amadey | eb3afe139f6158b6689e8bbeac5ac282a0e9de37e02b17ef32cbe4b1ff1055fc

Analysis

max time kernel
134s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb3afe139f6158b6689e8bbeac5ac282a0e9de37e02b17ef32cbe4b1ff1055fc.exe
Size

1000KB
MD5

115de4c6fb27be89477a015e9da7ea08
SHA1

5f9f8f0b8080e241545244868baec3f2ec18db68
SHA256

eb3afe139f6158b6689e8bbeac5ac282a0e9de37e02b17ef32cbe4b1ff1055fc
SHA512

bf35b8fbec76307f77a29dc121a5e831e27066e6c59636490f900171360f79dbae2045be8d22c0a0f4414b99ca27cae14f06bd68f6bdb0696321c4a6a045020e
SSDEEP

24576:Qyr8ZDteRjOc6JISMf05CDHKKwb/U/YubluI1DwgZdEP:XfRjOzID0QDjwDuxhuGRZd

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v7180sW.exetz3501.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v7180sW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz3501.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz3501.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz3501.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz3501.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v7180sW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v7180sW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v7180sW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v7180sW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v7180sW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz3501.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz3501.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5052-211-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/5052-212-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/5052-214-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/5052-216-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/5052-218-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/5052-220-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/5052-222-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/5052-224-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/5052-226-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/5052-228-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/5052-230-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/5052-232-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/5052-234-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/5052-236-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/5052-238-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/5052-240-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/5052-244-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/5052-242-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y97oa14.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	y97oa14.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 12 IoCs

Processes:

zap4074.exezap2120.exezap0150.exetz3501.exev7180sW.exew37UF74.exexLuQa83.exey97oa14.exeoneetx.exebuildghost.exeoneetx.exeoneetx.exe

pid	process
2248	zap4074.exe
1268	zap2120.exe
3268	zap0150.exe
2976	tz3501.exe
3112	v7180sW.exe
5052	w37UF74.exe
2676	xLuQa83.exe
2376	y97oa14.exe
908	oneetx.exe
3796	buildghost.exe
1660	oneetx.exe
2760	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5080 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5080	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz3501.exev7180sW.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz3501.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v7180sW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v7180sW.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap2120.exezap0150.exeeb3afe139f6158b6689e8bbeac5ac282a0e9de37e02b17ef32cbe4b1ff1055fc.exezap4074.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap2120.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap0150.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	eb3afe139f6158b6689e8bbeac5ac282a0e9de37e02b17ef32cbe4b1ff1055fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eb3afe139f6158b6689e8bbeac5ac282a0e9de37e02b17ef32cbe4b1ff1055fc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4074.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap4074.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2120.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

37 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4576 3112 WerFault.exe v7180sW.exe
2632 5052 WerFault.exe w37UF74.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

216 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz3501.exev7180sW.exew37UF74.exexLuQa83.exe

pid process

2976 tz3501.exe
2976 tz3501.exe
3112 v7180sW.exe
3112 v7180sW.exe
5052 w37UF74.exe
5052 w37UF74.exe
2676 xLuQa83.exe
2676 xLuQa83.exe

flow	ioc
37	ip-api.com

pid	pid_target	process	target process
4576	3112	WerFault.exe	v7180sW.exe
2632	5052	WerFault.exe	w37UF74.exe

pid	process
216	schtasks.exe

pid	process
2976	tz3501.exe
2976	tz3501.exe
3112	v7180sW.exe
3112	v7180sW.exe
5052	w37UF74.exe
5052	w37UF74.exe
2676	xLuQa83.exe
2676	xLuQa83.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tz3501.exev7180sW.exew37UF74.exexLuQa83.exebuildghost.exe

description	pid	process
Token: SeDebugPrivilege	2976	tz3501.exe
Token: SeDebugPrivilege	3112	v7180sW.exe
Token: SeDebugPrivilege	5052	w37UF74.exe
Token: SeDebugPrivilege	2676	xLuQa83.exe
Token: SeDebugPrivilege	3796	buildghost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y97oa14.exe

pid process

2376 y97oa14.exe

pid	process
2376	y97oa14.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

eb3afe139f6158b6689e8bbeac5ac282a0e9de37e02b17ef32cbe4b1ff1055fc.exezap4074.exezap2120.exezap0150.exey97oa14.exeoneetx.execmd.exe

