amadey | 2bf3220a8aee52e32c680b42b021836ef828ac4588178fd274945ab83293bfd1

Analysis

max time kernel
112s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2023 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

987KB
MD5

34226bc4fe5585bf8537b5a0f8b916a6
SHA1

aa959b7ebfb03a2914b457d484ff40932bca758b
SHA256

2bf3220a8aee52e32c680b42b021836ef828ac4588178fd274945ab83293bfd1
SHA512

38fe703914fc6899078c304e65154e78edb3770a98c1046d3a03aeccc4a2b0ca261cfb67f883a0ea1d4c5a544fccbdd81195e1c3f75ce5f56a55645d97cf6a9c
SSDEEP

24576:SyahiK5sGjmxInbg6lh5MxuNTlCuOpiRETU6dLSp5yJyNPa:5y1qxIn0A0MBbOpxkpwwNP

Score

10^/10

amadey redline lamp rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lamp

176.113.115.145:4125

Attributes

auth_value
8a3e8bc22f2496c7c5339eb332073902

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz5429.exev6905WL.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz5429.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz5429.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz5429.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz5429.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v6905WL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v6905WL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz5429.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz5429.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v6905WL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v6905WL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v6905WL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v6905WL.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4108-210-0x00000000024D0000-0x000000000250F000-memory.dmp	family_redline
behavioral2/memory/4108-211-0x00000000024D0000-0x000000000250F000-memory.dmp	family_redline
behavioral2/memory/4108-213-0x00000000024D0000-0x000000000250F000-memory.dmp	family_redline
behavioral2/memory/4108-215-0x00000000024D0000-0x000000000250F000-memory.dmp	family_redline
behavioral2/memory/4108-217-0x00000000024D0000-0x000000000250F000-memory.dmp	family_redline
behavioral2/memory/4108-221-0x00000000024D0000-0x000000000250F000-memory.dmp	family_redline
behavioral2/memory/4108-224-0x00000000024D0000-0x000000000250F000-memory.dmp	family_redline
behavioral2/memory/4108-226-0x00000000024D0000-0x000000000250F000-memory.dmp	family_redline
behavioral2/memory/4108-228-0x00000000024D0000-0x000000000250F000-memory.dmp	family_redline
behavioral2/memory/4108-230-0x00000000024D0000-0x000000000250F000-memory.dmp	family_redline
behavioral2/memory/4108-232-0x00000000024D0000-0x000000000250F000-memory.dmp	family_redline
behavioral2/memory/4108-234-0x00000000024D0000-0x000000000250F000-memory.dmp	family_redline
behavioral2/memory/4108-236-0x00000000024D0000-0x000000000250F000-memory.dmp	family_redline
behavioral2/memory/4108-238-0x00000000024D0000-0x000000000250F000-memory.dmp	family_redline
behavioral2/memory/4108-240-0x00000000024D0000-0x000000000250F000-memory.dmp	family_redline
behavioral2/memory/4108-242-0x00000000024D0000-0x000000000250F000-memory.dmp	family_redline
behavioral2/memory/4108-246-0x00000000024D0000-0x000000000250F000-memory.dmp	family_redline
behavioral2/memory/4108-244-0x00000000024D0000-0x000000000250F000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y41OT37.exeoneetx.exePTS%20CC%202023.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	y41OT37.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	PTS%20CC%202023.exe

Executes dropped EXE 12 IoCs

Processes:

zap9571.exezap4315.exezap1087.exetz5429.exev6905WL.exew23zK51.exexqhLZ13.exey41OT37.exeoneetx.exedavidgetspaid$$$$$$$$$$$$$$.exePTS%20CC%202023.exeoneetx.exe

pid	process
4648	zap9571.exe
2416	zap4315.exe
4412	zap1087.exe
2784	tz5429.exe
1676	v6905WL.exe
4108	w23zK51.exe
1164	xqhLZ13.exe
3984	y41OT37.exe
2120	oneetx.exe
4996	davidgetspaid$$$$$$$$$$$$$$.exe
4388	PTS%20CC%202023.exe
4340	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1552 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1552	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v6905WL.exetz5429.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v6905WL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v6905WL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz5429.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap9571.exezap4315.exezap1087.exesetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9571.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap9571.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4315.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap4315.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1087.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap1087.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

