amadey | 55f86bd3f085fbeabe5d1eef7b6066ecd3bab1024dcbdb2bfce2f0179d7b4f2f

Analysis

max time kernel
125s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55f86bd3f085fbeabe5d1eef7b6066ecd3bab1024dcbdb2bfce2f0179d7b4f2f.exe
Size

999KB
MD5

be00553c8f4563d93f58977efa16bb48
SHA1

fbe3beab6390b01ee2840a40141165d50bace271
SHA256

55f86bd3f085fbeabe5d1eef7b6066ecd3bab1024dcbdb2bfce2f0179d7b4f2f
SHA512

d6e636913da4fb0ad84743a22ce21131d4ab4fc775ef2529ae20b5c42b814e6922cf594653c2ac91c0ac1c7b5482b5527e41c88b26214729ccb317315a0f7f19
SSDEEP

24576:4yKO+5hICs+ZjGb5jVNAFhthYpdGCRNxiddGW9xv3oEX2:/EhICs+ZSbn+FhtKz08W7

Score

10^/10

amadey aurora redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Extracted

Family

aurora

212.87.204.93:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz1463.exev3305wf.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz1463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v3305wf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v3305wf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v3305wf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v3305wf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz1463.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz1463.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz1463.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v3305wf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz1463.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz1463.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v3305wf.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1996-209-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/1996-210-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/1996-212-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/1996-214-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/1996-216-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/1996-218-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/1996-220-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/1996-222-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/1996-224-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/1996-226-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/1996-228-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/1996-230-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/1996-232-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/1996-234-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/1996-238-0x0000000004BA0000-0x0000000004BB0000-memory.dmp	family_redline
behavioral1/memory/1996-239-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/1996-242-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/1996-244-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/1996-246-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y92Co46.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	y92Co46.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 12 IoCs

Processes:

zap0112.exezap4740.exezap7890.exetz1463.exev3305wf.exew49mi58.exexFpiR17.exey92Co46.exeoneetx.exe2023.exeoneetx.exeoneetx.exe

pid	process
3168	zap0112.exe
1116	zap4740.exe
2720	zap7890.exe
4756	tz1463.exe
2220	v3305wf.exe
1996	w49mi58.exe
1320	xFpiR17.exe
3888	y92Co46.exe
4604	oneetx.exe
3980	2023.exe
1536	oneetx.exe
4224	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3792 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3792	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz1463.exev3305wf.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz1463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v3305wf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v3305wf.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap7890.exe55f86bd3f085fbeabe5d1eef7b6066ecd3bab1024dcbdb2bfce2f0179d7b4f2f.exezap0112.exezap4740.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap7890.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	55f86bd3f085fbeabe5d1eef7b6066ecd3bab1024dcbdb2bfce2f0179d7b4f2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	55f86bd3f085fbeabe5d1eef7b6066ecd3bab1024dcbdb2bfce2f0179d7b4f2f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0112.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap0112.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap4740.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3700 2220 WerFault.exe v3305wf.exe
1564 1996 WerFault.exe w49mi58.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2404 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz1463.exev3305wf.exew49mi58.exexFpiR17.exe

pid process

4756 tz1463.exe
4756 tz1463.exe
2220 v3305wf.exe
2220 v3305wf.exe
1996 w49mi58.exe
1996 w49mi58.exe
1320 xFpiR17.exe
1320 xFpiR17.exe

pid	pid_target	process	target process
3700	2220	WerFault.exe	v3305wf.exe
1564	1996	WerFault.exe	w49mi58.exe

pid	process
2404	schtasks.exe

pid	process
4756	tz1463.exe
4756	tz1463.exe
2220	v3305wf.exe
2220	v3305wf.exe
1996	w49mi58.exe
1996	w49mi58.exe
1320	xFpiR17.exe
1320	xFpiR17.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz1463.exev3305wf.exew49mi58.exexFpiR17.exe

