amadey | 589ef50988e0559c5fca408cf5ca43be043f19f2594f9295b5db68c2f278fb1a

Analysis

max time kernel
98s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

589ef50988e0559c5fca408cf5ca43be043f19f2594f9295b5db68c2f278fb1aN.exe
Size

1.8MB
MD5

0454591fcaf329644dd317bd79a18c80
SHA1

8c88ba6a8fc8ba40d6985b4fcc27454ad5676938
SHA256

589ef50988e0559c5fca408cf5ca43be043f19f2594f9295b5db68c2f278fb1a
SHA512

91dc9c080d78a7d3b20c7a68458c71d3fc2690708093233ede447b805eae5a04522d1cb913d7a2aaa3a901d7051c1e2a65d9269e32509ce0c341439f13368ccf
SSDEEP

49152:IH/TsFrtHZnq+zSicjd/53JqGvx6VfVjX1oiCcc6:IruVLlYd/55tv6jXeiCc7

Score

10^/10

amadey lumma redline sectoprat stealc 9c9aa5 brat fed3aa install_bot6 defense_evasion discovery execution infostealer persistence rat stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

brat

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

redline

Botnet

Install_bot6

101.99.92.189:57725

Extracted

Family

lumma

https://toppyneedus.biz/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/7932-31740-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/7932-31740-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	ca48c950f7.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 15 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	46bd64b991.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	65ba892202.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	vbc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	95bcb29863.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	589ef50988e0559c5fca408cf5ca43be043f19f2594f9295b5db68c2f278fb1aN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	eb770f0123.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	00d2c1ad54.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bbc9bc4bc8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	276ca7f698.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ca48c950f7.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6388	powershell.exe

Downloads MZ/PE file 15 IoCs

flow	pid	Process
76	3444	defnur.exe
147	6812	skotes.exe
147	6812	skotes.exe
46	100	axplong.exe
57	100	axplong.exe
113	100	axplong.exe
15	100	axplong.exe
15	100	axplong.exe
28	100	axplong.exe
28	100	axplong.exe
28	100	axplong.exe
28	100	axplong.exe
28	100	axplong.exe
28	100	axplong.exe
50	3444	defnur.exe

Checks BIOS information in registry 2 TTPs 30 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	95bcb29863.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	00d2c1ad54.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ca48c950f7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	65ba892202.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	589ef50988e0559c5fca408cf5ca43be043f19f2594f9295b5db68c2f278fb1aN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	276ca7f698.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	276ca7f698.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bbc9bc4bc8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bbc9bc4bc8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	95bcb29863.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	eb770f0123.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	46bd64b991.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	00d2c1ad54.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	589ef50988e0559c5fca408cf5ca43be043f19f2594f9295b5db68c2f278fb1aN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	eb770f0123.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	65ba892202.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	46bd64b991.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ca48c950f7.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	uniqwwww.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	UniversitiesGe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	00d2c1ad54.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	589ef50988e0559c5fca408cf5ca43be043f19f2594f9295b5db68c2f278fb1aN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	am209.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	defnur.exe

Executes dropped EXE 35 IoCs

pid	Process
100	axplong.exe
4296	leg.exe
2420	leg.exe
3004	leg.exe
1832	axplong.exe
4032	am209.exe
3444	defnur.exe
2768	inst.exe
1412	Fuckman1222.exe
3012	Fuckman1222.exe
2648	basx.exe
5720	basx.tmp
4404	3gpmediastation713.exe
5788	uniqwwww.exe
5932	uniqwwww.tmp
4864	95bcb29863.exe
5188	goldik12321.exe
680	goldik12321.exe
516	uniqwwww.exe
688	eb770f0123.exe
2536	uniqwwww.tmp
3180	uniq12321112.exe
2872	uniq12321112.exe
5220	UniversitiesGe.exe
6112	46bd64b991.exe
2276	276ca7f698.exe
5436	00d2c1ad54.exe
2308	65ba892202.exe
6812	skotes.exe
6472	bbc9bc4bc8.exe
4692	skotes.exe
6532	axplong.exe
2240	defnur.exe
3184	ca48c950f7.exe
4052	GenValObj.exe

Identifies Wine through registry keys 2 TTPs 14 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine	276ca7f698.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine	00d2c1ad54.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine	ca48c950f7.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine	95bcb29863.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine	bbc9bc4bc8.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine	589ef50988e0559c5fca408cf5ca43be043f19f2594f9295b5db68c2f278fb1aN.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine	eb770f0123.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine	46bd64b991.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine	65ba892202.exe

Loads dropped DLL 8 IoCs

pid	Process
5720	basx.tmp
4404	3gpmediastation713.exe
5932	uniqwwww.tmp
5932	uniqwwww.tmp
5932	uniqwwww.tmp
2536	uniqwwww.tmp
2536	uniqwwww.tmp
2536	uniqwwww.tmp

