amadey | aedd51f67478e96a8bbfddeb26de37fcafb96fd849fd74d6af93e47163b03a23

Analysis

max time kernel
125s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aedd51f67478e96a8bbfddeb26de37fcafb96fd849fd74d6af93e47163b03a23.exe
Size

1.0MB
MD5

ffe87228285c9b840d805f25c56db520
SHA1

081eca1c8d3620f18b7d924e663e4ab0cc4b5731
SHA256

aedd51f67478e96a8bbfddeb26de37fcafb96fd849fd74d6af93e47163b03a23
SHA512

10ea309dd6d0616d18d417018d625d9eb9fd6e9f8f202240ee4d0fef71e2952b513f3ee5bac2c2bc794f04fda4b59ecbddbc248a5caa76db18502808483499fe
SSDEEP

12288:xMrjy90HssON91wdknwOBvyeoLxhAEEILCo6mUd3wh3HXi3Nx2Zan8FOOeQD/xAP:OyPhwdknwSvdwxiKXkMXmuvHz1Z6

Score

10^/10

amadey redline liba redline rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

liba

176.113.115.145:4125

Attributes

auth_value
1a62e130767ad862d1fb9d7ab0115025

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Extracted

Family

redline

Botnet

Redline

85.31.54.183:43728

Attributes

auth_value
1666a0a46296c430de7ba5e70bd0c0f3

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz4216.exev5581rg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz4216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v5581rg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v5581rg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v5581rg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v5581rg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v5581rg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz4216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz4216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz4216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz4216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz4216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v5581rg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1552-210-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/1552-212-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/1552-214-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/1552-209-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/1552-216-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/1552-218-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/1552-220-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/1552-222-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/1552-224-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/1552-226-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/1552-228-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/1552-230-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/1552-232-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/1552-234-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/1552-236-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/1552-238-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/1552-240-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/1552-242-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y36mY02.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	y36mY02.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 12 IoCs

Processes:

zap5576.exezap2599.exezap3295.exetz4216.exev5581rg.exew97HV33.exexupxV98.exey36mY02.exeoneetx.exeRedline2.exeoneetx.exeoneetx.exe

pid	process
1852	zap5576.exe
4412	zap2599.exe
3152	zap3295.exe
4000	tz4216.exe
4104	v5581rg.exe
1552	w97HV33.exe
3024	xupxV98.exe
2660	y36mY02.exe
5044	oneetx.exe
3716	Redline2.exe
1436	oneetx.exe
4920	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1916 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1916	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz4216.exev5581rg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz4216.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v5581rg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v5581rg.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aedd51f67478e96a8bbfddeb26de37fcafb96fd849fd74d6af93e47163b03a23.exezap5576.exezap2599.exezap3295.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aedd51f67478e96a8bbfddeb26de37fcafb96fd849fd74d6af93e47163b03a23.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap5576.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap5576.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2599.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap2599.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3295.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap3295.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	aedd51f67478e96a8bbfddeb26de37fcafb96fd849fd74d6af93e47163b03a23.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2940 4104 WerFault.exe v5581rg.exe
1132 1552 WerFault.exe w97HV33.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2100 schtasks.exe

pid	pid_target	process	target process
2940	4104	WerFault.exe	v5581rg.exe
1132	1552	WerFault.exe	w97HV33.exe

pid	process
2100	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

tz4216.exev5581rg.exew97HV33.exexupxV98.exeRedline2.exe

pid	process
4000	tz4216.exe
4000	tz4216.exe
4104	v5581rg.exe
4104	v5581rg.exe
1552	w97HV33.exe
1552	w97HV33.exe
3024	xupxV98.exe
3024	xupxV98.exe
3716	Redline2.exe
3716	Redline2.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tz4216.exev5581rg.exew97HV33.exexupxV98.exeRedline2.exe

description	pid	process
Token: SeDebugPrivilege	4000	tz4216.exe
Token: SeDebugPrivilege	4104	v5581rg.exe
Token: SeDebugPrivilege	1552	w97HV33.exe
Token: SeDebugPrivilege	3024	xupxV98.exe
Token: SeDebugPrivilege	3716	Redline2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y36mY02.exe

pid process

2660 y36mY02.exe

pid	process
2660	y36mY02.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

aedd51f67478e96a8bbfddeb26de37fcafb96fd849fd74d6af93e47163b03a23.exezap5576.exezap2599.exezap3295.exey36mY02.exeoneetx.execmd.exe

