amadey | 88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42

Analysis

max time kernel
144s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
06/02/2023, 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42.exe
Size

632KB
MD5

e99e1cf3f2b55445917752c1efbecfbb
SHA1

b4bdac7cfefdcdf0b2ffb7856d51ed9c23eb0652
SHA256

88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42
SHA512

9c133a58130f7b770193a0c0ce65ca67f7e6e64935f1c35e2689f769f7d5e7abafa19d4a5e6f134ab2ca55b8138c151041ebecec37b32b3efee64c31d729608f
SSDEEP

12288:kMrKy90CNNT060tPmTq0p8egEJl6kK5LiSl6WYoU41JAOvDyVe6i83:OyRzY60t+O0p8eguQj8gq4Ppr83

Score

10^/10

amadey redline rhadamanthys bilod ringo ringo1 temposs6678 discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

8.9.31.171:21237

Attributes

auth_value
a45e539240f6577c0a8f730c3eef20a1

Extracted

Family

redline

Botnet

bilod

193.233.20.7:4138

Attributes

auth_value
407a8c8d5a1f9a3348afc8c6b0155512

Extracted

Family

amadey

Version

3.66

62.204.41.5/Bu58Ngs/index.php

62.204.41.88/9vdVVVjsw/index.php

Extracted

Family

redline

Botnet

temposs6678

82.115.223.9:15486

Attributes

auth_value
af399e6a2fe66f67025541cf71c64313

Extracted

Family

redline

Botnet

ringo

176.113.115.16:4122

Attributes

auth_value
b8f864b25d84b5ed5591e4bfa647cdbe

Extracted

Family

redline

Botnet

ringo1

176.113.115.16:4122

Attributes

auth_value
373b070fb57b7689445f097000cbd6c2

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect rhadamanthys stealer shellcode 3 IoCs

resource	yara_rule
behavioral1/memory/5052-1050-0x00000000001D0000-0x00000000001ED000-memory.dmp	family_rhadamanthys
behavioral1/memory/5052-1419-0x0000000002410000-0x0000000003410000-memory.dmp	family_rhadamanthys
behavioral1/memory/5052-1633-0x00000000001D0000-0x00000000001ED000-memory.dmp	family_rhadamanthys

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	mika.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	mika.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	mika.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	mika.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	mika.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/3604-274-0x0000000004AA0000-0x0000000004AE6000-memory.dmp	family_redline
behavioral1/memory/3604-280-0x0000000004B20000-0x0000000004B64000-memory.dmp	family_redline
behavioral1/memory/5052-1097-0x0000000002410000-0x0000000003410000-memory.dmp	family_redline
behavioral1/memory/5052-1419-0x0000000002410000-0x0000000003410000-memory.dmp	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Downloads MZ/PE file

Executes dropped EXE 16 IoCs

pid	Process
1440	cJWn.exe
3604	aJWx.exe
5052	mika.exe
3812	vona.exe
1576	mnolyk.exe
4668	zima.exe
4356	ringo1.exe
3184	trebo.exe
5052	trebo1.exe
4192	lebro.exe
344	ringo.exe
4416	nbveek.exe
3868	Renumbered.exe
2092	Renumbered.exe
2292	mnolyk.exe
3644	nbveek.exe

Loads dropped DLL 4 IoCs

pid	Process
4300	rundll32.exe
4508	rundll32.exe
4712	rundll32.exe
3424	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	mika.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cJWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	cJWn.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
5052	trebo1.exe
5052	trebo1.exe
5052	trebo1.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4356 set thread context of 680	4356	ringo1.exe	88
PID 3868 set thread context of 2092	3868	Renumbered.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1800	4712	WerFault.exe	108