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2032-108-0x0000000140000000-0x00000001405B7000-memory.dmp	themida
behavioral2/memory/2032-109-0x0000000140000000-0x00000001405B7000-memory.dmp	themida
behavioral2/memory/2032-113-0x0000000140000000-0x00000001405B7000-memory.dmp	themida
behavioral2/memory/2032-116-0x0000000140000000-0x00000001405B7000-memory.dmp	themida
behavioral2/memory/2032-121-0x0000000140000000-0x00000001405B7000-memory.dmp	themida
behavioral2/memory/2032-119-0x0000000140000000-0x00000001405B7000-memory.dmp	themida
behavioral2/memory/2032-120-0x0000000140000000-0x00000001405B7000-memory.dmp	themida
behavioral2/memory/2032-118-0x0000000140000000-0x00000001405B7000-memory.dmp	themida
behavioral2/memory/2032-115-0x0000000140000000-0x00000001405B7000-memory.dmp	themida
behavioral2/memory/2032-114-0x0000000140000000-0x00000001405B7000-memory.dmp	themida
behavioral2/memory/2032-112-0x0000000140000000-0x00000001405B7000-memory.dmp	themida
behavioral2/memory/2032-117-0x0000000140000000-0x00000001405B7000-memory.dmp	themida
behavioral2/memory/2032-111-0x0000000140000000-0x00000001405B7000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\46bd64b991.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1015984001\\46bd64b991.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\00d2c1ad54.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1015985001\\00d2c1ad54.exe"	axplong.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

pid	Process
2268	589ef50988e0559c5fca408cf5ca43be043f19f2594f9295b5db68c2f278fb1aN.exe
100	axplong.exe
1832	axplong.exe
4864	95bcb29863.exe
688	eb770f0123.exe
6112	46bd64b991.exe
5436	00d2c1ad54.exe
2276	276ca7f698.exe
6812	skotes.exe
2308	65ba892202.exe
6472	bbc9bc4bc8.exe
4692	skotes.exe
6532	axplong.exe
3184	ca48c950f7.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4296 set thread context of 3004	4296	leg.exe	87
PID 2768 set thread context of 2032	2768	inst.exe	103
PID 1412 set thread context of 3012	1412	Fuckman1222.exe	109
PID 5188 set thread context of 680	5188	goldik12321.exe	121
PID 3180 set thread context of 2872	3180	uniq12321112.exe	128

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AccompaniedMassive	UniversitiesGe.exe
File created	C:\Windows\Tasks\skotes.job	00d2c1ad54.exe
File created	C:\Windows\Tasks\axplong.job	589ef50988e0559c5fca408cf5ca43be043f19f2594f9295b5db68c2f278fb1aN.exe
File created	C:\Windows\Tasks\defnur.job	am209.exe
File opened for modification	C:\Windows\FavoriteElderly	UniversitiesGe.exe
File opened for modification	C:\Windows\CollinsRenaissance	UniversitiesGe.exe
File opened for modification	C:\Windows\WebsiteCoordination	UniversitiesGe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2444	4296	WerFault.exe	85
3624	1412	WerFault.exe	108
5200	5188	WerFault.exe	120
1580	3180	WerFault.exe	127

