amadey | 5c9d6107ae2d900f31f2827d0b0f78e1e3db46e143eb12d3a8d29e867daaddf6

Analysis

max time kernel
106s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c9d6107ae2d900f31f2827d0b0f78e1e3db46e143eb12d3a8d29e867daaddf6.exe
Size

1001KB
MD5

9acc3a335b31852ebb6a4419bf5a3ee2
SHA1

abb58cee5eaf12de8c982e3bd51e2d3b336c6a1f
SHA256

5c9d6107ae2d900f31f2827d0b0f78e1e3db46e143eb12d3a8d29e867daaddf6
SHA512

d2b719f0fc7f958d359e02c1f827ec0bae909e54b00a8b943741886b3749c7814724670e45dcd20140ec01946fdbe8b8a723d170928b100a6a61613bb26d5e95
SSDEEP

24576:cyxduJK6QMfxtV+9FUHmU2IbVNVW1UHNg8W4:LODQMfxtV+YGUDhNVW1A3W

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz4433.exev6797ek.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz4433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz4433.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v6797ek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v6797ek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v6797ek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz4433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz4433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz4433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v6797ek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz4433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v6797ek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v6797ek.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5104-213-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/5104-214-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/5104-216-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/5104-218-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/5104-220-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/5104-222-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/5104-224-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/5104-226-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/5104-228-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/5104-230-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/5104-232-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/5104-234-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/5104-236-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/5104-238-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/5104-240-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/5104-242-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/5104-244-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/5104-246-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y15fl94.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	y15fl94.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 11 IoCs

Processes:

zap4471.exezap8465.exezap7156.exetz4433.exev6797ek.exew39ae54.exexNPiv75.exey15fl94.exeoneetx.exebuildghost.exeoneetx.exe

pid	process
2572	zap4471.exe
1456	zap8465.exe
2628	zap7156.exe
4488	tz4433.exe
3392	v6797ek.exe
5104	w39ae54.exe
4960	xNPiv75.exe
5012	y15fl94.exe
468	oneetx.exe
1592	buildghost.exe
388	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4488 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4488	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz4433.exev6797ek.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz4433.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v6797ek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v6797ek.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap8465.exezap7156.exe5c9d6107ae2d900f31f2827d0b0f78e1e3db46e143eb12d3a8d29e867daaddf6.exezap4471.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap8465.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap7156.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5c9d6107ae2d900f31f2827d0b0f78e1e3db46e143eb12d3a8d29e867daaddf6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5c9d6107ae2d900f31f2827d0b0f78e1e3db46e143eb12d3a8d29e867daaddf6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap4471.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8465.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3860 3392 WerFault.exe v6797ek.exe
404 5104 WerFault.exe w39ae54.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2324 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz4433.exev6797ek.exew39ae54.exexNPiv75.exe

pid process

4488 tz4433.exe
4488 tz4433.exe
3392 v6797ek.exe
3392 v6797ek.exe
5104 w39ae54.exe
5104 w39ae54.exe
4960 xNPiv75.exe
4960 xNPiv75.exe

flow	ioc
30	ip-api.com

pid	pid_target	process	target process
3860	3392	WerFault.exe	v6797ek.exe
404	5104	WerFault.exe	w39ae54.exe

pid	process
2324	schtasks.exe

pid	process
4488	tz4433.exe
4488	tz4433.exe
3392	v6797ek.exe
3392	v6797ek.exe
5104	w39ae54.exe
5104	w39ae54.exe
4960	xNPiv75.exe
4960	xNPiv75.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tz4433.exev6797ek.exew39ae54.exexNPiv75.exebuildghost.exe

description	pid	process
Token: SeDebugPrivilege	4488	tz4433.exe
Token: SeDebugPrivilege	3392	v6797ek.exe
Token: SeDebugPrivilege	5104	w39ae54.exe
Token: SeDebugPrivilege	4960	xNPiv75.exe
Token: SeDebugPrivilege	1592	buildghost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y15fl94.exe

pid process

5012 y15fl94.exe

pid	process
5012	y15fl94.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

5c9d6107ae2d900f31f2827d0b0f78e1e3db46e143eb12d3a8d29e867daaddf6.exezap4471.exezap8465.exezap7156.exey15fl94.exeoneetx.execmd.exe