452 1676 WerFault.exe v6905WL.exe
1188 4108 WerFault.exe w23zK51.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1284 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3752 PING.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz5429.exev6905WL.exew23zK51.exexqhLZ13.exe

pid process

2784 tz5429.exe
2784 tz5429.exe
1676 v6905WL.exe
1676 v6905WL.exe
4108 w23zK51.exe
4108 w23zK51.exe
1164 xqhLZ13.exe
1164 xqhLZ13.exe

flow	ioc
43	ip-api.com

pid	pid_target	process	target process
452	1676	WerFault.exe	v6905WL.exe
1188	4108	WerFault.exe	w23zK51.exe

pid	process
1284	schtasks.exe

pid	process
3752	PING.EXE

pid	process
2784	tz5429.exe
2784	tz5429.exe
1676	v6905WL.exe
1676	v6905WL.exe
4108	w23zK51.exe
4108	w23zK51.exe
1164	xqhLZ13.exe
1164	xqhLZ13.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tz5429.exev6905WL.exew23zK51.exexqhLZ13.exePTS%20CC%202023.exe

description	pid	process
Token: SeDebugPrivilege	2784	tz5429.exe
Token: SeDebugPrivilege	1676	v6905WL.exe
Token: SeDebugPrivilege	4108	w23zK51.exe
Token: SeDebugPrivilege	1164	xqhLZ13.exe
Token: SeDebugPrivilege	4388	PTS%20CC%202023.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y41OT37.exe

pid process

3984 y41OT37.exe

pid	process
3984	y41OT37.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup.exezap9571.exezap4315.exezap1087.exey41OT37.exeoneetx.execmd.exePTS%20CC%202023.execmd.exe

