amadey | 1fadd95007d7f5b3e1c86ca8459ebe232dcc7b1b84e0f38edbcb995313ee8d52

Analysis

max time kernel
121s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fadd95007d7f5b3e1c86ca8459ebe232dcc7b1b84e0f38edbcb995313ee8d52.exe
Size

1001KB
MD5

dcf307fbed9cd6403db0b476a1d441b1
SHA1

f167cd7b411de3cf64cd0db21093a2e9703ff42b
SHA256

1fadd95007d7f5b3e1c86ca8459ebe232dcc7b1b84e0f38edbcb995313ee8d52
SHA512

385c7089378aead18cadeb19b9752f66dc85e3c8bf3bc2b91e756a2eb6fb46edf15b7a28dc335c76d2c59acd92fcc5ae59eb4c5e9c522232512669ac7acd97cf
SSDEEP

24576:Oy2UKe/zJK9P0WLso8j+H3LfYD7rfwspl/2tN:d2B6IP7YoGqf87rf/n

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v3552rd.exetz5272.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v3552rd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz5272.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz5272.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz5272.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v3552rd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v3552rd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v3552rd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz5272.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz5272.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz5272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v3552rd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v3552rd.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3464-212-0x0000000002740000-0x000000000277F000-memory.dmp	family_redline
behavioral1/memory/3464-213-0x0000000002740000-0x000000000277F000-memory.dmp	family_redline
behavioral1/memory/3464-215-0x0000000002740000-0x000000000277F000-memory.dmp	family_redline
behavioral1/memory/3464-217-0x0000000002740000-0x000000000277F000-memory.dmp	family_redline
behavioral1/memory/3464-219-0x0000000002740000-0x000000000277F000-memory.dmp	family_redline
behavioral1/memory/3464-221-0x0000000002740000-0x000000000277F000-memory.dmp	family_redline
behavioral1/memory/3464-223-0x0000000002740000-0x000000000277F000-memory.dmp	family_redline
behavioral1/memory/3464-225-0x0000000002740000-0x000000000277F000-memory.dmp	family_redline
behavioral1/memory/3464-227-0x0000000002740000-0x000000000277F000-memory.dmp	family_redline
behavioral1/memory/3464-229-0x0000000002740000-0x000000000277F000-memory.dmp	family_redline
behavioral1/memory/3464-231-0x0000000002740000-0x000000000277F000-memory.dmp	family_redline
behavioral1/memory/3464-233-0x0000000002740000-0x000000000277F000-memory.dmp	family_redline
behavioral1/memory/3464-235-0x0000000002740000-0x000000000277F000-memory.dmp	family_redline
behavioral1/memory/3464-237-0x0000000002740000-0x000000000277F000-memory.dmp	family_redline
behavioral1/memory/3464-239-0x0000000002740000-0x000000000277F000-memory.dmp	family_redline
behavioral1/memory/3464-241-0x0000000002740000-0x000000000277F000-memory.dmp	family_redline
behavioral1/memory/3464-243-0x0000000002740000-0x000000000277F000-memory.dmp	family_redline
behavioral1/memory/3464-245-0x0000000002740000-0x000000000277F000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y01RT80.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	y01RT80.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 11 IoCs

Processes:

zap1195.exezap9670.exezap7578.exetz5272.exev3552rd.exew91gT39.exexuofY88.exey01RT80.exeoneetx.exeCrypted.exeoneetx.exe

pid	process
4624	zap1195.exe
4164	zap9670.exe
1724	zap7578.exe
452	tz5272.exe
4012	v3552rd.exe
3464	w91gT39.exe
4132	xuofY88.exe
1960	y01RT80.exe
1060	oneetx.exe
1924	Crypted.exe
4528	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3980 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3980	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz5272.exev3552rd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz5272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v3552rd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v3552rd.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1fadd95007d7f5b3e1c86ca8459ebe232dcc7b1b84e0f38edbcb995313ee8d52.exezap1195.exezap9670.exezap7578.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1fadd95007d7f5b3e1c86ca8459ebe232dcc7b1b84e0f38edbcb995313ee8d52.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1195.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap1195.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9670.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap9670.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap7578.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1fadd95007d7f5b3e1c86ca8459ebe232dcc7b1b84e0f38edbcb995313ee8d52.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1472 4012 WerFault.exe v3552rd.exe
836 3464 WerFault.exe w91gT39.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2980 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz5272.exev3552rd.exew91gT39.exexuofY88.exe