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	am209.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fuckman1222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	276ca7f698.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	defnur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95bcb29863.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca48c950f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fuckman1222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uniq12321112.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	goldik12321.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	goldik12321.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GenValObj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	basx.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uniqwwww.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UniversitiesGe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65ba892202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbc9bc4bc8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uniqwwww.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uniqwwww.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00d2c1ad54.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	589ef50988e0559c5fca408cf5ca43be043f19f2594f9295b5db68c2f278fb1aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb770f0123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uniq12321112.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46bd64b991.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3gpmediastation713.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uniqwwww.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	basx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leg.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2268	589ef50988e0559c5fca408cf5ca43be043f19f2594f9295b5db68c2f278fb1aN.exe
2268	589ef50988e0559c5fca408cf5ca43be043f19f2594f9295b5db68c2f278fb1aN.exe
100	axplong.exe
100	axplong.exe
1832	axplong.exe
1832	axplong.exe
5720	basx.tmp
5720	basx.tmp
4864	95bcb29863.exe
4864	95bcb29863.exe
688	eb770f0123.exe
688	eb770f0123.exe
2536	uniqwwww.tmp
2536	uniqwwww.tmp
6112	46bd64b991.exe
6112	46bd64b991.exe
5436	00d2c1ad54.exe
5436	00d2c1ad54.exe
2276	276ca7f698.exe
2276	276ca7f698.exe
6812	skotes.exe
6812	skotes.exe
2308	65ba892202.exe
2308	65ba892202.exe
6472	bbc9bc4bc8.exe
6472	bbc9bc4bc8.exe
4692	skotes.exe
4692	skotes.exe
6532	axplong.exe
6532	axplong.exe
3184	ca48c950f7.exe
3184	ca48c950f7.exe
3184	ca48c950f7.exe
3184	ca48c950f7.exe
3184	ca48c950f7.exe
3184	ca48c950f7.exe
3184	ca48c950f7.exe
3184	ca48c950f7.exe
3184	ca48c950f7.exe
3184	ca48c950f7.exe
4052	GenValObj.exe
4052	GenValObj.exe
4052	GenValObj.exe
4052	GenValObj.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4052	GenValObj.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4032	am209.exe
5720	basx.tmp
2536	uniqwwww.tmp
5436	00d2c1ad54.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 100	2268	589ef50988e0559c5fca408cf5ca43be043f19f2594f9295b5db68c2f278fb1aN.exe	83
PID 2268 wrote to memory of 100	2268	589ef50988e0559c5fca408cf5ca43be043f19f2594f9295b5db68c2f278fb1aN.exe	83
PID 2268 wrote to memory of 100	2268	589ef50988e0559c5fca408cf5ca43be043f19f2594f9295b5db68c2f278fb1aN.exe	83
PID 100 wrote to memory of 4296	100	axplong.exe	85
PID 100 wrote to memory of 4296	100	axplong.exe	85
PID 100 wrote to memory of 4296	100	axplong.exe	85
PID 4296 wrote to memory of 2420	4296	leg.exe	86
PID 4296 wrote to memory of 2420	4296	leg.exe	86
PID 4296 wrote to memory of 2420	4296	leg.exe	86
PID 4296 wrote to memory of 3004	4296	leg.exe	87
PID 4296 wrote to memory of 3004	4296	leg.exe	87
PID 4296 wrote to memory of 3004	4296	leg.exe	87
PID 4296 wrote to memory of 3004	4296	leg.exe	87
PID 4296 wrote to memory of 3004	4296	leg.exe	87
PID 4296 wrote to memory of 3004	4296	leg.exe	87
PID 4296 wrote to memory of 3004	4296	leg.exe	87
PID 4296 wrote to memory of 3004	4296	leg.exe	87
PID 4296 wrote to memory of 3004	4296	leg.exe	87
PID 100 wrote to memory of 4032	100	axplong.exe	95
PID 100 wrote to memory of 4032	100	axplong.exe	95
PID 100 wrote to memory of 4032	100	axplong.exe	95
PID 4032 wrote to memory of 3444	4032	am209.exe	96
PID 4032 wrote to memory of 3444	4032	am209.exe	96
PID 4032 wrote to memory of 3444	4032	am209.exe	96
PID 100 wrote to memory of 2768	100	axplong.exe	102
PID 100 wrote to memory of 2768	100	axplong.exe	102
PID 2768 wrote to memory of 2032	2768	inst.exe	103
PID 2768 wrote to memory of 2032	2768	inst.exe	103
PID 2768 wrote to memory of 2032	2768	inst.exe	103
PID 2768 wrote to memory of 2032	2768	inst.exe	103
PID 2768 wrote to memory of 2032	2768	inst.exe	103
PID 2768 wrote to memory of 2032	2768	inst.exe	103
PID 2768 wrote to memory of 2032	2768	inst.exe	103
PID 2768 wrote to memory of 2032	2768	inst.exe	103
PID 2768 wrote to memory of 2032	2768	inst.exe	103
PID 2768 wrote to memory of 2032	2768	inst.exe	103
PID 2768 wrote to memory of 2032	2768	inst.exe	103
PID 100 wrote to memory of 1412	100	axplong.exe	108
PID 100 wrote to memory of 1412	100	axplong.exe	108
PID 100 wrote to memory of 1412	100	axplong.exe	108
PID 1412 wrote to memory of 3012	1412	Fuckman1222.exe	109
PID 1412 wrote to memory of 3012	1412	Fuckman1222.exe	109
PID 1412 wrote to memory of 3012	1412	Fuckman1222.exe	109
PID 1412 wrote to memory of 3012	1412	Fuckman1222.exe	109
PID 1412 wrote to memory of 3012	1412	Fuckman1222.exe	109
PID 1412 wrote to memory of 3012	1412	Fuckman1222.exe	109
PID 1412 wrote to memory of 3012	1412	Fuckman1222.exe	109
PID 1412 wrote to memory of 3012	1412	Fuckman1222.exe	109
PID 1412 wrote to memory of 3012	1412	Fuckman1222.exe	109
PID 100 wrote to memory of 2648	100	axplong.exe	113
PID 100 wrote to memory of 2648	100	axplong.exe	113
PID 100 wrote to memory of 2648	100	axplong.exe	113
PID 2648 wrote to memory of 5720	2648	basx.exe	114
PID 2648 wrote to memory of 5720	2648	basx.exe	114
PID 2648 wrote to memory of 5720	2648	basx.exe	114
PID 5720 wrote to memory of 4404	5720	basx.tmp	115
PID 5720 wrote to memory of 4404	5720	basx.tmp	115
PID 5720 wrote to memory of 4404	5720	basx.tmp	115
PID 100 wrote to memory of 5788	100	axplong.exe	116
PID 100 wrote to memory of 5788	100	axplong.exe	116
PID 100 wrote to memory of 5788	100	axplong.exe	116
PID 5788 wrote to memory of 5932	5788	uniqwwww.exe	118
PID 5788 wrote to memory of 5932	5788	uniqwwww.exe	118
PID 5788 wrote to memory of 5932	5788	uniqwwww.exe	118

C:\Users\Admin\AppData\Local\Temp\589ef50988e0559c5fca408cf5ca43be043f19f2594f9295b5db68c2f278fb1aN.exe
"C:\Users\Admin\AppData\Local\Temp\589ef50988e0559c5fca408cf5ca43be043f19f2594f9295b5db68c2f278fb1aN.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:100
- - C:\Users\Admin\AppData\Local\Temp\1001527001\leg.exe
    "C:\Users\Admin\AppData\Local\Temp\1001527001\leg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\1001527001\leg.exe
      "C:\Users\Admin\AppData\Local\Temp\1001527001\leg.exe"
      4⤵
      Executes dropped EXE
      PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\1001527001\leg.exe
      "C:\Users\Admin\AppData\Local\Temp\1001527001\leg.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 836
      4⤵
      Program crash
      PID:2444
- - C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe
    "C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
      "C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"
      4⤵
      Downloads MZ/PE file
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3444
    - - C:\Users\Admin\AppData\Local\Temp\10039050101\95bcb29863.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10039050101\95bcb29863.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4864
    - - C:\Users\Admin\AppData\Local\Temp\10039060101\eb770f0123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10039060101\eb770f0123.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:688
    - - C:\Users\Admin\AppData\Local\Temp\10039070101\276ca7f698.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10039070101\276ca7f698.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2276
    - - C:\Users\Admin\AppData\Local\Temp\10039080101\bbc9bc4bc8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10039080101\bbc9bc4bc8.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6472
- - C:\Users\Admin\AppData\Local\Temp\1013507001\inst.exe
    "C:\Users\Admin\AppData\Local\Temp\1013507001\inst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      PID:2032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        5⤵
        