description	pid	process	target process
PID 2148 wrote to memory of 2572	2148	5c9d6107ae2d900f31f2827d0b0f78e1e3db46e143eb12d3a8d29e867daaddf6.exe	zap4471.exe
PID 2148 wrote to memory of 2572	2148	5c9d6107ae2d900f31f2827d0b0f78e1e3db46e143eb12d3a8d29e867daaddf6.exe	zap4471.exe
PID 2148 wrote to memory of 2572	2148	5c9d6107ae2d900f31f2827d0b0f78e1e3db46e143eb12d3a8d29e867daaddf6.exe	zap4471.exe
PID 2572 wrote to memory of 1456	2572	zap4471.exe	zap8465.exe
PID 2572 wrote to memory of 1456	2572	zap4471.exe	zap8465.exe
PID 2572 wrote to memory of 1456	2572	zap4471.exe	zap8465.exe
PID 1456 wrote to memory of 2628	1456	zap8465.exe	zap7156.exe
PID 1456 wrote to memory of 2628	1456	zap8465.exe	zap7156.exe
PID 1456 wrote to memory of 2628	1456	zap8465.exe	zap7156.exe
PID 2628 wrote to memory of 4488	2628	zap7156.exe	tz4433.exe
PID 2628 wrote to memory of 4488	2628	zap7156.exe	tz4433.exe
PID 2628 wrote to memory of 3392	2628	zap7156.exe	v6797ek.exe
PID 2628 wrote to memory of 3392	2628	zap7156.exe	v6797ek.exe
PID 2628 wrote to memory of 3392	2628	zap7156.exe	v6797ek.exe
PID 1456 wrote to memory of 5104	1456	zap8465.exe	w39ae54.exe
PID 1456 wrote to memory of 5104	1456	zap8465.exe	w39ae54.exe
PID 1456 wrote to memory of 5104	1456	zap8465.exe	w39ae54.exe
PID 2572 wrote to memory of 4960	2572	zap4471.exe	xNPiv75.exe
PID 2572 wrote to memory of 4960	2572	zap4471.exe	xNPiv75.exe
PID 2572 wrote to memory of 4960	2572	zap4471.exe	xNPiv75.exe
PID 2148 wrote to memory of 5012	2148	5c9d6107ae2d900f31f2827d0b0f78e1e3db46e143eb12d3a8d29e867daaddf6.exe	y15fl94.exe
PID 2148 wrote to memory of 5012	2148	5c9d6107ae2d900f31f2827d0b0f78e1e3db46e143eb12d3a8d29e867daaddf6.exe	y15fl94.exe
PID 2148 wrote to memory of 5012	2148	5c9d6107ae2d900f31f2827d0b0f78e1e3db46e143eb12d3a8d29e867daaddf6.exe	y15fl94.exe
PID 5012 wrote to memory of 468	5012	y15fl94.exe	oneetx.exe
PID 5012 wrote to memory of 468	5012	y15fl94.exe	oneetx.exe
PID 5012 wrote to memory of 468	5012	y15fl94.exe	oneetx.exe
PID 468 wrote to memory of 2324	468	oneetx.exe	schtasks.exe
PID 468 wrote to memory of 2324	468	oneetx.exe	schtasks.exe
PID 468 wrote to memory of 2324	468	oneetx.exe	schtasks.exe
PID 468 wrote to memory of 2616	468	oneetx.exe	cmd.exe
PID 468 wrote to memory of 2616	468	oneetx.exe	cmd.exe
PID 468 wrote to memory of 2616	468	oneetx.exe	cmd.exe
PID 2616 wrote to memory of 2540	2616	cmd.exe	cmd.exe
PID 2616 wrote to memory of 2540	2616	cmd.exe	cmd.exe
PID 2616 wrote to memory of 2540	2616	cmd.exe	cmd.exe
PID 2616 wrote to memory of 2092	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 2092	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 2092	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 3772	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 3772	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 3772	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 752	2616	cmd.exe	cmd.exe
PID 2616 wrote to memory of 752	2616	cmd.exe	cmd.exe
PID 2616 wrote to memory of 752	2616	cmd.exe	cmd.exe
PID 2616 wrote to memory of 1672	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 1672	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 1672	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 1260	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 1260	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 1260	2616	cmd.exe	cacls.exe
PID 468 wrote to memory of 1592	468	oneetx.exe	buildghost.exe
PID 468 wrote to memory of 1592	468	oneetx.exe	buildghost.exe
PID 468 wrote to memory of 4488	468	oneetx.exe	rundll32.exe
PID 468 wrote to memory of 4488	468	oneetx.exe	rundll32.exe
PID 468 wrote to memory of 4488	468	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\5c9d6107ae2d900f31f2827d0b0f78e1e3db46e143eb12d3a8d29e867daaddf6.exe
"C:\Users\Admin\AppData\Local\Temp\5c9d6107ae2d900f31f2827d0b0f78e1e3db46e143eb12d3a8d29e867daaddf6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2148