pid process

452 tz5272.exe
452 tz5272.exe
4012 v3552rd.exe
4012 v3552rd.exe
3464 w91gT39.exe
3464 w91gT39.exe
4132 xuofY88.exe
4132 xuofY88.exe

pid	pid_target	process	target process
1472	4012	WerFault.exe	v3552rd.exe
836	3464	WerFault.exe	w91gT39.exe

pid	process
2980	schtasks.exe

pid	process
452	tz5272.exe
452	tz5272.exe
4012	v3552rd.exe
4012	v3552rd.exe
3464	w91gT39.exe
3464	w91gT39.exe
4132	xuofY88.exe
4132	xuofY88.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz5272.exev3552rd.exew91gT39.exexuofY88.exe

description	pid	process
Token: SeDebugPrivilege	452	tz5272.exe
Token: SeDebugPrivilege	4012	v3552rd.exe
Token: SeDebugPrivilege	3464	w91gT39.exe
Token: SeDebugPrivilege	4132	xuofY88.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y01RT80.exe

pid process

1960 y01RT80.exe

pid	process
1960	y01RT80.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

1fadd95007d7f5b3e1c86ca8459ebe232dcc7b1b84e0f38edbcb995313ee8d52.exezap1195.exezap9670.exezap7578.exey01RT80.exeoneetx.execmd.exe