        PID:7936
- - C:\Users\Admin\AppData\Local\Temp\1013949001\Fuckman1222.exe
    "C:\Users\Admin\AppData\Local\Temp\1013949001\Fuckman1222.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\1013949001\Fuckman1222.exe
      "C:\Users\Admin\AppData\Local\Temp\1013949001\Fuckman1222.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 828
      4⤵
      Program crash
      PID:3624
- - C:\Users\Admin\AppData\Local\Temp\1014355001\basx.exe
    "C:\Users\Admin\AppData\Local\Temp\1014355001\basx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\is-BRRFP.tmp\basx.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-BRRFP.tmp\basx.tmp" /SL5="$C01C6,3416463,56832,C:\Users\Admin\AppData\Local\Temp\1014355001\basx.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:5720
    - - C:\Users\Admin\AppData\Local\3GP Media Station 2013 7.13\3gpmediastation713.exe
        
        "C:\Users\Admin\AppData\Local\3GP Media Station 2013 7.13\3gpmediastation713.exe" -i
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4404
- - C:\Users\Admin\AppData\Local\Temp\1014861001\uniqwwww.exe
    "C:\Users\Admin\AppData\Local\Temp\1014861001\uniqwwww.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5788
  - - C:\Users\Admin\AppData\Local\Temp\is-UBNJR.tmp\uniqwwww.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-UBNJR.tmp\uniqwwww.tmp" /SL5="$E007E,1433787,121344,C:\Users\Admin\AppData\Local\Temp\1014861001\uniqwwww.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5932
    - - C:\Users\Admin\AppData\Local\Temp\1014861001\uniqwwww.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1014861001\uniqwwww.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:516
      - C:\Users\Admin\AppData\Local\Temp\is-PUQ3C.tmp\uniqwwww.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PUQ3C.tmp\uniqwwww.tmp" /SL5="$100042,1433787,121344,C:\Users\Admin\AppData\Local\Temp\1014861001\uniqwwww.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:2536
- - C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe
    "C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5188
  - - C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe
      "C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5188 -s 816
      4⤵
      Program crash
      PID:5200
- - C:\Users\Admin\AppData\Local\Temp\1015545001\uniq12321112.exe
    "C:\Users\Admin\AppData\Local\Temp\1015545001\uniq12321112.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3180
  - - C:\Users\Admin\AppData\Local\Temp\1015545001\uniq12321112.exe
      "C:\Users\Admin\AppData\Local\Temp\1015545001\uniq12321112.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 828
      4⤵
      Program crash
      PID:1580
- - C:\Users\Admin\AppData\Local\Temp\1015983001\UniversitiesGe.exe
    "C:\Users\Admin\AppData\Local\Temp\1015983001\UniversitiesGe.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5220
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Ment Ment.cmd & Ment.cmd
      4⤵
      System Location Discovery: System Language Discovery
      PID:2392
- - C:\Users\Admin\AppData\Local\Temp\1015984001\46bd64b991.exe
    "C:\Users\Admin\AppData\Local\Temp\1015984001\46bd64b991.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:6112
- - C:\Users\Admin\AppData\Local\Temp\1015985001\00d2c1ad54.exe
    "C:\Users\Admin\AppData\Local\Temp\1015985001\00d2c1ad54.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:5436
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:6812
    - - C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe"
        5⤵
        
        PID:1716
    - - C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe"
        5⤵
        
        PID:2248
- - C:\Users\Admin\AppData\Local\Temp\1015986001\65ba892202.exe
    "C:\Users\Admin\AppData\Local\Temp\1015986001\65ba892202.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2308
- - C:\Users\Admin\AppData\Local\Temp\1015987001\ca48c950f7.exe
    "C:\Users\Admin\AppData\Local\Temp\1015987001\ca48c950f7.exe"
    3⤵
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3184
- - C:\Users\Admin\AppData\Local\Temp\1015988001\GenValObj.exe
    "C:\Users\Admin\AppData\Local\Temp\1015988001\GenValObj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4296 -ip 4296
1⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1412 -ip 1412
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5188 -ip 5188
1⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3180 -ip 3180
1⤵
PID:5664

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4692

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6532

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
1⤵
PID:7932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\3GPNewStation\3GPNewStation.exe

Filesize
2.9MB

MD5
ad58de60dd713fff54afb3fe6b9c9396

SHA1
9d6da82e8080f10980925268e10aa31552a6a8c1

SHA256
10ff246e53b15a43ca9e0b632c5980b5ab0ff8519fd4e988fa36b10030a1f6f0

SHA512
7a23463c01e5b502b4d572b97b30bbe825755ee9d87df465725cf0102cc18f40ab7cf53d842b835a155f99b8754c9e7ded2c91f0505508268e9ad6a868eea146

Download Submit
C:\Users\Admin\AppData\Local\3GP Media Station 2013 7.13\sqlite3.dll

Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FGDWJGSY\download[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001527001\leg.exe

