amadey | a940b58e37375f95526a77b4d17b8322990d4b2b03aff06f0c63de55441e6afd

Analysis

max time kernel
112s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a940b58e37375f95526a77b4d17b8322990d4b2b03aff06f0c63de55441e6afd.exe
Size

1000KB
MD5

7f6db04d6ab8a2a5f0f337a66f238479
SHA1

cd3ea6910bf91ece6d034a6b2848768983788ef5
SHA256

a940b58e37375f95526a77b4d17b8322990d4b2b03aff06f0c63de55441e6afd
SHA512

ee6eb7d0b4ecba406e01832e3ce2daa4cd9ef447629bc02da7619cc5eb902981f8fabb9e196b2afae945982bc747de06827539d611e58dee1af69430da2b7cb8
SSDEEP

12288:JMrCy90VYUrcQHeB3D6Y4vsEqFj/ImB4cv0uBoM/0+AdsEomBQ+Y34OcWWubMMRn:vyIYqHex6LsEqe5OGKz3EoOebxA8

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz8798.exev2764JX.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz8798.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz8798.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz8798.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v2764JX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v2764JX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v2764JX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz8798.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz8798.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz8798.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v2764JX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v2764JX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v2764JX.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4168-212-0x0000000002390000-0x00000000023CF000-memory.dmp	family_redline
behavioral1/memory/4168-213-0x0000000002390000-0x00000000023CF000-memory.dmp	family_redline
behavioral1/memory/4168-215-0x0000000002390000-0x00000000023CF000-memory.dmp	family_redline
behavioral1/memory/4168-217-0x0000000002390000-0x00000000023CF000-memory.dmp	family_redline
behavioral1/memory/4168-219-0x0000000002390000-0x00000000023CF000-memory.dmp	family_redline
behavioral1/memory/4168-221-0x0000000002390000-0x00000000023CF000-memory.dmp	family_redline
behavioral1/memory/4168-223-0x0000000002390000-0x00000000023CF000-memory.dmp	family_redline
behavioral1/memory/4168-225-0x0000000002390000-0x00000000023CF000-memory.dmp	family_redline
behavioral1/memory/4168-227-0x0000000002390000-0x00000000023CF000-memory.dmp	family_redline
behavioral1/memory/4168-229-0x0000000002390000-0x00000000023CF000-memory.dmp	family_redline
behavioral1/memory/4168-231-0x0000000002390000-0x00000000023CF000-memory.dmp	family_redline
behavioral1/memory/4168-233-0x0000000002390000-0x00000000023CF000-memory.dmp	family_redline
behavioral1/memory/4168-235-0x0000000002390000-0x00000000023CF000-memory.dmp	family_redline
behavioral1/memory/4168-237-0x0000000002390000-0x00000000023CF000-memory.dmp	family_redline
behavioral1/memory/4168-239-0x0000000002390000-0x00000000023CF000-memory.dmp	family_redline
behavioral1/memory/4168-241-0x0000000002390000-0x00000000023CF000-memory.dmp	family_redline
behavioral1/memory/4168-243-0x0000000002390000-0x00000000023CF000-memory.dmp	family_redline
behavioral1/memory/4168-245-0x0000000002390000-0x00000000023CF000-memory.dmp	family_redline
behavioral1/memory/4168-590-0x0000000004D20000-0x0000000004D30000-memory.dmp	family_redline
behavioral1/memory/4168-1130-0x0000000004D20000-0x0000000004D30000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y07yq19.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	y07yq19.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 11 IoCs

