amadey | 4b2fadb92d7562bba592f8c1ff6a8a778b0a3cbffdbe22d87978772523b2146f

Analysis

max time kernel
159s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2023, 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b2fadb92d7562bba592f8c1ff6a8a778b0a3cbffdbe22d87978772523b2146f.exe
Size

515KB
MD5

8cccf021269839eff740ccd56363eb82
SHA1

76a5db672250408819db6a715626c879e16a8ac7
SHA256

4b2fadb92d7562bba592f8c1ff6a8a778b0a3cbffdbe22d87978772523b2146f
SHA512

d923c7acba5498d3225d419ed6518d8a9280f6638735f3ac09d25faf5d11643bf1abb71700c387d1f9f277192d809ceab4f6a2ab3e98c89e2a1c61de7d42c652
SSDEEP

12288:+MrDy90yJ5gw7HE9mjOZ2rCebqF2NGpwW8i:dyzKmjLrnbqF2NeL5

Score

10^/10

amadey healer redline smokeloader news backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.85

77.91.68.3/home/love/index.php

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

news

77.91.68.68:19071

Attributes

auth_value
99ba2ffe8d72ebe9fdc7e758c94db148

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000231f4-152.dat	healer
behavioral1/files/0x00070000000231f4-153.dat	healer
behavioral1/memory/1308-154-0x0000000000270000-0x000000000027A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5556390.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5556390.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5556390.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5556390.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5556390.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5556390.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	danke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	25AF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	b7359588.exe

Executes dropped EXE 10 IoCs

pid	Process
3944	v4104913.exe
1944	v8355189.exe
1308	a5556390.exe
220	b7359588.exe
4488	danke.exe
1156	c2669179.exe
3536	d7581013.exe
2552	danke.exe
2772	25AF.exe
3248	danke.exe

Loads dropped DLL 5 IoCs

pid	Process
4620	rundll32.exe
1144	rundll32.exe
1144	rundll32.exe
4752	rundll32.exe
4752	rundll32.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5556390.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4b2fadb92d7562bba592f8c1ff6a8a778b0a3cbffdbe22d87978772523b2146f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4b2fadb92d7562bba592f8c1ff6a8a778b0a3cbffdbe22d87978772523b2146f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4104913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4104913.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8355189.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8355189.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3424	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c2669179.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c2669179.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c2669179.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
408	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	25AF.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1308	a5556390.exe
1308	a5556390.exe
1156	c2669179.exe
1156	c2669179.exe
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
684	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1156	c2669179.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	a5556390.exe
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
220	b7359588.exe
684	Process not Found
684	Process not Found