Filesize
360KB

MD5
f538440ebbfc3498d7e6db8777ec3e9c

SHA1
5f27766bc04a65fd59262c2e01827bc8eec3f588

SHA256
d4603d8d8b8b5c969ec08b5fc10416f1ac0fade1a61b1a15195ab15bb8a2bde8

SHA512
abf91642b8d77a54a90f9eae52b1be854ece047563e5a06f6b6e0250bf12792cb00230237583a2767d457e03e4d3f2b93d6473be4dbc996b6836e79d1f50beb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10039050101\95bcb29863.exe

Filesize
1.8MB

MD5
ef2aaf6328e522d6505a64978c956928

SHA1
d2ee3d6c5dd57a35549a752cf50e775ad01eeb76

SHA256
4204bff10546a4fff499e3638c08e0d1ca185cc2d9a25e79caa0e85aacd5e3d9

SHA512
c888b4aa1550a02cb67fe636668ddf67d19eaa436fdeb24537197ab4dd2e57d811bd82bbcc4d4ef28b67354ec28df2a173333784e7ad243c1c7c78e3333b23b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10039060101\eb770f0123.exe

Filesize
1.7MB

MD5
0c934037292e1538c2f76cfb2b4c00e1

SHA1
ebdd34bf1128d7e3bf195f0d457c807ccb7ba3f1

SHA256
9caab04fb3c68579e9bca99a3120609230a107ebd80d12e2ae5dcff90bac4173

SHA512
04eb2e6f880d5465e7417f4a60538107f44f139047b1b45aef715c4b17f01abfbaee095201be5e0995198adc626d9a65543f04eead687a04a5a489f01ca058b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10039070101\276ca7f698.exe

Filesize
1.8MB

MD5
15838795f1e1a07c33f4e7774f561ee5

SHA1
e4f7657e3de303e7b45132f21ed5d6e4586dea5f

SHA256
ec42f48aacfa01517907a227a1d499b4b37c1a272e33572ef9dc1a63582e3c07

SHA512
46483a6e3de88c97a7359209dafbd6c8dfc6fe501d1b1275f5bc15fa40fcaaee444e8030b3da9413617b77fc8873aba60f1de83f1e555ec49c2cdd9fd08d49f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10039080101\bbc9bc4bc8.exe

Filesize
1.8MB

MD5
b04fbdc10c75213ac8e0af54425c9616

SHA1
7230666ba2d8ca2f64bbafa876861412e5470f8c

SHA256
785d4a5aea353d0150548869ced832f8714cb0d8891a343e0d701852e8a7d9ec

SHA512
b241a02d7336cd006606d389df8d03cd6fbddb03ed64700b2c53b90e7098e2a0feaa3d5cbc18039a29a0d18581b43c9a9be5b88d17a36bc8388b05557687ffe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe

Filesize
429KB

MD5
ce27255f0ef33ce6304e54d171e6547c

SHA1
e594c6743d869c852bf7a09e7fe8103b25949b6e

SHA256
82c683a7f6e0b4a99a6d3ab519d539a3b0651953c7a71f5309b9d08e4daa7c3c

SHA512
96cfafbab9138517532621d0b5f3d4a529806cfdf6191c589e6fb6ebf471e9df0777fb74e9abbfe4e8cd8821944ad02b1f09775195e190ee8ca5d3fd151d20d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013507001\inst.exe

Filesize
2.4MB

MD5
b78291a2e93ae3359bf71e2f3f19fc40

SHA1
37f9196386402783a0a957fb5b66ae333b2f7c5b

SHA256
1c424c1e3645768d6236ce26bd0cd24cf0ba3bb4e7414febcc428cf9f91a5124

SHA512
bf4d24d233d96a0c0b70cbaf618f725b94cdedd6e4ab41da9527c9449d6759fb4caae7e532001384f125e6189642d8bec0d6dbe5b38bb4129fcc0da3eed971d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013949001\Fuckman1222.exe

Filesize
357KB

MD5
61d52fac0e14469242d7a57c38fb69f9

SHA1
ba287e919dbd980dc21390c9eca47904463b43b5

SHA256
b9b4f637ac232a76c562a0c693f217d40c1c42652f8a78bef2cf4caceb9eb164

SHA512
9f84bc269b0a4c0b31866a9982e90a4273a0d2bea4bf53a100c6083c1fe75515847e2d84b0f4f4b1d79eaa2185ad1a9893b67337d10069fb30e969231db2580d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1014355001\basx.exe

Filesize
3.5MB

MD5
32414cb2ab39604bc84c2a0ebbe3020b

SHA1
a5e6a87bc217844cd83004e0bcad34610b1795a1

SHA256
f3d8ca857bd0e09b98935427357253fba4e89a7d8fa20aaadc9152ca422b81e2

SHA512
a49119f70901b1e4e5c32d09f8faf5f8ac15e19dab1616289872e56299cd09992fb27138624c9840f6a493649bc7a734be7df0ce9aef6e4c34efeb9b2636d3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1014861001\uniqwwww.exe

Filesize
1.8MB

MD5
795b8522c1d7efc974112bb62c43f521

SHA1
38445b88d37326334cf6118d233a8999b9f56568

SHA256
d053c11c1da8639dcd73ebae06f8f94237f736f3dd28ac85342f3387a721b5c9

SHA512
c02cb08b41b326c452d1d47277c98a5e772ff639e56a4a90b6e1424fb3214aa802c4ba2bd840f2d019e32a14c031532d73ed75202d5f1193614d730093f3b28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe