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	trebo1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	trebo1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	trebo1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	trebo1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	trebo1.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
216	schtasks.exe
3824	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3604	aJWx.exe
3604	aJWx.exe
5052	mika.exe
5052	mika.exe
3184	trebo.exe
4668	zima.exe
4668	zima.exe
344	ringo.exe
3184	trebo.exe
344	ringo.exe
680	AppLaunch.exe
680	AppLaunch.exe
2092	Renumbered.exe
2092	Renumbered.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3604	aJWx.exe
Token: SeDebugPrivilege	5052	mika.exe
Token: SeDebugPrivilege	4668	zima.exe
Token: SeDebugPrivilege	3184	trebo.exe
Token: SeShutdownPrivilege	5052	trebo1.exe
Token: SeCreatePagefilePrivilege	5052	trebo1.exe
Token: SeDebugPrivilege	344	ringo.exe
Token: SeDebugPrivilege	680	AppLaunch.exe
Token: SeDebugPrivilege	2092	Renumbered.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 1440	2664	88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42.exe	66
PID 2664 wrote to memory of 1440	2664	88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42.exe	66
PID 2664 wrote to memory of 1440	2664	88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42.exe	66
PID 1440 wrote to memory of 3604	1440	cJWn.exe	67
PID 1440 wrote to memory of 3604	1440	cJWn.exe	67
PID 1440 wrote to memory of 3604	1440	cJWn.exe	67
PID 1440 wrote to memory of 5052	1440	cJWn.exe	69
PID 1440 wrote to memory of 5052	1440	cJWn.exe	69
PID 2664 wrote to memory of 3812	2664	88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42.exe	70
PID 2664 wrote to memory of 3812	2664	88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42.exe	70
PID 2664 wrote to memory of 3812	2664	88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42.exe	70
PID 3812 wrote to memory of 1576	3812	vona.exe	71
PID 3812 wrote to memory of 1576	3812	vona.exe	71
PID 3812 wrote to memory of 1576	3812	vona.exe	71
PID 1576 wrote to memory of 216	1576	mnolyk.exe	72
PID 1576 wrote to memory of 216	1576	mnolyk.exe	72
PID 1576 wrote to memory of 216	1576	mnolyk.exe	72
PID 1576 wrote to memory of 340	1576	mnolyk.exe	73
PID 1576 wrote to memory of 340	1576	mnolyk.exe	73
PID 1576 wrote to memory of 340	1576	mnolyk.exe	73
PID 340 wrote to memory of 3864	340	cmd.exe	76
PID 340 wrote to memory of 3864	340	cmd.exe	76
PID 340 wrote to memory of 3864	340	cmd.exe	76
PID 340 wrote to memory of 2752	340	cmd.exe	77
PID 340 wrote to memory of 2752	340	cmd.exe	77
PID 340 wrote to memory of 2752	340	cmd.exe	77
PID 1576 wrote to memory of 4668	1576	mnolyk.exe	78
PID 1576 wrote to memory of 4668	1576	mnolyk.exe	78
PID 1576 wrote to memory of 4668	1576	mnolyk.exe	78
PID 340 wrote to memory of 3716	340	cmd.exe	79
PID 340 wrote to memory of 3716	340	cmd.exe	79
PID 340 wrote to memory of 3716	340	cmd.exe	79
PID 340 wrote to memory of 4016	340	cmd.exe	80
PID 340 wrote to memory of 4016	340	cmd.exe	80
PID 340 wrote to memory of 4016	340	cmd.exe	80
PID 340 wrote to memory of 584	340	cmd.exe	81
PID 340 wrote to memory of 584	340	cmd.exe	81
PID 340 wrote to memory of 584	340	cmd.exe	81
PID 1576 wrote to memory of 4356	1576	mnolyk.exe	82
PID 1576 wrote to memory of 4356	1576	mnolyk.exe	82
PID 1576 wrote to memory of 4356	1576	mnolyk.exe	82
PID 1576 wrote to memory of 3184	1576	mnolyk.exe	84
PID 1576 wrote to memory of 3184	1576	mnolyk.exe	84
PID 1576 wrote to memory of 3184	1576	mnolyk.exe	84
PID 1576 wrote to memory of 5052	1576	mnolyk.exe	85
PID 1576 wrote to memory of 5052	1576	mnolyk.exe	85
PID 1576 wrote to memory of 5052	1576	mnolyk.exe	85
PID 1576 wrote to memory of 4192	1576	mnolyk.exe	86
PID 1576 wrote to memory of 4192	1576	mnolyk.exe	86
PID 1576 wrote to memory of 4192	1576	mnolyk.exe	86
PID 1576 wrote to memory of 344	1576	mnolyk.exe	87
PID 1576 wrote to memory of 344	1576	mnolyk.exe	87
PID 1576 wrote to memory of 344	1576	mnolyk.exe	87
PID 4356 wrote to memory of 680	4356	ringo1.exe	88
PID 4356 wrote to memory of 680	4356	ringo1.exe	88
PID 4356 wrote to memory of 680	4356	ringo1.exe	88
PID 4356 wrote to memory of 680	4356	ringo1.exe	88
PID 4356 wrote to memory of 680	4356	ringo1.exe	88
PID 340 wrote to memory of 4124	340	cmd.exe	89
PID 340 wrote to memory of 4124	340	cmd.exe	89
PID 340 wrote to memory of 4124	340	cmd.exe	89
PID 4192 wrote to memory of 4416	4192	lebro.exe	90
PID 4192 wrote to memory of 4416	4192	lebro.exe	90
PID 4192 wrote to memory of 4416	4192	lebro.exe	90