Processes:

zap0311.exezap8615.exezap8939.exetz8798.exev2764JX.exew00ko24.exexnVls04.exey07yq19.exeoneetx.exeCrypted.exeoneetx.exe

pid	process
2452	zap0311.exe
4884	zap8615.exe
4520	zap8939.exe
3612	tz8798.exe
1296	v2764JX.exe
4168	w00ko24.exe
952	xnVls04.exe
4972	y07yq19.exe
4908	oneetx.exe
4132	Crypted.exe
828	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3436 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3436	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz8798.exev2764JX.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz8798.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v2764JX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v2764JX.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap8939.exea940b58e37375f95526a77b4d17b8322990d4b2b03aff06f0c63de55441e6afd.exezap0311.exezap8615.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap8939.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a940b58e37375f95526a77b4d17b8322990d4b2b03aff06f0c63de55441e6afd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a940b58e37375f95526a77b4d17b8322990d4b2b03aff06f0c63de55441e6afd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0311.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap0311.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8615.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap8615.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8939.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3692 1296 WerFault.exe v2764JX.exe
4252 4168 WerFault.exe w00ko24.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2228 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz8798.exev2764JX.exew00ko24.exexnVls04.exe

pid process

3612 tz8798.exe
3612 tz8798.exe
1296 v2764JX.exe
1296 v2764JX.exe
4168 w00ko24.exe
4168 w00ko24.exe
952 xnVls04.exe
952 xnVls04.exe

pid	pid_target	process	target process
3692	1296	WerFault.exe	v2764JX.exe
4252	4168	WerFault.exe	w00ko24.exe

pid	process
2228	schtasks.exe

pid	process
3612	tz8798.exe
3612	tz8798.exe
1296	v2764JX.exe
1296	v2764JX.exe
4168	w00ko24.exe
4168	w00ko24.exe
952	xnVls04.exe
952	xnVls04.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz8798.exev2764JX.exew00ko24.exexnVls04.exe

description	pid	process
Token: SeDebugPrivilege	3612	tz8798.exe
Token: SeDebugPrivilege	1296	v2764JX.exe
Token: SeDebugPrivilege	4168	w00ko24.exe
Token: SeDebugPrivilege	952	xnVls04.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y07yq19.exe

pid process

4972 y07yq19.exe

pid	process
4972	y07yq19.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

a940b58e37375f95526a77b4d17b8322990d4b2b03aff06f0c63de55441e6afd.exezap0311.exezap8615.exezap8939.exey07yq19.exeoneetx.execmd.exe