Filesize
501KB

MD5
c80b4443546055bfdc0f3edc5b88abe8

SHA1
4df4951f787aca9b1fbeafa4590614fa9db9db4a

SHA256
6d15b1a8ef83b775e3a71618c88a2e1b4dbffb8b81afe61552e8af2d77214d64

SHA512
1388114d4cf91a7ae5bc1c37a1caae5e3c17cfd02a2730fa3398582ad8896d8f7a94bf7f730d855cebe9dff1af31abafc3d82e831514a16d5f17333879d5c324

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015545001\uniq12321112.exe

Filesize
373KB

MD5
e27290cd5d7a83a7c72d156261377e6a

SHA1
dba2917728f66082c83588785d89e1da7cdc8134

SHA256
bbd1ebbe42ded3aae2027261fa46f60ac80230edfac30e6308b364b9e171c2b8

SHA512
6bb19239c0323b0c7fbf479b296cd125bbae53a617bb47c0cff42a8a5bd0bfb2868bb17a33a7f10c645419632868db139879994182c9b5d4d9296fddaf07d76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015983001\UniversitiesGe.exe

Filesize
828KB

MD5
d05c6019e8f4f2d004ae9055e1c8079d

SHA1
13b411440b37d1134c09018fcc55b215d3743314

SHA256
e5dd75c651de425c6ff14196ae0b026bd38a09bc9b535315a8d03e4c3c1c0a40

SHA512
c33f0595b910e9664768003b76ea897a95ead7b063d5e58035587801798dfb4caa55351a0dca811c88450c6899602fcb1bd44fcb033f11d39652e65ea42e1d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015985001\00d2c1ad54.exe

Filesize
1.8MB

MD5
5b255759eb7f38d7d89f1ef670509339

SHA1
9eb560cbeac2209209e6187998f86cd4d4cea6a7

SHA256
c04478baef60f5a6860b939b5a15c5306495b06a302f694ce3da8aeb973a16b8

SHA512
bee3c71ab3c4d4b891ea3f7569fda345046c5ea84d39e3037e63f0b71a4a97411c8e67a177cac2b4876ac65ace2ab6b85eee2d2257bfd699686a36fd0f6138b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015987001\ca48c950f7.exe

Filesize
4.3MB

MD5
d3527dde5c35777831df5b047296dc0d

SHA1
9c821ab5317fb4bc93fb168c8f4e9b8958ee969e

SHA256
3c46d3be5eb550913a52a35db6e738d7f69fa052473d568f1ac74fd13219ea94

SHA512
dc90d44616d41e75c867232bdb74a1a76b405e3d27396a2a19b35ac1bbe083c44d351921e3e7c6d028c00be558369682d875a86317434b2a5cc846e8481ca056

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015988001\GenValObj.exe

Filesize
2.2MB

MD5
d2b4448a53561596c82abc5b8a72b385

SHA1
62a552abd96e5320b393fbeb47e5bd61722181e0

SHA256
b2c9897574e420f2cbe55f480862abf607da31b34fc3173129e2fb3c0e402838

SHA512
15749fc8bc10f58d205ff8b08db93f07780de7476e2d1cf1984815a3857a02a095c189007350760261c93dd7f524c9f46c363b49838ff478ce40aaed95c60a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe

Filesize
9.8MB

MD5
db3632ef37d9e27dfa2fd76f320540ca

SHA1
f894b26a6910e1eb53b1891c651754a2b28ddd86

SHA256
0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d

SHA512
4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe

Filesize
1.8MB

MD5
8cd2034ffb65699b7ce76d746518ab6e

SHA1
155579dc7c4e0f40cd7490ca61fbbbaa0a306a27

SHA256
f2db20a1353bd4384ecb6a24fce94ceac73a32a12b654d15b559454ca686e2b4

SHA512
fdef7545e628555c69401e8ec1f8a785a1c058188e85a5eae547654d94efa6b19a9c2e69d14c35e6887febbd4777602d029c5b8e134217d0237bf693be1f8a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
0454591fcaf329644dd317bd79a18c80

SHA1
8c88ba6a8fc8ba40d6985b4fcc27454ad5676938

SHA256
589ef50988e0559c5fca408cf5ca43be043f19f2594f9295b5db68c2f278fb1a

SHA512
91dc9c080d78a7d3b20c7a68458c71d3fc2690708093233ede447b805eae5a04522d1cb913d7a2aaa3a901d7051c1e2a65d9269e32509ce0c341439f13368ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ment

Filesize
13KB

MD5
a67f25f56cb23fbc29e019e0cccd0a7b

SHA1
5f7b04dde51844b6a21d60766b893764693efa52

SHA256
aff0699b0257ab27762b1285b872e18f7d72cae40a01acd8cacf3155c7e7150f

SHA512
9f658c9c0423a25a3d70f8224ff0bb5e3dbb593994a0e4c0a3013d73ffbd3a6360b0b83653c6b4559c9152076951e7ce4fc88483f616dd152c4ad271a1c161df

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b0yubvaw.0h3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRRFP.tmp\basx.tmp

Filesize
692KB

MD5
f2bf27d02bdcd392ed472c9135a76ae2

SHA1
3b33df76227cbe09cafc75f338fc13e2d926667c

SHA256
aa7d6068edc957a5418ceefb01f69063b1c5ed6f334f390aadb857f416e1ff32

SHA512
2449d0e4f3473e8e0cdaaeed3df49f43ee1e3917e58e674bca4bd5a0de74b00311c56e21536678c654ed7f9154132a2ff4dad0ed65a05e8f3a93f3044ec8f58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IM41B.tmp\_isetup\_isdecmp.dll