description	pid	process	target process
PID 4484 wrote to memory of 4624	4484	1fadd95007d7f5b3e1c86ca8459ebe232dcc7b1b84e0f38edbcb995313ee8d52.exe	zap1195.exe
PID 4484 wrote to memory of 4624	4484	1fadd95007d7f5b3e1c86ca8459ebe232dcc7b1b84e0f38edbcb995313ee8d52.exe	zap1195.exe
PID 4484 wrote to memory of 4624	4484	1fadd95007d7f5b3e1c86ca8459ebe232dcc7b1b84e0f38edbcb995313ee8d52.exe	zap1195.exe
PID 4624 wrote to memory of 4164	4624	zap1195.exe	zap9670.exe
PID 4624 wrote to memory of 4164	4624	zap1195.exe	zap9670.exe
PID 4624 wrote to memory of 4164	4624	zap1195.exe	zap9670.exe
PID 4164 wrote to memory of 1724	4164	zap9670.exe	zap7578.exe
PID 4164 wrote to memory of 1724	4164	zap9670.exe	zap7578.exe
PID 4164 wrote to memory of 1724	4164	zap9670.exe	zap7578.exe
PID 1724 wrote to memory of 452	1724	zap7578.exe	tz5272.exe
PID 1724 wrote to memory of 452	1724	zap7578.exe	tz5272.exe
PID 1724 wrote to memory of 4012	1724	zap7578.exe	v3552rd.exe
PID 1724 wrote to memory of 4012	1724	zap7578.exe	v3552rd.exe
PID 1724 wrote to memory of 4012	1724	zap7578.exe	v3552rd.exe
PID 4164 wrote to memory of 3464	4164	zap9670.exe	w91gT39.exe
PID 4164 wrote to memory of 3464	4164	zap9670.exe	w91gT39.exe
PID 4164 wrote to memory of 3464	4164	zap9670.exe	w91gT39.exe
PID 4624 wrote to memory of 4132	4624	zap1195.exe	xuofY88.exe
PID 4624 wrote to memory of 4132	4624	zap1195.exe	xuofY88.exe
PID 4624 wrote to memory of 4132	4624	zap1195.exe	xuofY88.exe
PID 4484 wrote to memory of 1960	4484	1fadd95007d7f5b3e1c86ca8459ebe232dcc7b1b84e0f38edbcb995313ee8d52.exe	y01RT80.exe
PID 4484 wrote to memory of 1960	4484	1fadd95007d7f5b3e1c86ca8459ebe232dcc7b1b84e0f38edbcb995313ee8d52.exe	y01RT80.exe
PID 4484 wrote to memory of 1960	4484	1fadd95007d7f5b3e1c86ca8459ebe232dcc7b1b84e0f38edbcb995313ee8d52.exe	y01RT80.exe
PID 1960 wrote to memory of 1060	1960	y01RT80.exe	oneetx.exe
PID 1960 wrote to memory of 1060	1960	y01RT80.exe	oneetx.exe
PID 1960 wrote to memory of 1060	1960	y01RT80.exe	oneetx.exe
PID 1060 wrote to memory of 2980	1060	oneetx.exe	schtasks.exe
PID 1060 wrote to memory of 2980	1060	oneetx.exe	schtasks.exe
PID 1060 wrote to memory of 2980	1060	oneetx.exe	schtasks.exe
PID 1060 wrote to memory of 2044	1060	oneetx.exe	cmd.exe
PID 1060 wrote to memory of 2044	1060	oneetx.exe	cmd.exe
PID 1060 wrote to memory of 2044	1060	oneetx.exe	cmd.exe
PID 2044 wrote to memory of 4080	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 4080	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 4080	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 3548	2044	cmd.exe	cacls.exe
PID 2044 wrote to memory of 3548	2044	cmd.exe	cacls.exe
PID 2044 wrote to memory of 3548	2044	cmd.exe	cacls.exe
PID 2044 wrote to memory of 4388	2044	cmd.exe	cacls.exe
PID 2044 wrote to memory of 4388	2044	cmd.exe	cacls.exe
PID 2044 wrote to memory of 4388	2044	cmd.exe	cacls.exe
PID 2044 wrote to memory of 4076	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 4076	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 4076	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 2440	2044	cmd.exe	cacls.exe
PID 2044 wrote to memory of 2440	2044	cmd.exe	cacls.exe
PID 2044 wrote to memory of 2440	2044	cmd.exe	cacls.exe
PID 2044 wrote to memory of 3688	2044	cmd.exe	cacls.exe
PID 2044 wrote to memory of 3688	2044	cmd.exe	cacls.exe
PID 2044 wrote to memory of 3688	2044	cmd.exe	cacls.exe
PID 1060 wrote to memory of 1924	1060	oneetx.exe	Crypted.exe
PID 1060 wrote to memory of 1924	1060	oneetx.exe	Crypted.exe
PID 1060 wrote to memory of 1924	1060	oneetx.exe	Crypted.exe
PID 1060 wrote to memory of 3980	1060	oneetx.exe	rundll32.exe
PID 1060 wrote to memory of 3980	1060	oneetx.exe	rundll32.exe
PID 1060 wrote to memory of 3980	1060	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\1fadd95007d7f5b3e1c86ca8459ebe232dcc7b1b84e0f38edbcb995313ee8d52.exe
"C:\Users\Admin\AppData\Local\Temp\1fadd95007d7f5b3e1c86ca8459ebe232dcc7b1b84e0f38edbcb995313ee8d52.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4484

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1195.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1195.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4624

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9670.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9670.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4164

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7578.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7578.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5272.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5272.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3552rd.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3552rd.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1028
6⤵
- Program crash
PID:1472

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w91gT39.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w91gT39.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1336
5⤵
- Program crash
PID:836

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xuofY88.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xuofY88.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y01RT80.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y01RT80.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:2980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4080

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:3548

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4076

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:2440

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\1000028001\Crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000028001\Crypted.exe"
4⤵
- Executes dropped EXE
PID:1924

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4012 -ip 4012
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3464 -ip 3464
1⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:4528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000028001\Crypted.exe
Filesize
323KB