description	pid	process	target process
PID 1752 wrote to memory of 2452	1752	a940b58e37375f95526a77b4d17b8322990d4b2b03aff06f0c63de55441e6afd.exe	zap0311.exe
PID 1752 wrote to memory of 2452	1752	a940b58e37375f95526a77b4d17b8322990d4b2b03aff06f0c63de55441e6afd.exe	zap0311.exe
PID 1752 wrote to memory of 2452	1752	a940b58e37375f95526a77b4d17b8322990d4b2b03aff06f0c63de55441e6afd.exe	zap0311.exe
PID 2452 wrote to memory of 4884	2452	zap0311.exe	zap8615.exe
PID 2452 wrote to memory of 4884	2452	zap0311.exe	zap8615.exe
PID 2452 wrote to memory of 4884	2452	zap0311.exe	zap8615.exe
PID 4884 wrote to memory of 4520	4884	zap8615.exe	zap8939.exe
PID 4884 wrote to memory of 4520	4884	zap8615.exe	zap8939.exe
PID 4884 wrote to memory of 4520	4884	zap8615.exe	zap8939.exe
PID 4520 wrote to memory of 3612	4520	zap8939.exe	tz8798.exe
PID 4520 wrote to memory of 3612	4520	zap8939.exe	tz8798.exe
PID 4520 wrote to memory of 1296	4520	zap8939.exe	v2764JX.exe
PID 4520 wrote to memory of 1296	4520	zap8939.exe	v2764JX.exe
PID 4520 wrote to memory of 1296	4520	zap8939.exe	v2764JX.exe
PID 4884 wrote to memory of 4168	4884	zap8615.exe	w00ko24.exe
PID 4884 wrote to memory of 4168	4884	zap8615.exe	w00ko24.exe
PID 4884 wrote to memory of 4168	4884	zap8615.exe	w00ko24.exe
PID 2452 wrote to memory of 952	2452	zap0311.exe	xnVls04.exe
PID 2452 wrote to memory of 952	2452	zap0311.exe	xnVls04.exe
PID 2452 wrote to memory of 952	2452	zap0311.exe	xnVls04.exe
PID 1752 wrote to memory of 4972	1752	a940b58e37375f95526a77b4d17b8322990d4b2b03aff06f0c63de55441e6afd.exe	y07yq19.exe
PID 1752 wrote to memory of 4972	1752	a940b58e37375f95526a77b4d17b8322990d4b2b03aff06f0c63de55441e6afd.exe	y07yq19.exe
PID 1752 wrote to memory of 4972	1752	a940b58e37375f95526a77b4d17b8322990d4b2b03aff06f0c63de55441e6afd.exe	y07yq19.exe
PID 4972 wrote to memory of 4908	4972	y07yq19.exe	oneetx.exe
PID 4972 wrote to memory of 4908	4972	y07yq19.exe	oneetx.exe
PID 4972 wrote to memory of 4908	4972	y07yq19.exe	oneetx.exe
PID 4908 wrote to memory of 2228	4908	oneetx.exe	schtasks.exe
PID 4908 wrote to memory of 2228	4908	oneetx.exe	schtasks.exe
PID 4908 wrote to memory of 2228	4908	oneetx.exe	schtasks.exe
PID 4908 wrote to memory of 2480	4908	oneetx.exe	cmd.exe
PID 4908 wrote to memory of 2480	4908	oneetx.exe	cmd.exe
PID 4908 wrote to memory of 2480	4908	oneetx.exe	cmd.exe
PID 2480 wrote to memory of 392	2480	cmd.exe	cmd.exe
PID 2480 wrote to memory of 392	2480	cmd.exe	cmd.exe
PID 2480 wrote to memory of 392	2480	cmd.exe	cmd.exe
PID 2480 wrote to memory of 1352	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 1352	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 1352	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 2564	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 2564	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 2564	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 3588	2480	cmd.exe	cmd.exe
PID 2480 wrote to memory of 3588	2480	cmd.exe	cmd.exe
PID 2480 wrote to memory of 3588	2480	cmd.exe	cmd.exe
PID 2480 wrote to memory of 384	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 384	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 384	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 4840	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 4840	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 4840	2480	cmd.exe	cacls.exe
PID 4908 wrote to memory of 4132	4908	oneetx.exe	Crypted.exe
PID 4908 wrote to memory of 4132	4908	oneetx.exe	Crypted.exe
PID 4908 wrote to memory of 4132	4908	oneetx.exe	Crypted.exe
PID 4908 wrote to memory of 3436	4908	oneetx.exe	rundll32.exe
PID 4908 wrote to memory of 3436	4908	oneetx.exe	rundll32.exe
PID 4908 wrote to memory of 3436	4908	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a940b58e37375f95526a77b4d17b8322990d4b2b03aff06f0c63de55441e6afd.exe
"C:\Users\Admin\AppData\Local\Temp\a940b58e37375f95526a77b4d17b8322990d4b2b03aff06f0c63de55441e6afd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0311.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0311.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8615.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8615.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4884

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8939.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8939.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4520

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8798.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8798.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2764JX.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2764JX.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 1084
6⤵
- Program crash
PID:3692

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w00ko24.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w00ko24.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1348
5⤵
- Program crash
PID:4252

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xnVls04.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xnVls04.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y07yq19.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y07yq19.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:2228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:392

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:1352

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3588

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:384

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\1000028001\Crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000028001\Crypted.exe"
4⤵
- Executes dropped EXE
PID:4132

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1296 -ip 1296
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4168 -ip 4168
1⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000028001\Crypted.exe
Filesize
323KB

MD5
4b357990f0543c5d97897dec4419b2ea

SHA1
9a5e81ddceb7d98ecf36712a03834d9acd9ef48e

SHA256
78250e56eb74256bbff94794bb9e325fa053b3f2e37077fe4675c8c0ec8c59ba

SHA512
aa0f883fdb5c8a9c2b1ecdbb30f316d51b7fe95ac771e62b5089d040513ceb6887af2a2c2b4b5edd7d755b9287c30d4b78f02f47c7058e8eff49a2e57aadaaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000028001\Crypted.exe
Filesize
323KB