description	pid	process	target process
PID 5032 wrote to memory of 1852	5032	aedd51f67478e96a8bbfddeb26de37fcafb96fd849fd74d6af93e47163b03a23.exe	zap5576.exe
PID 5032 wrote to memory of 1852	5032	aedd51f67478e96a8bbfddeb26de37fcafb96fd849fd74d6af93e47163b03a23.exe	zap5576.exe
PID 5032 wrote to memory of 1852	5032	aedd51f67478e96a8bbfddeb26de37fcafb96fd849fd74d6af93e47163b03a23.exe	zap5576.exe
PID 1852 wrote to memory of 4412	1852	zap5576.exe	zap2599.exe
PID 1852 wrote to memory of 4412	1852	zap5576.exe	zap2599.exe
PID 1852 wrote to memory of 4412	1852	zap5576.exe	zap2599.exe
PID 4412 wrote to memory of 3152	4412	zap2599.exe	zap3295.exe
PID 4412 wrote to memory of 3152	4412	zap2599.exe	zap3295.exe
PID 4412 wrote to memory of 3152	4412	zap2599.exe	zap3295.exe
PID 3152 wrote to memory of 4000	3152	zap3295.exe	tz4216.exe
PID 3152 wrote to memory of 4000	3152	zap3295.exe	tz4216.exe
PID 3152 wrote to memory of 4104	3152	zap3295.exe	v5581rg.exe
PID 3152 wrote to memory of 4104	3152	zap3295.exe	v5581rg.exe
PID 3152 wrote to memory of 4104	3152	zap3295.exe	v5581rg.exe
PID 4412 wrote to memory of 1552	4412	zap2599.exe	w97HV33.exe
PID 4412 wrote to memory of 1552	4412	zap2599.exe	w97HV33.exe
PID 4412 wrote to memory of 1552	4412	zap2599.exe	w97HV33.exe
PID 1852 wrote to memory of 3024	1852	zap5576.exe	xupxV98.exe
PID 1852 wrote to memory of 3024	1852	zap5576.exe	xupxV98.exe
PID 1852 wrote to memory of 3024	1852	zap5576.exe	xupxV98.exe
PID 5032 wrote to memory of 2660	5032	aedd51f67478e96a8bbfddeb26de37fcafb96fd849fd74d6af93e47163b03a23.exe	y36mY02.exe
PID 5032 wrote to memory of 2660	5032	aedd51f67478e96a8bbfddeb26de37fcafb96fd849fd74d6af93e47163b03a23.exe	y36mY02.exe
PID 5032 wrote to memory of 2660	5032	aedd51f67478e96a8bbfddeb26de37fcafb96fd849fd74d6af93e47163b03a23.exe	y36mY02.exe
PID 2660 wrote to memory of 5044	2660	y36mY02.exe	oneetx.exe
PID 2660 wrote to memory of 5044	2660	y36mY02.exe	oneetx.exe
PID 2660 wrote to memory of 5044	2660	y36mY02.exe	oneetx.exe
PID 5044 wrote to memory of 2100	5044	oneetx.exe	schtasks.exe
PID 5044 wrote to memory of 2100	5044	oneetx.exe	schtasks.exe
PID 5044 wrote to memory of 2100	5044	oneetx.exe	schtasks.exe
PID 5044 wrote to memory of 4408	5044	oneetx.exe	cmd.exe
PID 5044 wrote to memory of 4408	5044	oneetx.exe	cmd.exe
PID 5044 wrote to memory of 4408	5044	oneetx.exe	cmd.exe
PID 4408 wrote to memory of 4732	4408	cmd.exe	cmd.exe
PID 4408 wrote to memory of 4732	4408	cmd.exe	cmd.exe
PID 4408 wrote to memory of 4732	4408	cmd.exe	cmd.exe
PID 4408 wrote to memory of 528	4408	cmd.exe	cacls.exe
PID 4408 wrote to memory of 528	4408	cmd.exe	cacls.exe
PID 4408 wrote to memory of 528	4408	cmd.exe	cacls.exe
PID 4408 wrote to memory of 1476	4408	cmd.exe	cacls.exe
PID 4408 wrote to memory of 1476	4408	cmd.exe	cacls.exe
PID 4408 wrote to memory of 1476	4408	cmd.exe	cacls.exe
PID 4408 wrote to memory of 3976	4408	cmd.exe	cmd.exe
PID 4408 wrote to memory of 3976	4408	cmd.exe	cmd.exe
PID 4408 wrote to memory of 3976	4408	cmd.exe	cmd.exe
PID 4408 wrote to memory of 3556	4408	cmd.exe	cacls.exe
PID 4408 wrote to memory of 3556	4408	cmd.exe	cacls.exe
PID 4408 wrote to memory of 3556	4408	cmd.exe	cacls.exe
PID 4408 wrote to memory of 1912	4408	cmd.exe	cacls.exe
PID 4408 wrote to memory of 1912	4408	cmd.exe	cacls.exe
PID 4408 wrote to memory of 1912	4408	cmd.exe	cacls.exe
PID 5044 wrote to memory of 3716	5044	oneetx.exe	Redline2.exe
PID 5044 wrote to memory of 3716	5044	oneetx.exe	Redline2.exe
PID 5044 wrote to memory of 3716	5044	oneetx.exe	Redline2.exe
PID 5044 wrote to memory of 1916	5044	oneetx.exe	rundll32.exe
PID 5044 wrote to memory of 1916	5044	oneetx.exe	rundll32.exe
PID 5044 wrote to memory of 1916	5044	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\aedd51f67478e96a8bbfddeb26de37fcafb96fd849fd74d6af93e47163b03a23.exe
"C:\Users\Admin\AppData\Local\Temp\aedd51f67478e96a8bbfddeb26de37fcafb96fd849fd74d6af93e47163b03a23.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5032