description	pid	process	target process
PID 4380 wrote to memory of 2248	4380	eb3afe139f6158b6689e8bbeac5ac282a0e9de37e02b17ef32cbe4b1ff1055fc.exe	zap4074.exe
PID 4380 wrote to memory of 2248	4380	eb3afe139f6158b6689e8bbeac5ac282a0e9de37e02b17ef32cbe4b1ff1055fc.exe	zap4074.exe
PID 4380 wrote to memory of 2248	4380	eb3afe139f6158b6689e8bbeac5ac282a0e9de37e02b17ef32cbe4b1ff1055fc.exe	zap4074.exe
PID 2248 wrote to memory of 1268	2248	zap4074.exe	zap2120.exe
PID 2248 wrote to memory of 1268	2248	zap4074.exe	zap2120.exe
PID 2248 wrote to memory of 1268	2248	zap4074.exe	zap2120.exe
PID 1268 wrote to memory of 3268	1268	zap2120.exe	zap0150.exe
PID 1268 wrote to memory of 3268	1268	zap2120.exe	zap0150.exe
PID 1268 wrote to memory of 3268	1268	zap2120.exe	zap0150.exe
PID 3268 wrote to memory of 2976	3268	zap0150.exe	tz3501.exe
PID 3268 wrote to memory of 2976	3268	zap0150.exe	tz3501.exe
PID 3268 wrote to memory of 3112	3268	zap0150.exe	v7180sW.exe
PID 3268 wrote to memory of 3112	3268	zap0150.exe	v7180sW.exe
PID 3268 wrote to memory of 3112	3268	zap0150.exe	v7180sW.exe
PID 1268 wrote to memory of 5052	1268	zap2120.exe	w37UF74.exe
PID 1268 wrote to memory of 5052	1268	zap2120.exe	w37UF74.exe
PID 1268 wrote to memory of 5052	1268	zap2120.exe	w37UF74.exe
PID 2248 wrote to memory of 2676	2248	zap4074.exe	xLuQa83.exe
PID 2248 wrote to memory of 2676	2248	zap4074.exe	xLuQa83.exe
PID 2248 wrote to memory of 2676	2248	zap4074.exe	xLuQa83.exe
PID 4380 wrote to memory of 2376	4380	eb3afe139f6158b6689e8bbeac5ac282a0e9de37e02b17ef32cbe4b1ff1055fc.exe	y97oa14.exe
PID 4380 wrote to memory of 2376	4380	eb3afe139f6158b6689e8bbeac5ac282a0e9de37e02b17ef32cbe4b1ff1055fc.exe	y97oa14.exe
PID 4380 wrote to memory of 2376	4380	eb3afe139f6158b6689e8bbeac5ac282a0e9de37e02b17ef32cbe4b1ff1055fc.exe	y97oa14.exe
PID 2376 wrote to memory of 908	2376	y97oa14.exe	oneetx.exe
PID 2376 wrote to memory of 908	2376	y97oa14.exe	oneetx.exe
PID 2376 wrote to memory of 908	2376	y97oa14.exe	oneetx.exe
PID 908 wrote to memory of 216	908	oneetx.exe	schtasks.exe
PID 908 wrote to memory of 216	908	oneetx.exe	schtasks.exe
PID 908 wrote to memory of 216	908	oneetx.exe	schtasks.exe
PID 908 wrote to memory of 4364	908	oneetx.exe	cmd.exe
PID 908 wrote to memory of 4364	908	oneetx.exe	cmd.exe
PID 908 wrote to memory of 4364	908	oneetx.exe	cmd.exe
PID 4364 wrote to memory of 2756	4364	cmd.exe	cmd.exe
PID 4364 wrote to memory of 2756	4364	cmd.exe	cmd.exe
PID 4364 wrote to memory of 2756	4364	cmd.exe	cmd.exe
PID 4364 wrote to memory of 5108	4364	cmd.exe	cacls.exe
PID 4364 wrote to memory of 5108	4364	cmd.exe	cacls.exe
PID 4364 wrote to memory of 5108	4364	cmd.exe	cacls.exe
PID 4364 wrote to memory of 348	4364	cmd.exe	cacls.exe
PID 4364 wrote to memory of 348	4364	cmd.exe	cacls.exe
PID 4364 wrote to memory of 348	4364	cmd.exe	cacls.exe
PID 4364 wrote to memory of 4328	4364	cmd.exe	cmd.exe
PID 4364 wrote to memory of 4328	4364	cmd.exe	cmd.exe
PID 4364 wrote to memory of 4328	4364	cmd.exe	cmd.exe
PID 4364 wrote to memory of 4000	4364	cmd.exe	cacls.exe
PID 4364 wrote to memory of 4000	4364	cmd.exe	cacls.exe
PID 4364 wrote to memory of 4000	4364	cmd.exe	cacls.exe
PID 4364 wrote to memory of 4204	4364	cmd.exe	cacls.exe
PID 4364 wrote to memory of 4204	4364	cmd.exe	cacls.exe
PID 4364 wrote to memory of 4204	4364	cmd.exe	cacls.exe
PID 908 wrote to memory of 3796	908	oneetx.exe	buildghost.exe
PID 908 wrote to memory of 3796	908	oneetx.exe	buildghost.exe
PID 908 wrote to memory of 5080	908	oneetx.exe	rundll32.exe
PID 908 wrote to memory of 5080	908	oneetx.exe	rundll32.exe
PID 908 wrote to memory of 5080	908	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\eb3afe139f6158b6689e8bbeac5ac282a0e9de37e02b17ef32cbe4b1ff1055fc.exe
"C:\Users\Admin\AppData\Local\Temp\eb3afe139f6158b6689e8bbeac5ac282a0e9de37e02b17ef32cbe4b1ff1055fc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4380

