amadey | 54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/02/2025, 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe
Size

2.0MB
MD5

354e5ac5449695bd3e8520e47ba4815e
SHA1

a023339baaea904f78d73c5b440ffa764aa9b6a2
SHA256

54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a
SHA512

ab31ab9d52efb5955003f62ec7d87dd706daf322d154a03bbe3533c385f9802777b1e939b9cfdbe9acd4431e7855907ae0d3c88a89ced8b20fb30a008550d42e
SSDEEP

49152:PyurhZIw1XiVWyvHdT8rXVZJDBw+fsPtoajy/v/FGiLi/0/dN:n0swdTiXBBRsPCRpLiE

Score

10^/10

amadey gcleaner povertystealer stealc xworm 9c9aa5 reno defense_evasion discovery loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

reno

http://185.215.113.115

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

xworm

Version

5.0

185.163.204.65:7000

Mutex

SWaSxcOz2FkLWFU7

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7801507553:AAER1leGn_BtfmbwwWVlXFOz-GpclQKTfe0/sendMessage?chat_id=6012304042

aes.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Poverty Stealer Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2908-594-0x0000000000300000-0x0000000000744000-memory.dmp	family_povertystealer

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a4ae-783.dat	family_xworm
behavioral1/memory/2404-798-0x0000000001280000-0x00000000012B0000-memory.dmp	family_xworm

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer
Povertystealer family
povertystealer
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7d2c155908.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	62ed8d94c5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	uXivbut.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	sha256.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8QQOJj9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	77c0cd7ff6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	80e834c89e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ftS1RPn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe

Downloads MZ/PE file 14 IoCs

flow	pid	Process
66	2440	BitLockerToGo.exe
70	1892	BitLockerToGo.exe
5	2732	skotes.exe
30	2080	futors.exe
60	2080	futors.exe
63	2080	futors.exe
8	2732	skotes.exe
8	2732	skotes.exe
8	2732	skotes.exe
8	2732	skotes.exe
8	2732	skotes.exe
8	2732	skotes.exe
8	2732	skotes.exe
8	2732	skotes.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	80e834c89e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ftS1RPn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Gxtuum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sha256.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ftS1RPn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Gxtuum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sha256.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8QQOJj9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7d2c155908.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	uXivbut.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	77c0cd7ff6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	62ed8d94c5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	62ed8d94c5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uXivbut.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8QQOJj9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7d2c155908.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	77c0cd7ff6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	80e834c89e.exe

Executes dropped EXE 18 IoCs

pid	Process
2732	skotes.exe
708	amnew.exe
2080	futors.exe
1012	7d2c155908.exe
2696	monthdragon.exe
2532	monthdragon.exe
1672	e7e5689be8.exe
1900	77c0cd7ff6.exe
1632	80e834c89e.exe
2908	ftS1RPn.exe
1908	62ed8d94c5.exe
280	DF9PCFR.exe
2848	uXivbut.exe
904	Gxtuum.exe
1628	sha256.exe
2040	8QQOJj9.exe
648	09aa8a38d4.exe
2404	7tzlyz8.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	62ed8d94c5.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	uXivbut.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	sha256.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	8QQOJj9.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	7d2c155908.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	77c0cd7ff6.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	80e834c89e.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	ftS1RPn.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	Gxtuum.exe