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5576.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5576.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2599.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2599.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4412

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3295.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3295.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4216.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4216.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5581rg.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5581rg.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1088
6⤵
- Program crash
PID:2940

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w97HV33.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w97HV33.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1352
5⤵
- Program crash
PID:1132

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xupxV98.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xupxV98.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y36mY02.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y36mY02.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2660

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:2100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4732

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:528

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3976

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:3556

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\1000025001\Redline2.exe
"C:\Users\Admin\AppData\Local\Temp\1000025001\Redline2.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4104 -ip 4104
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1552 -ip 1552
1⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:1436

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:4920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000025001\Redline2.exe
Filesize
175KB

MD5
07ed3cf75dcfb540175c949c271e936a

SHA1
fe5815dc4958eeace138dfc1fe880ed7566ff1b1

SHA256
16e3d760e83c103a378f1a4aeb58c398a12ffb702b55e7dea9ee12c052a14305

SHA512
ec7578223d22ff80029d36c27832016c7d7afbb42374545270cded42ddbf140b7cc13cadfa1863922b06b3e2e229e624614c3c7a46ec9cab2331a572d2112c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000025001\Redline2.exe
Filesize
175KB

MD5
07ed3cf75dcfb540175c949c271e936a

SHA1
fe5815dc4958eeace138dfc1fe880ed7566ff1b1

SHA256
16e3d760e83c103a378f1a4aeb58c398a12ffb702b55e7dea9ee12c052a14305

SHA512
ec7578223d22ff80029d36c27832016c7d7afbb42374545270cded42ddbf140b7cc13cadfa1863922b06b3e2e229e624614c3c7a46ec9cab2331a572d2112c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000025001\Redline2.exe
Filesize
175KB

MD5
07ed3cf75dcfb540175c949c271e936a

SHA1
fe5815dc4958eeace138dfc1fe880ed7566ff1b1

SHA256
16e3d760e83c103a378f1a4aeb58c398a12ffb702b55e7dea9ee12c052a14305

SHA512
ec7578223d22ff80029d36c27832016c7d7afbb42374545270cded42ddbf140b7cc13cadfa1863922b06b3e2e229e624614c3c7a46ec9cab2331a572d2112c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y36mY02.exe
Filesize
236KB

MD5
a3a7d985c2e5a96e69e61f019098982c

SHA1
3873ec5cb4fbb415a5885bf837b2e00722ab4383

SHA256
3ebe9b62c1676a86ca564b2d0cdb9cf3448a0eb070dfb05892a8c352f78b63c5

SHA512
a3aa471957c359e13afee327c9bc8745a165b40f03696f1a9a0de8c6cc348b513d4af8a8cf23cf5b77e1c9e3afce25e8630132116caca61d4a6edf1ffff3dcdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y36mY02.exe
Filesize
236KB

