amadey | 495151363b2f054498bfebbd3c2ab98bc556b5a39feeb8c1f4236e079cb326c4

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2023 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

495151363b2f054498bfebbd3c2ab98bc556b5a39feeb8c1f4236e079cb326c4.exe
Size

514KB
MD5

50cee47138ffb917cf9642830f96a487
SHA1

c3580673135a4043b2c43cdcfe30689a4ff68407
SHA256

495151363b2f054498bfebbd3c2ab98bc556b5a39feeb8c1f4236e079cb326c4
SHA512

704b79c94eb58bd3afe70354c50983728cac0feb5f118c90c851e0aa80e509fef127d7f42e160ec3fd2619de50e348db5dd3ce5a1dd33264d936ac19bfba84b2
SSDEEP

12288:fMrty90qTT5cwT36ulgSA+MYQd5QAclNqr3ej+h:aypXv36uFMY3Y3f

Score

10^/10

amadey healer redline smokeloader news backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

77.91.68.61/rock/index.php

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

news

77.91.68.68:19071

Attributes

auth_value
99ba2ffe8d72ebe9fdc7e758c94db148

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000231f5-152.dat	healer
behavioral1/files/0x00070000000231f5-153.dat	healer
behavioral1/memory/2944-154-0x0000000000180000-0x000000000018A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0002569.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a0002569.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0002569.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0002569.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0002569.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0002569.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	b4320630.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	pdates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	raman.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	FD76.exe

Executes dropped EXE 11 IoCs

pid	Process
2836	v5676487.exe
4320	v5016111.exe
2944	a0002569.exe
4360	b4320630.exe
5072	pdates.exe
3236	c9884633.exe
3680	d6143066.exe
3436	pdates.exe
2656	raman.exe
2572	pdates.exe
4240	FD76.exe

Loads dropped DLL 6 IoCs

pid	Process
1876	rundll32.exe
2360	rundll32.exe
3864	rundll32.exe
3864	rundll32.exe
2132	rundll32.exe
1212	rundll32.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0002569.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	495151363b2f054498bfebbd3c2ab98bc556b5a39feeb8c1f4236e079cb326c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	495151363b2f054498bfebbd3c2ab98bc556b5a39feeb8c1f4236e079cb326c4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5676487.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5676487.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5016111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5016111.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raman.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000004051\\raman.exe"	pdates.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c9884633.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c9884633.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c9884633.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2616	schtasks.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	raman.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	FD76.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	a0002569.exe
2944	a0002569.exe
3236	c9884633.exe
3236	c9884633.exe
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found
780	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
780	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3236	c9884633.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	a0002569.exe
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found
Token: SeShutdownPrivilege	780	Process not Found
Token: SeCreatePagefilePrivilege	780	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4360	b4320630.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2836	2996	495151363b2f054498bfebbd3c2ab98bc556b5a39feeb8c1f4236e079cb326c4.exe	86
PID 2996 wrote to memory of 2836	2996	495151363b2f054498bfebbd3c2ab98bc556b5a39feeb8c1f4236e079cb326c4.exe	86
PID 2996 wrote to memory of 2836	2996	495151363b2f054498bfebbd3c2ab98bc556b5a39feeb8c1f4236e079cb326c4.exe	86
PID 2836 wrote to memory of 4320	2836	v5676487.exe	87
PID 2836 wrote to memory of 4320	2836	v5676487.exe	87
PID 2836 wrote to memory of 4320	2836	v5676487.exe	87
PID 4320 wrote to memory of 2944	4320	v5016111.exe	88
PID 4320 wrote to memory of 2944	4320	v5016111.exe	88
PID 4320 wrote to memory of 4360	4320	v5016111.exe	93
PID 4320 wrote to memory of 4360	4320	v5016111.exe	93
PID 4320 wrote to memory of 4360	4320	v5016111.exe	93
PID 4360 wrote to memory of 5072	4360	b4320630.exe	94
PID 4360 wrote to memory of 5072	4360	b4320630.exe	94
PID 4360 wrote to memory of 5072	4360	b4320630.exe	94
PID 2836 wrote to memory of 3236	2836	v5676487.exe	95
PID 2836 wrote to memory of 3236	2836	v5676487.exe	95
PID 2836 wrote to memory of 3236	2836	v5676487.exe	95
PID 5072 wrote to memory of 2616	5072	pdates.exe	96
PID 5072 wrote to memory of 2616	5072	pdates.exe	96
PID 5072 wrote to memory of 2616	5072	pdates.exe	96
PID 5072 wrote to memory of 3404	5072	pdates.exe	98
PID 5072 wrote to memory of 3404	5072	pdates.exe	98
PID 5072 wrote to memory of 3404	5072	pdates.exe	98
PID 3404 wrote to memory of 872	3404	cmd.exe	100
PID 3404 wrote to memory of 872	3404	cmd.exe	100
PID 3404 wrote to memory of 872	3404	cmd.exe	100
PID 3404 wrote to memory of 5036	3404	cmd.exe	101
PID 3404 wrote to memory of 5036	3404	cmd.exe	101
PID 3404 wrote to memory of 5036	3404	cmd.exe	101
PID 3404 wrote to memory of 2184	3404	cmd.exe	102
PID 3404 wrote to memory of 2184	3404	cmd.exe	102
PID 3404 wrote to memory of 2184	3404	cmd.exe	102
PID 3404 wrote to memory of 2688	3404	cmd.exe	103
PID 3404 wrote to memory of 2688	3404	cmd.exe	103
PID 3404 wrote to memory of 2688	3404	cmd.exe	103
PID 3404 wrote to memory of 656	3404	cmd.exe	104
PID 3404 wrote to memory of 656	3404	cmd.exe	104
PID 3404 wrote to memory of 656	3404	cmd.exe	104
PID 3404 wrote to memory of 4644	3404	cmd.exe	105
PID 3404 wrote to memory of 4644	3404	cmd.exe	105
PID 3404 wrote to memory of 4644	3404	cmd.exe	105
PID 2996 wrote to memory of 3680	2996	495151363b2f054498bfebbd3c2ab98bc556b5a39feeb8c1f4236e079cb326c4.exe	106
PID 2996 wrote to memory of 3680	2996	495151363b2f054498bfebbd3c2ab98bc556b5a39feeb8c1f4236e079cb326c4.exe	106
PID 2996 wrote to memory of 3680	2996	495151363b2f054498bfebbd3c2ab98bc556b5a39feeb8c1f4236e079cb326c4.exe	106
PID 5072 wrote to memory of 1876	5072	pdates.exe	114
PID 5072 wrote to memory of 1876	5072	pdates.exe	114
PID 5072 wrote to memory of 1876	5072	pdates.exe	114
PID 5072 wrote to memory of 2656	5072	pdates.exe	116
PID 5072 wrote to memory of 2656	5072	pdates.exe	116
PID 5072 wrote to memory of 2656	5072	pdates.exe	116
PID 2656 wrote to memory of 1216	2656	raman.exe	117
PID 2656 wrote to memory of 1216	2656	raman.exe	117
PID 2656 wrote to memory of 1216	2656	raman.exe	117
PID 1216 wrote to memory of 2360	1216	control.exe	119
PID 1216 wrote to memory of 2360	1216	control.exe	119
PID 1216 wrote to memory of 2360	1216	control.exe	119
PID 2360 wrote to memory of 2832	2360	rundll32.exe	120
PID 2360 wrote to memory of 2832	2360	rundll32.exe	120
PID 2832 wrote to memory of 3864	2832	RunDll32.exe	121
PID 2832 wrote to memory of 3864	2832	RunDll32.exe	121
PID 2832 wrote to memory of 3864	2832	RunDll32.exe	121
PID 780 wrote to memory of 4240	780	Process not Found	130
PID 780 wrote to memory of 4240	780	Process not Found	130
PID 780 wrote to memory of 4240	780	Process not Found	130