Loads dropped DLL 39 IoCs

pid	Process
1052	54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe
1052	54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe
2732	skotes.exe
708	amnew.exe
2732	skotes.exe
2732	skotes.exe
2080	futors.exe
2080	futors.exe
2696	monthdragon.exe
1876	WerFault.exe
1876	WerFault.exe
1876	WerFault.exe
2732	skotes.exe
1672	e7e5689be8.exe
1672	e7e5689be8.exe
1672	e7e5689be8.exe
2080	futors.exe
2080	futors.exe
2732	skotes.exe
2732	skotes.exe
2732	skotes.exe
2080	futors.exe
2732	skotes.exe
280	DF9PCFR.exe
2732	skotes.exe
2732	skotes.exe
2848	uXivbut.exe
2848	uXivbut.exe
2440	BitLockerToGo.exe
904	Gxtuum.exe
904	Gxtuum.exe
1892	BitLockerToGo.exe
2732	skotes.exe
2732	skotes.exe
2732	skotes.exe
648	09aa8a38d4.exe
648	09aa8a38d4.exe
648	09aa8a38d4.exe
2732	skotes.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\62ed8d94c5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10011880101\\62ed8d94c5.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\77c0cd7ff6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10011870101\\77c0cd7ff6.exe"	futors.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
1052	54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe
2732	skotes.exe
1012	7d2c155908.exe
1900	77c0cd7ff6.exe
1632	80e834c89e.exe
2908	ftS1RPn.exe
1908	62ed8d94c5.exe
2848	uXivbut.exe
904	Gxtuum.exe
1628	sha256.exe
2040	8QQOJj9.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2696 set thread context of 2532	2696	monthdragon.exe	39
PID 1632 set thread context of 2440	1632	80e834c89e.exe	47
PID 1672 set thread context of 2092	1672	e7e5689be8.exe	42
PID 1908 set thread context of 1892	1908	62ed8d94c5.exe	51
PID 280 set thread context of 932	280	DF9PCFR.exe	54
PID 1672 set thread context of 548	1672	e7e5689be8.exe	50

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe
File created	C:\Windows\Tasks\Gxtuum.job	uXivbut.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1876	2696	WerFault.exe	38

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d2c155908.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	monthdragon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	monthdragon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80e834c89e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftS1RPn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8QQOJj9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7e5689be8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62ed8d94c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DF9PCFR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uXivbut.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09aa8a38d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77c0cd7ff6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe