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 3944	4796	4b2fadb92d7562bba592f8c1ff6a8a778b0a3cbffdbe22d87978772523b2146f.exe	86
PID 4796 wrote to memory of 3944	4796	4b2fadb92d7562bba592f8c1ff6a8a778b0a3cbffdbe22d87978772523b2146f.exe	86
PID 4796 wrote to memory of 3944	4796	4b2fadb92d7562bba592f8c1ff6a8a778b0a3cbffdbe22d87978772523b2146f.exe	86
PID 3944 wrote to memory of 1944	3944	v4104913.exe	87
PID 3944 wrote to memory of 1944	3944	v4104913.exe	87
PID 3944 wrote to memory of 1944	3944	v4104913.exe	87
PID 1944 wrote to memory of 1308	1944	v8355189.exe	88
PID 1944 wrote to memory of 1308	1944	v8355189.exe	88
PID 1944 wrote to memory of 220	1944	v8355189.exe	93
PID 1944 wrote to memory of 220	1944	v8355189.exe	93
PID 1944 wrote to memory of 220	1944	v8355189.exe	93
PID 220 wrote to memory of 4488	220	b7359588.exe	94
PID 220 wrote to memory of 4488	220	b7359588.exe	94
PID 220 wrote to memory of 4488	220	b7359588.exe	94
PID 3944 wrote to memory of 1156	3944	v4104913.exe	95
PID 3944 wrote to memory of 1156	3944	v4104913.exe	95
PID 3944 wrote to memory of 1156	3944	v4104913.exe	95
PID 4488 wrote to memory of 408	4488	danke.exe	96
PID 4488 wrote to memory of 408	4488	danke.exe	96
PID 4488 wrote to memory of 408	4488	danke.exe	96
PID 4488 wrote to memory of 1336	4488	danke.exe	98
PID 4488 wrote to memory of 1336	4488	danke.exe	98
PID 4488 wrote to memory of 1336	4488	danke.exe	98
PID 1336 wrote to memory of 2496	1336	cmd.exe	100
PID 1336 wrote to memory of 2496	1336	cmd.exe	100
PID 1336 wrote to memory of 2496	1336	cmd.exe	100
PID 1336 wrote to memory of 4248	1336	cmd.exe	101
PID 1336 wrote to memory of 4248	1336	cmd.exe	101
PID 1336 wrote to memory of 4248	1336	cmd.exe	101
PID 1336 wrote to memory of 4992	1336	cmd.exe	102
PID 1336 wrote to memory of 4992	1336	cmd.exe	102
PID 1336 wrote to memory of 4992	1336	cmd.exe	102
PID 1336 wrote to memory of 3460	1336	cmd.exe	103
PID 1336 wrote to memory of 3460	1336	cmd.exe	103
PID 1336 wrote to memory of 3460	1336	cmd.exe	103
PID 1336 wrote to memory of 1664	1336	cmd.exe	104
PID 1336 wrote to memory of 1664	1336	cmd.exe	104
PID 1336 wrote to memory of 1664	1336	cmd.exe	104
PID 1336 wrote to memory of 3044	1336	cmd.exe	105
PID 1336 wrote to memory of 3044	1336	cmd.exe	105
PID 1336 wrote to memory of 3044	1336	cmd.exe	105
PID 4796 wrote to memory of 3536	4796	4b2fadb92d7562bba592f8c1ff6a8a778b0a3cbffdbe22d87978772523b2146f.exe	106
PID 4796 wrote to memory of 3536	4796	4b2fadb92d7562bba592f8c1ff6a8a778b0a3cbffdbe22d87978772523b2146f.exe	106
PID 4796 wrote to memory of 3536	4796	4b2fadb92d7562bba592f8c1ff6a8a778b0a3cbffdbe22d87978772523b2146f.exe	106
PID 4488 wrote to memory of 4620	4488	danke.exe	118
PID 4488 wrote to memory of 4620	4488	danke.exe	118
PID 4488 wrote to memory of 4620	4488	danke.exe	118
PID 684 wrote to memory of 2772	684	Process not Found	120
PID 684 wrote to memory of 2772	684	Process not Found	120
PID 684 wrote to memory of 2772	684	Process not Found	120
PID 2772 wrote to memory of 3756	2772	25AF.exe	121
PID 2772 wrote to memory of 3756	2772	25AF.exe	121
PID 2772 wrote to memory of 3756	2772	25AF.exe	121
PID 3756 wrote to memory of 1144	3756	control.exe	123
PID 3756 wrote to memory of 1144	3756	control.exe	123
PID 3756 wrote to memory of 1144	3756	control.exe	123
PID 1144 wrote to memory of 2252	1144	rundll32.exe	125
PID 1144 wrote to memory of 2252	1144	rundll32.exe	125
PID 2252 wrote to memory of 4752	2252	RunDll32.exe	126
PID 2252 wrote to memory of 4752	2252	RunDll32.exe	126
PID 2252 wrote to memory of 4752	2252	RunDll32.exe	126

C:\Users\Admin\AppData\Local\Temp\4b2fadb92d7562bba592f8c1ff6a8a778b0a3cbffdbe22d87978772523b2146f.exe
"C:\Users\Admin\AppData\Local\Temp\4b2fadb92d7562bba592f8c1ff6a8a778b0a3cbffdbe22d87978772523b2146f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4104913.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4104913.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8355189.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8355189.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5556390.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5556390.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1308
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7359588.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7359588.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4488
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:408
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "danke.exe" /P "Admin:N"
        7⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "danke.exe" /P "Admin:R" /E
        7⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\3ec1f323b5" /P "Admin:N"
        7⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\3ec1f323b5" /P "Admin:R" /E
        7⤵
        
