amadey | 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-06-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe
Size

1.8MB
MD5

0b3d97b11e440029d52b34ae6798cfbc
SHA1

f6ec97cac5dd7fd597abc69befee89262b1d0ec1
SHA256

5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d
SHA512

2ec03b588aa23728734423e6619cbd541c768c28d5630f195a58eab08153f783f8a301adf8c68c72cde7dcf1a9823b09fa5135bd4f7ea1eee539d249d1ebfca7
SSDEEP

49152:TEfZfgzCiQwmi93LJuL18dSTvE7VinUNCeqOEK5BW6a4+:Tm2Qo7JuLASTcCoCXK5BW6at

Score

10^/10

amadey asyncrat monster redline default e76b71 newbild discovery evasion infostealer rat spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

newbild

185.215.113.67:40960

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

95.142.46.3:4449

95.142.46.3:7000

Mutex

zlgcqgmshzbvhurfz

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Detects Monster Stealer. 1 IoCs

Processes:

resource yara_rule

\Users\Admin\AppData\Local\Temp\onefile_2288_133634924358766000\stub.exe family_monster
Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe family_redline
behavioral1/memory/2780-36-0x0000000000BE0000-0x0000000000C30000-memory.dmp family_redline

resource	yara_rule
\Users\Admin\AppData\Local\Temp\onefile_2288_133634924358766000\stub.exe	family_monster

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe	family_redline
behavioral1/memory/2780-36-0x0000000000BE0000-0x0000000000C30000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exeaxplong.exeda_protected.exet_protected.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	da_protected.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	t_protected.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

da_protected.exet_protected.exe5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	da_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	da_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	t_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	t_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Executes dropped EXE 16 IoCs

Processes:

axplong.exeredline123123.exeupd.exedeep.exeda_protected.exegold.exelummac2.exedrivermanager.exeNewLatest.exeHkbsse.exe1.exemonster.exestub.exesjgikr.exet_protected.exelegs.exe

pid	process
2720	axplong.exe
2780	redline123123.exe
2140	upd.exe
1332	deep.exe
2256	da_protected.exe
1884	gold.exe
1412	lummac2.exe
1756	drivermanager.exe
3024	NewLatest.exe
2564	Hkbsse.exe
1568	1.exe
2288	monster.exe
3012	stub.exe
2044	sjgikr.exe
628	t_protected.exe
2052	legs.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplong.exe5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe

Loads dropped DLL 35 IoCs

Processes:

5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exeaxplong.exeWerFault.exedeep.exeWerFault.exeNewLatest.exeHkbsse.exemonster.exestub.exeda_protected.exesjgikr.exeWerFault.exe

pid	process
2992	5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe
2720	axplong.exe
2720	axplong.exe
2720	axplong.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2720	axplong.exe
1332	deep.exe
1332	deep.exe
1332	deep.exe
1332	deep.exe
2720	axplong.exe
560	WerFault.exe
560	WerFault.exe
560	WerFault.exe
2720	axplong.exe
2720	axplong.exe
2720	axplong.exe
2720	axplong.exe
3024	NewLatest.exe
2564	Hkbsse.exe
2564	Hkbsse.exe
2720	axplong.exe
2288	monster.exe
3012	stub.exe
2256	da_protected.exe
2044	sjgikr.exe
2044	sjgikr.exe
2044	sjgikr.exe
2044	sjgikr.exe
2720	axplong.exe
2988	WerFault.exe
2988	WerFault.exe
2988	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\da_protected.exe	themida
behavioral1/memory/2256-242-0x0000000000A20000-0x0000000001378000-memory.dmp	themida
behavioral1/memory/2256-243-0x0000000000A20000-0x0000000001378000-memory.dmp	themida
\Program Files (x86)\%tepm%\t_protected.exe	themida
behavioral1/memory/628-648-0x00000000003E0000-0x0000000000D3C000-memory.dmp	themida
behavioral1/memory/628-649-0x00000000003E0000-0x0000000000D3C000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

da_protected.exet_protected.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	da_protected.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	t_protected.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exeaxplong.exeda_protected.exet_protected.exe

pid process

2992 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe
2720 axplong.exe
2256 da_protected.exe
628 t_protected.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

drivermanager.exe

description pid process target process

PID 1756 set thread context of 1056 1756 drivermanager.exe MSBuild.exe

description	pid	process	target process
PID 1756 set thread context of 1056	1756	drivermanager.exe	MSBuild.exe