description	pid	process	target process
PID 5048 wrote to memory of 4648	5048	setup.exe	zap9571.exe
PID 5048 wrote to memory of 4648	5048	setup.exe	zap9571.exe
PID 5048 wrote to memory of 4648	5048	setup.exe	zap9571.exe
PID 4648 wrote to memory of 2416	4648	zap9571.exe	zap4315.exe
PID 4648 wrote to memory of 2416	4648	zap9571.exe	zap4315.exe
PID 4648 wrote to memory of 2416	4648	zap9571.exe	zap4315.exe
PID 2416 wrote to memory of 4412	2416	zap4315.exe	zap1087.exe
PID 2416 wrote to memory of 4412	2416	zap4315.exe	zap1087.exe
PID 2416 wrote to memory of 4412	2416	zap4315.exe	zap1087.exe
PID 4412 wrote to memory of 2784	4412	zap1087.exe	tz5429.exe
PID 4412 wrote to memory of 2784	4412	zap1087.exe	tz5429.exe
PID 4412 wrote to memory of 1676	4412	zap1087.exe	v6905WL.exe
PID 4412 wrote to memory of 1676	4412	zap1087.exe	v6905WL.exe
PID 4412 wrote to memory of 1676	4412	zap1087.exe	v6905WL.exe
PID 2416 wrote to memory of 4108	2416	zap4315.exe	w23zK51.exe
PID 2416 wrote to memory of 4108	2416	zap4315.exe	w23zK51.exe
PID 2416 wrote to memory of 4108	2416	zap4315.exe	w23zK51.exe
PID 4648 wrote to memory of 1164	4648	zap9571.exe	xqhLZ13.exe
PID 4648 wrote to memory of 1164	4648	zap9571.exe	xqhLZ13.exe
PID 4648 wrote to memory of 1164	4648	zap9571.exe	xqhLZ13.exe
PID 5048 wrote to memory of 3984	5048	setup.exe	y41OT37.exe
PID 5048 wrote to memory of 3984	5048	setup.exe	y41OT37.exe
PID 5048 wrote to memory of 3984	5048	setup.exe	y41OT37.exe
PID 3984 wrote to memory of 2120	3984	y41OT37.exe	oneetx.exe
PID 3984 wrote to memory of 2120	3984	y41OT37.exe	oneetx.exe
PID 3984 wrote to memory of 2120	3984	y41OT37.exe	oneetx.exe
PID 2120 wrote to memory of 1284	2120	oneetx.exe	schtasks.exe
PID 2120 wrote to memory of 1284	2120	oneetx.exe	schtasks.exe
PID 2120 wrote to memory of 1284	2120	oneetx.exe	schtasks.exe
PID 2120 wrote to memory of 4672	2120	oneetx.exe	cmd.exe
PID 2120 wrote to memory of 4672	2120	oneetx.exe	cmd.exe
PID 2120 wrote to memory of 4672	2120	oneetx.exe	cmd.exe
PID 4672 wrote to memory of 2820	4672	cmd.exe	cmd.exe
PID 4672 wrote to memory of 2820	4672	cmd.exe	cmd.exe
PID 4672 wrote to memory of 2820	4672	cmd.exe	cmd.exe
PID 4672 wrote to memory of 3476	4672	cmd.exe	cacls.exe
PID 4672 wrote to memory of 3476	4672	cmd.exe	cacls.exe
PID 4672 wrote to memory of 3476	4672	cmd.exe	cacls.exe
PID 4672 wrote to memory of 2832	4672	cmd.exe	cacls.exe
PID 4672 wrote to memory of 2832	4672	cmd.exe	cacls.exe
PID 4672 wrote to memory of 2832	4672	cmd.exe	cacls.exe
PID 4672 wrote to memory of 4828	4672	cmd.exe	cmd.exe
PID 4672 wrote to memory of 4828	4672	cmd.exe	cmd.exe
PID 4672 wrote to memory of 4828	4672	cmd.exe	cmd.exe
PID 4672 wrote to memory of 3536	4672	cmd.exe	cacls.exe
PID 4672 wrote to memory of 3536	4672	cmd.exe	cacls.exe
PID 4672 wrote to memory of 3536	4672	cmd.exe	cacls.exe
PID 4672 wrote to memory of 3508	4672	cmd.exe	cacls.exe
PID 4672 wrote to memory of 3508	4672	cmd.exe	cacls.exe
PID 4672 wrote to memory of 3508	4672	cmd.exe	cacls.exe
PID 2120 wrote to memory of 4996	2120	oneetx.exe	davidgetspaid$$$$$$$$$$$$$$.exe
PID 2120 wrote to memory of 4996	2120	oneetx.exe	davidgetspaid$$$$$$$$$$$$$$.exe
PID 2120 wrote to memory of 4996	2120	oneetx.exe	davidgetspaid$$$$$$$$$$$$$$.exe
PID 2120 wrote to memory of 4388	2120	oneetx.exe	PTS%20CC%202023.exe
PID 2120 wrote to memory of 4388	2120	oneetx.exe	PTS%20CC%202023.exe
PID 4388 wrote to memory of 224	4388	PTS%20CC%202023.exe	cmd.exe
PID 4388 wrote to memory of 224	4388	PTS%20CC%202023.exe	cmd.exe
PID 224 wrote to memory of 3448	224	cmd.exe	chcp.com
PID 224 wrote to memory of 3448	224	cmd.exe	chcp.com
PID 224 wrote to memory of 3752	224	cmd.exe	PING.EXE
PID 224 wrote to memory of 3752	224	cmd.exe	PING.EXE
PID 2120 wrote to memory of 1552	2120	oneetx.exe	rundll32.exe
PID 2120 wrote to memory of 1552	2120	oneetx.exe	rundll32.exe
PID 2120 wrote to memory of 1552	2120	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9571.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9571.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4315.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4315.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1087.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1087.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4412