C:\Users\Admin\AppData\Local\Temp\88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42.exe
"C:\Users\Admin\AppData\Local\Temp\88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cJWn.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cJWn.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aJWx.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aJWx.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3604
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5052
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
    "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:216
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3864
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "mnolyk.exe" /P "Admin:N"
        5⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "mnolyk.exe" /P "Admin:R" /E
        5⤵
        
        PID:3716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4016
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5eb6b96734" /P "Admin:N"
        5⤵
        
        PID:584
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5eb6b96734" /P "Admin:R" /E
        5⤵
        
        PID:4124
  - - C:\Users\Admin\AppData\Local\Temp\1000004001\zima.exe
      "C:\Users\Admin\AppData\Local\Temp\1000004001\zima.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4668
  - - C:\Users\Admin\AppData\Local\Temp\1000005001\ringo1.exe
      "C:\Users\Admin\AppData\Local\Temp\1000005001\ringo1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
  - - C:\Users\Admin\AppData\Local\Temp\1000006001\trebo.exe
      "C:\Users\Admin\AppData\Local\Temp\1000006001\trebo.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3184
  - - C:\Users\Admin\AppData\Local\Temp\1000007001\trebo1.exe
      "C:\Users\Admin\AppData\Local\Temp\1000007001\trebo1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:5052
  - - C:\Users\Admin\AppData\Local\Temp\1000008001\lebro.exe
      "C:\Users\Admin\AppData\Local\Temp\1000008001\lebro.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4192
    - - C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"
        5⤵
        Executes dropped EXE
        
        PID:4416
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3824
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:N"
        7⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:R" /E
        7⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\9e0894bcc4" /P "Admin:N"
        7⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\9e0894bcc4" /P "Admin:R" /E
        7⤵
        
        PID:1936
      - C:\Users\Admin\AppData\Local\Temp\1000187001\Renumbered.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000187001\Renumbered.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\1000187001\Renumbered.exe
        
        C:\Users\Admin\AppData\Local\Temp\1000187001\Renumbered.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:4508
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:4712
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4712 -s 648
        8⤵
        Program crash
        
        PID:1800
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:3424
  - - C:\Users\Admin\AppData\Local\Temp\1000009001\ringo.exe
      "C:\Users\Admin\AppData\Local\Temp\1000009001\ringo.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:344
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4300

C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
1⤵
- Executes dropped EXE
PID:2292

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
1⤵
- Executes dropped EXE
PID:3644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Renumbered.exe.log