description	pid	process
Token: SeDebugPrivilege	4756	tz1463.exe
Token: SeDebugPrivilege	2220	v3305wf.exe
Token: SeDebugPrivilege	1996	w49mi58.exe
Token: SeDebugPrivilege	1320	xFpiR17.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y92Co46.exe

pid process

3888 y92Co46.exe

pid	process
3888	y92Co46.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

55f86bd3f085fbeabe5d1eef7b6066ecd3bab1024dcbdb2bfce2f0179d7b4f2f.exezap0112.exezap4740.exezap7890.exey92Co46.exeoneetx.execmd.exe

description	pid	process	target process
PID 4980 wrote to memory of 3168	4980	55f86bd3f085fbeabe5d1eef7b6066ecd3bab1024dcbdb2bfce2f0179d7b4f2f.exe	zap0112.exe
PID 4980 wrote to memory of 3168	4980	55f86bd3f085fbeabe5d1eef7b6066ecd3bab1024dcbdb2bfce2f0179d7b4f2f.exe	zap0112.exe
PID 4980 wrote to memory of 3168	4980	55f86bd3f085fbeabe5d1eef7b6066ecd3bab1024dcbdb2bfce2f0179d7b4f2f.exe	zap0112.exe
PID 3168 wrote to memory of 1116	3168	zap0112.exe	zap4740.exe
PID 3168 wrote to memory of 1116	3168	zap0112.exe	zap4740.exe
PID 3168 wrote to memory of 1116	3168	zap0112.exe	zap4740.exe
PID 1116 wrote to memory of 2720	1116	zap4740.exe	zap7890.exe
PID 1116 wrote to memory of 2720	1116	zap4740.exe	zap7890.exe
PID 1116 wrote to memory of 2720	1116	zap4740.exe	zap7890.exe
PID 2720 wrote to memory of 4756	2720	zap7890.exe	tz1463.exe
PID 2720 wrote to memory of 4756	2720	zap7890.exe	tz1463.exe
PID 2720 wrote to memory of 2220	2720	zap7890.exe	v3305wf.exe
PID 2720 wrote to memory of 2220	2720	zap7890.exe	v3305wf.exe
PID 2720 wrote to memory of 2220	2720	zap7890.exe	v3305wf.exe
PID 1116 wrote to memory of 1996	1116	zap4740.exe	w49mi58.exe
PID 1116 wrote to memory of 1996	1116	zap4740.exe	w49mi58.exe
PID 1116 wrote to memory of 1996	1116	zap4740.exe	w49mi58.exe
PID 3168 wrote to memory of 1320	3168	zap0112.exe	xFpiR17.exe
PID 3168 wrote to memory of 1320	3168	zap0112.exe	xFpiR17.exe
PID 3168 wrote to memory of 1320	3168	zap0112.exe	xFpiR17.exe
PID 4980 wrote to memory of 3888	4980	55f86bd3f085fbeabe5d1eef7b6066ecd3bab1024dcbdb2bfce2f0179d7b4f2f.exe	y92Co46.exe
PID 4980 wrote to memory of 3888	4980	55f86bd3f085fbeabe5d1eef7b6066ecd3bab1024dcbdb2bfce2f0179d7b4f2f.exe	y92Co46.exe