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5429.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5429.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6905WL.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6905WL.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 1080
6⤵
- Program crash
PID:452

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w23zK51.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w23zK51.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1656
5⤵
- Program crash
PID:1188

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xqhLZ13.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xqhLZ13.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y41OT37.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y41OT37.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:1284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2820

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:3476

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4828

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:3536

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:3508

C:\Users\Admin\AppData\Local\Temp\1000046001\davidgetspaid$$$$$$$$$$$$$$.exe
"C:\Users\Admin\AppData\Local\Temp\1000046001\davidgetspaid$$$$$$$$$$$$$$.exe"
4⤵
- Executes dropped EXE
PID:4996

C:\Users\Admin\AppData\Local\Temp\1000047001\PTS%20CC%202023.exe
"C:\Users\Admin\AppData\Local\Temp\1000047001\PTS%20CC%202023.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1000047001\PTS%20CC%202023.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:3448

C:\Windows\system32\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:3752

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1676 -ip 1676
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4108 -ip 4108
1⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:4340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000046001\davidgetspaid$$$$$$$$$$$$$$.exe
Filesize
34KB

MD5
14a8ec5c9448d6fecb58f04879237163

SHA1
561d4c732c7fa5f3b8559e0c44bec1ae2c90c53a

SHA256
87b0e8494bdeb13b48a548fe9c1fd6a7e93ad09e7a968839b22f41c5461456c7

SHA512
f4763d8ea9ae2301705a9fe189857e6fd87b98484315195b8f8967907c71f62f79c9811492b440ae9bbb8e1581550b6ebe7cf5010e7a281d2888f0b9e8c19788

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000046001\davidgetspaid$$$$$$$$$$$$$$.exe
Filesize
34KB

MD5
14a8ec5c9448d6fecb58f04879237163

SHA1
561d4c732c7fa5f3b8559e0c44bec1ae2c90c53a

SHA256
87b0e8494bdeb13b48a548fe9c1fd6a7e93ad09e7a968839b22f41c5461456c7

SHA512
f4763d8ea9ae2301705a9fe189857e6fd87b98484315195b8f8967907c71f62f79c9811492b440ae9bbb8e1581550b6ebe7cf5010e7a281d2888f0b9e8c19788

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000046001\davidgetspaid$$$$$$$$$$$$$$.exe
Filesize
34KB

MD5
14a8ec5c9448d6fecb58f04879237163

SHA1
561d4c732c7fa5f3b8559e0c44bec1ae2c90c53a

SHA256
87b0e8494bdeb13b48a548fe9c1fd6a7e93ad09e7a968839b22f41c5461456c7

SHA512
f4763d8ea9ae2301705a9fe189857e6fd87b98484315195b8f8967907c71f62f79c9811492b440ae9bbb8e1581550b6ebe7cf5010e7a281d2888f0b9e8c19788

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\PTS%20CC%202023.exe
Filesize
48KB

MD5
61fb7e8b2345ee7d5e398ab53ec50530

SHA1
618c5471ff2b556664f93fea09a6a5ab18448d03

SHA256
7078c775d2e0b4a4ca493836dad53cb49e5cfeb4dd0be4d8c889d19a5834e1f9

SHA512
e4541c261b626c36862799aee68cad1f7dd811b6492a0e3d45307e7b82237c3fcaf8460f64bf37a389baa742c983252bc914127908b9b58a10ee221125d6f590

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\PTS%20CC%202023.exe
Filesize
48KB

MD5
61fb7e8b2345ee7d5e398ab53ec50530

SHA1
618c5471ff2b556664f93fea09a6a5ab18448d03

SHA256
7078c775d2e0b4a4ca493836dad53cb49e5cfeb4dd0be4d8c889d19a5834e1f9

SHA512
e4541c261b626c36862799aee68cad1f7dd811b6492a0e3d45307e7b82237c3fcaf8460f64bf37a389baa742c983252bc914127908b9b58a10ee221125d6f590