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4471.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4471.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2572

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8465.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8465.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7156.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7156.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2628

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4433.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4433.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6797ek.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6797ek.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 1084
6⤵
- Program crash
PID:3860

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w39ae54.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w39ae54.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1472
5⤵
- Program crash
PID:404

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xNPiv75.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xNPiv75.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y15fl94.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y15fl94.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5012

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:2324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2540

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:2092

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:3772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:752

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:1672

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\1000029001\buildghost.exe
"C:\Users\Admin\AppData\Local\Temp\1000029001\buildghost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3392 -ip 3392
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5104 -ip 5104
1⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000029001\buildghost.exe
Filesize
51KB

MD5
6dc5093b21da27e63cdee704e910f936

SHA1
5b90c867205a209bf69387a59ed97cc4aef3dc77

SHA256
86fd1820b532ba02bfc4c72c9a6486f2e3f55e3dd44f4ab6f53665b3765984c9

SHA512
f46dffe6ef752eb7801cedd1008156546cfae6e3730a395d64d123eb040bdfd116ee3e2ea42d69ee0f676f1d9577b2549de999711f3cde410e345f57fb249b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000029001\buildghost.exe
Filesize
51KB

MD5
6dc5093b21da27e63cdee704e910f936

SHA1
5b90c867205a209bf69387a59ed97cc4aef3dc77

SHA256
86fd1820b532ba02bfc4c72c9a6486f2e3f55e3dd44f4ab6f53665b3765984c9

SHA512
f46dffe6ef752eb7801cedd1008156546cfae6e3730a395d64d123eb040bdfd116ee3e2ea42d69ee0f676f1d9577b2549de999711f3cde410e345f57fb249b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000029001\buildghost.exe
Filesize
51KB

MD5
6dc5093b21da27e63cdee704e910f936

SHA1
5b90c867205a209bf69387a59ed97cc4aef3dc77

SHA256
86fd1820b532ba02bfc4c72c9a6486f2e3f55e3dd44f4ab6f53665b3765984c9

SHA512
f46dffe6ef752eb7801cedd1008156546cfae6e3730a395d64d123eb040bdfd116ee3e2ea42d69ee0f676f1d9577b2549de999711f3cde410e345f57fb249b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y15fl94.exe
Filesize
236KB

MD5
e0de97077fc288f306354ed5f5bd04ca

SHA1
8a27150ad0aaffbc95afd8d73699f823d94d1173

SHA256
27c733e2d57e8c51a3c82ce69eb968a6c0fd166f0e750188376c5d365c205b88

SHA512
1334001fa8c7118eb8fd14b48653474b3e896cb53fc3be1d497a48263d876b02b53885b73c464c8b5d6f992c2e90b4b954396c851ef4489033b6d206803af2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y15fl94.exe
Filesize
236KB

MD5
e0de97077fc288f306354ed5f5bd04ca

SHA1
8a27150ad0aaffbc95afd8d73699f823d94d1173

SHA256
27c733e2d57e8c51a3c82ce69eb968a6c0fd166f0e750188376c5d365c205b88

SHA512
1334001fa8c7118eb8fd14b48653474b3e896cb53fc3be1d497a48263d876b02b53885b73c464c8b5d6f992c2e90b4b954396c851ef4489033b6d206803af2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4471.exe
Filesize
817KB