Filesize
29KB

MD5
fd4743e2a51dd8e0d44f96eae1853226

SHA1
646cef384e949aaf61e6d0b243d8d84ab04e79b7

SHA256
6535ba91fcca7174c3974b19d9ab471f322c2bf49506ef03424517310080be1b

SHA512
4587c853871624414e957f083713ec62d50c46b7041f83faa45dbf99b99b8399fc08d586d240e4bccee5eb0d09e1cdcb3fd013f07878adf4defcc312712e468d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UBNJR.tmp\uniqwwww.tmp

Filesize
1.1MB

MD5
90fc739c83cd19766acb562c66a7d0e2

SHA1
451f385a53d5fed15e7649e7891e05f231ef549a

SHA256
821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431

SHA512
4cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VURD7.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6DAC.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
memory/100-21-0x00000000007B0000-0x0000000000C67000-memory.dmp

Filesize
4.7MB

Download
memory/100-88-0x00000000007B0000-0x0000000000C67000-memory.dmp

Filesize
4.7MB

Download
memory/100-87-0x00000000007B0000-0x0000000000C67000-memory.dmp

Filesize
4.7MB

Download
memory/100-122-0x00000000007B0000-0x0000000000C67000-memory.dmp

Filesize
4.7MB

Download
memory/100-323-0x00000000007B0000-0x0000000000C67000-memory.dmp

Filesize
4.7MB

Download
memory/100-19-0x00000000007B1000-0x00000000007DF000-memory.dmp

Filesize
184KB

Download
memory/100-20-0x00000000007B0000-0x0000000000C67000-memory.dmp

Filesize
4.7MB

Download
memory/100-18-0x00000000007B0000-0x0000000000C67000-memory.dmp

Filesize
4.7MB

Download
memory/688-8861-0x0000000000DE0000-0x000000000144E000-memory.dmp

Filesize
6.4MB

Download
memory/688-11822-0x0000000000DE0000-0x000000000144E000-memory.dmp

Filesize
6.4MB

Download
memory/1412-698-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1832-76-0x00000000007B0000-0x0000000000C67000-memory.dmp

Filesize
4.7MB

Download
memory/1832-58-0x00000000007B0000-0x0000000000C67000-memory.dmp

Filesize
4.7MB

Download
memory/2032-127-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-116-0x0000000140000000-0x00000001405B7000-memory.dmp

Filesize
5.7MB

Download
memory/2032-162-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-161-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-160-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-159-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-158-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-157-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-156-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-155-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-154-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-153-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-152-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-151-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-150-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-149-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-148-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-147-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-146-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-145-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-143-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-142-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-141-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-140-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-139-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-138-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-137-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-136-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-135-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-134-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-133-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-132-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-164-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-144-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-131-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-130-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-129-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-128-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-108-0x0000000140000000-0x00000001405B7000-memory.dmp

Filesize
5.7MB

Download
memory/2032-126-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-125-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-124-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-123-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-165-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-166-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-167-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-168-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-111-0x0000000140000000-0x00000001405B7000-memory.dmp

Filesize
5.7MB

Download
memory/2032-117-0x0000000140000000-0x00000001405B7000-memory.dmp

Filesize
5.7MB

Download
memory/2032-112-0x0000000140000000-0x00000001405B7000-memory.dmp

Filesize
5.7MB

Download
memory/2032-109-0x0000000140000000-0x00000001405B7000-memory.dmp

Filesize
5.7MB

Download
memory/2032-114-0x0000000140000000-0x00000001405B7000-memory.dmp

Filesize
5.7MB

Download
memory/2032-115-0x0000000140000000-0x00000001405B7000-memory.dmp

Filesize
5.7MB

Download
memory/2032-118-0x0000000140000000-0x00000001405B7000-memory.dmp

Filesize
5.7MB

Download
memory/2032-113-0x0000000140000000-0x00000001405B7000-memory.dmp

Filesize
5.7MB

Download
memory/2032-163-0x000001D351A20000-0x000001D351A28000-memory.dmp

Filesize
32KB

Download
memory/2032-120-0x0000000140000000-0x00000001405B7000-memory.dmp

Filesize
5.7MB

Download
memory/2032-119-0x0000000140000000-0x00000001405B7000-memory.dmp

Filesize
5.7MB

Download
memory/2032-121-0x0000000140000000-0x00000001405B7000-memory.dmp

Filesize
5.7MB

Download
memory/2248-32238-0x0000000000890000-0x0000000000D2E000-memory.dmp

Filesize
4.6MB

Download
memory/2248-32339-0x0000000000890000-0x0000000000D2E000-memory.dmp

Filesize
4.6MB

Download
memory/2268-4-0x0000000000FB0000-0x0000000001467000-memory.dmp

Filesize
4.7MB

Download
memory/2268-17-0x0000000000FB0000-0x0000000001467000-memory.dmp

Filesize
4.7MB

Download
memory/2268-0-0x0000000000FB0000-0x0000000001467000-memory.dmp

Filesize
4.7MB

Download
memory/2268-2-0x0000000000FB1000-0x0000000000FDF000-memory.dmp

Filesize
184KB

Download
memory/2268-1-0x0000000077764000-0x0000000077766000-memory.dmp

Filesize
8KB

Download
memory/2268-3-0x0000000000FB0000-0x0000000001467000-memory.dmp

Filesize
4.7MB

Download
memory/2276-13299-0x0000000000400000-0x0000000000C47000-memory.dmp

Filesize
8.3MB

Download
memory/2276-17035-0x0000000000400000-0x0000000000C47000-memory.dmp

Filesize
8.3MB

Download
memory/2308-14520-0x0000000000400000-0x0000000000C47000-memory.dmp

Filesize
8.3MB

Download
memory/2308-18484-0x0000000000400000-0x0000000000C47000-memory.dmp

Filesize
8.3MB

Download
memory/2768-107-0x00000000006D0000-0x0000000000942000-memory.dmp

Filesize
2.4MB

Download
memory/3004-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3004-53-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3180-9674-0x0000000000DD0000-0x0000000000E34000-memory.dmp

