amadey | 791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8

Analysis

max time kernel
300s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27-06-2024 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
Size

1.8MB
MD5

7558819d7d8c4a51720952fedd9758fa
SHA1

b812b6495c1df9ea4019ac3bb510d535cf2415aa
SHA256

791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8
SHA512

8b8aa1d8d39a09620774c9585ba6fadd233ef1dae6e2533ce15f586af2ddc03b34a88f036070a6be5094f9d5ed8eb02d532895fe307cbf3ff8e335dc8d6248cd
SSDEEP

49152:GdtfeaiBlh7ioEbm9khHiTfitx+/7sNIKE0jc:G6Nv7ioEbm9wCj64/xh0j

Score

10^/10

amadey lumma redline xmrig 123 e76b71 discovery evasion execution infostealer miner persistence spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

123

185.215.113.67:40960

Extracted

Family

lumma

https://harmfullyelobardek.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe family_redline
behavioral2/memory/2032-75-0x0000000000620000-0x0000000000670000-memory.dmp family_redline
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe	family_redline
behavioral2/memory/2032-75-0x0000000000620000-0x0000000000670000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/624-385-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/624-379-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/624-383-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/624-381-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/624-384-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/624-382-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/624-378-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2628 powershell.exe
2064 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
2628	powershell.exe
2064	powershell.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Executes dropped EXE 12 IoCs

Processes:

axplong.execrypted.exeNewLatest.exeHkbsse.exe123.exe1.exeHkbsse.exeHkbsse.exeFirstZ.exeHkbsse.exereakuqnanrkn.exeHkbsse.exe

pid process

380 axplong.exe
4516 crypted.exe
5020 NewLatest.exe
4180 Hkbsse.exe
2032 123.exe
4080 1.exe
208 Hkbsse.exe
2376 Hkbsse.exe
664 FirstZ.exe
4480 Hkbsse.exe
3640 reakuqnanrkn.exe
3388 Hkbsse.exe

pid	process
380	axplong.exe
4516	crypted.exe
5020	NewLatest.exe
4180	Hkbsse.exe
2032	123.exe
4080	1.exe
208	Hkbsse.exe
2376	Hkbsse.exe
664	FirstZ.exe
4480	Hkbsse.exe
3640	reakuqnanrkn.exe
3388	Hkbsse.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	axplong.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/624-373-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/624-374-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/624-385-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/624-379-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/624-383-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/624-381-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/624-384-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/624-382-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/624-378-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/624-377-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/624-376-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/624-375-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

93 bitbucket.org
98 pastebin.com
99 pastebin.com
29 bitbucket.org
36 bitbucket.org
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

4532 powercfg.exe
4724 powercfg.exe
920 powercfg.exe
600 powercfg.exe
420 powercfg.exe
872 powercfg.exe
564 powercfg.exe
4040 powercfg.exe

flow	ioc
93	bitbucket.org
98	pastebin.com
99	pastebin.com
29	bitbucket.org
36	bitbucket.org

pid	process
4532	powercfg.exe
4724	powercfg.exe
920	powercfg.exe
600	powercfg.exe
420	powercfg.exe
872	powercfg.exe
564	powercfg.exe
4040	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

FirstZ.exepowershell.exereakuqnanrkn.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exeaxplong.exe

pid process

3620 791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
380 axplong.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

crypted.exereakuqnanrkn.exe

description	pid	process	target process
PID 4516 set thread context of 4488	4516	crypted.exe	RegAsm.exe
PID 3640 set thread context of 4056	3640	reakuqnanrkn.exe	conhost.exe
PID 3640 set thread context of 624	3640	reakuqnanrkn.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exeNewLatest.exe

description ioc process

File created C:\Windows\Tasks\axplong.job 791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
File created C:\Windows\Tasks\Hkbsse.job NewLatest.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4076 sc.exe
1092 sc.exe
3936 sc.exe
2416 sc.exe
1768 sc.exe
4408 sc.exe
584 sc.exe
200 sc.exe
4492 sc.exe
864 sc.exe
2628 sc.exe
4868 sc.exe
3196 sc.exe
3192 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3580 4516 WerFault.exe crypted.exe
1984 4080 WerFault.exe 1.exe