MD5
4b357990f0543c5d97897dec4419b2ea

SHA1
9a5e81ddceb7d98ecf36712a03834d9acd9ef48e

SHA256
78250e56eb74256bbff94794bb9e325fa053b3f2e37077fe4675c8c0ec8c59ba

SHA512
aa0f883fdb5c8a9c2b1ecdbb30f316d51b7fe95ac771e62b5089d040513ceb6887af2a2c2b4b5edd7d755b9287c30d4b78f02f47c7058e8eff49a2e57aadaaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000028001\Crypted.exe
Filesize
323KB

MD5
4b357990f0543c5d97897dec4419b2ea

SHA1
9a5e81ddceb7d98ecf36712a03834d9acd9ef48e

SHA256
78250e56eb74256bbff94794bb9e325fa053b3f2e37077fe4675c8c0ec8c59ba

SHA512
aa0f883fdb5c8a9c2b1ecdbb30f316d51b7fe95ac771e62b5089d040513ceb6887af2a2c2b4b5edd7d755b9287c30d4b78f02f47c7058e8eff49a2e57aadaaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000028001\Crypted.exe
Filesize
323KB

MD5
4b357990f0543c5d97897dec4419b2ea

SHA1
9a5e81ddceb7d98ecf36712a03834d9acd9ef48e

SHA256
78250e56eb74256bbff94794bb9e325fa053b3f2e37077fe4675c8c0ec8c59ba

SHA512
aa0f883fdb5c8a9c2b1ecdbb30f316d51b7fe95ac771e62b5089d040513ceb6887af2a2c2b4b5edd7d755b9287c30d4b78f02f47c7058e8eff49a2e57aadaaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y01RT80.exe
Filesize
236KB

MD5
574c761de83f28c3036bf90b4e3268df

SHA1
4c4f2a5e7264e2867ad44b43e9dfd466199f397f

SHA256
00b2392daab11fdc8dcbf81803de981de98c35a440e85d7101820c3e963f3db7

SHA512
1498a9ca52c02e38ceec1786681028ae471814943fc5845162d9d068d1134f7671317a1c7f470d62a86251e13a33aa006c1f5e1579fddf317ef87a2d9bd40d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y01RT80.exe
Filesize
236KB

MD5
574c761de83f28c3036bf90b4e3268df

SHA1
4c4f2a5e7264e2867ad44b43e9dfd466199f397f

SHA256
00b2392daab11fdc8dcbf81803de981de98c35a440e85d7101820c3e963f3db7

SHA512
1498a9ca52c02e38ceec1786681028ae471814943fc5845162d9d068d1134f7671317a1c7f470d62a86251e13a33aa006c1f5e1579fddf317ef87a2d9bd40d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1195.exe
Filesize
817KB

MD5
de4407d8f76f468982b3a57881287952

SHA1
b8434974cb561fbd3773b526a79a1c572da52c92

SHA256
d2b71f0f8ec4113e6ca8b11d5675d67641c3a1b4e2aedd32ffe3577044610b0e

SHA512
33a6cc7eb0c22434a343affbc45b6779700e330af2733098a9371ddb1a811e1f437ed25e6d592b2dcb0bc04352fc5d3150893845007c77a12c18b338de141026

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1195.exe
Filesize
817KB

MD5
de4407d8f76f468982b3a57881287952

SHA1
b8434974cb561fbd3773b526a79a1c572da52c92

SHA256
d2b71f0f8ec4113e6ca8b11d5675d67641c3a1b4e2aedd32ffe3577044610b0e

SHA512
33a6cc7eb0c22434a343affbc45b6779700e330af2733098a9371ddb1a811e1f437ed25e6d592b2dcb0bc04352fc5d3150893845007c77a12c18b338de141026