Modifies system certificate store 2 TTPs 8 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	monthdragon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	monthdragon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	monthdragon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	7d2c155908.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	7d2c155908.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	7d2c155908.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	futors.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	futors.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2404	7tzlyz8.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1052	54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe
2732	skotes.exe
1012	7d2c155908.exe
1012	7d2c155908.exe
1012	7d2c155908.exe
1012	7d2c155908.exe
1012	7d2c155908.exe
2532	monthdragon.exe
2532	monthdragon.exe
2532	monthdragon.exe
2532	monthdragon.exe
1672	e7e5689be8.exe
1672	e7e5689be8.exe
1672	e7e5689be8.exe
1900	77c0cd7ff6.exe
1632	80e834c89e.exe
2908	ftS1RPn.exe
1908	62ed8d94c5.exe
2848	uXivbut.exe
904	Gxtuum.exe
1628	sha256.exe
548	AddInProcess32.exe
548	AddInProcess32.exe
548	AddInProcess32.exe
548	AddInProcess32.exe
2040	8QQOJj9.exe
648	09aa8a38d4.exe
648	09aa8a38d4.exe
648	09aa8a38d4.exe
648	09aa8a38d4.exe
648	09aa8a38d4.exe
2040	8QQOJj9.exe
2040	8QQOJj9.exe
2040	8QQOJj9.exe
2040	8QQOJj9.exe
2404	7tzlyz8.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	e7e5689be8.exe
Token: SeDebugPrivilege	2092	AddInProcess32.exe
Token: SeDebugPrivilege	648	09aa8a38d4.exe
Token: SeDebugPrivilege	2404	7tzlyz8.exe
Token: SeDebugPrivilege	2404	7tzlyz8.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1052	54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe
708	amnew.exe
2848	uXivbut.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2404	7tzlyz8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 2732	1052	54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe	31
PID 1052 wrote to memory of 2732	1052	54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe	31
PID 1052 wrote to memory of 2732	1052	54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe	31
PID 1052 wrote to memory of 2732	1052	54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe	31
PID 2732 wrote to memory of 708	2732	skotes.exe	33
PID 2732 wrote to memory of 708	2732	skotes.exe	33
PID 2732 wrote to memory of 708	2732	skotes.exe	33
PID 2732 wrote to memory of 708	2732	skotes.exe	33
PID 708 wrote to memory of 2080	708	amnew.exe	34
PID 708 wrote to memory of 2080	708	amnew.exe	34
PID 708 wrote to memory of 2080	708	amnew.exe	34
PID 708 wrote to memory of 2080	708	amnew.exe	34
PID 2732 wrote to memory of 1012	2732	skotes.exe	36
PID 2732 wrote to memory of 1012	2732	skotes.exe	36
PID 2732 wrote to memory of 1012	2732	skotes.exe	36
PID 2732 wrote to memory of 1012	2732	skotes.exe	36
PID 2080 wrote to memory of 2696	2080	futors.exe	38
PID 2080 wrote to memory of 2696	2080	futors.exe	38
PID 2080 wrote to memory of 2696	2080	futors.exe	38
PID 2080 wrote to memory of 2696	2080	futors.exe	38
PID 2696 wrote to memory of 2532	2696	monthdragon.exe	39
PID 2696 wrote to memory of 2532	2696	monthdragon.exe	39
PID 2696 wrote to memory of 2532	2696	monthdragon.exe	39
PID 2696 wrote to memory of 2532	2696	monthdragon.exe	39
PID 2696 wrote to memory of 2532	2696	monthdragon.exe	39
PID 2696 wrote to memory of 2532	2696	monthdragon.exe	39
PID 2696 wrote to memory of 2532	2696	monthdragon.exe	39
PID 2696 wrote to memory of 2532	2696	monthdragon.exe	39
PID 2696 wrote to memory of 2532	2696	monthdragon.exe	39
PID 2696 wrote to memory of 2532	2696	monthdragon.exe	39
PID 2696 wrote to memory of 1876	2696	monthdragon.exe	40
PID 2696 wrote to memory of 1876	2696	monthdragon.exe	40
PID 2696 wrote to memory of 1876	2696	monthdragon.exe	40
PID 2696 wrote to memory of 1876	2696	monthdragon.exe	40
PID 2732 wrote to memory of 1672	2732	skotes.exe	41
PID 2732 wrote to memory of 1672	2732	skotes.exe	41
PID 2732 wrote to memory of 1672	2732	skotes.exe	41
PID 2732 wrote to memory of 1672	2732	skotes.exe	41
PID 2732 wrote to memory of 1672	2732	skotes.exe	41
PID 2732 wrote to memory of 1672	2732	skotes.exe	41
PID 2732 wrote to memory of 1672	2732	skotes.exe	41
PID 1672 wrote to memory of 2092	1672	e7e5689be8.exe	42
PID 1672 wrote to memory of 2092	1672	e7e5689be8.exe	42
PID 1672 wrote to memory of 2092	1672	e7e5689be8.exe	42
PID 1672 wrote to memory of 2092	1672	e7e5689be8.exe	42
PID 1672 wrote to memory of 2092	1672	e7e5689be8.exe	42
PID 1672 wrote to memory of 2092	1672	e7e5689be8.exe	42
PID 1672 wrote to memory of 2092	1672	e7e5689be8.exe	42
PID 1672 wrote to memory of 2092	1672	e7e5689be8.exe	42
PID 1672 wrote to memory of 2092	1672	e7e5689be8.exe	42
PID 1672 wrote to memory of 2092	1672	e7e5689be8.exe	42
PID 1672 wrote to memory of 2092	1672	e7e5689be8.exe	42
PID 1672 wrote to memory of 2092	1672	e7e5689be8.exe	42
PID 2080 wrote to memory of 1900	2080	futors.exe	43
PID 2080 wrote to memory of 1900	2080	futors.exe	43
PID 2080 wrote to memory of 1900	2080	futors.exe	43
PID 2080 wrote to memory of 1900	2080	futors.exe	43
PID 2732 wrote to memory of 1632	2732	skotes.exe	45
PID 2732 wrote to memory of 1632	2732	skotes.exe	45
PID 2732 wrote to memory of 1632	2732	skotes.exe	45
PID 2732 wrote to memory of 1632	2732	skotes.exe	45
PID 2732 wrote to memory of 2908	2732	skotes.exe	46
PID 2732 wrote to memory of 2908	2732	skotes.exe	46
PID 2732 wrote to memory of 2908	2732	skotes.exe	46