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
File created	C:\Windows\Tasks\Hkbsse.job	NewLatest.exe

pid	process
4076	sc.exe
1092	sc.exe
3936	sc.exe
2416	sc.exe
1768	sc.exe
4408	sc.exe
584	sc.exe
200	sc.exe
4492	sc.exe
864	sc.exe
2628	sc.exe
4868	sc.exe
3196	sc.exe
3192	sc.exe

pid	pid_target	process	target process
3580	4516	WerFault.exe	crypted.exe
1984	4080	WerFault.exe	1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe

Modifies data under HKEY_USERS 51 IoCs

Processes:

powershell.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exeaxplong.exe123.exeFirstZ.exepowershell.exereakuqnanrkn.exepowershell.exeexplorer.exe

pid	process
3620	791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
3620	791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
380	axplong.exe
380	axplong.exe
2032	123.exe
2032	123.exe
2032	123.exe
664	FirstZ.exe
2628	powershell.exe
2628	powershell.exe
2628	powershell.exe
664	FirstZ.exe
664	FirstZ.exe
664	FirstZ.exe
664	FirstZ.exe
664	FirstZ.exe
664	FirstZ.exe
664	FirstZ.exe
664	FirstZ.exe
664	FirstZ.exe
664	FirstZ.exe
664	FirstZ.exe
664	FirstZ.exe
664	FirstZ.exe
664	FirstZ.exe
3640	reakuqnanrkn.exe
2064	powershell.exe
2064	powershell.exe
2064	powershell.exe
3640	reakuqnanrkn.exe
3640	reakuqnanrkn.exe
3640	reakuqnanrkn.exe
3640	reakuqnanrkn.exe
3640	reakuqnanrkn.exe
3640	reakuqnanrkn.exe
3640	reakuqnanrkn.exe
3640	reakuqnanrkn.exe
3640	reakuqnanrkn.exe
3640	reakuqnanrkn.exe
3640	reakuqnanrkn.exe
3640	reakuqnanrkn.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

123.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exeexplorer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	2032	123.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeIncreaseQuotaPrivilege	2628	powershell.exe
Token: SeSecurityPrivilege	2628	powershell.exe
Token: SeTakeOwnershipPrivilege	2628	powershell.exe
Token: SeLoadDriverPrivilege	2628	powershell.exe
Token: SeSystemProfilePrivilege	2628	powershell.exe
Token: SeSystemtimePrivilege	2628	powershell.exe
Token: SeProfSingleProcessPrivilege	2628	powershell.exe
Token: SeIncBasePriorityPrivilege	2628	powershell.exe
Token: SeCreatePagefilePrivilege	2628	powershell.exe
Token: SeBackupPrivilege	2628	powershell.exe
Token: SeRestorePrivilege	2628	powershell.exe
Token: SeShutdownPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeSystemEnvironmentPrivilege	2628	powershell.exe
Token: SeRemoteShutdownPrivilege	2628	powershell.exe
Token: SeUndockPrivilege	2628	powershell.exe
Token: SeManageVolumePrivilege	2628	powershell.exe
Token: 33	2628	powershell.exe
Token: 34	2628	powershell.exe
Token: 35	2628	powershell.exe
Token: 36	2628	powershell.exe
Token: SeShutdownPrivilege	600	powercfg.exe
Token: SeCreatePagefilePrivilege	600	powercfg.exe
Token: SeShutdownPrivilege	564	powercfg.exe
Token: SeCreatePagefilePrivilege	564	powercfg.exe
Token: SeShutdownPrivilege	420	powercfg.exe
Token: SeCreatePagefilePrivilege	420	powercfg.exe
Token: SeShutdownPrivilege	872	powercfg.exe
Token: SeCreatePagefilePrivilege	872	powercfg.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2064	powershell.exe
Token: SeIncreaseQuotaPrivilege	2064	powershell.exe
Token: SeSecurityPrivilege	2064	powershell.exe
Token: SeTakeOwnershipPrivilege	2064	powershell.exe
Token: SeLoadDriverPrivilege	2064	powershell.exe
Token: SeSystemtimePrivilege	2064	powershell.exe
Token: SeBackupPrivilege	2064	powershell.exe
Token: SeRestorePrivilege	2064	powershell.exe
Token: SeShutdownPrivilege	2064	powershell.exe
Token: SeSystemEnvironmentPrivilege	2064	powershell.exe
Token: SeUndockPrivilege	2064	powershell.exe
Token: SeManageVolumePrivilege	2064	powershell.exe
Token: SeLockMemoryPrivilege	624	explorer.exe
Token: SeShutdownPrivilege	4724	powercfg.exe
Token: SeCreatePagefilePrivilege	4724	powercfg.exe
Token: SeShutdownPrivilege	4040	powercfg.exe
Token: SeCreatePagefilePrivilege	4040	powercfg.exe
Token: SeShutdownPrivilege	920	powercfg.exe
Token: SeCreatePagefilePrivilege	920	powercfg.exe
Token: SeShutdownPrivilege	4532	powercfg.exe
Token: SeCreatePagefilePrivilege	4532	powercfg.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exeaxplong.execrypted.exeNewLatest.exeHkbsse.execmd.execmd.exereakuqnanrkn.exe