Filesize
1KB

MD5
8268d0ebb3b023f56d9a27f3933f124f

SHA1
def43e831ca0fcbc1df8a1e11a41fe3ea1734f3b

SHA256
2fdfee92c5ce81220a0b66cf0ec1411c923d48ae89232406c237e1bc5204392d

SHA512
c61c2f8df84e4bbcb6f871befd4dde44188cf106c4af91a56b33a45692b83d1c52a953477f14f4239726b66ecab66842e910c2996631137355a4aba4ea793c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\zima.exe

Filesize
406KB

MD5
a3ea7ddc9568c1c7fc4bc205e0714a40

SHA1
e8328c960e000c606b36a3887bc5d154afcfc141

SHA256
b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4

SHA512
279e2caf4085de062f07efa10378fb010f382abb0c555b6f56c7439317b5fff7c8ab3a7646620b6e8834647acba78ee06cd5a4bd377dffc41303448c89dcbf8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\zima.exe

Filesize
406KB

MD5
a3ea7ddc9568c1c7fc4bc205e0714a40

SHA1
e8328c960e000c606b36a3887bc5d154afcfc141

SHA256
b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4

SHA512
279e2caf4085de062f07efa10378fb010f382abb0c555b6f56c7439317b5fff7c8ab3a7646620b6e8834647acba78ee06cd5a4bd377dffc41303448c89dcbf8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\ringo1.exe

Filesize
3.6MB

MD5
3db5b3c6e6e98e56271d016946d638c9

SHA1
e5af6fc83bdb31f02d81614fe3d5152c2c0be13e

SHA256
e6c73532d36c90b32f2e7633fd41cefad7d4b87292f6b60a41ad24e859ecbca1

SHA512
3af665c9546dd342f13696e807e2f66ebabad92e5e6cff3d50ae0860af5dd1398826ec936dbc37a42521c74750094decd139c01f7906b9a9fb808641dcb4f9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\ringo1.exe

Filesize
3.6MB

MD5
3db5b3c6e6e98e56271d016946d638c9

SHA1
e5af6fc83bdb31f02d81614fe3d5152c2c0be13e

SHA256
e6c73532d36c90b32f2e7633fd41cefad7d4b87292f6b60a41ad24e859ecbca1

SHA512
3af665c9546dd342f13696e807e2f66ebabad92e5e6cff3d50ae0860af5dd1398826ec936dbc37a42521c74750094decd139c01f7906b9a9fb808641dcb4f9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\trebo.exe

Filesize
175KB

MD5
acf54cfad4852b63202ba4b97effdd9e

SHA1
cc7456e4b78957fc2d013cec39b30ea7ed8dbaa2

SHA256
f4bfa9f592a953ba496c92d14b1ef1698ada62b9cb547e6a0843ced061fb6e8e

SHA512
d9f3d31b55b60f9f09dd7fe26f0f40db21db9b3253fef1c416ced30bab396d161e89375096032311f6c4199fabd156f75670fd6598789868bd8cf1e9f463699b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\trebo.exe

Filesize
175KB

MD5
acf54cfad4852b63202ba4b97effdd9e

SHA1
cc7456e4b78957fc2d013cec39b30ea7ed8dbaa2

SHA256
f4bfa9f592a953ba496c92d14b1ef1698ada62b9cb547e6a0843ced061fb6e8e

SHA512
d9f3d31b55b60f9f09dd7fe26f0f40db21db9b3253fef1c416ced30bab396d161e89375096032311f6c4199fabd156f75670fd6598789868bd8cf1e9f463699b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\trebo1.exe

Filesize
220KB

MD5
4b304313bfc0ce7e21da7ae0d3c82c39

SHA1
60745879faa3544b3a884843e368e668acbb6fa9

SHA256
623839847e3aa9ceda27ced8b2b29b2d4545384bc3a322eaeedd04d5d04b65bd

SHA512
2da2ec584ccde77ec35cab398272e60ec69eda24491030119110f0e389067d322cd08a04a3bdbbbeff85f43c0d739ae10a6a549e2d7a14854d1109db8d313001