C:\Users\Admin\AppData\Local\Temp\54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe
"C:\Users\Admin\AppData\Local\Temp\54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\1091498001\amnew.exe
    "C:\Users\Admin\AppData\Local\Temp\1091498001\amnew.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:708
  - - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
      "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:2080
    - - C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:2532
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 556
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1876
    - - C:\Users\Admin\AppData\Local\Temp\10011870101\77c0cd7ff6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10011870101\77c0cd7ff6.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1900
    - - C:\Users\Admin\AppData\Local\Temp\10011880101\62ed8d94c5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10011880101\62ed8d94c5.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1908
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1892
- - C:\Users\Admin\AppData\Local\Temp\1091550001\7d2c155908.exe
    "C:\Users\Admin\AppData\Local\Temp\1091550001\7d2c155908.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:1012
- - C:\Users\Admin\AppData\Local\Temp\1091551001\e7e5689be8.exe
    "C:\Users\Admin\AppData\Local\Temp\1091551001\e7e5689be8.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2092
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:548
- - C:\Users\Admin\AppData\Local\Temp\1091552001\80e834c89e.exe
    "C:\Users\Admin\AppData\Local\Temp\1091552001\80e834c89e.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1632
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2440
- - C:\Users\Admin\AppData\Local\Temp\1091553001\ftS1RPn.exe
    "C:\Users\Admin\AppData\Local\Temp\1091553001\ftS1RPn.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2908
- - C:\Users\Admin\AppData\Local\Temp\1091554001\DF9PCFR.exe
    "C:\Users\Admin\AppData\Local\Temp\1091554001\DF9PCFR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:280
  - - C:\Users\Admin\AppData\Local\Temp\1091554001\DF9PCFR.exe
      "C:\Users\Admin\AppData\Local\Temp\1091554001\DF9PCFR.exe"
      4⤵
      PID:932
- - C:\Users\Admin\AppData\Local\Temp\1091555001\uXivbut.exe
    "C:\Users\Admin\AppData\Local\Temp\1091555001\uXivbut.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:904
    - - C:\Users\Admin\AppData\Roaming\10000180100\sha256.exe
        
        "C:\Users\Admin\AppData\Roaming\10000180100\sha256.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1628
- - C:\Users\Admin\AppData\Local\Temp\1091556001\8QQOJj9.exe
    "C:\Users\Admin\AppData\Local\Temp\1091556001\8QQOJj9.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2040
- - C:\Users\Admin\AppData\Local\Temp\1091557001\09aa8a38d4.exe
    "C:\Users\Admin\AppData\Local\Temp\1091557001\09aa8a38d4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:648
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:2144
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:1964
- - C:\Users\Admin\AppData\Local\Temp\1091558001\7tzlyz8.exe
    "C:\Users\Admin\AppData\Local\Temp\1091558001\7tzlyz8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5fe90db08b99ce932d33df656d27375

SHA1
81fba37c151857bc0234a07845221f515653e166

SHA256
5f5a1c1150a82831843e34299a0f7e37fdf3acd6527d06c21500671f41368f2c

SHA512
0eb763379563169816578399ca1ecf36a123bf5c064d9df6b8299bfb00ecea86effe0cb9ffc3860c2a954e105392262ce8327825d00e95d33248f121f22c02a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c11cf7793f1ace26b7c01f13dd98c346

SHA1
f4fcca4f36168cc8c7034cbaef58352aa4c7a835

SHA256
7ccf73fab92dfcdd91bc9bf738bb9efd5148e8ddb0df12eea022f9c100d31b89

SHA512
851b5b9b26bcb88ddb514ea90c963a605193b89e324c02804ac32bb0950097e2fb07c2c373a0ebd601dc31068060e10aabb105327cd6ca2b2c688c1afaf0c354

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
15ca9626fd58d1b99c84a86f8c52c2d9

