000000000D10000-0x000000000101D000-memory.dmp

Filesize
3.1MB

Download
memory/2256-21-0x0000000000D10000-0x000000000101D000-memory.dmp

Filesize
3.1MB

Download
memory/2256-45-0x0000000006860000-0x0000000006D5D000-memory.dmp

Filesize
5.0MB

Download
memory/2256-156-0x0000000006860000-0x00000000073C1000-memory.dmp

Filesize
11.4MB

Download
memory/2256-44-0x0000000006860000-0x0000000006D5D000-memory.dmp

Filesize
5.0MB

Download
memory/2256-135-0x0000000006860000-0x0000000006B7B000-memory.dmp

Filesize
3.1MB

Download
memory/2256-50-0x0000000000D10000-0x000000000101D000-memory.dmp

Filesize
3.1MB

Download
memory/2256-119-0x0000000000D10000-0x000000000101D000-memory.dmp

Filesize
3.1MB

Download
memory/2256-107-0x0000000006860000-0x0000000006D22000-memory.dmp

Filesize
4.8MB

Download
memory/2256-108-0x0000000006860000-0x0000000006D22000-memory.dmp

Filesize
4.8MB

Download
memory/2256-99-0x0000000006860000-0x0000000006B7B000-memory.dmp

Filesize
3.1MB

Download
memory/2256-51-0x0000000006860000-0x0000000006D5D000-memory.dmp

Filesize
5.0MB

Download
memory/2256-52-0x0000000006860000-0x0000000006D5D000-memory.dmp

Filesize
5.0MB

Download
memory/2256-53-0x0000000000D10000-0x000000000101D000-memory.dmp

Filesize
3.1MB

Download
memory/2256-71-0x0000000006860000-0x0000000006D22000-memory.dmp

Filesize
4.8MB

Download
memory/2256-70-0x0000000006860000-0x0000000006D22000-memory.dmp

Filesize
4.8MB

Download
memory/2256-427-0x0000000000D10000-0x000000000101D000-memory.dmp

Filesize
3.1MB

Download
memory/2256-356-0x0000000000D10000-0x000000000101D000-memory.dmp

Filesize
3.1MB

Download
memory/2528-370-0x000000013F3A0000-0x000000013F830000-memory.dmp

Filesize
4.6MB

Download
memory/2528-315-0x000000013F3A0000-0x000000013F830000-memory.dmp

Filesize
4.6MB

Download
memory/2528-357-0x000000013F3A0000-0x000000013F830000-memory.dmp

Filesize
4.6MB

Download
memory/2528-317-0x000000013F3A0000-0x000000013F830000-memory.dmp

Filesize
4.6MB

Download
memory/2688-393-0x0000000004A70000-0x0000000004E70000-memory.dmp

Filesize
4.0MB

Download
memory/2688-394-0x0000000077840000-0x00000000779E9000-memory.dmp

Filesize
1.7MB

Download
memory/2688-396-0x00000000757E0000-0x0000000075827000-memory.dmp

Filesize
284KB

Download
memory/2688-399-0x0000000000B80000-0x0000000001042000-memory.dmp

Filesize
4.8MB

Download
memory/2808-174-0x00000000069A0000-0x0000000006E4B000-memory.dmp

Filesize
4.7MB

Download
memory/2808-117-0x00000000008E0000-0x0000000000BFB000-memory.dmp

Filesize
3.1MB

Download
memory/2808-202-0x00000000008E0000-0x0000000000BFB000-memory.dmp

Filesize
3.1MB

Download
memory/2808-193-0x00000000069A0000-0x0000000006E4B000-memory.dmp

Filesize
4.7MB

Download
memory/2808-404-0x00000000008E0000-0x0000000000BFB000-memory.dmp

Filesize
3.1MB

Download
memory/2808-183-0x00000000069A0000-0x0000000006E4B000-memory.dmp

Filesize
4.7MB

Download
memory/2808-416-0x00000000008E0000-0x0000000000BFB000-memory.dmp

Filesize
3.1MB

Download
memory/2808-179-0x00000000008E0000-0x0000000000BFB000-memory.dmp

Filesize
3.1MB

Download
memory/2808-408-0x00000000008E0000-0x0000000000BFB000-memory.dmp

Filesize
3.1MB

Download
memory/2808-173-0x00000000008E0000-0x0000000000BFB000-memory.dmp

Filesize
3.1MB

Download
memory/2808-342-0x00000000008E0000-0x0000000000BFB000-memory.dmp

Filesize
3.1MB

Download
memory/2808-175-0x00000000069A0000-0x0000000006E4B000-memory.dmp

Filesize
4.7MB

Download
memory/2808-413-0x00000000008E0000-0x0000000000BFB000-memory.dmp

Filesize
3.1MB

Download
memory/2888-428-0x0000000000200000-0x0000000000DE5000-memory.dmp

Filesize
11.9MB

Download
memory/2888-414-0x0000000000200000-0x0000000000DE5000-memory.dmp

Filesize
11.9MB

Download
memory/2888-410-0x0000000000200000-0x0000000000DE5000-memory.dmp

Filesize
11.9MB

Download
memory/2888-406-0x0000000000200000-0x0000000000DE5000-memory.dmp

Filesize
11.9MB

Download
memory/2920-75-0x0000000077840000-0x00000000779E9000-memory.dmp

Filesize
1.7MB

Download
memory/2920-72-0x0000000001250000-0x0000000001712000-memory.dmp

Filesize
4.8MB

Download
memory/2920-81-0x0000000001250000-0x0000000001712000-memory.dmp

Filesize
4.8MB

Download
memory/2920-77-0x00000000757E0000-0x0000000075827000-memory.dmp

Filesize
284KB

Download
memory/2920-74-0x0000000004CB0000-0x00000000050B0000-memory.dmp

Filesize
4.0MB

Download
memory/2920-73-0x0000000004CB0000-0x00000000050B0000-memory.dmp

Filesize
4.0MB

Download
memory/2960-20-0x0000000006740000-0x0000000006A4D000-memory.dmp

Filesize
3.1MB

Download
memory/2960-0-0x0000000000810000-0x0000000000B1D000-memory.dmp

Filesize
3.1MB

Download
memory/2960-18-0x0000000000810000-0x0000000000B1D000-memory.dmp

Filesize
3.1MB

Download
memory/2960-6-0x0000000000810000-0x0000000000B1D000-memory.dmp

Filesize
3.1MB

Download
memory/2960-4-0x0000000000810000-0x0000000000B1D000-memory.dmp

Filesize
3.1MB

Download
memory/2960-3-0x0000000000810000-0x0000000000B1D000-memory.dmp

Filesize
3.1MB

Download
memory/2960-2-0x0000000000811000-0x000000000083F000-memory.dmp

Filesize
184KB

Download
memory/2960-1-0x0000000077A30000-0x0000000077A32000-memory.dmp

Filesize
8KB

Download