        PID:3044
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:4620
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2669179.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2669179.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1156
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7581013.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7581013.exe
  2⤵
  - Executes dropped EXE
  PID:3536

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:2552

C:\Users\Admin\AppData\Local\Temp\25AF.exe
C:\Users\Admin\AppData\Local\Temp\25AF.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\8YUB.Cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\8YUB.Cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\8YUB.Cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\8YUB.Cpl",
        5⤵
        Loads dropped DLL
        
        PID:4752

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:3248

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25AF.exe

Filesize
1.7MB

MD5
524ad9f9036cd63d33ea272c1dd62dcc

SHA1
75bd1466d7c0c23fdc205d643ec81283da82eff6

SHA256
d8a2d2cbfa422063fed427168fa8fc0a2c0d482692f542b476b39a86e3ec9980

SHA512
7b1879e89ccdaee7c26137c06263c015c08ba5f07778eae6bd451c1880e154c07103b93a5fbfd981551d39e3eacd8978bfc7cf6df9ad7833aef58b7a89195996

Download Submit
C:\Users\Admin\AppData\Local\Temp\25AF.exe

Filesize
1.7MB

MD5
524ad9f9036cd63d33ea272c1dd62dcc

SHA1
75bd1466d7c0c23fdc205d643ec81283da82eff6

SHA256
d8a2d2cbfa422063fed427168fa8fc0a2c0d482692f542b476b39a86e3ec9980

SHA512
7b1879e89ccdaee7c26137c06263c015c08ba5f07778eae6bd451c1880e154c07103b93a5fbfd981551d39e3eacd8978bfc7cf6df9ad7833aef58b7a89195996

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Filesize
229KB

MD5
651407d620d75a11406bcfb621373cea

SHA1
cba29ac2c1927dff8da1d05a53dff1f2def8610f

SHA256
38d77848ffb8ce95088be57a9ab5b45ee3b6040b8eb4a53d347a515dcba64b58

SHA512
a4a5238b75cbb5a4e3e1f1e935119260e579733eb982656fa3ca61fedc613af5147f2bb464c02b764355df2ffd1f6bed603c70fa47cd6b0f8767b27393aa0ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Filesize
229KB

MD5
651407d620d75a11406bcfb621373cea

SHA1
cba29ac2c1927dff8da1d05a53dff1f2def8610f

SHA256
38d77848ffb8ce95088be57a9ab5b45ee3b6040b8eb4a53d347a515dcba64b58

SHA512
a4a5238b75cbb5a4e3e1f1e935119260e579733eb982656fa3ca61fedc613af5147f2bb464c02b764355df2ffd1f6bed603c70fa47cd6b0f8767b27393aa0ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Filesize
229KB

MD5
651407d620d75a11406bcfb621373cea

SHA1
cba29ac2c1927dff8da1d05a53dff1f2def8610f

SHA256
38d77848ffb8ce95088be57a9ab5b45ee3b6040b8eb4a53d347a515dcba64b58

SHA512
a4a5238b75cbb5a4e3e1f1e935119260e579733eb982656fa3ca61fedc613af5147f2bb464c02b764355df2ffd1f6bed603c70fa47cd6b0f8767b27393aa0ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Filesize
229KB

MD5
651407d620d75a11406bcfb621373cea

SHA1
cba29ac2c1927dff8da1d05a53dff1f2def8610f

SHA256
38d77848ffb8ce95088be57a9ab5b45ee3b6040b8eb4a53d347a515dcba64b58

SHA512
a4a5238b75cbb5a4e3e1f1e935119260e579733eb982656fa3ca61fedc613af5147f2bb464c02b764355df2ffd1f6bed603c70fa47cd6b0f8767b27393aa0ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Filesize
229KB