MD5
4b357990f0543c5d97897dec4419b2ea

SHA1
9a5e81ddceb7d98ecf36712a03834d9acd9ef48e

SHA256
78250e56eb74256bbff94794bb9e325fa053b3f2e37077fe4675c8c0ec8c59ba

SHA512
aa0f883fdb5c8a9c2b1ecdbb30f316d51b7fe95ac771e62b5089d040513ceb6887af2a2c2b4b5edd7d755b9287c30d4b78f02f47c7058e8eff49a2e57aadaaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000028001\Crypted.exe
Filesize
323KB

MD5
4b357990f0543c5d97897dec4419b2ea

SHA1
9a5e81ddceb7d98ecf36712a03834d9acd9ef48e

SHA256
78250e56eb74256bbff94794bb9e325fa053b3f2e37077fe4675c8c0ec8c59ba

SHA512
aa0f883fdb5c8a9c2b1ecdbb30f316d51b7fe95ac771e62b5089d040513ceb6887af2a2c2b4b5edd7d755b9287c30d4b78f02f47c7058e8eff49a2e57aadaaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y07yq19.exe
Filesize
236KB

MD5
384e1b27debe2afcd3506b496112abdb

SHA1
cf5e6faddf5c2921b8fd871635c602271bc842f3

SHA256
d4f3099e230683c0e1f553bb39a83c9157350d3ccd8d087ec2223b50656ddd4c

SHA512
9250f46be458b536a92ebfb8a2e7aa8dd4eb4a08b51114e4763b3c0bf1635cbace0c9d972a1121cbb2f83df6e90b512ea695ba1bee31c07044d33d4ac81fef16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y07yq19.exe
Filesize
236KB

MD5
384e1b27debe2afcd3506b496112abdb

SHA1
cf5e6faddf5c2921b8fd871635c602271bc842f3

SHA256
d4f3099e230683c0e1f553bb39a83c9157350d3ccd8d087ec2223b50656ddd4c

SHA512
9250f46be458b536a92ebfb8a2e7aa8dd4eb4a08b51114e4763b3c0bf1635cbace0c9d972a1121cbb2f83df6e90b512ea695ba1bee31c07044d33d4ac81fef16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0311.exe
Filesize
816KB

MD5
f5215f03e378e81b320b7b5b9b0a802b

SHA1
a6ce0a3c6521611482cac99f4cee22301cfeebd3

SHA256
4315de030d670aff7c92475455db6077d1639cc110984e00411d468998dc4fe4

SHA512
b08d2f1c15f9c50c00f848ab480480394c836467aef222d4ffc5b8d187f6173a83db84dee753f4d822626b5ccf3f64afe06091beaa12b99f1ce901cb235e45a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0311.exe
Filesize
816KB

MD5
f5215f03e378e81b320b7b5b9b0a802b

SHA1
a6ce0a3c6521611482cac99f4cee22301cfeebd3

SHA256
4315de030d670aff7c92475455db6077d1639cc110984e00411d468998dc4fe4

SHA512
b08d2f1c15f9c50c00f848ab480480394c836467aef222d4ffc5b8d187f6173a83db84dee753f4d822626b5ccf3f64afe06091beaa12b99f1ce901cb235e45a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xnVls04.exe
Filesize
175KB

MD5
2134e3dc8a40ea6a517aff569be2d2fe

SHA1
d89ccf389fc5b50a24eab45bcc207d1b39a48560

SHA256
d23ec18d3d577e786e4bc053127cb3ba88ab6a4f0897ae634883ca3089c3d6c1

SHA512
543f49c2b1d7a52a31cd617459ce5fca04e0d342fcd06fa75c0ff0a56d9c5f59f3b289215a83e22b68722ff0b0a5a9da556bb7688b755833a6fb631ca0c2065a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xnVls04.exe
Filesize
175KB