Drops file in Program Files directory 4 IoCs

Processes:

sjgikr.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\%tepm%	sjgikr.exe
File created	C:\Program Files (x86)\%tepm%\__tmp_rar_sfx_access_check_259438773	sjgikr.exe
File created	C:\Program Files (x86)\%tepm%\t_protected.exe	sjgikr.exe
File opened for modification	C:\Program Files (x86)\%tepm%\t_protected.exe	sjgikr.exe

Drops file in Windows directory 2 IoCs

Processes:

5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exeNewLatest.exe

description ioc process

File created C:\Windows\Tasks\axplong.job 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe
File created C:\Windows\Tasks\Hkbsse.job NewLatest.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2384 2140 WerFault.exe upd.exe
560 1884 WerFault.exe gold.exe
2988 2052 WerFault.exe legs.exe

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe
File created	C:\Windows\Tasks\Hkbsse.job	NewLatest.exe

pid	pid_target	process	target process
2384	2140	WerFault.exe	upd.exe
560	1884	WerFault.exe	gold.exe
2988	2052	WerFault.exe	legs.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

axplong.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	axplong.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exeaxplong.exeredline123123.exe1.exe

pid	process
2992	5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe
2720	axplong.exe
2780	redline123123.exe
2780	redline123123.exe
2780	redline123123.exe
1568	1.exe
1568	1.exe
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088
1088

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1.exe

pid process

1568 1.exe

pid	process
1568	1.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

redline123123.exedrivermanager.exeda_protected.exet_protected.exe

description	pid	process
Token: SeDebugPrivilege	2780	redline123123.exe
Token: SeDebugPrivilege	1756	drivermanager.exe
Token: SeDebugPrivilege	2256	da_protected.exe
Token: SeShutdownPrivilege	1088
Token: SeShutdownPrivilege	1088
Token: SeShutdownPrivilege	1088
Token: SeShutdownPrivilege	1088
Token: SeShutdownPrivilege	1088
Token: SeDebugPrivilege	628	t_protected.exe
Token: SeShutdownPrivilege	1088

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exeNewLatest.exe

pid process

2992 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe
3024 NewLatest.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

t_protected.exe

pid process

628 t_protected.exe

pid	process
628	t_protected.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exeaxplong.exeupd.exedeep.exegold.exedrivermanager.exeNewLatest.exeHkbsse.exe

