amadey | e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0

Analysis

max time kernel
298s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-07-2024 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
Size

1.9MB
MD5

5ad5e4f1f3126c5d6cfdbfbbe5597c84
SHA1

47b46cbe987e0e33c9d23f4c6cc304d116e5e80f
SHA256

e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0
SHA512

8c58379f3107cc67944d003df964f123848c9e7b55edbda3d256915cbbf666fa62e8878bb0c091c84e0057fe5097fef8e3eb49f2382519dc4a06f31a4c37b163
SSDEEP

49152:izPvPgeS5GaqaHrxCTZtEsO/kLMUunFvGA0WyUAD:YfgbNHrxCTkRWunZRyUA

Score

10^/10

amadey lumma redline stealc e76b71 jopa livetraffoc newbuild zov discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

stealc

Botnet

jopa

http://65.21.175.0

Attributes

url_path
/108e010e8f91c38c.php

Extracted

Family

redline

Botnet

LiveTraffoc

4.185.56.82:42687

Extracted

Family

stealc

Botnet

ZOV

http://40.86.87.10

Attributes

url_path
/108e010e8f91c38c.php

Extracted

Family

redline

Botnet

newbuild

185.215.113.67:40960

Extracted

Family

lumma

https://groundsmooors.shop/api

https://potterryisiw.shop/api

https://foodypannyjsud.shop/api

https://contintnetksows.shop/api

https://reinforcedirectorywd.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/852-132-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe	family_redline
behavioral2/memory/1836-198-0x0000000000370000-0x00000000003C0000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplong.exeaxplong.exeaxplong.exee5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplong.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exee5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe

Executes dropped EXE 21 IoCs

Processes:

axplong.exestreamer.exeTpWWMUpe0LEV.exeaxplong.exeFreshbuild.execrypt6.exeHkbsse.exenewlogs.exestealc_zov.exe1.exenewbuild.exerealtekdriver.exerealtekdriver.exeaxplong.exeHkbsse.exeHkbsse.exeaxplong.exeaxplong.exeHkbsse.exeHkbsse.exeaxplong.exe

pid	process
4544	axplong.exe
5044	streamer.exe
4664	TpWWMUpe0LEV.exe
1428	axplong.exe
5024	Freshbuild.exe
4512	crypt6.exe
4856	Hkbsse.exe
2208	newlogs.exe
2712	stealc_zov.exe
4896	1.exe
1836	newbuild.exe
4352	realtekdriver.exe
5480	realtekdriver.exe
5504	axplong.exe
5580	Hkbsse.exe
2888	Hkbsse.exe
168	axplong.exe
4108	axplong.exe
5252	Hkbsse.exe
5560	Hkbsse.exe
5212	axplong.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	axplong.exe

Loads dropped DLL 1 IoCs

Processes:

TpWWMUpe0LEV.exe

pid process

4664 TpWWMUpe0LEV.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4664	TpWWMUpe0LEV.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

realtekdriver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\ScannerService = "C:\\Users\\Admin\\AppData\\Roaming\\ScannerService.exe"	realtekdriver.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 bitbucket.org
3 bitbucket.org
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exe

pid process

2584 e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
4544 axplong.exe
1428 axplong.exe
5504 axplong.exe
168 axplong.exe
4108 axplong.exe
5212 axplong.exe

flow	ioc
2	bitbucket.org
3	bitbucket.org

Suspicious use of SetThreadContext 4 IoCs

Processes:

TpWWMUpe0LEV.execrypt6.exestreamer.exerealtekdriver.exe

description	pid	process	target process
PID 4664 set thread context of 2216	4664	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 4512 set thread context of 852	4512	crypt6.exe	RegAsm.exe
PID 5044 set thread context of 3056	5044	streamer.exe	BitLockerToGo.exe
PID 4352 set thread context of 5480	4352	realtekdriver.exe	realtekdriver.exe

Drops file in Windows directory 3 IoCs

Processes:

e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exeFreshbuild.exerealtekdriver.exe