Filesize
400KB

Download
memory/3184-24901-0x0000000000E80000-0x0000000001BAE000-memory.dmp

Filesize
13.2MB

Download
memory/3184-19821-0x0000000000E80000-0x0000000001BAE000-memory.dmp

Filesize
13.2MB

Download
memory/4052-27030-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/4052-30492-0x0000000006BE0000-0x0000000006C34000-memory.dmp

Filesize
336KB

Download
memory/4052-26290-0x0000000005EB0000-0x0000000005F12000-memory.dmp

Filesize
392KB

Download
memory/4052-22806-0x0000000005CB0000-0x0000000005D42000-memory.dmp

Filesize
584KB

Download
memory/4052-26824-0x0000000005F10000-0x0000000005F5C000-memory.dmp

Filesize
304KB

Download
memory/4052-22702-0x0000000005AB0000-0x0000000005BB8000-memory.dmp

Filesize
1.0MB

Download
memory/4052-22324-0x0000000000ED0000-0x000000000110E000-memory.dmp

Filesize
2.2MB

Download
memory/4052-26671-0x0000000005F90000-0x0000000005FEE000-memory.dmp

Filesize
376KB

Download
memory/4296-51-0x00000000050E0000-0x0000000005684000-memory.dmp

Filesize
5.6MB

Download
memory/4296-49-0x0000000072FEE000-0x0000000072FEF000-memory.dmp

Filesize
4KB

Download
memory/4296-50-0x00000000001F0000-0x000000000024E000-memory.dmp

Filesize
376KB

Download
memory/4404-5973-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/4692-19654-0x0000000000980000-0x0000000000E3D000-memory.dmp

Filesize
4.7MB

Download
memory/4692-18668-0x0000000000980000-0x0000000000E3D000-memory.dmp

Filesize
4.7MB

Download
memory/4864-19893-0x0000000000670000-0x0000000000B08000-memory.dmp

Filesize
4.6MB

Download
memory/4864-11823-0x0000000000670000-0x0000000000B08000-memory.dmp

Filesize
4.6MB

Download
memory/4864-7229-0x0000000000670000-0x0000000000B08000-memory.dmp

Filesize
4.6MB

Download
memory/5188-7418-0x0000000000E00000-0x0000000000E80000-memory.dmp

Filesize
512KB

Download
memory/5436-13362-0x0000000000B10000-0x0000000000FCD000-memory.dmp

Filesize
4.7MB

Download
memory/5436-16012-0x0000000000B10000-0x0000000000FCD000-memory.dmp

Filesize
4.7MB

Download
memory/6112-12027-0x00000000007E0000-0x0000000000E4E000-memory.dmp

Filesize
6.4MB

Download
memory/6112-15630-0x00000000007E0000-0x0000000000E4E000-memory.dmp

Filesize
6.4MB

Download
memory/6112-15403-0x00000000007E0000-0x0000000000E4E000-memory.dmp

Filesize
6.4MB

Download
memory/6388-32248-0x0000025236AE0000-0x0000025236B02000-memory.dmp

Filesize
136KB

Download
memory/6472-21554-0x0000000000E90000-0x000000000131F000-memory.dmp

Filesize
4.6MB

Download
memory/6472-17395-0x0000000000E90000-0x000000000131F000-memory.dmp

Filesize
4.6MB

Download
memory/6472-29310-0x0000000000E90000-0x000000000131F000-memory.dmp

Filesize
4.6MB

Download
memory/6532-20122-0x00000000007B0000-0x0000000000C67000-memory.dmp

Filesize
4.7MB

Download
memory/6532-18669-0x00000000007B0000-0x0000000000C67000-memory.dmp

Filesize
4.7MB

Download
memory/6812-20281-0x0000000000980000-0x0000000000E3D000-memory.dmp

Filesize
4.7MB

Download
memory/6812-16099-0x0000000000980000-0x0000000000E3D000-memory.dmp

Filesize
4.7MB

Download
memory/7932-32239-0x00000000057E0000-0x000000000582C000-memory.dmp

Filesize
304KB

Download
memory/7932-31740-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/7932-32240-0x0000000005A00000-0x0000000005B0A000-memory.dmp

Filesize
1.0MB

Download
memory/7932-31742-0x0000000005E00000-0x0000000006418000-memory.dmp

Filesize
6.1MB

Download
memory/7932-32233-0x00000000031A0000-0x00000000031B2000-memory.dmp

Filesize
72KB

Download
memory/7932-32336-0x00000000071A0000-0x00000000076CC000-memory.dmp

Filesize
5.2MB

Download
memory/7932-32335-0x0000000006AA0000-0x0000000006C62000-memory.dmp

Filesize
1.8MB

Download
memory/7932-32234-0x0000000005750000-0x000000000578C000-memory.dmp

Filesize
240KB

Download
memory/7932-32369-0x0000000007020000-0x0000000007096000-memory.dmp

Filesize
472KB

Download
memory/7932-32372-0x0000000007110000-0x000000000712E000-memory.dmp

Filesize
120KB

Download