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\PTS%20CC%202023.exe
Filesize
48KB

MD5
61fb7e8b2345ee7d5e398ab53ec50530

SHA1
618c5471ff2b556664f93fea09a6a5ab18448d03

SHA256
7078c775d2e0b4a4ca493836dad53cb49e5cfeb4dd0be4d8c889d19a5834e1f9

SHA512
e4541c261b626c36862799aee68cad1f7dd811b6492a0e3d45307e7b82237c3fcaf8460f64bf37a389baa742c983252bc914127908b9b58a10ee221125d6f590

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y41OT37.exe
Filesize
237KB

MD5
5b775aae7625b5e915489d767d685bdc

SHA1
8892b1c7446f28627ad78e478dd2b8984c64dc5c

SHA256
4d139fe02f5902561f7029dd007c3db0be0590db69bfdd9b1935e916782bc917

SHA512
82824923f483fcc3e5976c31890bab6ce98212a4614a35fef2b7d89d50cc74223d72b0ba6a7938a85f50be0b02af0c90caf2535a902b0c59834ee85e0dde2d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y41OT37.exe
Filesize
237KB

MD5
5b775aae7625b5e915489d767d685bdc

SHA1
8892b1c7446f28627ad78e478dd2b8984c64dc5c

SHA256
4d139fe02f5902561f7029dd007c3db0be0590db69bfdd9b1935e916782bc917

SHA512
82824923f483fcc3e5976c31890bab6ce98212a4614a35fef2b7d89d50cc74223d72b0ba6a7938a85f50be0b02af0c90caf2535a902b0c59834ee85e0dde2d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9571.exe
Filesize
805KB

MD5
8ba9cab965afb3964891ab4befe3ab80

SHA1
094bd09ed9393f6da8b55fc60b6f1cf983b4ecab

SHA256
7dd0770f9b4534c12d50e500ac013dd4ce1d02f10d50ad36b8b9664c5f03356c

SHA512
d5a6e32352ca6cb25ca5578ef3a2d30e07a691a7bcf8eea5e98e878e0462776a3a4a27582492f3637be04729a8d27e622d91dfda14c086e566dddc00142719d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9571.exe
Filesize
805KB

MD5
8ba9cab965afb3964891ab4befe3ab80

SHA1
094bd09ed9393f6da8b55fc60b6f1cf983b4ecab

SHA256
7dd0770f9b4534c12d50e500ac013dd4ce1d02f10d50ad36b8b9664c5f03356c

SHA512
d5a6e32352ca6cb25ca5578ef3a2d30e07a691a7bcf8eea5e98e878e0462776a3a4a27582492f3637be04729a8d27e622d91dfda14c086e566dddc00142719d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xqhLZ13.exe
Filesize
168KB

MD5
f933dfdb9ea28cd4813487f09c591ce2

SHA1
2a05b653e3ad63b10d433603f3caaf8d04cc329f

SHA256
ef6e68d3fde165744f9ecc76f1e58b72c6fecc4cb4bfb332c6faa5bb239c87af

SHA512
1d1cadeeae9aaceaabb9b8970e76dcde9c5f708214fcdf45037abca48ef17f6c9406e9989a16c051b2d0b69c4e4e326285f3a40451da200e59296d36cf6eba64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xqhLZ13.exe
Filesize
168KB

MD5
f933dfdb9ea28cd4813487f09c591ce2

SHA1
2a05b653e3ad63b10d433603f3caaf8d04cc329f

SHA256
ef6e68d3fde165744f9ecc76f1e58b72c6fecc4cb4bfb332c6faa5bb239c87af

SHA512
1d1cadeeae9aaceaabb9b8970e76dcde9c5f708214fcdf45037abca48ef17f6c9406e9989a16c051b2d0b69c4e4e326285f3a40451da200e59296d36cf6eba64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4315.exe
Filesize
651KB