MD5
40c554543aa03a5e03f1bf2491e04b4b

SHA1
54fd7864de58fa05c95295d2e8c97545f830b49f

SHA256
d32294d083abc94cb3f20f530cc7094a94f6a24bba633e8e1d03eed28d8305a0

SHA512
e07d96f68a80c5ca586daada3db662d7567b51d556a3456d13daad1a41c258a7c2c02d0f31ce42e6047b5fef1cb64f0e3b9bc424a28b71ac3fdee58387e8a468

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4471.exe
Filesize
817KB

MD5
40c554543aa03a5e03f1bf2491e04b4b

SHA1
54fd7864de58fa05c95295d2e8c97545f830b49f

SHA256
d32294d083abc94cb3f20f530cc7094a94f6a24bba633e8e1d03eed28d8305a0

SHA512
e07d96f68a80c5ca586daada3db662d7567b51d556a3456d13daad1a41c258a7c2c02d0f31ce42e6047b5fef1cb64f0e3b9bc424a28b71ac3fdee58387e8a468

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xNPiv75.exe
Filesize
175KB

MD5
698bbcfa2d64f5e9c48d39921d6713be

SHA1
517b7ebe0a950b3048c87d2fab9b0a0566457ff9

SHA256
1e6bd4d2c6953a8397e356563a2a7b3574ee0aa84f36a1d0ea2ccaae112797a4

SHA512
9d89071d12c2f6f7c5d0ba135c55c919a7fd28de70a274bfd901f1c7f64fbe53907ccfe2295207d69e08f9cf77e2f5e620ea1d42937a94f8999cffb25691f059

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xNPiv75.exe
Filesize
175KB

MD5
698bbcfa2d64f5e9c48d39921d6713be

SHA1
517b7ebe0a950b3048c87d2fab9b0a0566457ff9

SHA256
1e6bd4d2c6953a8397e356563a2a7b3574ee0aa84f36a1d0ea2ccaae112797a4

SHA512
9d89071d12c2f6f7c5d0ba135c55c919a7fd28de70a274bfd901f1c7f64fbe53907ccfe2295207d69e08f9cf77e2f5e620ea1d42937a94f8999cffb25691f059

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8465.exe
Filesize
675KB

MD5
3d23ebc6718b37fb181de80fa5c0c1a5

SHA1
59bcc62d7276c2957fdd1eb8c3db2e8dd43344e9

SHA256
ee1d262e10dec2dc7283fa3e92bd76f5c28dad317a6a26ed68dc240be291713f

SHA512
a6fd2cc2872439da02d9bbbe63f3e43301cda430559163bacdbc7fb61a085173659001bbd2f7e399210cc7e4ba8ab2e343f18a34465b6bae2c1f63c906781381

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8465.exe
Filesize
675KB

MD5
3d23ebc6718b37fb181de80fa5c0c1a5

SHA1
59bcc62d7276c2957fdd1eb8c3db2e8dd43344e9

SHA256
ee1d262e10dec2dc7283fa3e92bd76f5c28dad317a6a26ed68dc240be291713f

SHA512
a6fd2cc2872439da02d9bbbe63f3e43301cda430559163bacdbc7fb61a085173659001bbd2f7e399210cc7e4ba8ab2e343f18a34465b6bae2c1f63c906781381

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w39ae54.exe
Filesize
318KB

MD5
17a0034d34334790c288287c6e3cfaa9

SHA1
26737af839659df906000e52610ddc6ae814bb8a

SHA256
d0b64e348fcb7159e0f7810f86ad1ec692f433e9d9521d841f4e137b1555cc28

SHA512
18fbfaefa5b0bb009b4efa3d4fe89d47b1f3f64a5cdc1c0ecdfe91bf1c48b7e305cf76c0521e3e1d6d5446ed355c5ee46d765efa3fcfebdbff7645a723ce59f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w39ae54.exe
Filesize
318KB