MD5
651407d620d75a11406bcfb621373cea

SHA1
cba29ac2c1927dff8da1d05a53dff1f2def8610f

SHA256
38d77848ffb8ce95088be57a9ab5b45ee3b6040b8eb4a53d347a515dcba64b58

SHA512
a4a5238b75cbb5a4e3e1f1e935119260e579733eb982656fa3ca61fedc613af5147f2bb464c02b764355df2ffd1f6bed603c70fa47cd6b0f8767b27393aa0ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8YUB.Cpl

Filesize
1.4MB

MD5
e566e7d6fc6a53fc31887e41dd499e73

SHA1
2c8da2e9d31714080f598ab1b467eea04451a434

SHA256
e394f086fcffad8d34ce90e13ee5cdf609a9a33a26e4d549ed6f03501cca58b6

SHA512
33267d4094321d46e93f2fda883f6ef0549ba7afa5d182d445ed71977f57623fcbf49f29496ffde307ba23dbdfce2479c21b61daff9e678961471dba8705ea05

Download Submit
C:\Users\Admin\AppData\Local\Temp\8yUb.cpl

Filesize
1.4MB

MD5
e566e7d6fc6a53fc31887e41dd499e73

SHA1
2c8da2e9d31714080f598ab1b467eea04451a434

SHA256
e394f086fcffad8d34ce90e13ee5cdf609a9a33a26e4d549ed6f03501cca58b6

SHA512
33267d4094321d46e93f2fda883f6ef0549ba7afa5d182d445ed71977f57623fcbf49f29496ffde307ba23dbdfce2479c21b61daff9e678961471dba8705ea05

Download Submit
C:\Users\Admin\AppData\Local\Temp\8yUb.cpl

Filesize
1.4MB

MD5
e566e7d6fc6a53fc31887e41dd499e73

SHA1
2c8da2e9d31714080f598ab1b467eea04451a434

SHA256
e394f086fcffad8d34ce90e13ee5cdf609a9a33a26e4d549ed6f03501cca58b6

SHA512
33267d4094321d46e93f2fda883f6ef0549ba7afa5d182d445ed71977f57623fcbf49f29496ffde307ba23dbdfce2479c21b61daff9e678961471dba8705ea05

Download Submit
C:\Users\Admin\AppData\Local\Temp\8yUb.cpl

Filesize
1.4MB

MD5
e566e7d6fc6a53fc31887e41dd499e73

SHA1
2c8da2e9d31714080f598ab1b467eea04451a434

SHA256
e394f086fcffad8d34ce90e13ee5cdf609a9a33a26e4d549ed6f03501cca58b6

SHA512
33267d4094321d46e93f2fda883f6ef0549ba7afa5d182d445ed71977f57623fcbf49f29496ffde307ba23dbdfce2479c21b61daff9e678961471dba8705ea05

Download Submit
C:\Users\Admin\AppData\Local\Temp\8yUb.cpl

Filesize
1.4MB

MD5
e566e7d6fc6a53fc31887e41dd499e73

SHA1
2c8da2e9d31714080f598ab1b467eea04451a434

SHA256
e394f086fcffad8d34ce90e13ee5cdf609a9a33a26e4d549ed6f03501cca58b6

SHA512
33267d4094321d46e93f2fda883f6ef0549ba7afa5d182d445ed71977f57623fcbf49f29496ffde307ba23dbdfce2479c21b61daff9e678961471dba8705ea05

Download Submit
C:\Users\Admin\AppData\Local\Temp\8yUb.cpl

Filesize
1.4MB

MD5
e566e7d6fc6a53fc31887e41dd499e73

SHA1
2c8da2e9d31714080f598ab1b467eea04451a434

SHA256
e394f086fcffad8d34ce90e13ee5cdf609a9a33a26e4d549ed6f03501cca58b6

SHA512
33267d4094321d46e93f2fda883f6ef0549ba7afa5d182d445ed71977f57623fcbf49f29496ffde307ba23dbdfce2479c21b61daff9e678961471dba8705ea05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7581013.exe