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
File created	C:\Windows\Tasks\Hkbsse.job	Freshbuild.exe
File created	C:\Windows\Tasks\Test Task17.job	realtekdriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1276 4512 WerFault.exe crypt6.exe
4848 4896 WerFault.exe 1.exe
3844 2216 WerFault.exe aspnet_regiis.exe

pid	pid_target	process	target process
1276	4512	WerFault.exe	crypt6.exe
4848	4896	WerFault.exe	1.exe
3844	2216	WerFault.exe	aspnet_regiis.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aspnet_regiis.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	aspnet_regiis.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_regiis.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exeaxplong.exeaxplong.exeRegAsm.exepowershell.exeaxplong.exeaspnet_regiis.exeaxplong.exeaxplong.exeaxplong.exe

pid	process
2584	e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
2584	e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
4544	axplong.exe
4544	axplong.exe
1428	axplong.exe
1428	axplong.exe
852	RegAsm.exe
852	RegAsm.exe
852	RegAsm.exe
3740	powershell.exe
3740	powershell.exe
3740	powershell.exe
5504	axplong.exe
5504	axplong.exe
2216	aspnet_regiis.exe
2216	aspnet_regiis.exe
168	axplong.exe
168	axplong.exe
4108	axplong.exe
4108	axplong.exe
5212	axplong.exe
5212	axplong.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

realtekdriver.exeRegAsm.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4352 realtekdriver.exe
Token: SeDebugPrivilege 852 RegAsm.exe
Token: SeDebugPrivilege 4352 realtekdriver.exe
Token: SeDebugPrivilege 3740 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4352	realtekdriver.exe
Token: SeDebugPrivilege	852	RegAsm.exe
Token: SeDebugPrivilege	4352	realtekdriver.exe
Token: SeDebugPrivilege	3740	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exeaxplong.exeTpWWMUpe0LEV.exeFreshbuild.execrypt6.exeHkbsse.exestreamer.exerealtekdriver.exe

description	pid	process	target process
PID 2584 wrote to memory of 4544	2584	e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe	axplong.exe
PID 2584 wrote to memory of 4544	2584	e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe	axplong.exe
PID 2584 wrote to memory of 4544	2584	e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe	axplong.exe
PID 4544 wrote to memory of 5044	4544	axplong.exe	streamer.exe
PID 4544 wrote to memory of 5044	4544	axplong.exe	streamer.exe
PID 4544 wrote to memory of 4664	4544	axplong.exe	TpWWMUpe0LEV.exe
PID 4544 wrote to memory of 4664	4544	axplong.exe	TpWWMUpe0LEV.exe
PID 4544 wrote to memory of 4664	4544	axplong.exe	TpWWMUpe0LEV.exe
PID 4664 wrote to memory of 2216	4664	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 4664 wrote to memory of 2216	4664	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 4664 wrote to memory of 2216	4664	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 4664 wrote to memory of 2216	4664	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 4664 wrote to memory of 2216	4664	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 4664 wrote to memory of 2216	4664	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 4664 wrote to memory of 2216	4664	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 4664 wrote to memory of 2216	4664	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 4664 wrote to memory of 2216	4664	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 4544 wrote to memory of 5024	4544	axplong.exe	Freshbuild.exe
PID 4544 wrote to memory of 5024	4544	axplong.exe	Freshbuild.exe
PID 4544 wrote to memory of 5024	4544	axplong.exe	Freshbuild.exe
PID 4544 wrote to memory of 4512	4544	axplong.exe	crypt6.exe
PID 4544 wrote to memory of 4512	4544	axplong.exe	crypt6.exe
PID 4544 wrote to memory of 4512	4544	axplong.exe	crypt6.exe
PID 5024 wrote to memory of 4856	5024	Freshbuild.exe	Hkbsse.exe
PID 5024 wrote to memory of 4856	5024	Freshbuild.exe	Hkbsse.exe
PID 5024 wrote to memory of 4856	5024	Freshbuild.exe	Hkbsse.exe
PID 4512 wrote to memory of 3780	4512	crypt6.exe	RegAsm.exe
PID 4512 wrote to memory of 3780	4512	crypt6.exe	RegAsm.exe
PID 4512 wrote to memory of 3780	4512	crypt6.exe	RegAsm.exe
PID 4512 wrote to memory of 852	4512	crypt6.exe	RegAsm.exe
PID 4512 wrote to memory of 852	4512	crypt6.exe	RegAsm.exe
PID 4512 wrote to memory of 852	4512	crypt6.exe	RegAsm.exe
PID 4512 wrote to memory of 852	4512	crypt6.exe	RegAsm.exe
PID 4512 wrote to memory of 852	4512	crypt6.exe	RegAsm.exe
PID 4512 wrote to memory of 852	4512	crypt6.exe	RegAsm.exe
PID 4512 wrote to memory of 852	4512	crypt6.exe	RegAsm.exe
PID 4512 wrote to memory of 852	4512	crypt6.exe	RegAsm.exe
PID 4544 wrote to memory of 2208	4544	axplong.exe	newlogs.exe
PID 4544 wrote to memory of 2208	4544	axplong.exe	newlogs.exe
PID 4544 wrote to memory of 2208	4544	axplong.exe	newlogs.exe
PID 4544 wrote to memory of 2712	4544	axplong.exe	stealc_zov.exe
PID 4544 wrote to memory of 2712	4544	axplong.exe	stealc_zov.exe
PID 4544 wrote to memory of 2712	4544	axplong.exe	stealc_zov.exe
PID 4856 wrote to memory of 4896	4856	Hkbsse.exe	1.exe
PID 4856 wrote to memory of 4896	4856	Hkbsse.exe	1.exe
PID 4856 wrote to memory of 4896	4856	Hkbsse.exe	1.exe
PID 4544 wrote to memory of 1836	4544	axplong.exe	newbuild.exe
PID 4544 wrote to memory of 1836	4544	axplong.exe	newbuild.exe
PID 4544 wrote to memory of 1836	4544	axplong.exe	newbuild.exe
PID 4544 wrote to memory of 4352	4544	axplong.exe	realtekdriver.exe
PID 4544 wrote to memory of 4352	4544	axplong.exe	realtekdriver.exe
PID 4544 wrote to memory of 4352	4544	axplong.exe	realtekdriver.exe
PID 5044 wrote to memory of 3056	5044	streamer.exe	BitLockerToGo.exe
PID 5044 wrote to memory of 3056	5044	streamer.exe	BitLockerToGo.exe
PID 5044 wrote to memory of 3056	5044	streamer.exe	BitLockerToGo.exe
PID 5044 wrote to memory of 3056	5044	streamer.exe	BitLockerToGo.exe
PID 5044 wrote to memory of 3056	5044	streamer.exe	BitLockerToGo.exe
PID 4352 wrote to memory of 3740	4352	realtekdriver.exe	powershell.exe
PID 4352 wrote to memory of 3740	4352	realtekdriver.exe	powershell.exe
PID 4352 wrote to memory of 3740	4352	realtekdriver.exe	powershell.exe
PID 4352 wrote to memory of 5480	4352	realtekdriver.exe	realtekdriver.exe
PID 4352 wrote to memory of 5480	4352	realtekdriver.exe	realtekdriver.exe
PID 4352 wrote to memory of 5480	4352	realtekdriver.exe	realtekdriver.exe
PID 4352 wrote to memory of 5480	4352	realtekdriver.exe	realtekdriver.exe