MD5
17a0034d34334790c288287c6e3cfaa9

SHA1
26737af839659df906000e52610ddc6ae814bb8a

SHA256
d0b64e348fcb7159e0f7810f86ad1ec692f433e9d9521d841f4e137b1555cc28

SHA512
18fbfaefa5b0bb009b4efa3d4fe89d47b1f3f64a5cdc1c0ecdfe91bf1c48b7e305cf76c0521e3e1d6d5446ed355c5ee46d765efa3fcfebdbff7645a723ce59f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7156.exe
Filesize
334KB

MD5
2d0db55d43b1d05e94dcacd75a5561a7

SHA1
4e3b7206151f8c949660da0a6e93f80ea24f8374

SHA256
621abcbea51eaf6460cb864dd82724192946f14523adb100ad42f30154228289

SHA512
a66516236db0ee3770a398a35d5fe619c139a0f97ad55b24a84f41077a38b5a3d8a13bc789502468726c6a5d38aa47d422e72bd540127124641ef07dbe27e6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7156.exe
Filesize
334KB

MD5
2d0db55d43b1d05e94dcacd75a5561a7

SHA1
4e3b7206151f8c949660da0a6e93f80ea24f8374

SHA256
621abcbea51eaf6460cb864dd82724192946f14523adb100ad42f30154228289

SHA512
a66516236db0ee3770a398a35d5fe619c139a0f97ad55b24a84f41077a38b5a3d8a13bc789502468726c6a5d38aa47d422e72bd540127124641ef07dbe27e6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4433.exe
Filesize
11KB

MD5
ce4652fc037f77e3b677bacec367051a

SHA1
676cba8545628ea5fdea64ea475a150d9a0f1045

SHA256
81e4fbcda9c37eb6080f50cffe2288a26f4e82060e24b8d94d2ee17d0387bd08

SHA512
bc8a7206dfa21f6c49882d2a516c03f4424dad984b45adcb90ca080dc80ea4b344deebbc2df615178a33d8bc9666615ba2871f231d02f0886efab5b02786687b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4433.exe
Filesize
11KB

MD5
ce4652fc037f77e3b677bacec367051a

SHA1
676cba8545628ea5fdea64ea475a150d9a0f1045

SHA256
81e4fbcda9c37eb6080f50cffe2288a26f4e82060e24b8d94d2ee17d0387bd08

SHA512
bc8a7206dfa21f6c49882d2a516c03f4424dad984b45adcb90ca080dc80ea4b344deebbc2df615178a33d8bc9666615ba2871f231d02f0886efab5b02786687b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6797ek.exe
Filesize
260KB

MD5
335faf72732bd912ad9dca8e33453262

SHA1
e4d4fac258f198d7d204b2a7ddf6e1836fa267e2

SHA256
f9c5f80e35c00a48a2a7dff7c31eed178af7ceaefc214c3cc7f436e183e058d1

SHA512
09a83adffafe3e5945bc60af86400650e21b090c66c065f04f211703ac857db052c50cb961b6acde315bc398db57e94d0d37f186a0493b5b9cc27abc9f4f0a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6797ek.exe
Filesize
260KB

MD5
335faf72732bd912ad9dca8e33453262

SHA1
e4d4fac258f198d7d204b2a7ddf6e1836fa267e2

SHA256
f9c5f80e35c00a48a2a7dff7c31eed178af7ceaefc214c3cc7f436e183e058d1

SHA512
09a83adffafe3e5945bc60af86400650e21b090c66c065f04f211703ac857db052c50cb961b6acde315bc398db57e94d0d37f186a0493b5b9cc27abc9f4f0a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
e0de97077fc288f306354ed5f5bd04ca

SHA1
8a27150ad0aaffbc95afd8d73699f823d94d1173

SHA256
27c733e2d57e8c51a3c82ce69eb968a6c0fd166f0e750188376c5d365c205b88

SHA512
1334001fa8c7118eb8fd14b48653474b3e896cb53fc3be1d497a48263d876b02b53885b73c464c8b5d6f992c2e90b4b954396c851ef4489033b6d206803af2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
e0de97077fc288f306354ed5f5bd04ca