MD5
a3a7d985c2e5a96e69e61f019098982c

SHA1
3873ec5cb4fbb415a5885bf837b2e00722ab4383

SHA256
3ebe9b62c1676a86ca564b2d0cdb9cf3448a0eb070dfb05892a8c352f78b63c5

SHA512
a3aa471957c359e13afee327c9bc8745a165b40f03696f1a9a0de8c6cc348b513d4af8a8cf23cf5b77e1c9e3afce25e8630132116caca61d4a6edf1ffff3dcdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5576.exe
Filesize
843KB

MD5
65c30be723346a3fdbfb11092d188590

SHA1
baee72b101e1340bece4985744b79c3d70fd084d

SHA256
58a3f1ecd109658ec09da35bce07fd854a7bae046b0de82fc6591c76c51179bd

SHA512
5f8821cf32d990fc903d649565975687057214eec9c9afbd4f02c5d12b59cfb31856adf8bd92c45d23eb3ec63b68f9470dc03ede2184a5093c21aff1909173f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5576.exe
Filesize
843KB

MD5
65c30be723346a3fdbfb11092d188590

SHA1
baee72b101e1340bece4985744b79c3d70fd084d

SHA256
58a3f1ecd109658ec09da35bce07fd854a7bae046b0de82fc6591c76c51179bd

SHA512
5f8821cf32d990fc903d649565975687057214eec9c9afbd4f02c5d12b59cfb31856adf8bd92c45d23eb3ec63b68f9470dc03ede2184a5093c21aff1909173f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xupxV98.exe
Filesize
175KB

MD5
3e24eadca529d8010434c0cd3c5f1b21

SHA1
76b70c3c8e827ffbd0887ce7fb1311723a6553e8

SHA256
7aa04f693b7b21850ea5efc30e9d840d78cfa2c4e5427c2fe68621bff40c986c

SHA512
6d1b658bd6125441a0df319ef01da4333793930d279fd198e77b1b6f577593f4be42aeef45dcb95fec540d1c91e90dd8d23ebf09d0c4490596ea8dcd814e8a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xupxV98.exe
Filesize
175KB

MD5
3e24eadca529d8010434c0cd3c5f1b21

SHA1
76b70c3c8e827ffbd0887ce7fb1311723a6553e8

SHA256
7aa04f693b7b21850ea5efc30e9d840d78cfa2c4e5427c2fe68621bff40c986c

SHA512
6d1b658bd6125441a0df319ef01da4333793930d279fd198e77b1b6f577593f4be42aeef45dcb95fec540d1c91e90dd8d23ebf09d0c4490596ea8dcd814e8a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2599.exe
Filesize
700KB

MD5
cd87659489986a40ad9842b888aab7cf

SHA1
7f28185ceb0440d06af318efc56f3cc70c11090e

SHA256
a87980681b21020a95ea85b5851a99dddb28c728a44091102bb7ee98537c125c

SHA512
4b813e225b9424d769863ae2e3888f7fab6e44e4245df791bdd61afdbe1856935f00e2798928227aa7687df291438d19ab7a614a93a7f8a0b1b4455aace8dc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2599.exe
Filesize
700KB

MD5
cd87659489986a40ad9842b888aab7cf

SHA1
7f28185ceb0440d06af318efc56f3cc70c11090e

SHA256
a87980681b21020a95ea85b5851a99dddb28c728a44091102bb7ee98537c125c

SHA512
4b813e225b9424d769863ae2e3888f7fab6e44e4245df791bdd61afdbe1856935f00e2798928227aa7687df291438d19ab7a614a93a7f8a0b1b4455aace8dc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w97HV33.exe
Filesize
349KB

MD5
4ab8cd86b5281854e83860bfd34ec686

SHA1
eb037e2b0e3a7fd150c118c735fdd9273ad9436f

SHA256
431b61a0ed4845934425d1cf60cabb39b53609f3d06c50e19768f1eb25008789

SHA512
5261c4fc1053f9a591cdfd9fed5526752c892d51714ccea11d77808d27fe6899cde686996e400bf95f448c4934103cf5a3e9b27816270490527b05e27ad1ce47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w97HV33.exe
Filesize
349KB

MD5
4ab8cd86b5281854e83860bfd34ec686

SHA1
eb037e2b0e3a7fd150c118c735fdd9273ad9436f

SHA256
431b61a0ed4845934425d1cf60cabb39b53609f3d06c50e19768f1eb25008789

SHA512
5261c4fc1053f9a591cdfd9fed5526752c892d51714ccea11d77808d27fe6899cde686996e400bf95f448c4934103cf5a3e9b27816270490527b05e27ad1ce47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3295.exe
Filesize
347KB