Filesize
172KB

MD5
7c303f8ad277e7ff8eff8e35146655cb

SHA1
b5f1ec9b004d91a621bdfe5310995b3c538dd9b5

SHA256
c9d9de3808adf9cf7376e694261157765da9d25b6e88f27063a7593d9a73e006

SHA512
f68aa2cb4d2e7750ce51dbab859a0fb045e7cffcc8018c10bb232c4bd7c3fd4285035c9e4a838c0b8e54b10d29bb939c7b78da855ea0cfc605a7b8c38c7fc26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7581013.exe

Filesize
172KB

MD5
7c303f8ad277e7ff8eff8e35146655cb

SHA1
b5f1ec9b004d91a621bdfe5310995b3c538dd9b5

SHA256
c9d9de3808adf9cf7376e694261157765da9d25b6e88f27063a7593d9a73e006

SHA512
f68aa2cb4d2e7750ce51dbab859a0fb045e7cffcc8018c10bb232c4bd7c3fd4285035c9e4a838c0b8e54b10d29bb939c7b78da855ea0cfc605a7b8c38c7fc26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4104913.exe

Filesize
359KB

MD5
5a4e9bbe57b60108f04683e3219b2a11

SHA1
decefad7d2bded03600cd13bc145d7b2c2c8a692

SHA256
1cdfbeddb03e00a70e33993bfc0b67a1e09ff0012d12ba6cb0616985261bab69

SHA512
ab825ceee4c65ebf7c36eb62dae18f403f1cfadc0668587101f0e397c869b806865f9e2b9fd02bd4aefd6c58dcd9c868caa32775bfaf707bae69a8b5ae078935

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4104913.exe

Filesize
359KB

MD5
5a4e9bbe57b60108f04683e3219b2a11

SHA1
decefad7d2bded03600cd13bc145d7b2c2c8a692

SHA256
1cdfbeddb03e00a70e33993bfc0b67a1e09ff0012d12ba6cb0616985261bab69

SHA512
ab825ceee4c65ebf7c36eb62dae18f403f1cfadc0668587101f0e397c869b806865f9e2b9fd02bd4aefd6c58dcd9c868caa32775bfaf707bae69a8b5ae078935

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2669179.exe

Filesize
33KB

MD5
81e302fc60fe98022f0208061d2d13e5

SHA1
b5f063bf09878c85b8bba5a742ddee535ac166d0

SHA256
d179b758a55c11720a9b6d982f38c427bbccd0ffb7c33ca33eafd2b7e95cd725

SHA512
49e4eb09b7523fe8c26ce2fa9786751dfb3f29e0a56b9e04a970fc71328862116f84a08008caf1e45ac49e938c53600735c7fa39dd80f8479e4b26959a325764

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2669179.exe

Filesize
33KB

MD5
81e302fc60fe98022f0208061d2d13e5

SHA1
b5f063bf09878c85b8bba5a742ddee535ac166d0

SHA256
d179b758a55c11720a9b6d982f38c427bbccd0ffb7c33ca33eafd2b7e95cd725

SHA512
49e4eb09b7523fe8c26ce2fa9786751dfb3f29e0a56b9e04a970fc71328862116f84a08008caf1e45ac49e938c53600735c7fa39dd80f8479e4b26959a325764

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8355189.exe

Filesize
235KB

MD5
96398f255e9742eb9bbfe233651bc795

SHA1
b1796ad760d9c3c7bbf0b3ca8a1ae1a263c23ab6

SHA256
177fc67fb045ebe28b6fc8a2a78bc78f6aa0da25b1bc35e4c4176d796338b889

SHA512
e137194aeda6cb8ca6ca752cd1cf3f754ca69c3fb526328c839eb730105e6957dafc6b5906182ab9f0223bf6ff7b42b4d1180459edef848c99da5e0ef7a50754