SHA1
8a27150ad0aaffbc95afd8d73699f823d94d1173

SHA256
27c733e2d57e8c51a3c82ce69eb968a6c0fd166f0e750188376c5d365c205b88

SHA512
1334001fa8c7118eb8fd14b48653474b3e896cb53fc3be1d497a48263d876b02b53885b73c464c8b5d6f992c2e90b4b954396c851ef4489033b6d206803af2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
e0de97077fc288f306354ed5f5bd04ca

SHA1
8a27150ad0aaffbc95afd8d73699f823d94d1173

SHA256
27c733e2d57e8c51a3c82ce69eb968a6c0fd166f0e750188376c5d365c205b88

SHA512
1334001fa8c7118eb8fd14b48653474b3e896cb53fc3be1d497a48263d876b02b53885b73c464c8b5d6f992c2e90b4b954396c851ef4489033b6d206803af2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
e0de97077fc288f306354ed5f5bd04ca

SHA1
8a27150ad0aaffbc95afd8d73699f823d94d1173

SHA256
27c733e2d57e8c51a3c82ce69eb968a6c0fd166f0e750188376c5d365c205b88

SHA512
1334001fa8c7118eb8fd14b48653474b3e896cb53fc3be1d497a48263d876b02b53885b73c464c8b5d6f992c2e90b4b954396c851ef4489033b6d206803af2ef

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1592-1180-0x0000026BEF970000-0x0000026BEF982000-memory.dmp

Filesize
72KB

Download
memory/1592-1181-0x0000026BF1570000-0x0000026BF15C0000-memory.dmp

Filesize
320KB

Download
memory/1592-1182-0x0000026BF35F0000-0x0000026BF3600000-memory.dmp

Filesize
64KB

Download
memory/3392-167-0x0000000004C60000-0x0000000005204000-memory.dmp

Filesize
5.6MB

Download
memory/3392-187-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/3392-197-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/3392-199-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/3392-200-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3392-201-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/3392-202-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/3392-203-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/3392-205-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3392-168-0x0000000000750000-0x000000000077D000-memory.dmp

Filesize
180KB

Download
memory/3392-193-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/3392-191-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/3392-189-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/3392-195-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/3392-185-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/3392-183-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/3392-181-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/3392-177-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/3392-179-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/3392-175-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/3392-172-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/3392-173-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/3392-171-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/3392-169-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/3392-170-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4488-161-0x0000000000720000-0x000000000072A000-memory.dmp

Filesize
40KB

Download
memory/4960-1140-0x00000000004D0000-0x0000000000502000-memory.dmp

Filesize
200KB

Download
memory/4960-1141-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/5104-218-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/5104-244-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/5104-246-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/5104-1119-0x00000000050C0000-0x00000000056D8000-memory.dmp

Filesize
6.1MB

Download
memory/5104-1120-0x0000000005760000-0x000000000586A000-memory.dmp

Filesize
1.0MB

Download
memory/5104-1121-0x00000000058A0000-0x00000000058B2000-memory.dmp

Filesize
72KB

Download
memory/5104-1122-0x00000000058C0000-0x00000000058FC000-memory.dmp

Filesize
240KB

Download
memory/5104-1123-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/5104-1124-0x0000000005BB0000-0x0000000005C42000-memory.dmp

Filesize
584KB

Download
memory/5104-1125-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/5104-1127-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/5104-1128-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/5104-1129-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/5104-1130-0x0000000006450000-0x00000000064C6000-memory.dmp

Filesize
472KB

Download
memory/5104-1131-0x00000000064E0000-0x0000000006530000-memory.dmp

Filesize
320KB

Download
memory/5104-1132-0x0000000006560000-0x0000000006722000-memory.dmp

Filesize
1.8MB

Download
memory/5104-242-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/5104-240-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/5104-238-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/5104-236-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/5104-234-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/5104-232-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/5104-230-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/5104-228-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/5104-226-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/5104-224-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/5104-222-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/5104-220-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/5104-216-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/5104-214-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/5104-213-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/5104-212-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/5104-211-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/5104-210-0x00000000006D0000-0x000000000071B000-memory.dmp

Filesize
300KB

Download
memory/5104-1133-0x0000000006730000-0x0000000006C5C000-memory.dmp

Filesize
5.2MB

Download
memory/5104-1134-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download