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xuofY88.exe
Filesize
175KB

MD5
db9d757ffaf3cfec4934255a2998e2f6

SHA1
6a2ceb8a0e4d7340a991a516e4759cd94da0a327

SHA256
bfe1fee03fcb59100099baba920ca4ddd0a2223255131dcea40b05f3a2edce42

SHA512
01f13dc14ef6035c97835af3363bae9819518289d14ed27fa7fccb480f89c4cee01b4899285dd69cda301f7c2bbb289fbaf17c4624b3a853a7e9a49c1becbc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xuofY88.exe
Filesize
175KB

MD5
db9d757ffaf3cfec4934255a2998e2f6

SHA1
6a2ceb8a0e4d7340a991a516e4759cd94da0a327

SHA256
bfe1fee03fcb59100099baba920ca4ddd0a2223255131dcea40b05f3a2edce42

SHA512
01f13dc14ef6035c97835af3363bae9819518289d14ed27fa7fccb480f89c4cee01b4899285dd69cda301f7c2bbb289fbaf17c4624b3a853a7e9a49c1becbc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9670.exe
Filesize
675KB

MD5
2760fa4e431d94f2120f6198b034a440

SHA1
00d5376969f29177d097079d10b80699b55204a3

SHA256
30311aa688640e058224fa3aaa1372b83c8d26007f609b90c9b81e411dae3fe5

SHA512
f48f579703f385180f2f2df66c4f2b882fda03ee6c36e66c7d5fbbdd0add6a4f5c837471f83ad94c61b458151a91998556445e6df101e67a63c70c9516825a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9670.exe
Filesize
675KB

MD5
2760fa4e431d94f2120f6198b034a440

SHA1
00d5376969f29177d097079d10b80699b55204a3

SHA256
30311aa688640e058224fa3aaa1372b83c8d26007f609b90c9b81e411dae3fe5

SHA512
f48f579703f385180f2f2df66c4f2b882fda03ee6c36e66c7d5fbbdd0add6a4f5c837471f83ad94c61b458151a91998556445e6df101e67a63c70c9516825a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w91gT39.exe
Filesize
318KB

MD5
5999f6abdb426b6e73f0696a8b2343a8

SHA1
930d8e087c056005aa120f383fc7a34a200490c8

SHA256
5540818f33d3dcad395a40cf8e4f76a24ffe01f35098a1a6fb1c78bbf3d124ab

SHA512
984fcbdb9b518c634f5a451455166149059c9142ebd68c2c82eb0f6b1bb669915679f853a01fec5a3c34d0441b90ac6f951fd0ebbdd409978e55e094b6134479

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w91gT39.exe
Filesize
318KB

MD5
5999f6abdb426b6e73f0696a8b2343a8

SHA1
930d8e087c056005aa120f383fc7a34a200490c8

SHA256
5540818f33d3dcad395a40cf8e4f76a24ffe01f35098a1a6fb1c78bbf3d124ab

SHA512
984fcbdb9b518c634f5a451455166149059c9142ebd68c2c82eb0f6b1bb669915679f853a01fec5a3c34d0441b90ac6f951fd0ebbdd409978e55e094b6134479

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7578.exe
Filesize
334KB

MD5
3426abccd9bb9af8d07cfb56659a5409

SHA1
1a5c38875556d7fc12a6123aa12f4f8ece3bd6be

SHA256
29f57c4f57a8275697fc8258df71b41ee7b5170aaa945517b549415f0f6afbbf

SHA512
b7a6ce4d49d2eb56ce45a21f6f42e0dac5ab456a7eef46b997b7b33b618809a3762355ec82550cccfa80ae80478ed197ed7f5ac5b7f509582f2b33859979aebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7578.exe
Filesize
334KB

MD5
3426abccd9bb9af8d07cfb56659a5409

SHA1
1a5c38875556d7fc12a6123aa12f4f8ece3bd6be

SHA256
29f57c4f57a8275697fc8258df71b41ee7b5170aaa945517b549415f0f6afbbf

SHA512
b7a6ce4d49d2eb56ce45a21f6f42e0dac5ab456a7eef46b997b7b33b618809a3762355ec82550cccfa80ae80478ed197ed7f5ac5b7f509582f2b33859979aebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5272.exe
Filesize
11KB