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\trebo1.exe

Filesize
220KB

MD5
4b304313bfc0ce7e21da7ae0d3c82c39

SHA1
60745879faa3544b3a884843e368e668acbb6fa9

SHA256
623839847e3aa9ceda27ced8b2b29b2d4545384bc3a322eaeedd04d5d04b65bd

SHA512
2da2ec584ccde77ec35cab398272e60ec69eda24491030119110f0e389067d322cd08a04a3bdbbbeff85f43c0d739ae10a6a549e2d7a14854d1109db8d313001

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\lebro.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\lebro.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\ringo.exe

Filesize
175KB

MD5
c76e3716d9d343b0872cf797ce01f709

SHA1
0417c50355a6bad66d259b3f13a9a60909456eee

SHA256
303f13b5ed84a78dc78632d8cee77b8908e102729678e876cbe152546b28b128

SHA512
5da6e027f25f2ff1b28a0e36f07b185fe7b2c83d3620eef08eb2fc94dda7bf432ff9d719ab6bb0ab5f1acc5efc99af9d78236fc9d2db78f6adfac69020b63151

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\ringo.exe

Filesize
175KB

MD5
c76e3716d9d343b0872cf797ce01f709

SHA1
0417c50355a6bad66d259b3f13a9a60909456eee

SHA256
303f13b5ed84a78dc78632d8cee77b8908e102729678e876cbe152546b28b128

SHA512
5da6e027f25f2ff1b28a0e36f07b185fe7b2c83d3620eef08eb2fc94dda7bf432ff9d719ab6bb0ab5f1acc5efc99af9d78236fc9d2db78f6adfac69020b63151

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000187001\Renumbered.exe

Filesize
897KB

MD5
c1c43012aff2576fe55079a8c4571e0a

SHA1
26ba36a18e7614a057bbc0e537afa4e17900c651

SHA256
69e92aca5216819f5ae97a6461c3e8d125421af08fab8b68acb69755a715fe8f

SHA512
928595e3a16357d12a2962de4e3dca91b987a0a240389c537799025a15ea7777df31a7df8887ee919c0e29758cf652d7e9f4931a208ce67ca5f29b37f90c6a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000187001\Renumbered.exe

Filesize
897KB

MD5
c1c43012aff2576fe55079a8c4571e0a

SHA1
26ba36a18e7614a057bbc0e537afa4e17900c651

SHA256
69e92aca5216819f5ae97a6461c3e8d125421af08fab8b68acb69755a715fe8f

SHA512
928595e3a16357d12a2962de4e3dca91b987a0a240389c537799025a15ea7777df31a7df8887ee919c0e29758cf652d7e9f4931a208ce67ca5f29b37f90c6a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000187001\Renumbered.exe

Filesize
897KB

MD5
c1c43012aff2576fe55079a8c4571e0a

SHA1
26ba36a18e7614a057bbc0e537afa4e17900c651

SHA256
69e92aca5216819f5ae97a6461c3e8d125421af08fab8b68acb69755a715fe8f

SHA512
928595e3a16357d12a2962de4e3dca91b987a0a240389c537799025a15ea7777df31a7df8887ee919c0e29758cf652d7e9f4931a208ce67ca5f29b37f90c6a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe

Filesize
236KB

MD5
fde8915d251fada3a37530421eb29dcf

SHA1
44386a8947ddfab993409945dae05a772a13e047

SHA256
6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

SHA512
ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe

Filesize
236KB

MD5
fde8915d251fada3a37530421eb29dcf

SHA1
44386a8947ddfab993409945dae05a772a13e047

SHA256
6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

SHA512
ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe

Filesize
236KB

MD5
fde8915d251fada3a37530421eb29dcf

SHA1
44386a8947ddfab993409945dae05a772a13e047

SHA256
6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

SHA512
ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cJWn.exe

Filesize
445KB

MD5
a61b93662313b604b8bbfbb2ce7c8ff1

SHA1
7305a2f5808b82010e7b2b7933376f025e8e8a56

SHA256
71b1905949105b43e02f64e5023835bca1e23cba0d25e79fba27fceaeabb0357

SHA512
0379790272ac68d2d4d85cac6026645797f1c73e6584b26cc1ab362c9cd0871ff3d3297473518471794662908f3a553caa33b76311bb77235c84899bb6256217