PID 4980 wrote to memory of 3888	4980	55f86bd3f085fbeabe5d1eef7b6066ecd3bab1024dcbdb2bfce2f0179d7b4f2f.exe	y92Co46.exe
PID 3888 wrote to memory of 4604	3888	y92Co46.exe	oneetx.exe
PID 3888 wrote to memory of 4604	3888	y92Co46.exe	oneetx.exe
PID 3888 wrote to memory of 4604	3888	y92Co46.exe	oneetx.exe
PID 4604 wrote to memory of 2404	4604	oneetx.exe	schtasks.exe
PID 4604 wrote to memory of 2404	4604	oneetx.exe	schtasks.exe
PID 4604 wrote to memory of 2404	4604	oneetx.exe	schtasks.exe
PID 4604 wrote to memory of 4928	4604	oneetx.exe	cmd.exe
PID 4604 wrote to memory of 4928	4604	oneetx.exe	cmd.exe
PID 4604 wrote to memory of 4928	4604	oneetx.exe	cmd.exe
PID 4928 wrote to memory of 1788	4928	cmd.exe	cmd.exe
PID 4928 wrote to memory of 1788	4928	cmd.exe	cmd.exe
PID 4928 wrote to memory of 1788	4928	cmd.exe	cmd.exe
PID 4928 wrote to memory of 1960	4928	cmd.exe	cacls.exe
PID 4928 wrote to memory of 1960	4928	cmd.exe	cacls.exe
PID 4928 wrote to memory of 1960	4928	cmd.exe	cacls.exe
PID 4928 wrote to memory of 2616	4928	cmd.exe	cacls.exe
PID 4928 wrote to memory of 2616	4928	cmd.exe	cacls.exe
PID 4928 wrote to memory of 2616	4928	cmd.exe	cacls.exe
PID 4928 wrote to memory of 924	4928	cmd.exe	cmd.exe
PID 4928 wrote to memory of 924	4928	cmd.exe	cmd.exe
PID 4928 wrote to memory of 924	4928	cmd.exe	cmd.exe
PID 4928 wrote to memory of 3616	4928	cmd.exe	cacls.exe
PID 4928 wrote to memory of 3616	4928	cmd.exe	cacls.exe
PID 4928 wrote to memory of 3616	4928	cmd.exe	cacls.exe
PID 4928 wrote to memory of 2856	4928	cmd.exe	cacls.exe
PID 4928 wrote to memory of 2856	4928	cmd.exe	cacls.exe
PID 4928 wrote to memory of 2856	4928	cmd.exe	cacls.exe
PID 4604 wrote to memory of 3980	4604	oneetx.exe	2023.exe
PID 4604 wrote to memory of 3980	4604	oneetx.exe	2023.exe
PID 4604 wrote to memory of 3980	4604	oneetx.exe	2023.exe
PID 4604 wrote to memory of 3792	4604	oneetx.exe	rundll32.exe
PID 4604 wrote to memory of 3792	4604	oneetx.exe	rundll32.exe
PID 4604 wrote to memory of 3792	4604	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\55f86bd3f085fbeabe5d1eef7b6066ecd3bab1024dcbdb2bfce2f0179d7b4f2f.exe
"C:\Users\Admin\AppData\Local\Temp\55f86bd3f085fbeabe5d1eef7b6066ecd3bab1024dcbdb2bfce2f0179d7b4f2f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4980