SHA1
62532c6107c0efec2af80eecab2d37c8cac7f9a4

SHA256
6e18a46296e8f5e5d7f868044ddcc5f2e9127ff41e2bf5c3d8a8946b172927ad

SHA512
61f293ee32e2485a4d88760373fc52f710cdf63f3c6a913681c28296e059f1ef68fbf17210002ef5276dcb0907d8cb87a99887420b1a906845e6c01067ecf184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe

Filesize
345KB

MD5
3987c20fe280784090e2d464dd8bb61a

SHA1
22427e284b6d6473bacb7bc09f155ef2f763009c

SHA256
e9af37031ed124a76401405412fe2348dad28687ac8f25bf8a992299152bd6d9

SHA512
5419469496f663cedcfa4acc6d13018a8ee957a43ff53f6ffa5d30483480838e4873ff64d8879996a32d93c11e727f0dded16ca04ab2e942ed5376ba29b10018

Download Submit
C:\Users\Admin\AppData\Local\Temp\10011870101\77c0cd7ff6.exe

Filesize
1.7MB

MD5
e07e428934869380a09e44ba74f35fd1

SHA1
4d03453968a0b5a8e2f0d0f2711f8058e832f9bf

SHA256
eba48666f919b709a9b0af2c29644859070a549143769c959c1bba1d9141fb82

SHA512
72f6476535fb4dadfb09ac311a6ff37b505ffadbbb24dcd0d1a3c84c8a6dc18783c9f2f8797d184e24bb18e0071352841c71e5b911fcced2f6e4836b252e7efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091498001\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091550001\7d2c155908.exe

Filesize
2.0MB

MD5
9e7f13bd8cfdde8fa35a3a2040c34478

SHA1
cba6a1f53e666548538e63f5546c4dae63621976

SHA256
0056d1d301fea0eb710d536c76612cce8c249ae5e2f91463cd3a4675467d191f

SHA512
6f31a737a41a611b4d1143dd804056afc6da3c6e66cdbe643282b8dcca1d57b25bced179c630ddadd15d40633d9618e5e1e57820228441229e5adaddafa7c0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091551001\e7e5689be8.exe

Filesize
6.6MB

MD5
6ea2a7f9508369885220226be0fd705d

SHA1
030757e8417498cf85867fe46f59ca6b6cf1498f

SHA256
6f024c0d869fe42a3da00c477b0234fb97dc6d4d576c4e897ddfc062add40478

SHA512
7d1bfeb83555004c930f2680482ab5fc6dde6e37ab067d0303a19b6bb9d2b4d59cc219e6bb4533f424dd5fcedbeff9930698049153b866a7434a0bd08500df3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091552001\80e834c89e.exe

Filesize
3.8MB

MD5
d06d5296790b037c3e1ce1435565c613

SHA1
6e035f229f01f597dc75f1110e3e80797c3f7e78

SHA256
97f1586f90fc21db5e9e2e5672dc9741de051fa82d1d9d46e877d6c392c7cea9

SHA512
0b697615828ef7ed8a9eb34f502a54e4098cbf4aa4c70b749111efd79b034b12ba1886cafa15acd66bb6ae8c502c630c0332c5eede59d5bd8d4e536799c83682

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091553001\ftS1RPn.exe

Filesize
1.7MB

MD5
356ccfc1d038c4bf5aa960b6d18bc9c5

SHA1
3507e3c30b44a318d15b30650744faa1c6c1169b

SHA256
bb745707746aa0b3053489a691ef41fa34f4d70364e9f06d53ee052bfcb24a7f

SHA512
dcf9897335f2992057e1a5ea571a2a98591caf79804a6275aa8bb4f1e9aa934aa2aa89424c5812722436d88bf70c7aea1d8a7843e9ba93d1ca41061253689ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091554001\DF9PCFR.exe