MD5
8af14f263b121ec3594b8a3ae4ec0dfb

SHA1
e9f277ac0f62b30de3b48ac772117420efd94f56

SHA256
49895858fa5e38590122a3a3236293a10130fc85fed20c514adfe34d13478ee4

SHA512
36d3baa9dccda1ca4fd5b6f518fe8073b7aeed7a38eb51296ba6fabef254c90d4789bcfea28140d06327a344191f04519522d23f2865361fc1c10945db41b1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4315.exe
Filesize
651KB

MD5
8af14f263b121ec3594b8a3ae4ec0dfb

SHA1
e9f277ac0f62b30de3b48ac772117420efd94f56

SHA256
49895858fa5e38590122a3a3236293a10130fc85fed20c514adfe34d13478ee4

SHA512
36d3baa9dccda1ca4fd5b6f518fe8073b7aeed7a38eb51296ba6fabef254c90d4789bcfea28140d06327a344191f04519522d23f2865361fc1c10945db41b1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w23zK51.exe
Filesize
295KB

MD5
25b72776a4aa972c31c403b090fdab89

SHA1
9cf29ab99c8c79fea96ede75bf796a566e91843e

SHA256
40bd39a53c417650c0528cda8e8b820c9f539c7e3f510f9f31fa9a287db5088b

SHA512
a9573daac7824ddd3eb7e33f480c604edd5e6efdfc1d4e9bd55d7cac1ea591092ab82361a1a9df2e96407990287aa508a4daf487a5f0df44801b31d1c577fa22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w23zK51.exe
Filesize
295KB

MD5
25b72776a4aa972c31c403b090fdab89

SHA1
9cf29ab99c8c79fea96ede75bf796a566e91843e

SHA256
40bd39a53c417650c0528cda8e8b820c9f539c7e3f510f9f31fa9a287db5088b

SHA512
a9573daac7824ddd3eb7e33f480c604edd5e6efdfc1d4e9bd55d7cac1ea591092ab82361a1a9df2e96407990287aa508a4daf487a5f0df44801b31d1c577fa22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1087.exe
Filesize
322KB

MD5
cf7aa28bf98be00658b5e710bae11576

SHA1
26277626f48514b45f890887fdcbfc64bd13df7a

SHA256
eca27bc0f4f5fea03f84b899dd5d83bcab26fe9e61a4bd41ea24a7600e57c97f

SHA512
169e52c07082de1055fe8a31d4334534ffb0b7786548ec3c16d77c7737b55ca8fbeabb81b0d4ab05d3fa29fea30742b1892ea686fefb36a00acfeef9150004bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1087.exe
Filesize
322KB

MD5
cf7aa28bf98be00658b5e710bae11576

SHA1
26277626f48514b45f890887fdcbfc64bd13df7a

SHA256
eca27bc0f4f5fea03f84b899dd5d83bcab26fe9e61a4bd41ea24a7600e57c97f

SHA512
169e52c07082de1055fe8a31d4334534ffb0b7786548ec3c16d77c7737b55ca8fbeabb81b0d4ab05d3fa29fea30742b1892ea686fefb36a00acfeef9150004bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5429.exe
Filesize
11KB

MD5
62333705c6e94740ed1ea6373b5d044d

SHA1
05e1892ad2bf472902b3a5491781c19fdbbd8177

SHA256
d41e4af4a3e4f45c734298ebe777ead8dcadfd1fb18717b3251117bbd5dafd47

SHA512
e21d711a22edf987c6ffe04fba89aa3a1d6d18aec4a8e12db8724627ba9e6ca3cfb5ffed3f552523039785fecab8ac3235d5f1acc97f0b64b7cbbd0c946b747e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5429.exe
Filesize
11KB