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cJWn.exe

Filesize
445KB

MD5
a61b93662313b604b8bbfbb2ce7c8ff1

SHA1
7305a2f5808b82010e7b2b7933376f025e8e8a56

SHA256
71b1905949105b43e02f64e5023835bca1e23cba0d25e79fba27fceaeabb0357

SHA512
0379790272ac68d2d4d85cac6026645797f1c73e6584b26cc1ab362c9cd0871ff3d3297473518471794662908f3a553caa33b76311bb77235c84899bb6256217

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exe

Filesize
236KB

MD5
fde8915d251fada3a37530421eb29dcf

SHA1
44386a8947ddfab993409945dae05a772a13e047

SHA256
6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

SHA512
ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exe

Filesize
236KB

MD5
fde8915d251fada3a37530421eb29dcf

SHA1
44386a8947ddfab993409945dae05a772a13e047

SHA256
6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

SHA512
ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aJWx.exe

Filesize
406KB

MD5
a3ea7ddc9568c1c7fc4bc205e0714a40

SHA1
e8328c960e000c606b36a3887bc5d154afcfc141

SHA256
b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4

SHA512
279e2caf4085de062f07efa10378fb010f382abb0c555b6f56c7439317b5fff7c8ab3a7646620b6e8834647acba78ee06cd5a4bd377dffc41303448c89dcbf8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aJWx.exe

Filesize
406KB

MD5
a3ea7ddc9568c1c7fc4bc205e0714a40

SHA1
e8328c960e000c606b36a3887bc5d154afcfc141

SHA256
b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4

SHA512
279e2caf4085de062f07efa10378fb010f382abb0c555b6f56c7439317b5fff7c8ab3a7646620b6e8834647acba78ee06cd5a4bd377dffc41303448c89dcbf8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
9221a421a3e777eb7d4ce55e474bcc4a

SHA1
c96d7bd7ccbf9352d50527bff472595b3dc5298e

SHA256
10ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8

SHA512
63ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
e1fe62c436de6b2c3bf0fd32e0f779c1

SHA1
dbaadf172ed878592ae299e27eb98e2614b7b36b

SHA256
3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405

SHA512
e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
9221a421a3e777eb7d4ce55e474bcc4a

SHA1
c96d7bd7ccbf9352d50527bff472595b3dc5298e

SHA256
10ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8

SHA512
63ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
e1fe62c436de6b2c3bf0fd32e0f779c1

SHA1
dbaadf172ed878592ae299e27eb98e2614b7b36b

SHA256
3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405

SHA512
e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
memory/344-1019-0x0000000000390000-0x00000000003C2000-memory.dmp

Filesize
200KB

Download
memory/680-1084-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1440-170-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/1440-182-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/1440-168-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/1440-169-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/1440-185-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/1440-172-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/1440-173-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/1440-176-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/1440-177-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/1440-179-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/1440-180-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/1440-183-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/1440-184-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/1440-181-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/1440-178-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/1440-175-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/1440-186-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/1440-171-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2092-1657-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2664-150-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-143-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-165-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-163-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-162-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-161-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-160-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-121-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-159-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-158-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-157-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-156-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-154-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-155-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-153-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-152-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-151-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-148-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-149-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-122-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-147-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-120-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-146-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-145-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-144-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-164-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-142-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-123-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-124-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-141-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-140-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-139-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-138-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-137-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-136-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-135-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-134-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-125-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-133-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-132-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-131-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-129-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-130-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-128-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-127-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-126-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/3184-837-0x0000000000A30000-0x0000000000A62000-memory.dmp