C:\Users\Admin\AppData\Local\Temp\e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
"C:\Users\Admin\AppData\Local\Temp\e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2584

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4544

C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe
"C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
"C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
4⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 756
5⤵
- Program crash
PID:3844

C:\Users\Admin\AppData\Local\Temp\1000125001\Freshbuild.exe
"C:\Users\Admin\AppData\Local\Temp\1000125001\Freshbuild.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5024

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856

C:\Users\Admin\AppData\Local\Temp\1000028001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000028001\1.exe"
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 504
6⤵
- Program crash
PID:4848

C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe
"C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 328
4⤵
- Program crash
PID:1276

C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe
"C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe"
3⤵
- Executes dropped EXE
PID:2208

C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe
"C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe"
3⤵
- Executes dropped EXE
PID:2712

C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe
"C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe"
3⤵
- Executes dropped EXE
PID:1836

C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe
"C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADAAMAAxADMANQAwADAAMQBcAHIAZQBhAGwAdABlAGsAZAByAGkAdgBlAHIALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAHIAZQBhAGwAdABlAGsAZAByAGkAdgBlAHIALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAFMAYwBhAG4AbgBlAHIAUwBlAHIAdgBpAGMAZQAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAUwBjAGEAbgBuAGUAcgBTAGUAcgB2AGkAYwBlAC4AZQB4AGUA
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe
"C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5480

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1428

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5504

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5580

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:2888

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:168

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4108

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5252

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5212

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5560

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000028001\1.exe
Filesize
240KB

MD5
b5b04a1ea6d55d9b62d90de0d89a0199

SHA1
567cb7d6182173e4a00356bd7d770c2625cfc0f5

SHA256
5c14b695450b36c84924c067f8e38374ca05d814293d26ca2e0d0ac02ec4eaa8

SHA512
d398d441e71bf1176a12e8834674d3c19e95c29824ffc718acb4bc114d7318b7bc6d859dd60710062150142afa4336acd8fbb5c5a600465c4799b833cc9bacef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe
Filesize
6.2MB