MD5
2134e3dc8a40ea6a517aff569be2d2fe

SHA1
d89ccf389fc5b50a24eab45bcc207d1b39a48560

SHA256
d23ec18d3d577e786e4bc053127cb3ba88ab6a4f0897ae634883ca3089c3d6c1

SHA512
543f49c2b1d7a52a31cd617459ce5fca04e0d342fcd06fa75c0ff0a56d9c5f59f3b289215a83e22b68722ff0b0a5a9da556bb7688b755833a6fb631ca0c2065a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8615.exe
Filesize
674KB

MD5
76db780f2a0f7e33e67b1a0d314a6640

SHA1
c612218915392649afd31e154b323c5776a10d09

SHA256
36af6870770bfa87a30c51397094dccf103e50719f6ac61a7d134b728651711d

SHA512
9d97c54e21569f2ab7040caffe13d882ae8b80ced5a66952ece2e1e87d2123a7403d1ede40bb3e6a948ce44f83a0faefa673647493fc5f55cac766c28d4156e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8615.exe
Filesize
674KB

MD5
76db780f2a0f7e33e67b1a0d314a6640

SHA1
c612218915392649afd31e154b323c5776a10d09

SHA256
36af6870770bfa87a30c51397094dccf103e50719f6ac61a7d134b728651711d

SHA512
9d97c54e21569f2ab7040caffe13d882ae8b80ced5a66952ece2e1e87d2123a7403d1ede40bb3e6a948ce44f83a0faefa673647493fc5f55cac766c28d4156e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w00ko24.exe
Filesize
318KB

MD5
6fbd0e8140fe28b40af362ee322e67af

SHA1
896f720306984f3ad493a09ec116bee0e543f8a1

SHA256
8edf848167068375fa8f7e54afa4948aae8e261093ffba5d935379cd533ad3ff

SHA512
5e6199612dcd79380cbad2edbbd1c0f27ce780e3f335ab6fe781b0f39636fdf75e6f932564000348019977976917b97177888ab0b65e11794ebb7aac4c7d70b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w00ko24.exe
Filesize
318KB

MD5
6fbd0e8140fe28b40af362ee322e67af

SHA1
896f720306984f3ad493a09ec116bee0e543f8a1

SHA256
8edf848167068375fa8f7e54afa4948aae8e261093ffba5d935379cd533ad3ff

SHA512
5e6199612dcd79380cbad2edbbd1c0f27ce780e3f335ab6fe781b0f39636fdf75e6f932564000348019977976917b97177888ab0b65e11794ebb7aac4c7d70b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8939.exe
Filesize
333KB

MD5
7fc222e03c4a285cdc5d78ac27b1050b

SHA1
6d283f25bd2f662b7dde714648295f56c3c78eed

SHA256
62763c79d9132209bbc48a6fb904b877fc70f0560ce47a2d0d36ada55501d5c9

SHA512
025207c4de5abb5d4cb7351c16d7ebb2a591d70501d0279333824ec137081ba3e528e4137e589082e92fd5dc2d979fc96e288d2dc9fefb9dbb523c6b98ceeae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8939.exe
Filesize
333KB

MD5
7fc222e03c4a285cdc5d78ac27b1050b

SHA1
6d283f25bd2f662b7dde714648295f56c3c78eed

SHA256
62763c79d9132209bbc48a6fb904b877fc70f0560ce47a2d0d36ada55501d5c9

SHA512
025207c4de5abb5d4cb7351c16d7ebb2a591d70501d0279333824ec137081ba3e528e4137e589082e92fd5dc2d979fc96e288d2dc9fefb9dbb523c6b98ceeae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8798.exe
Filesize
11KB

MD5
f3e8146d85121910da2fd1a88e617784

SHA1
7140831370a0f2038c5f6bd9af5babc0dd9e6c8a

SHA256
884e3fb676fe3119ea691aec8ed0d39a66debe26c89c2ac810b5d31e2602353c

SHA512
f9210d03beb58c41ae0b5575552c79410150e3981ea33754ded6d00cc757359df7b666646ed39fa8b037545cf215f04f722de534e904dd940f41cb1cabf68c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8798.exe
Filesize
11KB