MD5
62333705c6e94740ed1ea6373b5d044d

SHA1
05e1892ad2bf472902b3a5491781c19fdbbd8177

SHA256
d41e4af4a3e4f45c734298ebe777ead8dcadfd1fb18717b3251117bbd5dafd47

SHA512
e21d711a22edf987c6ffe04fba89aa3a1d6d18aec4a8e12db8724627ba9e6ca3cfb5ffed3f552523039785fecab8ac3235d5f1acc97f0b64b7cbbd0c946b747e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6905WL.exe
Filesize
237KB

MD5
2324b3d3db33fb11f6332dd4f5bae5b1

SHA1
d2bd1f3829cda341f86df63922e055b6ec4907a9

SHA256
53d1acb84991ecca8bc9dade836a783019138a80a625f6e1fad67d3f189d3904

SHA512
e9bdc40dd299bf5ceb0206ceb020f7e323f6d0c737f44ef6edcd3561f89d05ffe237c0c1cc5bdced0109f83e0889c823479139e913b8f9d4a1774798ec2f49a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6905WL.exe
Filesize
237KB

MD5
2324b3d3db33fb11f6332dd4f5bae5b1

SHA1
d2bd1f3829cda341f86df63922e055b6ec4907a9

SHA256
53d1acb84991ecca8bc9dade836a783019138a80a625f6e1fad67d3f189d3904

SHA512
e9bdc40dd299bf5ceb0206ceb020f7e323f6d0c737f44ef6edcd3561f89d05ffe237c0c1cc5bdced0109f83e0889c823479139e913b8f9d4a1774798ec2f49a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
237KB

MD5
5b775aae7625b5e915489d767d685bdc

SHA1
8892b1c7446f28627ad78e478dd2b8984c64dc5c

SHA256
4d139fe02f5902561f7029dd007c3db0be0590db69bfdd9b1935e916782bc917

SHA512
82824923f483fcc3e5976c31890bab6ce98212a4614a35fef2b7d89d50cc74223d72b0ba6a7938a85f50be0b02af0c90caf2535a902b0c59834ee85e0dde2d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
237KB

MD5
5b775aae7625b5e915489d767d685bdc

SHA1
8892b1c7446f28627ad78e478dd2b8984c64dc5c

SHA256
4d139fe02f5902561f7029dd007c3db0be0590db69bfdd9b1935e916782bc917

SHA512
82824923f483fcc3e5976c31890bab6ce98212a4614a35fef2b7d89d50cc74223d72b0ba6a7938a85f50be0b02af0c90caf2535a902b0c59834ee85e0dde2d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
237KB

MD5
5b775aae7625b5e915489d767d685bdc

SHA1
8892b1c7446f28627ad78e478dd2b8984c64dc5c

SHA256
4d139fe02f5902561f7029dd007c3db0be0590db69bfdd9b1935e916782bc917

SHA512
82824923f483fcc3e5976c31890bab6ce98212a4614a35fef2b7d89d50cc74223d72b0ba6a7938a85f50be0b02af0c90caf2535a902b0c59834ee85e0dde2d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
237KB

MD5
5b775aae7625b5e915489d767d685bdc

SHA1
8892b1c7446f28627ad78e478dd2b8984c64dc5c

SHA256
4d139fe02f5902561f7029dd007c3db0be0590db69bfdd9b1935e916782bc917

SHA512
82824923f483fcc3e5976c31890bab6ce98212a4614a35fef2b7d89d50cc74223d72b0ba6a7938a85f50be0b02af0c90caf2535a902b0c59834ee85e0dde2d1b

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1164-1141-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download
memory/1164-1140-0x0000000000FD0000-0x0000000001000000-memory.dmp

Filesize
192KB

Download
memory/1676-168-0x0000000004A50000-0x0000000004FF4000-memory.dmp

Filesize
5.6MB

Download
memory/1676-190-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/1676-202-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/1676-203-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/1676-204-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/1676-205-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1676-167-0x00000000005C0000-0x00000000005ED000-memory.dmp