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0112.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0112.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3168

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4740.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4740.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7890.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7890.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1463.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1463.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3305wf.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3305wf.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1076
6⤵
- Program crash
PID:3700

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w49mi58.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w49mi58.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1520
5⤵
- Program crash
PID:1564

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFpiR17.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFpiR17.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y92Co46.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y92Co46.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3888

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:2404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1788

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:1960

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:924

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:3616

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\1000030001\2023.exe
"C:\Users\Admin\AppData\Local\Temp\1000030001\2023.exe"
4⤵
- Executes dropped EXE
PID:3980

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2220 -ip 2220
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1996 -ip 1996
1⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:1536

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:4224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000030001\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000030001\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000030001\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y92Co46.exe
Filesize
236KB

MD5
29ec53516ffe2a58c1224f1baa723354

SHA1
1eed5bc888a4e04eb8016d8dabd98d0e956cb655

SHA256
1303194e7e355dc4a8419814b3ae7599ddfc2282210d95daeacdf8ed337c0dc9

SHA512
6a0cac498255179bf3280424702c3f9721345a1ade6520ebcd46558bfd63e7036c9864545c15c4379989892e1cb18935ba8381d1355ab765e28c208815d50af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y92Co46.exe
Filesize
236KB

MD5
29ec53516ffe2a58c1224f1baa723354

SHA1
1eed5bc888a4e04eb8016d8dabd98d0e956cb655

SHA256
1303194e7e355dc4a8419814b3ae7599ddfc2282210d95daeacdf8ed337c0dc9

SHA512
6a0cac498255179bf3280424702c3f9721345a1ade6520ebcd46558bfd63e7036c9864545c15c4379989892e1cb18935ba8381d1355ab765e28c208815d50af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0112.exe
Filesize
818KB

MD5
8ddd827abc68af3b17bc656d989b1352

SHA1
99fea981d136f94f535c098c52c79668994cf0d3

SHA256
5e78b874ff26625ec50d35cdb2339ef52d749c26362b15f55b9ad00d547c413e

SHA512
a08630ed70a6cf19108098909708bd0b93c5116f135f0602ca30dcaf421b33a4ae4c2a2ffbad874f44118e6061992cde85d4826244f9039d3a475d3937a06f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0112.exe
Filesize
818KB

MD5
8ddd827abc68af3b17bc656d989b1352

SHA1
99fea981d136f94f535c098c52c79668994cf0d3

SHA256
5e78b874ff26625ec50d35cdb2339ef52d749c26362b15f55b9ad00d547c413e

SHA512
a08630ed70a6cf19108098909708bd0b93c5116f135f0602ca30dcaf421b33a4ae4c2a2ffbad874f44118e6061992cde85d4826244f9039d3a475d3937a06f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFpiR17.exe
Filesize
175KB

MD5
0f206465395d2ef243ef5466bbbacb9c

SHA1
47f41d31043ce6df8383efbed5c6143ad5eecbdb

SHA256
c0118da480b44a427a9cd9ead4e786c744575f70fb9e9a413cb1a9faea2d7b22

SHA512
5de9431dcf8002c637257a02f10413fe88d90c22a2fb8efb15635ae08af805e098c62ad35501600b6050c9848bf69dc87fffc3a8a4739b521eb2dada49143c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFpiR17.exe
Filesize
175KB

MD5
0f206465395d2ef243ef5466bbbacb9c

SHA1
47f41d31043ce6df8383efbed5c6143ad5eecbdb

SHA256
c0118da480b44a427a9cd9ead4e786c744575f70fb9e9a413cb1a9faea2d7b22

SHA512
5de9431dcf8002c637257a02f10413fe88d90c22a2fb8efb15635ae08af805e098c62ad35501600b6050c9848bf69dc87fffc3a8a4739b521eb2dada49143c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4740.exe
Filesize
676KB

MD5
fdf8eeab58e285f4f3d1f761128aacb6

SHA1
47744e25fcedca444e76d94d8fde2c2208670820

SHA256
f30cf0a32dac8c888adbe1db5653b969622afd1ceab2cda47613307756cba22f

SHA512
ff0fdf6d2988780becfc1b8e7d15452542fd38a05ec282c52de592fe864914de83021647f05bfd711693616f796fabec9519d091ea1de220ddd75c795e1bef49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4740.exe
Filesize
676KB

MD5
fdf8eeab58e285f4f3d1f761128aacb6

SHA1
47744e25fcedca444e76d94d8fde2c2208670820

SHA256
f30cf0a32dac8c888adbe1db5653b969622afd1ceab2cda47613307756cba22f

SHA512
ff0fdf6d2988780becfc1b8e7d15452542fd38a05ec282c52de592fe864914de83021647f05bfd711693616f796fabec9519d091ea1de220ddd75c795e1bef49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w49mi58.exe
Filesize
319KB

MD5
2cdcfe4444520b126ef6b1c9b2124fa2

SHA1
1db664a1431436fc5a1eafe5f919dc99c637c595

SHA256
b50e1d1b7681d70c390f4130d03a24918cc3c0832e41ea659e5cdd7cbd770f0f

SHA512
c549e99d71ce389eed3c3b21b048019c22358b8dc92601fedf1feaf520051c3607b8543f0ebac646477dfa630cdd52e56563ad19b3fddfcae5f4d4d81fa50b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w49mi58.exe
Filesize
319KB