MD5
b9265c31743db2e9698a08df7b0c5e9d

SHA1
aa01367b13f827a5773d0781692809ae175bc718

SHA256
b2a10d42ed9b902a6a4a40b47da8448c9fa61f268f3ffb37d08bd5f5e213a0af

SHA512
1678d62ad17ce27394599f2835f3c1f209f544fdfae4c54034e7da06936768fe487a55811d9f0919018113af50153437ea0631968814910db69df0ffda36a133

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
Filesize
1.2MB

MD5
242214131486132e33ceda794d66ca1f

SHA1
4ce34fd91f5c9e35b8694007b286635663ef9bf2

SHA256
bac402b5749b2da2211db6d2404c1c621ccd0c2e5d492eb6f973b3e2d38dd361

SHA512
031e0904d949cec515f2d6f2b5e4b9c0df03637787ff14f20c58e711c54eec77d1f22aa0cf0f6efd65362c1fc0066645d5d005c6a77fe5b169427cdd42555d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000115001\build.exe
Filesize
26KB

MD5
a5ff7cd55cdc3a6ac2b92921e077af48

SHA1
06b92c48dc2274012cab6f1cc1cb90c37d9bd295

SHA256
1668caa20d824d4a448e8847f14e1f57fcb01b3da432b78e95c85c29a833577c

SHA512
3dc75cda233b7727726090e9bde331c784b0384afde76b393b90df950cb1f2171d41767c9238c0e32bb455c8c0ed7cb89523b197dbed1ee4bd860e37a4717c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000116001\FILE1.exe
Filesize
26KB

MD5
72b1f323bf152711ab422044c089a33f

SHA1
2e1aa28d553e54331d4d90a8dfddcaef7da71f61

SHA256
5761dc942ec9b0c00dd9aa179a04c458b9e9fc738d093a376b97a6e199b71833

SHA512
429150a8e81d17329bb9823fd8cafb56f2529ac3668d79bed149b6170a74c68b6ea30f4c7dcbbc67821ef2455807e4ff5b2ad4f3e0bc0838950001efac4f67f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000125001\Freshbuild.exe
Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe
Filesize
512KB

MD5
a957dc16d684fbd7e12fc87e8ee12fea

SHA1
20c73ccfdba13fd9b79c9e02432be39e48e4b37d

SHA256
071b6c448d2546dea8caed872fca0d002f59a6b9849f0de2a565fc74b487fa37

SHA512
fd6982587fba779d6febb84dfa65ec3e048e17733c2f01b61996bedb170bb4bb1cbb822c0dd2cf44a7e601373abaf499885b13b7957dd2a307bbd8f2120e9b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe
Filesize
297KB

MD5
0970456d2e2bcb36f49d23f5f2eec4ce

SHA1
1e427bbeb209b636371d17801b14fabff87921be

SHA256
264db4d677606c95912a93a457675d5ebaa24dc886da8bbcb800fe831c540a54

SHA512
43c233e6c6fb20ee5830672f68eec2a1930aff6c3da185b7af56ede90970041157755b8893a86336711c8ba8cbe3f22818de8ddc1789ed65a7aacd596771909e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe
Filesize
158KB

MD5
253ccac8a47b80287f651987c0c779ea

SHA1
11db405849dbaa9b3759de921835df20fab35bc3

SHA256
262a400b339deea5089433709ce559d23253e23d23c07595b515755114147e2f

SHA512
af40e01bc3d36baf47eba1d5d6406220dfbcc52c6123dd8450e709fed3e72bed82aac6257fa7bdf7dd774f182919a5051e9712b2e7f1329defd0b159cb08385d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe
Filesize
297KB

MD5
9ab4de8b2f2b99f009d32aa790cd091b

SHA1
a86b16ee4676850bac14c50ee698a39454d0231e

SHA256
8a254344702dc6560312a8028e08f844b16804b1fbf4c438c3ca5058d7b65ea1

SHA512
a79341ec3407529daa0384de4cac25b665d3b0cb81e52ecada0ebfe37d7616b16da96b47b04f50ce0a6e46d5fced3298a459f78a087c6b6eac4ed444434c5fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe
Filesize
2.1MB