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4074.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4074.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2120.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2120.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0150.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0150.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3268

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3501.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3501.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7180sW.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7180sW.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 1080
6⤵
- Program crash
PID:4576

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w37UF74.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w37UF74.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1928
5⤵
- Program crash
PID:2632

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLuQa83.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLuQa83.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y97oa14.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y97oa14.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2376

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2756

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:5108

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4328

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:4000

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\1000029001\buildghost.exe
"C:\Users\Admin\AppData\Local\Temp\1000029001\buildghost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3112 -ip 3112
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5052 -ip 5052
1⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:1660

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:2760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000029001\buildghost.exe
Filesize
51KB

MD5
6dc5093b21da27e63cdee704e910f936

SHA1
5b90c867205a209bf69387a59ed97cc4aef3dc77

SHA256
86fd1820b532ba02bfc4c72c9a6486f2e3f55e3dd44f4ab6f53665b3765984c9

SHA512
f46dffe6ef752eb7801cedd1008156546cfae6e3730a395d64d123eb040bdfd116ee3e2ea42d69ee0f676f1d9577b2549de999711f3cde410e345f57fb249b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000029001\buildghost.exe
Filesize
51KB

MD5
6dc5093b21da27e63cdee704e910f936

SHA1
5b90c867205a209bf69387a59ed97cc4aef3dc77

SHA256
86fd1820b532ba02bfc4c72c9a6486f2e3f55e3dd44f4ab6f53665b3765984c9

SHA512
f46dffe6ef752eb7801cedd1008156546cfae6e3730a395d64d123eb040bdfd116ee3e2ea42d69ee0f676f1d9577b2549de999711f3cde410e345f57fb249b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000029001\buildghost.exe
Filesize
51KB

MD5
6dc5093b21da27e63cdee704e910f936

SHA1
5b90c867205a209bf69387a59ed97cc4aef3dc77

SHA256
86fd1820b532ba02bfc4c72c9a6486f2e3f55e3dd44f4ab6f53665b3765984c9

SHA512
f46dffe6ef752eb7801cedd1008156546cfae6e3730a395d64d123eb040bdfd116ee3e2ea42d69ee0f676f1d9577b2549de999711f3cde410e345f57fb249b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y97oa14.exe
Filesize
236KB

MD5
d0dd80d94c2f5619d6dbaa3bbd332221

SHA1
c815b1d312f45be28ff54e7d018152908362ae33

SHA256
dff9d859d76ff5600345579e4ea60b799e28ab91847699ae55346cbc28724b98

SHA512
f3dc414c076ed24e30930d88e0477f6563c4bd5fa4b421a76f8f09e052803c589d2a566533e4316895b7d5609800d8bc4244c2c7334509bec5f3aa5db2640774