MD5
2cdcfe4444520b126ef6b1c9b2124fa2

SHA1
1db664a1431436fc5a1eafe5f919dc99c637c595

SHA256
b50e1d1b7681d70c390f4130d03a24918cc3c0832e41ea659e5cdd7cbd770f0f

SHA512
c549e99d71ce389eed3c3b21b048019c22358b8dc92601fedf1feaf520051c3607b8543f0ebac646477dfa630cdd52e56563ad19b3fddfcae5f4d4d81fa50b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7890.exe
Filesize
335KB

MD5
7f15f285cf436579be60309a5b8079bd

SHA1
8f05611a556449d6a56525de2066181955da19cd

SHA256
b9e2c05ddcf28a55f724e50b65eecf3753268b16d7f6c5495a365edfc7bf34d4

SHA512
0421357be14aa5fd946fd1fed08dbf01187d3243278bfde9f432143943de49e2e9077fc82f7feb3128c654300520ed53a5e15fc492effe96e41f05e929c1c7dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7890.exe
Filesize
335KB

MD5
7f15f285cf436579be60309a5b8079bd

SHA1
8f05611a556449d6a56525de2066181955da19cd

SHA256
b9e2c05ddcf28a55f724e50b65eecf3753268b16d7f6c5495a365edfc7bf34d4

SHA512
0421357be14aa5fd946fd1fed08dbf01187d3243278bfde9f432143943de49e2e9077fc82f7feb3128c654300520ed53a5e15fc492effe96e41f05e929c1c7dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1463.exe
Filesize
11KB

MD5
2fc0276a6f5ee11e3217390601053e41

SHA1
e993d3d0d7b88dabc56adc4fb216f6e863adad45

SHA256
1de760fef33f5a0c19224be75e426ff871fe7e998033bd577ca97f6cd0caa1a7

SHA512
a45894b7a54f0321efb3a5cb5cefb935d9fbc09b41195a4ea462bb7c920fd84114b23887fda14ec04c86efb1daea8bff32e4db93e75841dae7a9896c673a8382

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1463.exe
Filesize
11KB

MD5
2fc0276a6f5ee11e3217390601053e41

SHA1
e993d3d0d7b88dabc56adc4fb216f6e863adad45

SHA256
1de760fef33f5a0c19224be75e426ff871fe7e998033bd577ca97f6cd0caa1a7

SHA512
a45894b7a54f0321efb3a5cb5cefb935d9fbc09b41195a4ea462bb7c920fd84114b23887fda14ec04c86efb1daea8bff32e4db93e75841dae7a9896c673a8382

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3305wf.exe
Filesize
260KB

MD5
f01f511811a58fea4b366c6113d74bfa

SHA1
225b256c3ac623cdf594e31ae87f7cbf4716cb7b

SHA256
8d3760a074215a876b6272c2b1b2c65ef1ed117088f637eeefc5ad1bdc751930

SHA512
0951100514aa87d20180a626fd2da8ced8b40db9bd393fdbf33133dff86e798c480814250f89856747ed8d1512a526abe0f87706bf874d326e06475dbffeddd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3305wf.exe
Filesize
260KB

MD5
f01f511811a58fea4b366c6113d74bfa

SHA1
225b256c3ac623cdf594e31ae87f7cbf4716cb7b

SHA256
8d3760a074215a876b6272c2b1b2c65ef1ed117088f637eeefc5ad1bdc751930

SHA512
0951100514aa87d20180a626fd2da8ced8b40db9bd393fdbf33133dff86e798c480814250f89856747ed8d1512a526abe0f87706bf874d326e06475dbffeddd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
29ec53516ffe2a58c1224f1baa723354

SHA1
1eed5bc888a4e04eb8016d8dabd98d0e956cb655

SHA256
1303194e7e355dc4a8419814b3ae7599ddfc2282210d95daeacdf8ed337c0dc9

SHA512
6a0cac498255179bf3280424702c3f9721345a1ade6520ebcd46558bfd63e7036c9864545c15c4379989892e1cb18935ba8381d1355ab765e28c208815d50af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
29ec53516ffe2a58c1224f1baa723354