MD5
7b4f7ee4c55a381906e29293cbbde7aa

SHA1
8468902c594231ab717ae86e6f14f870475f5b6f

SHA256
630fb28dd71530d78d2cbd6763c01b93bf68e6742e1c754197509e456b5f8d11

SHA512
8f395028d0cf241685bd21ac9d28466bc40be29d1a3fa322d1f1c9faf2ead1d01ec07e17bfc72a86a0784756c00e2e32f2c127aeb0f8bb56f45e7e9c43ec91a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3295.exe
Filesize
347KB

MD5
7b4f7ee4c55a381906e29293cbbde7aa

SHA1
8468902c594231ab717ae86e6f14f870475f5b6f

SHA256
630fb28dd71530d78d2cbd6763c01b93bf68e6742e1c754197509e456b5f8d11

SHA512
8f395028d0cf241685bd21ac9d28466bc40be29d1a3fa322d1f1c9faf2ead1d01ec07e17bfc72a86a0784756c00e2e32f2c127aeb0f8bb56f45e7e9c43ec91a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4216.exe
Filesize
11KB

MD5
50230721969baf6ffd6ac5e906699eb2

SHA1
0809aeb89c548bb40c69eaee2374ed7cc77d540c

SHA256
8432bca28dceff4837e912289864bb6b4c28e8584e57c5c59f1d63ad70dbb2a6

SHA512
96a66d691ad0b459f504b5413f3cd591adb5509076fb92c4364ef5fb1a7d7e5eeb9e54a6924c8ce9858c14701225cefcb3c415d581bd49bdb14521261fe37afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4216.exe
Filesize
11KB

MD5
50230721969baf6ffd6ac5e906699eb2

SHA1
0809aeb89c548bb40c69eaee2374ed7cc77d540c

SHA256
8432bca28dceff4837e912289864bb6b4c28e8584e57c5c59f1d63ad70dbb2a6

SHA512
96a66d691ad0b459f504b5413f3cd591adb5509076fb92c4364ef5fb1a7d7e5eeb9e54a6924c8ce9858c14701225cefcb3c415d581bd49bdb14521261fe37afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5581rg.exe
Filesize
292KB

MD5
366cb331cbff416b39c5426bbff013b6

SHA1
4fd8e76162932ba2077e3d983a0f4321f7873a75

SHA256
003bc8dd3e0738f277c32a01be08489c05346514151c38c748aed1b2459d6756

SHA512
7d95e2345bd6d9cf4089d37cb7e09cb599ec3e8c24c1b31aa5adb0bbc331936a0ab8522fd6eae93d5ed1858e234a92c4694b42db08baa0ed8a510ac60f764141

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5581rg.exe
Filesize
292KB

MD5
366cb331cbff416b39c5426bbff013b6

SHA1
4fd8e76162932ba2077e3d983a0f4321f7873a75

SHA256
003bc8dd3e0738f277c32a01be08489c05346514151c38c748aed1b2459d6756

SHA512
7d95e2345bd6d9cf4089d37cb7e09cb599ec3e8c24c1b31aa5adb0bbc331936a0ab8522fd6eae93d5ed1858e234a92c4694b42db08baa0ed8a510ac60f764141

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
a3a7d985c2e5a96e69e61f019098982c

SHA1
3873ec5cb4fbb415a5885bf837b2e00722ab4383

SHA256
3ebe9b62c1676a86ca564b2d0cdb9cf3448a0eb070dfb05892a8c352f78b63c5

SHA512
a3aa471957c359e13afee327c9bc8745a165b40f03696f1a9a0de8c6cc348b513d4af8a8cf23cf5b77e1c9e3afce25e8630132116caca61d4a6edf1ffff3dcdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
a3a7d985c2e5a96e69e61f019098982c

SHA1
3873ec5cb4fbb415a5885bf837b2e00722ab4383

SHA256
3ebe9b62c1676a86ca564b2d0cdb9cf3448a0eb070dfb05892a8c352f78b63c5

SHA512
a3aa471957c359e13afee327c9bc8745a165b40f03696f1a9a0de8c6cc348b513d4af8a8cf23cf5b77e1c9e3afce25e8630132116caca61d4a6edf1ffff3dcdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
a3a7d985c2e5a96e69e61f019098982c