Filesize
2.1MB

MD5
d59903af15c5257c5e274b297bec5e6d

SHA1
1d84da470c7821a2dbcc9a788e720a4bce32c8c4

SHA256
879785b2c857249d89f97b79ccb4ce25bbb8d1c60f4d003a23fdf1913f40fa2d

SHA512
2ab588a14cd70fa5684d1c82d13ddf48037499b7742fe7af5408044b0776ca4610a9f3780ad2fc302a03d7ce90932219b619fa117e33bfc5f0e860c2663dd42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091555001\uXivbut.exe

Filesize
2.1MB

MD5
ebc28b4636ffb2ccd31c069fe4e3153e

SHA1
1123d1a5af8b311e66164a4eb9a4a5abf671f47a

SHA256
4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1

SHA512
f3d714acb0462b6bc3736fb5349bfab0b76fec39da7934cc79ac8decc8a7fb464afb9e1ac915f96595537ef5e3c803b4a0a31d6a904d0b7233ff160226960e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091556001\8QQOJj9.exe

Filesize
2.8MB

MD5
0658a83d9b5dbbc9dd5bf50c1efbbf1a

SHA1
6ef596985aa7da0170706e9a0a71a9189534f66c

SHA256
567ed55e81371392654e71e8769ff899ef92b1c28d1deb4bbde3219a8872ec00

SHA512
2751bde5b88526f5caddabdbb5ce7214480e1d552b0aeae5888db02d8818a8c2bf71d5e6927cc22097ca62f206b98c6540a019bdb5ca2aa1fcc13260e3546a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091558001\7tzlyz8.exe

Filesize
173KB

MD5
a43d79a6456eefe4bc9fee38bfe7b8f7

SHA1
8f8d0183e4ed13ed8ba02e647705b0782ca65061

SHA256
94c256f4b3313e68f351ceabccc2dcdf81583f118d0e8ccbac74e8165bbf3047

SHA512
7cdb870740e1f7d5aa1103d060eb31336c6634f13b02cc17dced0b462f5a7088934cdd327e86e8e2b9bb01fc300787cb16c5f353cf70afd237c1a9d53bf6f093

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab431A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar47A0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\10000180100\sha256.exe

Filesize
4.1MB

MD5
f1abe4f549ebdf621c51ee73a35d548a

SHA1
2e98814bf5f0b37380a210278b12b24bb262433f

SHA256
2d10c308f8eb83b56d8491f593dcf492e6a57ddfc66ee285212cfa70482563bd

SHA512
da6460bbad6e52f1b81f344397a964512a576d08d7623c1476ec3b7e749a4446117f86c7918bcf45ae42107717aac6a697cb0709da8bee53a7b35abb7d26411b

Download Submit
C:\Users\Admin\Desktop\YCL.lnk

Filesize
1KB

MD5
7c05976036446d1aa142de973340446e

SHA1
1a7608d814c3f97d25261069f6c1f99ee08ca5c3

SHA256
c899ea5f58f957aaf251d5a93593142a7552446955961a3b0ceba6290d7208a2

SHA512
ea1fcf80a97900a9f3120232c606db95f58f7852c017a80ad6f892d0465b2fa6dfe88704fe455b18fc26ee2ddd4a929d889f29007a3fb3a21f144d00988c26b5

Download Submit
\Users\Admin\AppData\Local\Temp\A4FWevBWeE2ewS223ZR\Y-Cleaner.exe

Filesize
987KB

MD5
f49d1aaae28b92052e997480c504aa3b

SHA1
a422f6403847405cee6068f3394bb151d8591fb5

SHA256
81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

SHA512
41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

Download Submit
\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.0MB

MD5
354e5ac5449695bd3e8520e47ba4815e

SHA1
a023339baaea904f78d73c5b440ffa764aa9b6a2

SHA256
54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a

SHA512
ab31ab9d52efb5955003f62ec7d87dd706daf322d154a03bbe3533c385f9802777b1e939b9cfdbe9acd4431e7855907ae0d3c88a89ced8b20fb30a008550d42e