SHA1
1eed5bc888a4e04eb8016d8dabd98d0e956cb655

SHA256
1303194e7e355dc4a8419814b3ae7599ddfc2282210d95daeacdf8ed337c0dc9

SHA512
6a0cac498255179bf3280424702c3f9721345a1ade6520ebcd46558bfd63e7036c9864545c15c4379989892e1cb18935ba8381d1355ab765e28c208815d50af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
29ec53516ffe2a58c1224f1baa723354

SHA1
1eed5bc888a4e04eb8016d8dabd98d0e956cb655

SHA256
1303194e7e355dc4a8419814b3ae7599ddfc2282210d95daeacdf8ed337c0dc9

SHA512
6a0cac498255179bf3280424702c3f9721345a1ade6520ebcd46558bfd63e7036c9864545c15c4379989892e1cb18935ba8381d1355ab765e28c208815d50af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
29ec53516ffe2a58c1224f1baa723354

SHA1
1eed5bc888a4e04eb8016d8dabd98d0e956cb655

SHA256
1303194e7e355dc4a8419814b3ae7599ddfc2282210d95daeacdf8ed337c0dc9

SHA512
6a0cac498255179bf3280424702c3f9721345a1ade6520ebcd46558bfd63e7036c9864545c15c4379989892e1cb18935ba8381d1355ab765e28c208815d50af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
29ec53516ffe2a58c1224f1baa723354

SHA1
1eed5bc888a4e04eb8016d8dabd98d0e956cb655

SHA256
1303194e7e355dc4a8419814b3ae7599ddfc2282210d95daeacdf8ed337c0dc9

SHA512
6a0cac498255179bf3280424702c3f9721345a1ade6520ebcd46558bfd63e7036c9864545c15c4379989892e1cb18935ba8381d1355ab765e28c208815d50af5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1320-1141-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1320-1140-0x0000000000240000-0x0000000000272000-memory.dmp

Filesize
200KB

Download
memory/1996-1130-0x0000000006590000-0x0000000006606000-memory.dmp

Filesize
472KB

Download
memory/1996-1121-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/1996-1134-0x00000000069C0000-0x0000000006EEC000-memory.dmp

Filesize
5.2MB

Download
memory/1996-1133-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1996-1132-0x00000000067F0000-0x00000000069B2000-memory.dmp

Filesize
1.8MB

Download
memory/1996-1131-0x0000000006620000-0x0000000006670000-memory.dmp

Filesize
320KB

Download
memory/1996-1129-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1996-209-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/1996-210-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/1996-212-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/1996-214-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/1996-216-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/1996-218-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/1996-220-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/1996-222-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/1996-224-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/1996-226-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/1996-228-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/1996-230-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/1996-232-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/1996-235-0x0000000000660000-0x00000000006AB000-memory.dmp

Filesize
300KB

Download
memory/1996-234-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/1996-238-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1996-237-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1996-241-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1996-239-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/1996-242-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/1996-244-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/1996-246-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/1996-1119-0x0000000005260000-0x0000000005878000-memory.dmp

Filesize
6.1MB

Download
memory/1996-1120-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/1996-1128-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1996-1122-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1996-1123-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/1996-1124-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/1996-1125-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/1996-1127-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/2220-183-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/2220-204-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2220-200-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2220-199-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/2220-181-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/2220-202-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2220-201-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2220-179-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/2220-191-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/2220-189-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/2220-187-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/2220-185-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/2220-195-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/2220-197-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/2220-193-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/2220-177-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/2220-175-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/2220-173-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/2220-172-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/2220-171-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2220-169-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2220-170-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2220-168-0x00000000005D0000-0x00000000005FD000-memory.dmp

Filesize
180KB

Download
memory/2220-167-0x0000000004BA0000-0x0000000005144000-memory.dmp

Filesize
5.6MB

Download
memory/4756-161-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download