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y97oa14.exe
Filesize
236KB

MD5
d0dd80d94c2f5619d6dbaa3bbd332221

SHA1
c815b1d312f45be28ff54e7d018152908362ae33

SHA256
dff9d859d76ff5600345579e4ea60b799e28ab91847699ae55346cbc28724b98

SHA512
f3dc414c076ed24e30930d88e0477f6563c4bd5fa4b421a76f8f09e052803c589d2a566533e4316895b7d5609800d8bc4244c2c7334509bec5f3aa5db2640774

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4074.exe
Filesize
816KB

MD5
aae65a1c4b63c6be6ba845dabb6cc5e3

SHA1
b7638373e6416b2a3c2f5da0200e2ca40da4c95b

SHA256
d38b92e3ca385415f7e275738d66bc9fc65bd3f73cef5f8522727890759d30e8

SHA512
f2593dd60627ec4e0be5868194e4bea4247b273bb16106537b0229c744d1c29527d971a02edfabc23068d9472d9cf103909e420374122bcbb96d8304ae192fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4074.exe
Filesize
816KB

MD5
aae65a1c4b63c6be6ba845dabb6cc5e3

SHA1
b7638373e6416b2a3c2f5da0200e2ca40da4c95b

SHA256
d38b92e3ca385415f7e275738d66bc9fc65bd3f73cef5f8522727890759d30e8

SHA512
f2593dd60627ec4e0be5868194e4bea4247b273bb16106537b0229c744d1c29527d971a02edfabc23068d9472d9cf103909e420374122bcbb96d8304ae192fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLuQa83.exe
Filesize
175KB

MD5
3260f00eaf43688806e0ce524123d439

SHA1
86b14ccca633252822b0b2b1e04285014a79f607

SHA256
658445e07948828bf4fcccc181f410312d29c029add41a764a4e3aded01085f2

SHA512
4f2d3ce20e199185802fa9a0839ed742487ace204f714beb93ea4ff9a998b71ecc14034ecdc6f5e9acc9e4238c78d79b60ad9ba3c3e8e26687e8d1da558471a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLuQa83.exe
Filesize
175KB

MD5
3260f00eaf43688806e0ce524123d439

SHA1
86b14ccca633252822b0b2b1e04285014a79f607

SHA256
658445e07948828bf4fcccc181f410312d29c029add41a764a4e3aded01085f2

SHA512
4f2d3ce20e199185802fa9a0839ed742487ace204f714beb93ea4ff9a998b71ecc14034ecdc6f5e9acc9e4238c78d79b60ad9ba3c3e8e26687e8d1da558471a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2120.exe
Filesize
675KB

MD5
a37b8b342f71f63808b43625ff4f05fb

SHA1
8be9b88e86a24c743f1abfd306a3188a5cef2c03

SHA256
4d20b1a2b1ae30a634169a340ae0128eff1cf87d0945df79bfd0b7c34ba57b7c

SHA512
2948db52af12e358b98c7e1b6e7d58fb5f43fe75c49ddd3666c3874dffa33401d59e94578785e1c2ab6b157ff89178083ea34e5930fbbd9cfe17c5fe84de59fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2120.exe
Filesize
675KB

MD5
a37b8b342f71f63808b43625ff4f05fb

SHA1
8be9b88e86a24c743f1abfd306a3188a5cef2c03

SHA256
4d20b1a2b1ae30a634169a340ae0128eff1cf87d0945df79bfd0b7c34ba57b7c

SHA512
2948db52af12e358b98c7e1b6e7d58fb5f43fe75c49ddd3666c3874dffa33401d59e94578785e1c2ab6b157ff89178083ea34e5930fbbd9cfe17c5fe84de59fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w37UF74.exe
Filesize
318KB

MD5
445d6583399a026d347929d754d623c0

SHA1
3a5fbda78e7d0482c072fdfc95b3492e1167d449

SHA256
c5de819623c70c0986017347732b6771f836dafd3f6fe464d0f521d376aff1d5

SHA512
971205352bbe336f5054650ef538ad4e19426d960ec7dceb5297e283d16199770ec83181d86e3be2deabadda5f7b040d26c925e34e2f4ab8b006c9d783478af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w37UF74.exe
Filesize
318KB