Download Submit
\Users\Admin\AppData\Roaming\10000180100\sha256.exe

Filesize
2.1MB

MD5
817caec31605801a67c847f63ce7bb20

SHA1
f023444245b780be58b0c6672a56a7deb8597424

SHA256
162d2eec1e9bbec8f7e160053cf1ea77f080c24df69ac427f474e468f955d1b6

SHA512
ca8abae689f303dab56eeaa8b29b89498c193693563c6fcd2419faf514062865c64b3e9894ec19e923051d458736f1b5efa28234e21ea7acc2ada881aa2fa936

Download Submit
memory/548-606-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/548-608-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/648-768-0x0000000000350000-0x00000000009EA000-memory.dmp

Filesize
6.6MB

Download
memory/1012-129-0x0000000000150000-0x00000000005FA000-memory.dmp

Filesize
4.7MB

Download
memory/1012-79-0x0000000000150000-0x00000000005FA000-memory.dmp

Filesize
4.7MB

Download
memory/1052-5-0x0000000000A50000-0x0000000000F02000-memory.dmp

Filesize
4.7MB

Download
memory/1052-20-0x0000000006D00000-0x00000000071B2000-memory.dmp

Filesize
4.7MB

Download
memory/1052-3-0x0000000000A50000-0x0000000000F02000-memory.dmp

Filesize
4.7MB

Download
memory/1052-2-0x0000000000A51000-0x0000000000AB9000-memory.dmp

Filesize
416KB

Download
memory/1052-18-0x0000000006D00000-0x00000000071B2000-memory.dmp

Filesize
4.7MB

Download
memory/1052-22-0x0000000000A51000-0x0000000000AB9000-memory.dmp

Filesize
416KB

Download
memory/1052-17-0x0000000000A50000-0x0000000000F02000-memory.dmp

Filesize
4.7MB

Download
memory/1052-1-0x0000000077620000-0x0000000077622000-memory.dmp

Filesize
8KB

Download
memory/1052-0-0x0000000000A50000-0x0000000000F02000-memory.dmp

Filesize
4.7MB

Download
memory/1632-551-0x0000000001190000-0x0000000001BAD000-memory.dmp

Filesize
10.1MB

Download
memory/1632-575-0x0000000001190000-0x0000000001BAD000-memory.dmp

Filesize
10.1MB

Download
memory/1632-571-0x0000000001190000-0x0000000001BAD000-memory.dmp

Filesize
10.1MB

Download
memory/1632-592-0x0000000001190000-0x0000000001BAD000-memory.dmp

Filesize
10.1MB

Download
memory/1672-503-0x00000000004A0000-0x00000000004C6000-memory.dmp

Filesize
152KB

Download
memory/1672-505-0x0000000000830000-0x0000000000836000-memory.dmp

Filesize
24KB

Download
memory/1672-504-0x0000000000750000-0x000000000076A000-memory.dmp

Filesize
104KB

Download
memory/1672-501-0x00000000011A0000-0x000000000183A000-memory.dmp

Filesize
6.6MB

Download
memory/1900-535-0x00000000000E0000-0x0000000000770000-memory.dmp

Filesize
6.6MB

Download
memory/1900-533-0x00000000000E0000-0x0000000000770000-memory.dmp

Filesize
6.6MB

Download
memory/1908-624-0x0000000000FA0000-0x00000000019BD000-memory.dmp

Filesize
10.1MB

Download
memory/1908-619-0x0000000000FA0000-0x00000000019BD000-memory.dmp

Filesize
10.1MB

Download
memory/2080-620-0x0000000005310000-0x0000000005D2D000-memory.dmp

Filesize
10.1MB

Download
memory/2080-549-0x0000000005310000-0x00000000059A0000-memory.dmp

Filesize
6.6MB

Download
memory/2080-530-0x0000000005310000-0x00000000059A0000-memory.dmp

Filesize
6.6MB

Download
memory/2080-531-0x0000000005310000-0x00000000059A0000-memory.dmp

Filesize
6.6MB

Download
memory/2080-552-0x0000000005310000-0x00000000059A0000-memory.dmp

Filesize
6.6MB

Download
memory/2080-588-0x0000000005310000-0x0000000005D2D000-memory.dmp

Filesize
10.1MB

Download
memory/2092-596-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2092-514-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2092-510-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2092-512-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2092-508-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2092-506-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2092-595-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2092-597-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2404-798-0x0000000001280000-0x00000000012B0000-memory.dmp