description	pid	process	target process
PID 2992 wrote to memory of 2720	2992	5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe	axplong.exe
PID 2992 wrote to memory of 2720	2992	5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe	axplong.exe
PID 2992 wrote to memory of 2720	2992	5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe	axplong.exe
PID 2992 wrote to memory of 2720	2992	5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe	axplong.exe
PID 2720 wrote to memory of 2780	2720	axplong.exe	redline123123.exe
PID 2720 wrote to memory of 2780	2720	axplong.exe	redline123123.exe
PID 2720 wrote to memory of 2780	2720	axplong.exe	redline123123.exe
PID 2720 wrote to memory of 2780	2720	axplong.exe	redline123123.exe
PID 2720 wrote to memory of 2140	2720	axplong.exe	upd.exe
PID 2720 wrote to memory of 2140	2720	axplong.exe	upd.exe
PID 2720 wrote to memory of 2140	2720	axplong.exe	upd.exe
PID 2720 wrote to memory of 2140	2720	axplong.exe	upd.exe
PID 2140 wrote to memory of 2384	2140	upd.exe	WerFault.exe
PID 2140 wrote to memory of 2384	2140	upd.exe	WerFault.exe
PID 2140 wrote to memory of 2384	2140	upd.exe	WerFault.exe
PID 2140 wrote to memory of 2384	2140	upd.exe	WerFault.exe
PID 2720 wrote to memory of 1332	2720	axplong.exe	deep.exe
PID 2720 wrote to memory of 1332	2720	axplong.exe	deep.exe
PID 2720 wrote to memory of 1332	2720	axplong.exe	deep.exe
PID 2720 wrote to memory of 1332	2720	axplong.exe	deep.exe
PID 1332 wrote to memory of 2256	1332	deep.exe	da_protected.exe
PID 1332 wrote to memory of 2256	1332	deep.exe	da_protected.exe
PID 1332 wrote to memory of 2256	1332	deep.exe	da_protected.exe
PID 1332 wrote to memory of 2256	1332	deep.exe	da_protected.exe
PID 2720 wrote to memory of 1884	2720	axplong.exe	gold.exe
PID 2720 wrote to memory of 1884	2720	axplong.exe	gold.exe
PID 2720 wrote to memory of 1884	2720	axplong.exe	gold.exe
PID 2720 wrote to memory of 1884	2720	axplong.exe	gold.exe
PID 1884 wrote to memory of 560	1884	gold.exe	WerFault.exe
PID 1884 wrote to memory of 560	1884	gold.exe	WerFault.exe
PID 1884 wrote to memory of 560	1884	gold.exe	WerFault.exe
PID 1884 wrote to memory of 560	1884	gold.exe	WerFault.exe
PID 2720 wrote to memory of 1412	2720	axplong.exe	lummac2.exe
PID 2720 wrote to memory of 1412	2720	axplong.exe	lummac2.exe
PID 2720 wrote to memory of 1412	2720	axplong.exe	lummac2.exe
PID 2720 wrote to memory of 1412	2720	axplong.exe	lummac2.exe
PID 2720 wrote to memory of 1756	2720	axplong.exe	drivermanager.exe
PID 2720 wrote to memory of 1756	2720	axplong.exe	drivermanager.exe
PID 2720 wrote to memory of 1756	2720	axplong.exe	drivermanager.exe
PID 2720 wrote to memory of 1756	2720	axplong.exe	drivermanager.exe
PID 1756 wrote to memory of 1056	1756	drivermanager.exe	MSBuild.exe
PID 1756 wrote to memory of 1056	1756	drivermanager.exe	MSBuild.exe
PID 1756 wrote to memory of 1056	1756	drivermanager.exe	MSBuild.exe
PID 1756 wrote to memory of 1056	1756	drivermanager.exe	MSBuild.exe
PID 1756 wrote to memory of 1056	1756	drivermanager.exe	MSBuild.exe
PID 1756 wrote to memory of 1056	1756	drivermanager.exe	MSBuild.exe
PID 1756 wrote to memory of 1056	1756	drivermanager.exe	MSBuild.exe
PID 1756 wrote to memory of 1056	1756	drivermanager.exe	MSBuild.exe
PID 1756 wrote to memory of 1056	1756	drivermanager.exe	MSBuild.exe
PID 1756 wrote to memory of 1056	1756	drivermanager.exe	MSBuild.exe
PID 2720 wrote to memory of 3024	2720	axplong.exe	NewLatest.exe
PID 2720 wrote to memory of 3024	2720	axplong.exe	NewLatest.exe
PID 2720 wrote to memory of 3024	2720	axplong.exe	NewLatest.exe
PID 2720 wrote to memory of 3024	2720	axplong.exe	NewLatest.exe
PID 3024 wrote to memory of 2564	3024	NewLatest.exe	Hkbsse.exe
PID 3024 wrote to memory of 2564	3024	NewLatest.exe	Hkbsse.exe
PID 3024 wrote to memory of 2564	3024	NewLatest.exe	Hkbsse.exe
PID 3024 wrote to memory of 2564	3024	NewLatest.exe	Hkbsse.exe
PID 2564 wrote to memory of 1568	2564	Hkbsse.exe	1.exe
PID 2564 wrote to memory of 1568	2564	Hkbsse.exe	1.exe
PID 2564 wrote to memory of 1568	2564	Hkbsse.exe	1.exe
PID 2564 wrote to memory of 1568	2564	Hkbsse.exe	1.exe
PID 2720 wrote to memory of 2288	2720	axplong.exe	monster.exe
PID 2720 wrote to memory of 2288	2720	axplong.exe	monster.exe

C:\Users\Admin\AppData\Local\Temp\5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe
"C:\Users\Admin\AppData\Local\Temp\5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 52
4⤵
- Loads dropped DLL
- Program crash
PID:2384

C:\Users\Admin\AppData\Local\Temp\1000025001\deep.exe
"C:\Users\Admin\AppData\Local\Temp\1000025001\deep.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1332