description	pid	process	target process
PID 3620 wrote to memory of 380	3620	791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe	axplong.exe
PID 3620 wrote to memory of 380	3620	791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe	axplong.exe
PID 3620 wrote to memory of 380	3620	791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe	axplong.exe
PID 380 wrote to memory of 4516	380	axplong.exe	crypted.exe
PID 380 wrote to memory of 4516	380	axplong.exe	crypted.exe
PID 380 wrote to memory of 4516	380	axplong.exe	crypted.exe
PID 4516 wrote to memory of 5100	4516	crypted.exe	RegAsm.exe
PID 4516 wrote to memory of 5100	4516	crypted.exe	RegAsm.exe
PID 4516 wrote to memory of 5100	4516	crypted.exe	RegAsm.exe
PID 4516 wrote to memory of 4488	4516	crypted.exe	RegAsm.exe
PID 4516 wrote to memory of 4488	4516	crypted.exe	RegAsm.exe
PID 4516 wrote to memory of 4488	4516	crypted.exe	RegAsm.exe
PID 4516 wrote to memory of 4488	4516	crypted.exe	RegAsm.exe
PID 4516 wrote to memory of 4488	4516	crypted.exe	RegAsm.exe
PID 4516 wrote to memory of 4488	4516	crypted.exe	RegAsm.exe
PID 4516 wrote to memory of 4488	4516	crypted.exe	RegAsm.exe
PID 4516 wrote to memory of 4488	4516	crypted.exe	RegAsm.exe
PID 4516 wrote to memory of 4488	4516	crypted.exe	RegAsm.exe
PID 380 wrote to memory of 5020	380	axplong.exe	NewLatest.exe
PID 380 wrote to memory of 5020	380	axplong.exe	NewLatest.exe
PID 380 wrote to memory of 5020	380	axplong.exe	NewLatest.exe
PID 5020 wrote to memory of 4180	5020	NewLatest.exe	Hkbsse.exe
PID 5020 wrote to memory of 4180	5020	NewLatest.exe	Hkbsse.exe
PID 5020 wrote to memory of 4180	5020	NewLatest.exe	Hkbsse.exe
PID 380 wrote to memory of 2032	380	axplong.exe	123.exe
PID 380 wrote to memory of 2032	380	axplong.exe	123.exe
PID 380 wrote to memory of 2032	380	axplong.exe	123.exe
PID 4180 wrote to memory of 4080	4180	Hkbsse.exe	1.exe
PID 4180 wrote to memory of 4080	4180	Hkbsse.exe	1.exe
PID 4180 wrote to memory of 4080	4180	Hkbsse.exe	1.exe
PID 4180 wrote to memory of 664	4180	Hkbsse.exe	FirstZ.exe
PID 4180 wrote to memory of 664	4180	Hkbsse.exe	FirstZ.exe
PID 4576 wrote to memory of 4308	4576	cmd.exe	wusa.exe
PID 4576 wrote to memory of 4308	4576	cmd.exe	wusa.exe
PID 2620 wrote to memory of 224	2620	cmd.exe	wusa.exe
PID 2620 wrote to memory of 224	2620	cmd.exe	wusa.exe
PID 3640 wrote to memory of 4056	3640	reakuqnanrkn.exe	conhost.exe
PID 3640 wrote to memory of 4056	3640	reakuqnanrkn.exe	conhost.exe
PID 3640 wrote to memory of 4056	3640	reakuqnanrkn.exe	conhost.exe
PID 3640 wrote to memory of 4056	3640	reakuqnanrkn.exe	conhost.exe
PID 3640 wrote to memory of 4056	3640	reakuqnanrkn.exe	conhost.exe
PID 3640 wrote to memory of 4056	3640	reakuqnanrkn.exe	conhost.exe
PID 3640 wrote to memory of 4056	3640	reakuqnanrkn.exe	conhost.exe
PID 3640 wrote to memory of 4056	3640	reakuqnanrkn.exe	conhost.exe
PID 3640 wrote to memory of 4056	3640	reakuqnanrkn.exe	conhost.exe
PID 3640 wrote to memory of 624	3640	reakuqnanrkn.exe	explorer.exe
PID 3640 wrote to memory of 624	3640	reakuqnanrkn.exe	explorer.exe
PID 3640 wrote to memory of 624	3640	reakuqnanrkn.exe	explorer.exe
PID 3640 wrote to memory of 624	3640	reakuqnanrkn.exe	explorer.exe
PID 3640 wrote to memory of 624	3640	reakuqnanrkn.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
"C:\Users\Admin\AppData\Local\Temp\791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3620