MD5
662404ed188bfab5386fc73a0a7732d4

SHA1
79ccf9c9015384fe6d7b0245720a2a59a27cebfb

SHA256
601c31115b7c8db7e45d8a4386252f8b4a09d49b7d55eb25c9c49932828d718c

SHA512
ae90c377177528db849026192e93b0558e0ea5e84953b61e591910c69d2453f5fb73cc431853531bbf6a5c33e2a711620ca6e8e6f061eab7f93f5a8f1caf46d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize
1.9MB

MD5
5ad5e4f1f3126c5d6cfdbfbbe5597c84

SHA1
47b46cbe987e0e33c9d23f4c6cc304d116e5e80f

SHA256
e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0

SHA512
8c58379f3107cc67944d003df964f123848c9e7b55edbda3d256915cbbf666fa62e8878bb0c091c84e0057fe5097fef8e3eb49f2382519dc4a06f31a4c37b163

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbfxle2z.2tq.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\Users\Admin\AppData\Roaming\d3d9.dll
Filesize
279KB

MD5
8fa26f1e37d3ff7f736fc93d520bc8ab

SHA1
ad532e1cb4a1b3cd82c7a85647f8f6dd99833bb1

SHA256
6c47da8fbd12f22d7272fbf223e054bf5093c0922d0e8fb7d6289a5913c2e45d

SHA512
8a0b53cbc3a20e2f0fd41c486b1af1fbbcf7f2fed9f7368b672a07f25faaa2568bbdbcf0841233ac8c473a4d1dee099e90bf6098a6fa15e44b8526efdafc1287

Download Submit
memory/168-5422-0x0000000001320000-0x00000000017F8000-memory.dmp

Filesize
4.8MB

Download
memory/852-145-0x0000000007A50000-0x0000000007B5A000-memory.dmp

Filesize
1.0MB

Download
memory/852-136-0x00000000061F0000-0x00000000067F6000-memory.dmp

Filesize
6.0MB

Download
memory/852-151-0x00000000079C0000-0x0000000007A0B000-memory.dmp

Filesize
300KB

Download
memory/852-150-0x0000000007980000-0x00000000079BE000-memory.dmp

Filesize
248KB

Download
memory/852-5092-0x0000000008B00000-0x0000000008CC2000-memory.dmp

Filesize
1.8MB

Download
memory/852-310-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/852-146-0x00000000061C0000-0x00000000061D2000-memory.dmp

Filesize
72KB

Download
memory/852-1266-0x00000000088E0000-0x0000000008930000-memory.dmp

Filesize
320KB

Download
memory/852-5093-0x0000000009200000-0x000000000972C000-memory.dmp

Filesize
5.2MB

Download
memory/852-132-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/852-133-0x00000000052E0000-0x00000000057DE000-memory.dmp

Filesize
5.0MB

Download
memory/852-134-0x0000000004DE0000-0x0000000004E72000-memory.dmp

Filesize
584KB

Download
memory/852-135-0x0000000004DA0000-0x0000000004DAA000-memory.dmp

Filesize
40KB

Download
memory/1428-110-0x0000000001320000-0x00000000017F8000-memory.dmp

Filesize
4.8MB

Download
memory/1428-84-0x0000000001320000-0x00000000017F8000-memory.dmp

Filesize
4.8MB

Download
memory/1836-198-0x0000000000370000-0x00000000003C0000-memory.dmp

Filesize
320KB

Download
memory/2216-72-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2216-68-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2584-5-0x0000000001090000-0x0000000001568000-memory.dmp