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8355189.exe

Filesize
235KB

MD5
96398f255e9742eb9bbfe233651bc795

SHA1
b1796ad760d9c3c7bbf0b3ca8a1ae1a263c23ab6

SHA256
177fc67fb045ebe28b6fc8a2a78bc78f6aa0da25b1bc35e4c4176d796338b889

SHA512
e137194aeda6cb8ca6ca752cd1cf3f754ca69c3fb526328c839eb730105e6957dafc6b5906182ab9f0223bf6ff7b42b4d1180459edef848c99da5e0ef7a50754

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5556390.exe

Filesize
11KB

MD5
989364c865eb7ae6b7d99c0f9315aaaa

SHA1
180d31c042c0b72eb8c94d628de6df2819179820

SHA256
5c4fdba1407b2e7812a326d05f334021ffc6d33bac1b87b67061d9fdae5ce33b

SHA512
3526a12bb0b90e9a2568cdb55a817ea3552b35e6cc66933965e49f1dd113b9cf04c9b1c45add6e6538bbef1c4956a56fddf736cecd6542680dd2712c0eec4a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5556390.exe

Filesize
11KB

MD5
989364c865eb7ae6b7d99c0f9315aaaa

SHA1
180d31c042c0b72eb8c94d628de6df2819179820

SHA256
5c4fdba1407b2e7812a326d05f334021ffc6d33bac1b87b67061d9fdae5ce33b

SHA512
3526a12bb0b90e9a2568cdb55a817ea3552b35e6cc66933965e49f1dd113b9cf04c9b1c45add6e6538bbef1c4956a56fddf736cecd6542680dd2712c0eec4a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7359588.exe

Filesize
229KB

MD5
651407d620d75a11406bcfb621373cea

SHA1
cba29ac2c1927dff8da1d05a53dff1f2def8610f

SHA256
38d77848ffb8ce95088be57a9ab5b45ee3b6040b8eb4a53d347a515dcba64b58

SHA512
a4a5238b75cbb5a4e3e1f1e935119260e579733eb982656fa3ca61fedc613af5147f2bb464c02b764355df2ffd1f6bed603c70fa47cd6b0f8767b27393aa0ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7359588.exe

Filesize
229KB

MD5
651407d620d75a11406bcfb621373cea

SHA1
cba29ac2c1927dff8da1d05a53dff1f2def8610f

SHA256
38d77848ffb8ce95088be57a9ab5b45ee3b6040b8eb4a53d347a515dcba64b58

SHA512
a4a5238b75cbb5a4e3e1f1e935119260e579733eb982656fa3ca61fedc613af5147f2bb464c02b764355df2ffd1f6bed603c70fa47cd6b0f8767b27393aa0ec8

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
dc587d08b8ca3cd62e5dc057d41a966b

SHA1
0ba6a88377c74a0c53b956d405ad17dd5f8c4164

SHA256
7d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426

SHA512
7300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
dc587d08b8ca3cd62e5dc057d41a966b

SHA1
0ba6a88377c74a0c53b956d405ad17dd5f8c4164

SHA256
7d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426

SHA512
7300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
dc587d08b8ca3cd62e5dc057d41a966b

SHA1
0ba6a88377c74a0c53b956d405ad17dd5f8c4164

SHA256
7d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426

SHA512
7300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
272B

MD5
d867eabb1be5b45bc77bb06814e23640

SHA1
3139a51ce7e8462c31070363b9532c13cc52c82d

SHA256
38c69e3f9f3927f8178d55cde9774a2b170c057b349b73932b87b76499d03349

SHA512
afc40d5fa7bcd41b8445f597990d150d57e3621ddef9400af742471aa0d14c2e66cfecc34482dadbaeb6f20912fda8ab786e584bf7fd1ad5fa23d3b95425fd59

Download Submit
memory/684-192-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-259-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-175-0x0000000003360000-0x0000000003376000-memory.dmp

Filesize
88KB

Download
memory/684-194-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-195-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-196-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-197-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-198-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-200-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-202-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-203-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-204-0x0000000008DF0000-0x0000000008E00000-memory.dmp

Filesize
64KB

Download
memory/684-205-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-206-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-208-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-207-0x0000000008DE0000-0x0000000008DF0000-memory.dmp