Filesize
180KB

Download
memory/1676-199-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/1676-198-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/1676-197-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/1676-196-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/1676-194-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/1676-192-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/1676-200-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1676-188-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/1676-186-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/1676-184-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/1676-182-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/1676-180-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/1676-178-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/1676-176-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/1676-174-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/1676-172-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/1676-170-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/1676-169-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/2784-161-0x00000000007D0000-0x00000000007DA000-memory.dmp

Filesize
40KB

Download
memory/4108-224-0x00000000024D0000-0x000000000250F000-memory.dmp

Filesize
252KB

Download
memory/4108-238-0x00000000024D0000-0x000000000250F000-memory.dmp

Filesize
252KB

Download
memory/4108-1119-0x00000000052A0000-0x00000000058B8000-memory.dmp

Filesize
6.1MB

Download
memory/4108-1120-0x00000000058C0000-0x00000000059CA000-memory.dmp

Filesize
1.0MB

Download
memory/4108-1121-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/4108-1122-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/4108-1123-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/4108-1125-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/4108-1126-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/4108-1128-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/4108-1127-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/4108-1129-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/4108-1130-0x00000000065C0000-0x0000000006782000-memory.dmp

Filesize
1.8MB

Download
memory/4108-1131-0x0000000006790000-0x0000000006CBC000-memory.dmp

Filesize
5.2MB

Download
memory/4108-1132-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/4108-1133-0x0000000006F40000-0x0000000006FB6000-memory.dmp

Filesize
472KB

Download
memory/4108-246-0x00000000024D0000-0x000000000250F000-memory.dmp

Filesize
252KB

Download
memory/4108-242-0x00000000024D0000-0x000000000250F000-memory.dmp

Filesize
252KB

Download
memory/4108-240-0x00000000024D0000-0x000000000250F000-memory.dmp

Filesize
252KB

Download
memory/4108-244-0x00000000024D0000-0x000000000250F000-memory.dmp

Filesize
252KB

Download
memory/4108-236-0x00000000024D0000-0x000000000250F000-memory.dmp

Filesize
252KB

Download
memory/4108-234-0x00000000024D0000-0x000000000250F000-memory.dmp

Filesize
252KB

Download
memory/4108-232-0x00000000024D0000-0x000000000250F000-memory.dmp

Filesize
252KB

Download
memory/4108-230-0x00000000024D0000-0x000000000250F000-memory.dmp

Filesize
252KB

Download
memory/4108-228-0x00000000024D0000-0x000000000250F000-memory.dmp

Filesize
252KB

Download
memory/4108-226-0x00000000024D0000-0x000000000250F000-memory.dmp

Filesize
252KB

Download
memory/4108-222-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/4108-221-0x00000000024D0000-0x000000000250F000-memory.dmp

Filesize
252KB

Download
memory/4108-218-0x0000000000770000-0x00000000007BB000-memory.dmp

Filesize
300KB

Download
memory/4108-220-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/4108-1134-0x0000000006FD0000-0x0000000007020000-memory.dmp

Filesize
320KB

Download
memory/4108-210-0x00000000024D0000-0x000000000250F000-memory.dmp

Filesize
252KB

Download
memory/4108-211-0x00000000024D0000-0x000000000250F000-memory.dmp

Filesize
252KB

Download
memory/4108-213-0x00000000024D0000-0x000000000250F000-memory.dmp

Filesize
252KB

Download
memory/4108-217-0x00000000024D0000-0x000000000250F000-memory.dmp

Filesize
252KB

Download
memory/4108-215-0x00000000024D0000-0x000000000250F000-memory.dmp

Filesize
252KB

Download
memory/4388-1197-0x0000023D494E0000-0x0000023D494F0000-memory.dmp

Filesize
64KB

Download
memory/4388-1196-0x0000023D49640000-0x0000023D49690000-memory.dmp

Filesize
320KB

Download
memory/4388-1195-0x0000023D2D9A0000-0x0000023D2D9B2000-memory.dmp

Filesize
72KB

Download