SHA1
3873ec5cb4fbb415a5885bf837b2e00722ab4383

SHA256
3ebe9b62c1676a86ca564b2d0cdb9cf3448a0eb070dfb05892a8c352f78b63c5

SHA512
a3aa471957c359e13afee327c9bc8745a165b40f03696f1a9a0de8c6cc348b513d4af8a8cf23cf5b77e1c9e3afce25e8630132116caca61d4a6edf1ffff3dcdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
a3a7d985c2e5a96e69e61f019098982c

SHA1
3873ec5cb4fbb415a5885bf837b2e00722ab4383

SHA256
3ebe9b62c1676a86ca564b2d0cdb9cf3448a0eb070dfb05892a8c352f78b63c5

SHA512
a3aa471957c359e13afee327c9bc8745a165b40f03696f1a9a0de8c6cc348b513d4af8a8cf23cf5b77e1c9e3afce25e8630132116caca61d4a6edf1ffff3dcdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
a3a7d985c2e5a96e69e61f019098982c

SHA1
3873ec5cb4fbb415a5885bf837b2e00722ab4383

SHA256
3ebe9b62c1676a86ca564b2d0cdb9cf3448a0eb070dfb05892a8c352f78b63c5

SHA512
a3aa471957c359e13afee327c9bc8745a165b40f03696f1a9a0de8c6cc348b513d4af8a8cf23cf5b77e1c9e3afce25e8630132116caca61d4a6edf1ffff3dcdc

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1552-1131-0x0000000006700000-0x00000000068C2000-memory.dmp

Filesize
1.8MB

Download
memory/1552-1121-0x00000000059F0000-0x0000000005A02000-memory.dmp

Filesize
72KB

Download
memory/1552-1134-0x00000000080E0000-0x0000000008130000-memory.dmp

Filesize
320KB

Download
memory/1552-1133-0x00000000023E0000-0x0000000002456000-memory.dmp

Filesize
472KB

Download
memory/1552-1132-0x00000000068E0000-0x0000000006E0C000-memory.dmp

Filesize
5.2MB

Download
memory/1552-1129-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/1552-1128-0x0000000005DA0000-0x0000000005E06000-memory.dmp

Filesize
408KB

Download
memory/1552-1127-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/1552-1126-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/1552-210-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/1552-212-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/1552-214-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/1552-209-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/1552-216-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/1552-218-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/1552-220-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/1552-222-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/1552-224-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/1552-226-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/1552-228-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/1552-230-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/1552-232-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/1552-234-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/1552-236-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/1552-238-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/1552-240-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/1552-242-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/1552-387-0x0000000002110000-0x000000000215B000-memory.dmp

Filesize
300KB

Download
memory/1552-388-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/1552-390-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/1552-392-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/1552-1119-0x0000000005210000-0x0000000005828000-memory.dmp

Filesize
6.1MB

Download
memory/1552-1120-0x00000000058B0000-0x00000000059BA000-memory.dmp

Filesize
1.0MB

Download
memory/1552-1125-0x0000000005D00000-0x0000000005D92000-memory.dmp

Filesize
584KB

Download
memory/1552-1122-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/1552-1123-0x0000000005A10000-0x0000000005A4C000-memory.dmp

Filesize
240KB

Download
memory/3024-1140-0x0000000000F20000-0x0000000000F52000-memory.dmp

Filesize
200KB

Download
memory/3024-1142-0x0000000005B30000-0x0000000005B40000-memory.dmp

Filesize
64KB

Download
memory/3024-1141-0x0000000005B30000-0x0000000005B40000-memory.dmp

Filesize
64KB

Download
memory/3716-1179-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/3716-1177-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/3716-1176-0x0000000000530000-0x0000000000562000-memory.dmp

Filesize
200KB

Download
memory/4000-161-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

Filesize
40KB

Download
memory/4104-185-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4104-177-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4104-189-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4104-187-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4104-200-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4104-201-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/4104-191-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4104-197-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4104-183-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4104-181-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4104-179-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4104-199-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4104-175-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4104-173-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4104-172-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4104-202-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/4104-204-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4104-171-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/4104-195-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4104-169-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/4104-170-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/4104-168-0x0000000000540000-0x000000000056D000-memory.dmp

Filesize
180KB

Download
memory/4104-167-0x0000000004B50000-0x00000000050F4000-memory.dmp

Filesize
5.6MB

Download
memory/4104-193-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download