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:380

C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 324
4⤵
- Program crash
PID:3580

C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5020

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180

C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe"
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 500
6⤵
- Program crash
PID:1984

C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:664

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
6⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
7⤵
PID:4308

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
6⤵
- Launches sc.exe
PID:1768

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:4868

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
6⤵
- Launches sc.exe
PID:4076

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
6⤵
- Launches sc.exe
PID:1092

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
6⤵
- Launches sc.exe
PID:3936

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:420

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
6⤵
- Launches sc.exe
PID:2416

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
6⤵
- Launches sc.exe
PID:4408

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
6⤵
- Launches sc.exe
PID:3192

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
6⤵
- Launches sc.exe
PID:3196

C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe
"C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:208

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:2376

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4480

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:224

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:584

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:200

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:4492

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:864

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:2628

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:4056

C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:3388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe
Filesize
317KB

MD5
e1b59d2805b38262b9967bce3e719dbf

SHA1
4081416cfaa76941981c34518d45b60e8d4b2013

SHA256
d5bba713d11ebbb7a91be59dae0f2d4b818897fe756b854dfe40babe7664c173

SHA512
bcea30a8f2a10aed0e2c97133734a34a850c18ee9447966ed8cdae8bbf72b98ebd2703a7cadf53b8991ef5eb3047d871242e990a4b7baf00eda8ca5f5f7dda35

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe
Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exe
Filesize
529KB

MD5
efb9f7b4e6703ad5d5b179992a6c44f8

SHA1
6f51ff5a147570a141ec8ce662501c21ff8b3530

SHA256
6ea5dc63bda788cd58bcbc5d9c736f7ba1d01371a9d05c53134616c2776c6314

SHA512
389ea1f3881434c7aabad6c9ff4827cc595afb326d978de9dbf0cfd1f80d96f9d242e11da8025970f1cf594382f01b1c86e53476d5e7896ed802dd9c018d6dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe
Filesize
297KB

MD5
cd581d68ed550455444ee6e099c44266

SHA1
f131d587578336651fd3e325b82b6c185a4b6429

SHA256
a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505

SHA512
33f94920032436cd45906c27cd5b39f47f9519ab5a1a6745bd8a69d81ce729d8e5e425a7538b5f4f6992bd3804e0376085f5da1c28cf9f4d664cabe64036d0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize
1.8MB