MD5
445d6583399a026d347929d754d623c0

SHA1
3a5fbda78e7d0482c072fdfc95b3492e1167d449

SHA256
c5de819623c70c0986017347732b6771f836dafd3f6fe464d0f521d376aff1d5

SHA512
971205352bbe336f5054650ef538ad4e19426d960ec7dceb5297e283d16199770ec83181d86e3be2deabadda5f7b040d26c925e34e2f4ab8b006c9d783478af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0150.exe
Filesize
334KB

MD5
faae424a11465a888a97181bdf470bef

SHA1
fd58cd805563a95a011338e9c5b172213d5cb75a

SHA256
2975880fd7e9c93a735269f92fac379720d508d8aed49c35237d34a6dac885f1

SHA512
6b820e72994923802ab5bec6add783a2da198037f55240c36017af62c38b26caca2c5b5779071356dad6f2888b5d0e317ca3c1ea861c5d60b08502f21fd074b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0150.exe
Filesize
334KB

MD5
faae424a11465a888a97181bdf470bef

SHA1
fd58cd805563a95a011338e9c5b172213d5cb75a

SHA256
2975880fd7e9c93a735269f92fac379720d508d8aed49c35237d34a6dac885f1

SHA512
6b820e72994923802ab5bec6add783a2da198037f55240c36017af62c38b26caca2c5b5779071356dad6f2888b5d0e317ca3c1ea861c5d60b08502f21fd074b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3501.exe
Filesize
11KB

MD5
f53dad119013acb06f4fd3e93a724065

SHA1
f22fa1aacedb1d95a7c56b4d570b3a7a88b9f1bf

SHA256
4da084c70aac2e578fa72442175d8bcfe21e1fc04446922958c809fd783de34b

SHA512
f1b3e9229265d5b0383474a1e2d07c3caee0644ed2e7c44e97637b5a4f4313dd919a175d64b5855a0fb9785f35c68ec610295168250045b6427d45670aee0225

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3501.exe
Filesize
11KB

MD5
f53dad119013acb06f4fd3e93a724065

SHA1
f22fa1aacedb1d95a7c56b4d570b3a7a88b9f1bf

SHA256
4da084c70aac2e578fa72442175d8bcfe21e1fc04446922958c809fd783de34b

SHA512
f1b3e9229265d5b0383474a1e2d07c3caee0644ed2e7c44e97637b5a4f4313dd919a175d64b5855a0fb9785f35c68ec610295168250045b6427d45670aee0225

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7180sW.exe
Filesize
260KB

MD5
2bbf70d25c178dba64dff1db05ddf23e

SHA1
851aae7f57d07988ca98058b77b2635141f155fc

SHA256
25192f74d1f5a1e256899cf5492ca1af9cdedb900c66a44facd6a29155a238f7

SHA512
574d09d0ce826b88b538c7a5817058c1e3d270781355a9cd3e0518ba2e3965bc045bc8763f98b362ffa76fc0939d7c69efd11a368e84619e72e2e93a11778d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7180sW.exe
Filesize
260KB

MD5
2bbf70d25c178dba64dff1db05ddf23e

SHA1
851aae7f57d07988ca98058b77b2635141f155fc

SHA256
25192f74d1f5a1e256899cf5492ca1af9cdedb900c66a44facd6a29155a238f7

SHA512
574d09d0ce826b88b538c7a5817058c1e3d270781355a9cd3e0518ba2e3965bc045bc8763f98b362ffa76fc0939d7c69efd11a368e84619e72e2e93a11778d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
d0dd80d94c2f5619d6dbaa3bbd332221

SHA1
c815b1d312f45be28ff54e7d018152908362ae33

SHA256
dff9d859d76ff5600345579e4ea60b799e28ab91847699ae55346cbc28724b98

SHA512
f3dc414c076ed24e30930d88e0477f6563c4bd5fa4b421a76f8f09e052803c589d2a566533e4316895b7d5609800d8bc4244c2c7334509bec5f3aa5db2640774

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
d0dd80d94c2f5619d6dbaa3bbd332221