Filesize
64KB

Download
memory/684-210-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-214-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-212-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-211-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-216-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-217-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-218-0x0000000008DE0000-0x0000000008DF0000-memory.dmp

Filesize
64KB

Download
memory/684-221-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-220-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-219-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-223-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-222-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-225-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-226-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-227-0x0000000008DE0000-0x0000000008DF0000-memory.dmp

Filesize
64KB

Download
memory/684-284-0x0000000007DC0000-0x0000000007DD0000-memory.dmp

Filesize
64KB

Download
memory/684-281-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-282-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-283-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-280-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-248-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-249-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-251-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-250-0x0000000003310000-0x0000000003320000-memory.dmp

Filesize
64KB

Download
memory/684-252-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-253-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-254-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-255-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-257-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-191-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-260-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-261-0x0000000007DC0000-0x0000000007DD0000-memory.dmp

Filesize
64KB

Download
memory/684-262-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-263-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-266-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-268-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-265-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-270-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-264-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-273-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-274-0x0000000003310000-0x0000000003320000-memory.dmp

Filesize
64KB

Download
memory/684-272-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-276-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-277-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-279-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-278-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/684-275-0x0000000008BF0000-0x0000000008C00000-memory.dmp

Filesize
64KB

Download
memory/1144-301-0x00000000024B0000-0x000000000261D000-memory.dmp

Filesize
1.4MB

Download
memory/1144-313-0x0000000002D60000-0x0000000002E61000-memory.dmp

Filesize
1.0MB

Download
memory/1144-312-0x0000000002D60000-0x0000000002E61000-memory.dmp

Filesize
1.0MB

Download
memory/1144-309-0x0000000002D60000-0x0000000002E61000-memory.dmp

Filesize
1.0MB

Download
memory/1144-307-0x0000000002C40000-0x0000000002D5C000-memory.dmp

Filesize
1.1MB

Download
memory/1144-303-0x00000000024B0000-0x000000000261D000-memory.dmp

Filesize
1.4MB

Download
memory/1144-302-0x0000000000AF0000-0x0000000000AF6000-memory.dmp

Filesize
24KB

Download
memory/1156-173-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1156-176-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1308-154-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1308-157-0x00007FFB6F680000-0x00007FFB70141000-memory.dmp

Filesize
10.8MB

Download
memory/1308-155-0x00007FFB6F680000-0x00007FFB70141000-memory.dmp

Filesize
10.8MB

Download
memory/3536-186-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3536-182-0x00000000002A0000-0x00000000002D0000-memory.dmp

Filesize
192KB

Download
memory/3536-189-0x0000000072390000-0x0000000072B40000-memory.dmp

Filesize
7.7MB

Download
memory/3536-183-0x0000000072390000-0x0000000072B40000-memory.dmp

Filesize
7.7MB

Download
memory/3536-188-0x0000000004DE0000-0x0000000004E1C000-memory.dmp

Filesize
240KB

Download
memory/3536-187-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/3536-190-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3536-184-0x00000000053C0000-0x00000000059D8000-memory.dmp

Filesize
6.1MB

Download
memory/3536-185-0x0000000004EB0000-0x0000000004FBA000-memory.dmp

Filesize
1.0MB

Download
memory/4752-316-0x0000000002390000-0x00000000024FD000-memory.dmp

Filesize
1.4MB

Download
memory/4752-317-0x00000000007C0000-0x00000000007C6000-memory.dmp

Filesize
24KB

Download
memory/4752-318-0x0000000002390000-0x00000000024FD000-memory.dmp

Filesize
1.4MB

Download
memory/4752-322-0x0000000002AD0000-0x0000000002BEC000-memory.dmp

Filesize
1.1MB

Download
memory/4752-323-0x0000000002BF0000-0x0000000002CF1000-memory.dmp

Filesize
1.0MB

Download
memory/4752-326-0x0000000002BF0000-0x0000000002CF1000-memory.dmp

Filesize
1.0MB

Download
memory/4752-327-0x0000000002BF0000-0x0000000002CF1000-memory.dmp

Filesize
1.0MB

Download