Filesize
4.8MB

Download
memory/2584-13-0x0000000001090000-0x0000000001568000-memory.dmp

Filesize
4.8MB

Download
memory/2584-3-0x0000000001090000-0x0000000001568000-memory.dmp

Filesize
4.8MB

Download
memory/2584-2-0x0000000001091000-0x00000000010BF000-memory.dmp

Filesize
184KB

Download
memory/2584-1-0x0000000077854000-0x0000000077855000-memory.dmp

Filesize
4KB

Download
memory/2584-0-0x0000000001090000-0x0000000001568000-memory.dmp

Filesize
4.8MB

Download
memory/2712-164-0x0000000001000000-0x000000000123C000-memory.dmp

Filesize
2.2MB

Download
memory/2712-5463-0x0000000001000000-0x000000000123C000-memory.dmp

Filesize
2.2MB

Download
memory/3740-5355-0x0000000009BE0000-0x0000000009BE8000-memory.dmp

Filesize
32KB

Download
memory/3740-5150-0x000000006BB90000-0x000000006BBDB000-memory.dmp

Filesize
300KB

Download
memory/3740-5149-0x0000000009940000-0x0000000009973000-memory.dmp

Filesize
204KB

Download
memory/3740-5151-0x0000000009920000-0x000000000993E000-memory.dmp

Filesize
120KB

Download
memory/3740-5130-0x0000000008860000-0x00000000088D6000-memory.dmp

Filesize
472KB

Download
memory/3740-5129-0x0000000008590000-0x00000000085AC000-memory.dmp

Filesize
112KB

Download
memory/3740-5128-0x0000000008240000-0x0000000008590000-memory.dmp

Filesize
3.3MB

Download
memory/3740-5127-0x00000000081D0000-0x0000000008236000-memory.dmp

Filesize
408KB

Download
memory/3740-5126-0x00000000077B0000-0x00000000077D2000-memory.dmp

Filesize
136KB

Download
memory/3740-5125-0x0000000007940000-0x0000000007F68000-memory.dmp

Filesize
6.2MB

Download
memory/3740-5123-0x0000000004D40000-0x0000000004D76000-memory.dmp

Filesize
216KB

Download
memory/3740-5156-0x0000000009A70000-0x0000000009B15000-memory.dmp

Filesize
660KB

Download
memory/3740-5157-0x0000000009C50000-0x0000000009CE4000-memory.dmp

Filesize
592KB

Download
memory/3740-5350-0x0000000009BF0000-0x0000000009C0A000-memory.dmp

Filesize
104KB

Download
memory/4108-5450-0x0000000001320000-0x00000000017F8000-memory.dmp

Filesize
4.8MB

Download
memory/4352-254-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-252-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-236-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-232-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-230-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-226-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-224-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-244-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-234-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-228-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-223-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-264-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-268-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-278-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-246-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-276-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-274-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-272-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-266-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-262-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-270-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-248-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-5091-0x0000000006E40000-0x0000000006E8C000-memory.dmp

Filesize
304KB

Download
memory/4352-5090-0x0000000006DE0000-0x0000000006E3A000-memory.dmp

Filesize
360KB

Download
memory/4352-250-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-242-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-5113-0x0000000007880000-0x00000000078D4000-memory.dmp

Filesize
336KB

Download
memory/4352-256-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-258-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-260-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-240-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-238-0x00000000068B0000-0x0000000006AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4352-222-0x00000000068B0000-0x0000000006ACC000-memory.dmp

Filesize
2.1MB

Download
memory/4352-221-0x0000000005560000-0x000000000577A000-memory.dmp

Filesize
2.1MB

Download
memory/4352-217-0x0000000000A00000-0x0000000000C26000-memory.dmp

Filesize
2.1MB

Download
memory/4544-18-0x0000000001320000-0x00000000017F8000-memory.dmp

Filesize
4.8MB

Download
memory/4544-17-0x0000000001320000-0x00000000017F8000-memory.dmp

Filesize
4.8MB

Download
memory/4544-218-0x0000000001320000-0x00000000017F8000-memory.dmp

Filesize
4.8MB

Download
memory/4544-220-0x0000000001320000-0x00000000017F8000-memory.dmp

Filesize
4.8MB

Download
memory/4544-120-0x0000000001320000-0x00000000017F8000-memory.dmp

Filesize
4.8MB

Download
memory/4544-47-0x0000000001320000-0x00000000017F8000-memory.dmp

Filesize
4.8MB

Download
memory/4544-15-0x0000000001320000-0x00000000017F8000-memory.dmp

Filesize
4.8MB

Download
memory/4544-16-0x0000000001321000-0x000000000134F000-memory.dmp

Filesize
184KB

Download
memory/4664-61-0x0000000000410000-0x0000000000542000-memory.dmp

Filesize
1.2MB

Download
memory/5044-219-0x00007FF673AB0000-0x00007FF674146000-memory.dmp

Filesize
6.6MB

Download
memory/5212-5478-0x0000000001320000-0x00000000017F8000-memory.dmp

Filesize
4.8MB

Download
memory/5212-5480-0x0000000001320000-0x00000000017F8000-memory.dmp

Filesize
4.8MB

Download
memory/5504-5393-0x0000000001320000-0x00000000017F8000-memory.dmp

Filesize
4.8MB

Download
memory/5504-5391-0x0000000001320000-0x00000000017F8000-memory.dmp

Filesize
4.8MB

Download