MD5
7558819d7d8c4a51720952fedd9758fa

SHA1
b812b6495c1df9ea4019ac3bb510d535cf2415aa

SHA256
791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8

SHA512
8b8aa1d8d39a09620774c9585ba6fadd233ef1dae6e2533ce15f586af2ddc03b34a88f036070a6be5094f9d5ed8eb02d532895fe307cbf3ff8e335dc8d6248cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yxrvbh4t.5no.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/380-127-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-123-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-17-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-18-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-24-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-25-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-26-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-27-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-15-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-393-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-391-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-42-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-389-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-144-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-142-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-140-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-138-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-160-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-131-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-16-0x0000000000D71000-0x0000000000D9F000-memory.dmp

Filesize
184KB

Download
memory/380-129-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-164-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-125-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-84-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-158-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-133-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-96-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-100-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-353-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/380-120-0x0000000000D70000-0x000000000121D000-memory.dmp

Filesize
4.7MB

Download
memory/624-384-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/624-374-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/624-380-0x00000000007D0000-0x00000000007F0000-memory.dmp

Filesize
128KB

Download
memory/624-385-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/624-383-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/624-381-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/624-373-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/624-375-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/624-379-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/624-382-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/624-378-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/624-377-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/624-376-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2032-80-0x0000000005950000-0x0000000005A5A000-memory.dmp

Filesize
1.0MB

Download
memory/2032-88-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/2032-135-0x00000000077B0000-0x0000000007972000-memory.dmp

Filesize
1.8MB

Download
memory/2032-75-0x0000000000620000-0x0000000000670000-memory.dmp

Filesize
320KB

Download
memory/2032-76-0x0000000005450000-0x000000000594E000-memory.dmp

Filesize
5.0MB

Download
memory/2032-77-0x0000000005000000-0x0000000005092000-memory.dmp

Filesize
584KB

Download
memory/2032-78-0x0000000005170000-0x000000000517A000-memory.dmp

Filesize
40KB

Download
memory/2032-79-0x0000000005F60000-0x0000000006566000-memory.dmp

Filesize
6.0MB

Download
memory/2032-81-0x0000000005260000-0x0000000005272000-memory.dmp

Filesize
72KB

Download
memory/2032-136-0x0000000007EB0000-0x00000000083DC000-memory.dmp

Filesize
5.2MB

Download
memory/2032-82-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2032-95-0x00000000069C0000-0x0000000006A10000-memory.dmp

Filesize
320KB

Download
memory/2032-83-0x0000000005300000-0x000000000534B000-memory.dmp

Filesize
300KB

Download
memory/2064-275-0x00000204D0C00000-0x00000204D0C0A000-memory.dmp

Filesize
40KB

Download
memory/2064-242-0x00000204D0DB0000-0x00000204D0E69000-memory.dmp

Filesize
740KB

Download
memory/2064-236-0x00000204D0BE0000-0x00000204D0BFC000-memory.dmp

Filesize
112KB

Download
memory/2628-170-0x000001FDF6480000-0x000001FDF64A2000-memory.dmp

Filesize
136KB

Download
memory/2628-173-0x000001FDF6AC0000-0x000001FDF6B36000-memory.dmp

Filesize
472KB

Download
memory/3620-2-0x0000000000801000-0x000000000082F000-memory.dmp

Filesize
184KB

Download
memory/3620-1-0x00000000770B4000-0x00000000770B5000-memory.dmp

Filesize
4KB

Download
memory/3620-3-0x0000000000800000-0x0000000000CAD000-memory.dmp

Filesize
4.7MB

Download
memory/3620-14-0x0000000000800000-0x0000000000CAD000-memory.dmp

Filesize
4.7MB

Download
memory/3620-5-0x0000000000800000-0x0000000000CAD000-memory.dmp

Filesize
4.7MB

Download
memory/3620-0-0x0000000000800000-0x0000000000CAD000-memory.dmp

Filesize
4.7MB

Download
memory/4056-365-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4056-367-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4056-369-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4056-366-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4056-368-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4056-372-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4080-122-0x0000000000400000-0x000000000236B000-memory.dmp

Filesize
31.4MB

Download
memory/4488-41-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4488-40-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download