SHA1
c815b1d312f45be28ff54e7d018152908362ae33

SHA256
dff9d859d76ff5600345579e4ea60b799e28ab91847699ae55346cbc28724b98

SHA512
f3dc414c076ed24e30930d88e0477f6563c4bd5fa4b421a76f8f09e052803c589d2a566533e4316895b7d5609800d8bc4244c2c7334509bec5f3aa5db2640774

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
d0dd80d94c2f5619d6dbaa3bbd332221

SHA1
c815b1d312f45be28ff54e7d018152908362ae33

SHA256
dff9d859d76ff5600345579e4ea60b799e28ab91847699ae55346cbc28724b98

SHA512
f3dc414c076ed24e30930d88e0477f6563c4bd5fa4b421a76f8f09e052803c589d2a566533e4316895b7d5609800d8bc4244c2c7334509bec5f3aa5db2640774

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
d0dd80d94c2f5619d6dbaa3bbd332221

SHA1
c815b1d312f45be28ff54e7d018152908362ae33

SHA256
dff9d859d76ff5600345579e4ea60b799e28ab91847699ae55346cbc28724b98

SHA512
f3dc414c076ed24e30930d88e0477f6563c4bd5fa4b421a76f8f09e052803c589d2a566533e4316895b7d5609800d8bc4244c2c7334509bec5f3aa5db2640774

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
d0dd80d94c2f5619d6dbaa3bbd332221

SHA1
c815b1d312f45be28ff54e7d018152908362ae33

SHA256
dff9d859d76ff5600345579e4ea60b799e28ab91847699ae55346cbc28724b98

SHA512
f3dc414c076ed24e30930d88e0477f6563c4bd5fa4b421a76f8f09e052803c589d2a566533e4316895b7d5609800d8bc4244c2c7334509bec5f3aa5db2640774

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/2676-1138-0x00000000003E0000-0x0000000000412000-memory.dmp

Filesize
200KB

Download
memory/2676-1139-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/2976-161-0x0000000000A80000-0x0000000000A8A000-memory.dmp

Filesize
40KB

Download
memory/3112-189-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/3112-172-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/3112-199-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/3112-200-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3112-202-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3112-195-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/3112-193-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/3112-191-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/3112-187-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/3112-185-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/3112-183-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/3112-167-0x0000000000610000-0x000000000063D000-memory.dmp

Filesize
180KB

Download
memory/3112-168-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3112-169-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3112-181-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/3112-179-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/3112-177-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/3112-175-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/3112-173-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/3112-197-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/3112-171-0x0000000004B10000-0x00000000050B4000-memory.dmp

Filesize
5.6MB

Download
memory/3112-170-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3796-1178-0x000001AC8FA90000-0x000001AC8FAA2000-memory.dmp

Filesize
72KB

Download
memory/3796-1179-0x000001AC917F0000-0x000001AC91840000-memory.dmp

Filesize
320KB

Download
memory/3796-1180-0x000001ACAA100000-0x000001ACAA110000-memory.dmp

Filesize
64KB

Download
memory/5052-222-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/5052-242-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/5052-1117-0x00000000052D0000-0x00000000058E8000-memory.dmp

Filesize
6.1MB

Download
memory/5052-1118-0x00000000058F0000-0x00000000059FA000-memory.dmp

Filesize
1.0MB

Download
memory/5052-1119-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/5052-1120-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/5052-1121-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/5052-1123-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/5052-1124-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/5052-1125-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/5052-1126-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/5052-1127-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/5052-1128-0x00000000064C0000-0x0000000006536000-memory.dmp

Filesize
472KB

Download
memory/5052-1129-0x0000000006540000-0x0000000006590000-memory.dmp

Filesize
320KB

Download
memory/5052-1130-0x00000000065A0000-0x0000000006762000-memory.dmp

Filesize
1.8MB

Download
memory/5052-1131-0x0000000006770000-0x0000000006C9C000-memory.dmp

Filesize
5.2MB

Download
memory/5052-244-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/5052-240-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/5052-238-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/5052-236-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/5052-234-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/5052-232-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/5052-230-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/5052-228-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/5052-226-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/5052-224-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/5052-220-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/5052-218-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/5052-216-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/5052-214-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/5052-212-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/5052-211-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/5052-210-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/5052-209-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/5052-208-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/5052-207-0x0000000002120000-0x000000000216B000-memory.dmp

Filesize
300KB

Download
memory/5052-1132-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download