MD5
f3e8146d85121910da2fd1a88e617784

SHA1
7140831370a0f2038c5f6bd9af5babc0dd9e6c8a

SHA256
884e3fb676fe3119ea691aec8ed0d39a66debe26c89c2ac810b5d31e2602353c

SHA512
f9210d03beb58c41ae0b5575552c79410150e3981ea33754ded6d00cc757359df7b666646ed39fa8b037545cf215f04f722de534e904dd940f41cb1cabf68c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2764JX.exe
Filesize
259KB

MD5
28812983945119670f0631ab6e41c5a2

SHA1
a11b84ba61e1ea5e52f73077208b31a352149a1e

SHA256
f28e3274c0a7592d9f95191ff3d6fa6650c2719bb5c891953d8bd711c22fcf39

SHA512
c3f289e4ad8d1660007ba40324d53e8ee573de772502c4bb88aab7a723c89135337e931ddfd72ccd3505da45f2dabb4219d2ff6608914df226a8ee368f32d2f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2764JX.exe
Filesize
259KB

MD5
28812983945119670f0631ab6e41c5a2

SHA1
a11b84ba61e1ea5e52f73077208b31a352149a1e

SHA256
f28e3274c0a7592d9f95191ff3d6fa6650c2719bb5c891953d8bd711c22fcf39

SHA512
c3f289e4ad8d1660007ba40324d53e8ee573de772502c4bb88aab7a723c89135337e931ddfd72ccd3505da45f2dabb4219d2ff6608914df226a8ee368f32d2f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
384e1b27debe2afcd3506b496112abdb

SHA1
cf5e6faddf5c2921b8fd871635c602271bc842f3

SHA256
d4f3099e230683c0e1f553bb39a83c9157350d3ccd8d087ec2223b50656ddd4c

SHA512
9250f46be458b536a92ebfb8a2e7aa8dd4eb4a08b51114e4763b3c0bf1635cbace0c9d972a1121cbb2f83df6e90b512ea695ba1bee31c07044d33d4ac81fef16

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
384e1b27debe2afcd3506b496112abdb

SHA1
cf5e6faddf5c2921b8fd871635c602271bc842f3

SHA256
d4f3099e230683c0e1f553bb39a83c9157350d3ccd8d087ec2223b50656ddd4c

SHA512
9250f46be458b536a92ebfb8a2e7aa8dd4eb4a08b51114e4763b3c0bf1635cbace0c9d972a1121cbb2f83df6e90b512ea695ba1bee31c07044d33d4ac81fef16

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
384e1b27debe2afcd3506b496112abdb

SHA1
cf5e6faddf5c2921b8fd871635c602271bc842f3

SHA256
d4f3099e230683c0e1f553bb39a83c9157350d3ccd8d087ec2223b50656ddd4c

SHA512
9250f46be458b536a92ebfb8a2e7aa8dd4eb4a08b51114e4763b3c0bf1635cbace0c9d972a1121cbb2f83df6e90b512ea695ba1bee31c07044d33d4ac81fef16

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
384e1b27debe2afcd3506b496112abdb

SHA1
cf5e6faddf5c2921b8fd871635c602271bc842f3

SHA256
d4f3099e230683c0e1f553bb39a83c9157350d3ccd8d087ec2223b50656ddd4c

SHA512
9250f46be458b536a92ebfb8a2e7aa8dd4eb4a08b51114e4763b3c0bf1635cbace0c9d972a1121cbb2f83df6e90b512ea695ba1bee31c07044d33d4ac81fef16

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/952-1142-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/952-1141-0x0000000000CA0000-0x0000000000CD2000-memory.dmp