C:\Users\Admin\AppData\Local\Temp\da_protected.exe
"C:\Users\Admin\AppData\Local\Temp\da_protected.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Users\Admin\AppData\Local\Temp\sjgikr.exe
"C:\Users\Admin\AppData\Local\Temp\sjgikr.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2044

C:\Program Files (x86)\%tepm%\t_protected.exe
"C:\Program Files (x86)\%tepm%\t_protected.exe"
6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:628

C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 84
4⤵
- Loads dropped DLL
- Program crash
PID:560

C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
"C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"
3⤵
- Executes dropped EXE
PID:1412

C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe
"C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Local\Temp\1000012001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\1.exe"
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1568

C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe
"C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288

C:\Users\Admin\AppData\Local\Temp\onefile_2288_133634924358766000\stub.exe
"C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012

C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
"C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"
3⤵
- Executes dropped EXE
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 64
4⤵
- Loads dropped DLL
- Program crash
PID:2988

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ff0f6e21c37db91bf5f1c233b70c7ae7

SHA1
3fa5e3044e9897dd31ab4965d694c3767c876a74

SHA256
1667cf17111061a14018b48be4cd59c11e314de1ab71945393786d92fe190c97

SHA512
08fc5da49dffe45a970072e8d3fbe227a8e8ad2bbff449cade56a8048b3dfe82ecf1dce1b2c78a3a7bb400622e89cc291a37de9cc49bb619bd3687bf59f60703

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
be3be841924b66fa3e7bd99308cc10c5

SHA1
beec8f03bf11b99d83a86412e7cde1a74a9098c7

SHA256
5b6d0fcf433b4bd79891803bad9245be1aa94f34cb1feb05a8de2a08c6b5efd5

SHA512
aba7d071517a9b9cb0136d64367fa57452035c9ea86c69ca46f82bbef0879dacb94e8f7769c5d9e54d7b5159362fa9568dc7c304f865c2fbc4ef26523f32c107

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe
Filesize
297KB

MD5
0efd5136528869a8ea1a37c5059d706e

SHA1
3593bec29dbfd333a5a3a4ad2485a94982bbf713

SHA256
7c21c1f3063ba963818542036a50f62ac7494ad422e7088897b55c61306ec74e

SHA512
4ac391812634107e4a4318c454a19e7c34abfc1f97acc9bcd0fac9a92c372e5ebfe809e5c433479142537762ed633564bc690b38fc268b169498d6a54249e3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe
Filesize
1.7MB

MD5
e8a7d0c6dedce0d4a403908a29273d43

SHA1
8289c35dabaee32f61c74de6a4e8308dc98eb075

SHA256
672f24842aeb72d7bd8d64e78aaba5f3a953409ce21cfe97d3a80e7ef67f232a

SHA512
c8bf2f42f7bcf6f6b752ba5165c57ee99d4b31d5ba48ce1c2651afdb8bc37a14f392253f3daa0e811116d11d4c9175dc55cfb1baac0c30a71a18e1df17e73770

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\1.exe
Filesize
239KB

MD5
e0a475f2ac0e9c3dad905d8ce84f62cb

SHA1
6b789faafed3e4e2d318c9ec9300f9ba3c865374

SHA256
b59e52b83b0a0cde0085b3ba306316a86a845a974cbeaf45da905476b6db53bb

SHA512
a23d30a9fc9d2560fe37b6d9ab334576e956412ca7841f63f051a54aa77a4e3bcf6b1b5e4e28304b06fde02028b20c6ff1297f750c4735281168164d3397cf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000025001\deep.exe
Filesize
3.6MB

MD5
864d1a4e41a56c8f2e7e7eec89a47638

SHA1
1f2cb906b92a945c7346c7139c7722230005c394

SHA256
1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8

SHA512
547a441369636e2548c7f8f94c3972269e04d80ee5a26803cc222942b28e457be908126fb4ff6bfde2a063ea1ef74ecba2aaceb58c68fba5c4fddcea5fbd91d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
Filesize
522KB