MD5
7e55f8743ecae8db17206b194a5f6046

SHA1
4c09aa829b2831c3720f399bcf7bb48bbc6b8c4f

SHA256
c0f6efa313868cde8ef3c08909c4c35f56c19f0bef2e75672e76d25c02b33c8f

SHA512
899101046ea723bd820d86f56d854278c7dbe1c20007c53d068a306ff90607ef54417a6775f20573184936be69628db4776da78f1c7d3cc2b7f1a7cb1cf06e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5272.exe
Filesize
11KB

MD5
7e55f8743ecae8db17206b194a5f6046

SHA1
4c09aa829b2831c3720f399bcf7bb48bbc6b8c4f

SHA256
c0f6efa313868cde8ef3c08909c4c35f56c19f0bef2e75672e76d25c02b33c8f

SHA512
899101046ea723bd820d86f56d854278c7dbe1c20007c53d068a306ff90607ef54417a6775f20573184936be69628db4776da78f1c7d3cc2b7f1a7cb1cf06e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3552rd.exe
Filesize
259KB

MD5
086c38eac5e0fc009483d9706ac17e5c

SHA1
0097e1ba9b99c1dbc090ecf93549ac71bfb8c233

SHA256
99371c4b72dd391314404a3e4e39be150ac2392d5c40d855c3b068a7bf2a65ab

SHA512
ae6d436f7f261e5cbdabea16d1dd18a74b83d4fc31da91397a1161cfced1069a0dbe6f6dcf2521eaf56f091a71e06dd55161b4ed694ff7fe9c59c0b1e7ddb371

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3552rd.exe
Filesize
259KB

MD5
086c38eac5e0fc009483d9706ac17e5c

SHA1
0097e1ba9b99c1dbc090ecf93549ac71bfb8c233

SHA256
99371c4b72dd391314404a3e4e39be150ac2392d5c40d855c3b068a7bf2a65ab

SHA512
ae6d436f7f261e5cbdabea16d1dd18a74b83d4fc31da91397a1161cfced1069a0dbe6f6dcf2521eaf56f091a71e06dd55161b4ed694ff7fe9c59c0b1e7ddb371

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
574c761de83f28c3036bf90b4e3268df

SHA1
4c4f2a5e7264e2867ad44b43e9dfd466199f397f

SHA256
00b2392daab11fdc8dcbf81803de981de98c35a440e85d7101820c3e963f3db7

SHA512
1498a9ca52c02e38ceec1786681028ae471814943fc5845162d9d068d1134f7671317a1c7f470d62a86251e13a33aa006c1f5e1579fddf317ef87a2d9bd40d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
574c761de83f28c3036bf90b4e3268df

SHA1
4c4f2a5e7264e2867ad44b43e9dfd466199f397f

SHA256
00b2392daab11fdc8dcbf81803de981de98c35a440e85d7101820c3e963f3db7

SHA512
1498a9ca52c02e38ceec1786681028ae471814943fc5845162d9d068d1134f7671317a1c7f470d62a86251e13a33aa006c1f5e1579fddf317ef87a2d9bd40d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
574c761de83f28c3036bf90b4e3268df

SHA1
4c4f2a5e7264e2867ad44b43e9dfd466199f397f

SHA256
00b2392daab11fdc8dcbf81803de981de98c35a440e85d7101820c3e963f3db7

SHA512
1498a9ca52c02e38ceec1786681028ae471814943fc5845162d9d068d1134f7671317a1c7f470d62a86251e13a33aa006c1f5e1579fddf317ef87a2d9bd40d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
574c761de83f28c3036bf90b4e3268df

SHA1
4c4f2a5e7264e2867ad44b43e9dfd466199f397f

SHA256
00b2392daab11fdc8dcbf81803de981de98c35a440e85d7101820c3e963f3db7

SHA512
1498a9ca52c02e38ceec1786681028ae471814943fc5845162d9d068d1134f7671317a1c7f470d62a86251e13a33aa006c1f5e1579fddf317ef87a2d9bd40d37