Filesize
200KB

Download
memory/1296-167-0x00000000020F0000-0x000000000211D000-memory.dmp

Filesize
180KB

Download
memory/1296-189-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/1296-195-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/1296-197-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/1296-199-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/1296-200-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1296-201-0x00000000020F0000-0x000000000211D000-memory.dmp

Filesize
180KB

Download
memory/1296-202-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1296-203-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1296-204-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1296-206-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1296-168-0x0000000004B20000-0x00000000050C4000-memory.dmp

Filesize
5.6MB

Download
memory/1296-191-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/1296-193-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/1296-187-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/1296-185-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/1296-183-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/1296-181-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/1296-179-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/1296-177-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/1296-175-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/1296-173-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/1296-172-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/1296-171-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1296-170-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1296-169-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/3612-161-0x0000000000240000-0x000000000024A000-memory.dmp

Filesize
40KB

Download
memory/4168-219-0x0000000002390000-0x00000000023CF000-memory.dmp

Filesize
252KB

Download
memory/4168-241-0x0000000002390000-0x00000000023CF000-memory.dmp

Filesize
252KB

Download
memory/4168-243-0x0000000002390000-0x00000000023CF000-memory.dmp

Filesize
252KB

Download
memory/4168-245-0x0000000002390000-0x00000000023CF000-memory.dmp

Filesize
252KB

Download
memory/4168-589-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/4168-590-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/4168-1120-0x00000000052E0000-0x00000000058F8000-memory.dmp

Filesize
6.1MB

Download
memory/4168-1121-0x0000000005900000-0x0000000005A0A000-memory.dmp

Filesize
1.0MB

Download
memory/4168-1122-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/4168-1123-0x0000000005A10000-0x0000000005A4C000-memory.dmp

Filesize
240KB

Download
memory/4168-1124-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/4168-1125-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/4168-1126-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/4168-1128-0x00000000064A0000-0x0000000006516000-memory.dmp

Filesize
472KB

Download
memory/4168-1129-0x0000000006520000-0x0000000006570000-memory.dmp

Filesize
320KB

Download
memory/4168-1130-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/4168-1131-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/4168-1132-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/4168-1133-0x00000000067E0000-0x00000000069A2000-memory.dmp

Filesize
1.8MB

Download
memory/4168-239-0x0000000002390000-0x00000000023CF000-memory.dmp

Filesize
252KB

Download
memory/4168-237-0x0000000002390000-0x00000000023CF000-memory.dmp

Filesize
252KB

Download
memory/4168-235-0x0000000002390000-0x00000000023CF000-memory.dmp

Filesize
252KB

Download
memory/4168-233-0x0000000002390000-0x00000000023CF000-memory.dmp

Filesize
252KB

Download
memory/4168-231-0x0000000002390000-0x00000000023CF000-memory.dmp

Filesize
252KB

Download
memory/4168-229-0x0000000002390000-0x00000000023CF000-memory.dmp

Filesize
252KB

Download
memory/4168-227-0x0000000002390000-0x00000000023CF000-memory.dmp

Filesize
252KB

Download
memory/4168-225-0x0000000002390000-0x00000000023CF000-memory.dmp

Filesize
252KB

Download
memory/4168-223-0x0000000002390000-0x00000000023CF000-memory.dmp

Filesize
252KB

Download
memory/4168-221-0x0000000002390000-0x00000000023CF000-memory.dmp

Filesize
252KB

Download
memory/4168-217-0x0000000002390000-0x00000000023CF000-memory.dmp

Filesize
252KB

Download
memory/4168-215-0x0000000002390000-0x00000000023CF000-memory.dmp

Filesize
252KB

Download
memory/4168-213-0x0000000002390000-0x00000000023CF000-memory.dmp

Filesize
252KB

Download
memory/4168-212-0x0000000002390000-0x00000000023CF000-memory.dmp

Filesize
252KB

Download
memory/4168-211-0x0000000002050000-0x000000000209B000-memory.dmp

Filesize
300KB

Download
memory/4168-1134-0x00000000069C0000-0x0000000006EEC000-memory.dmp

Filesize
5.2MB

Download
memory/4168-1135-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download