MD5
70a578f7f58456e475facd69469cf20a

SHA1
83e147e7ba01fa074b2f046b65978f838f7b1e8e

SHA256
5c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a

SHA512
707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
Filesize
310KB

MD5
6e3d83935c7a0810f75dfa9badc3f199

SHA1
9f7d7c0ea662bcdca9b0cda928dc339f06ef0730

SHA256
dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed

SHA512
9f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe
Filesize
3.6MB

MD5
c28a2d0a008788b49690b333d501e3f3

SHA1
6a25fdb8613db00b09d4d6e1ad302c20c7f7e2c4

SHA256
f61712dccccf8f19c6dbf0dfb7c7c0be9eb2f13d3381ee94e4cb6cb70ffb5f5a

SHA512
455923a63e60b6079d7e0af2bfae5f922b205d024def456ae95158ef1bfcdbc4f56e24b4421a2203f4618d0ea29e229e331c7ee0d7881ee8ebac83fa72f5d788

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe
Filesize
10.7MB

MD5
3f4f5c57433724a32b7498b6a2c91bf0

SHA1
04757ff666e1afa31679dd6bed4ed3af671332a3

SHA256
0608a7559f895fab33ae65bbfbdc5bebd21eea984f76e1b5571c80906824d665

SHA512
cf572ca616b4f4e6e472e33e8d6d90b85d5885fa64d8bca4507450d66d65057efa771f58c31ea13f394fd0e7b0ff2fcaa9d54c61f28b27b98a79c27bc964f935

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
Filesize
659KB

MD5
bbd06263062b2c536b5caacdd5f81b76

SHA1
c38352c1c08fb0fa5e67a079998ef30ebc962089

SHA256
1875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9

SHA512
7faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8212.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2288_133634924358766000\python310.dll
Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
\Program Files (x86)\%tepm%\t_protected.exe
Filesize
3.2MB

MD5
3749aab78d4fe372863ce1dbc98ff9b3

SHA1
a73c0b080499eb21a3df34f099e26980b3c21a08

SHA256
cd7fce0b350f192e68e533552837e6c8c63c4a8c6c6ef45f36c1e2427b10032a

SHA512
7f5cd37a4fbbd060c324c60f7e10fe7f874ed497e35a5d0eb75861069cd00f68abd10a7484853f9fb48f9ceb5e67a70818be9bca9a9488cad44a7ad3771f6b64

Download Submit
\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize
1.8MB

MD5
0b3d97b11e440029d52b34ae6798cfbc

SHA1
f6ec97cac5dd7fd597abc69befee89262b1d0ec1

SHA256
5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d

SHA512
2ec03b588aa23728734423e6619cbd541c768c28d5630f195a58eab08153f783f8a301adf8c68c72cde7dcf1a9823b09fa5135bd4f7ea1eee539d249d1ebfca7

Download Submit
\Users\Admin\AppData\Local\Temp\da_protected.exe
Filesize
3.2MB

MD5
3d21c714fbb98a6a3c72919928c9525c

SHA1
bf628293920b8f0418de008acc8f3506eaeff3cb

SHA256
811be420db2f390e60a291018126a8aa45c8c5182c050b13076c80d3f80d153c

SHA512
3b21fda899cf197a740dd4f2844c99c772a16ffe20581fe78e801c193f29714fbfa23843059ee34baf6176e71434f0ed7506d75de91b87348bcf9cc4b999575a

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2288_133634924358766000\stub.exe
Filesize
18.0MB

MD5
ed9d600d2e640eaa1c915dc516da9988

SHA1
9c10629bc0255009434e64deaee5b898fc3711e2

SHA256
2b8a2a3c53a019ca674287e1513a8e0851f2181699e37f385541537801ed1d41

SHA512
9001454bfabf2d9621ad997726aad281638c4b2e8dc134994f479d391bae91c5d0aa24317e85e8e91956cc34357e1ed9d6682f2fe9a023d74b003a420325db68

Download Submit
\Users\Admin\AppData\Local\Temp\sjgikr.exe
Filesize
3.5MB

MD5
0ce7f9d2494b190678628616a6e3dab4

SHA1
ef77a7fa1b654c0fdf93fca0d862365f05c6fd9f

SHA256
39bccc832b167ea6418f9c095f867e77ce8ba5c53f660758aaa9b8f86f07404f

SHA512
40ed2afbf64619babc0a4ceff66869b1a8790f1d7568a70230518f6cf96286f56f0ca8b7959c75bd570c5aff239e8bba7425346394c2e0a577d396c24546b887