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/452-161-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/3464-1127-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/3464-1119-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/3464-1133-0x00000000069F0000-0x0000000006F1C000-memory.dmp

Filesize
5.2MB

Download
memory/3464-1132-0x0000000006820000-0x00000000069E2000-memory.dmp

Filesize
1.8MB

Download
memory/3464-1131-0x0000000006790000-0x00000000067E0000-memory.dmp

Filesize
320KB

Download
memory/3464-1130-0x00000000066F0000-0x0000000006766000-memory.dmp

Filesize
472KB

Download
memory/3464-1129-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3464-1128-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/3464-1126-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3464-209-0x0000000000610000-0x000000000065B000-memory.dmp

Filesize
300KB

Download
memory/3464-210-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3464-211-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3464-212-0x0000000002740000-0x000000000277F000-memory.dmp

Filesize
252KB

Download
memory/3464-213-0x0000000002740000-0x000000000277F000-memory.dmp

Filesize
252KB

Download
memory/3464-215-0x0000000002740000-0x000000000277F000-memory.dmp

Filesize
252KB

Download
memory/3464-217-0x0000000002740000-0x000000000277F000-memory.dmp

Filesize
252KB

Download
memory/3464-219-0x0000000002740000-0x000000000277F000-memory.dmp

Filesize
252KB

Download
memory/3464-221-0x0000000002740000-0x000000000277F000-memory.dmp

Filesize
252KB

Download
memory/3464-223-0x0000000002740000-0x000000000277F000-memory.dmp

Filesize
252KB

Download
memory/3464-225-0x0000000002740000-0x000000000277F000-memory.dmp

Filesize
252KB

Download
memory/3464-227-0x0000000002740000-0x000000000277F000-memory.dmp

Filesize
252KB

Download
memory/3464-229-0x0000000002740000-0x000000000277F000-memory.dmp

Filesize
252KB

Download
memory/3464-231-0x0000000002740000-0x000000000277F000-memory.dmp

Filesize
252KB

Download
memory/3464-233-0x0000000002740000-0x000000000277F000-memory.dmp

Filesize
252KB

Download
memory/3464-235-0x0000000002740000-0x000000000277F000-memory.dmp

Filesize
252KB

Download
memory/3464-237-0x0000000002740000-0x000000000277F000-memory.dmp

Filesize
252KB

Download
memory/3464-239-0x0000000002740000-0x000000000277F000-memory.dmp

Filesize
252KB

Download
memory/3464-241-0x0000000002740000-0x000000000277F000-memory.dmp

Filesize
252KB

Download
memory/3464-243-0x0000000002740000-0x000000000277F000-memory.dmp

Filesize
252KB

Download
memory/3464-245-0x0000000002740000-0x000000000277F000-memory.dmp

Filesize
252KB

Download
memory/3464-1118-0x0000000005260000-0x0000000005878000-memory.dmp

Filesize
6.1MB

Download
memory/3464-1125-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3464-1120-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/3464-1121-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/3464-1122-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3464-1124-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/4012-177-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/4012-167-0x0000000004C50000-0x00000000051F4000-memory.dmp

Filesize
5.6MB

Download
memory/4012-169-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/4012-193-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/4012-204-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4012-202-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/4012-201-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/4012-200-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4012-199-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/4012-189-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/4012-187-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/4012-168-0x0000000000550000-0x000000000057D000-memory.dmp

Filesize
180KB

Download
memory/4012-191-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/4012-195-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/4012-172-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/4012-183-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/4012-181-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/4012-179-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/4012-197-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/4012-175-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/4012-173-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/4012-185-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/4012-171-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/4012-170-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/4132-1139-0x0000000000880000-0x00000000008B2000-memory.dmp

Filesize
200KB

Download
memory/4132-1140-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4132-1141-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download