Filesize
192KB

Download
memory/2440-590-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2440-589-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2440-612-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2532-218-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2532-216-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2532-215-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2532-213-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2532-211-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2532-209-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2532-208-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2532-205-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2696-202-0x0000000001370000-0x00000000013CC000-memory.dmp

Filesize
368KB

Download
memory/2732-222-0x0000000000AF0000-0x0000000000FA2000-memory.dmp

Filesize
4.7MB

Download
memory/2732-515-0x0000000000AF0000-0x0000000000FA2000-memory.dmp

Filesize
4.7MB

Download
memory/2732-331-0x0000000000AF0000-0x0000000000FA2000-memory.dmp

Filesize
4.7MB

Download
memory/2732-593-0x0000000000AF0000-0x0000000000FA2000-memory.dmp

Filesize
4.7MB

Download
memory/2732-21-0x0000000000AF0000-0x0000000000FA2000-memory.dmp

Filesize
4.7MB

Download
memory/2732-572-0x00000000062E0000-0x0000000006724000-memory.dmp

Filesize
4.3MB

Download
memory/2732-23-0x0000000000AF1000-0x0000000000B59000-memory.dmp

Filesize
416KB

Download
memory/2732-574-0x00000000062E0000-0x0000000006724000-memory.dmp

Filesize
4.3MB

Download
memory/2732-502-0x0000000000AF0000-0x0000000000FA2000-memory.dmp

Filesize
4.7MB

Download
memory/2732-554-0x0000000006A20000-0x000000000743D000-memory.dmp

Filesize
10.1MB

Download
memory/2732-553-0x0000000000AF0000-0x0000000000FA2000-memory.dmp

Filesize
4.7MB

Download
memory/2732-616-0x00000000062E0000-0x0000000006724000-memory.dmp

Filesize
4.3MB

Download
memory/2732-617-0x00000000062E0000-0x0000000006724000-memory.dmp

Filesize
4.3MB

Download
memory/2732-550-0x0000000006A20000-0x000000000743D000-memory.dmp

Filesize
10.1MB

Download
memory/2732-185-0x00000000062E0000-0x000000000678A000-memory.dmp

Filesize
4.7MB

Download
memory/2732-622-0x0000000000AF0000-0x0000000000FA2000-memory.dmp

Filesize
4.7MB

Download
memory/2732-184-0x00000000062E0000-0x000000000678A000-memory.dmp

Filesize
4.7MB

Download
memory/2732-128-0x0000000000AF0000-0x0000000000FA2000-memory.dmp

Filesize
4.7MB

Download
memory/2732-78-0x00000000062E0000-0x000000000678A000-memory.dmp

Filesize
4.7MB

Download
memory/2732-80-0x00000000062E0000-0x000000000678A000-memory.dmp

Filesize
4.7MB

Download
memory/2732-54-0x0000000000AF0000-0x0000000000FA2000-memory.dmp

Filesize
4.7MB

Download
memory/2732-28-0x0000000000AF0000-0x0000000000FA2000-memory.dmp

Filesize
4.7MB

Download
memory/2732-29-0x0000000000AF1000-0x0000000000B59000-memory.dmp

Filesize
416KB

Download
memory/2732-27-0x0000000000AF0000-0x0000000000FA2000-memory.dmp

Filesize
4.7MB

Download
memory/2732-26-0x0000000000AF0000-0x0000000000FA2000-memory.dmp

Filesize
4.7MB

Download
memory/2732-24-0x0000000000AF0000-0x0000000000FA2000-memory.dmp

Filesize
4.7MB

Download
memory/2908-573-0x0000000000300000-0x0000000000744000-memory.dmp

Filesize
4.3MB

Download
memory/2908-594-0x0000000000300000-0x0000000000744000-memory.dmp

Filesize
4.3MB

Download