Download Submit
memory/628-648-0x00000000003E0000-0x0000000000D3C000-memory.dmp

Filesize
9.4MB

Download
memory/628-649-0x00000000003E0000-0x0000000000D3C000-memory.dmp

Filesize
9.4MB

Download
memory/1332-86-0x0000000003ED0000-0x0000000004828000-memory.dmp

Filesize
9.3MB

Download
memory/1332-87-0x0000000003ED0000-0x0000000004828000-memory.dmp

Filesize
9.3MB

Download
memory/1332-85-0x0000000003ED0000-0x0000000004828000-memory.dmp

Filesize
9.3MB

Download
memory/1756-184-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-156-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-140-0x0000000004B00000-0x0000000004C06000-memory.dmp

Filesize
1.0MB

Download
memory/1756-141-0x0000000005390000-0x000000000547C000-memory.dmp

Filesize
944KB

Download
memory/1756-142-0x0000000000860000-0x000000000087C000-memory.dmp

Filesize
112KB

Download
memory/1756-150-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-168-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-192-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-202-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-200-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-198-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-196-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-194-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-190-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-188-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-186-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-138-0x0000000000190000-0x000000000052C000-memory.dmp

Filesize
3.6MB

Download
memory/1756-182-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-180-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-178-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-176-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-174-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-172-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-170-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-166-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-164-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-162-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-160-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-158-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-143-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-154-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-152-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-148-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-146-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/1756-144-0x0000000000860000-0x0000000000875000-memory.dmp

Filesize
84KB

Download
memory/2044-626-0x0000000003D50000-0x00000000046AC000-memory.dmp

Filesize
9.4MB

Download
memory/2044-627-0x0000000003D50000-0x00000000046AC000-memory.dmp

Filesize
9.4MB

Download
memory/2140-53-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2256-89-0x0000000000A20000-0x0000000001378000-memory.dmp

Filesize
9.3MB

Download
memory/2256-242-0x0000000000A20000-0x0000000001378000-memory.dmp

Filesize
9.3MB

Download
memory/2256-243-0x0000000000A20000-0x0000000001378000-memory.dmp

Filesize
9.3MB

Download
memory/2256-478-0x0000000000A20000-0x0000000001378000-memory.dmp

Filesize
9.3MB

Download
memory/2720-19-0x00000000013B0000-0x0000000001865000-memory.dmp

Filesize
4.7MB

Download
memory/2720-123-0x00000000013B0000-0x0000000001865000-memory.dmp

Filesize
4.7MB

Download
memory/2720-264-0x00000000013B0000-0x0000000001865000-memory.dmp

Filesize
4.7MB

Download
memory/2720-17-0x00000000013B0000-0x0000000001865000-memory.dmp

Filesize
4.7MB

Download
memory/2720-21-0x00000000013B0000-0x0000000001865000-memory.dmp

Filesize
4.7MB

Download
memory/2720-139-0x00000000013B0000-0x0000000001865000-memory.dmp

Filesize
4.7MB

Download
memory/2720-263-0x00000000013B0000-0x0000000001865000-memory.dmp

Filesize
4.7MB

Download
memory/2720-18-0x00000000013B1000-0x00000000013DF000-memory.dmp

Filesize
184KB

Download
memory/2720-270-0x00000000013B0000-0x0000000001865000-memory.dmp

Filesize
4.7MB

Download
memory/2780-36-0x0000000000BE0000-0x0000000000C30000-memory.dmp

Filesize
320KB

Download
memory/2992-15-0x0000000000A50000-0x0000000000F05000-memory.dmp

Filesize
4.7MB

Download
memory/2992-0-0x0000000000A50000-0x0000000000F05000-memory.dmp

Filesize
4.7MB

Download
memory/2992-16-0x0000000007060000-0x0000000007515000-memory.dmp

Filesize
4.7MB

Download
memory/2992-5-0x0000000000A50000-0x0000000000F05000-memory.dmp

Filesize
4.7MB

Download
memory/2992-3-0x0000000000A50000-0x0000000000F05000-memory.dmp

Filesize
4.7MB

Download
memory/2992-2-0x0000000000A51000-0x0000000000A7F000-memory.dmp

Filesize
184KB

Download
memory/2992-1-0x0000000077AC0000-0x0000000077AC2000-memory.dmp

Filesize
8KB

Download