Filesize
200KB

Download
memory/3184-929-0x0000000005470000-0x00000000054BB000-memory.dmp

Filesize
300KB

Download
memory/3604-319-0x0000000006E60000-0x0000000006EB0000-memory.dmp

Filesize
320KB

Download
memory/3604-291-0x00000000050D0000-0x00000000056D6000-memory.dmp

Filesize
6.0MB

Download
memory/3604-303-0x0000000000480000-0x00000000005CA000-memory.dmp

Filesize
1.3MB

Download
memory/3604-304-0x0000000005BA0000-0x0000000005C32000-memory.dmp

Filesize
584KB

Download
memory/3604-298-0x0000000005A40000-0x0000000005A8B000-memory.dmp

Filesize
300KB

Download
memory/3604-265-0x0000000000832000-0x0000000000861000-memory.dmp

Filesize
188KB

Download
memory/3604-296-0x0000000005900000-0x000000000593E000-memory.dmp

Filesize
248KB

Download
memory/3604-294-0x00000000058A0000-0x00000000058B2000-memory.dmp

Filesize
72KB

Download
memory/3604-306-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/3604-266-0x0000000000480000-0x00000000005CA000-memory.dmp

Filesize
1.3MB

Download
memory/3604-267-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3604-274-0x0000000004AA0000-0x0000000004AE6000-memory.dmp

Filesize
280KB

Download
memory/3604-278-0x0000000004BD0000-0x00000000050CE000-memory.dmp

Filesize
5.0MB

Download
memory/3604-292-0x0000000005760000-0x000000000586A000-memory.dmp

Filesize
1.0MB

Download
memory/3604-314-0x0000000006440000-0x0000000006602000-memory.dmp

Filesize
1.8MB

Download
memory/3604-325-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3604-324-0x0000000000832000-0x0000000000861000-memory.dmp

Filesize
188KB

Download
memory/3604-280-0x0000000004B20000-0x0000000004B64000-memory.dmp

Filesize
272KB

Download
memory/3604-302-0x0000000000832000-0x0000000000861000-memory.dmp

Filesize
188KB

Download
memory/3604-318-0x0000000006DE0000-0x0000000006E56000-memory.dmp

Filesize
472KB

Download
memory/3604-315-0x0000000006630000-0x0000000006B5C000-memory.dmp

Filesize
5.2MB

Download
memory/3868-1404-0x00000000056F0000-0x0000000005A40000-memory.dmp

Filesize
3.3MB

Download
memory/3868-1399-0x0000000000C40000-0x0000000000D26000-memory.dmp

Filesize
920KB

Download
memory/4668-1317-0x0000000000762000-0x0000000000791000-memory.dmp

Filesize
188KB

Download
memory/4668-963-0x0000000001FE0000-0x000000000202B000-memory.dmp

Filesize
300KB

Download
memory/4668-959-0x0000000000762000-0x0000000000791000-memory.dmp

Filesize
188KB

Download
memory/4668-1934-0x0000000000762000-0x0000000000791000-memory.dmp

Filesize
188KB

Download
memory/4668-1935-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4668-968-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5052-1097-0x0000000002410000-0x0000000003410000-memory.dmp

Filesize
16.0MB

Download
memory/5052-1044-0x0000000000440000-0x00000000004EE000-memory.dmp

Filesize
696KB

Download
memory/5052-1050-0x00000000001D0000-0x00000000001ED000-memory.dmp

Filesize
116KB

Download
memory/5052-1389-0x0000000000440000-0x00000000004EE000-memory.dmp

Filesize
696KB

Download
memory/5052-1633-0x00000000001D0000-0x00000000001ED000-memory.dmp

Filesize
116KB

Download
memory/5052-329-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/5052-1419-0x0000000002410000-0x0000000003410000-memory.dmp

Filesize
16.0MB

Download