C:\Users\Admin\AppData\Local\Temp\495151363b2f054498bfebbd3c2ab98bc556b5a39feeb8c1f4236e079cb326c4.exe
"C:\Users\Admin\AppData\Local\Temp\495151363b2f054498bfebbd3c2ab98bc556b5a39feeb8c1f4236e079cb326c4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5676487.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5676487.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5016111.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5016111.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0002569.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0002569.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4320630.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4320630.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4360
    - - C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
        
        "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5072
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:2616
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:N"
        7⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:R" /E
        7⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:N"
        7⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:R" /E
        7⤵
        
        PID:4644
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:1876
      - C:\Users\Admin\AppData\Local\Temp\1000004051\raman.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004051\raman.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\V09O9J.Cpl",
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\V09O9J.Cpl",
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\V09O9J.Cpl",
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\V09O9J.Cpl",
        10⤵
        Loads dropped DLL
        
        PID:3864
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9884633.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9884633.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:3236
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6143066.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6143066.exe
  2⤵
  - Executes dropped EXE
  PID:3680

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:3436

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:2572

C:\Users\Admin\AppData\Local\Temp\FD76.exe
C:\Users\Admin\AppData\Local\Temp\FD76.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4240
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\V09O9J.Cpl",
  2⤵
  PID:3488
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\V09O9J.Cpl",
    3⤵
    - Loads dropped DLL
    PID:2132
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\V09O9J.Cpl",
      4⤵
      PID:2340
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\V09O9J.Cpl",
        5⤵
        Loads dropped DLL
        
        PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000004051\raman.exe

Filesize
1.7MB

MD5
c22b20974498e9db3dfbd94ac5375058

SHA1
f945331ba98379848e9fcc4fbb1f591391edf028

SHA256
d1f832dc7b20055b7ac1f2b31e7127654eb70dcb5249ec8aa1180150efc16321

SHA512
31a6a9debbc538d9566bb64fd1eb3c1117caf1b4da1b99d976728fd4e18839b579be7aad16c27fe759a7256f497f353d45e6e0e2c22f9d22e219bdc5419a7801

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004051\raman.exe

Filesize
1.7MB

MD5
c22b20974498e9db3dfbd94ac5375058

SHA1
f945331ba98379848e9fcc4fbb1f591391edf028

SHA256
d1f832dc7b20055b7ac1f2b31e7127654eb70dcb5249ec8aa1180150efc16321

SHA512
31a6a9debbc538d9566bb64fd1eb3c1117caf1b4da1b99d976728fd4e18839b579be7aad16c27fe759a7256f497f353d45e6e0e2c22f9d22e219bdc5419a7801

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004051\raman.exe

Filesize
1.7MB

MD5
c22b20974498e9db3dfbd94ac5375058

SHA1
f945331ba98379848e9fcc4fbb1f591391edf028

SHA256
d1f832dc7b20055b7ac1f2b31e7127654eb70dcb5249ec8aa1180150efc16321

SHA512
31a6a9debbc538d9566bb64fd1eb3c1117caf1b4da1b99d976728fd4e18839b579be7aad16c27fe759a7256f497f353d45e6e0e2c22f9d22e219bdc5419a7801

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
223KB

MD5
305ecbabc0304bc3d2708d6d511e019a

SHA1
63aa542890fb0c5dd2eea5325a8736c77359f037

SHA256
7731afb0d4949a79a0ce96055a2aa053f146a0c0420a6cab24b9cbd2067c0210

SHA512
cfdd1018058d889034df2bd7289bbf0fbc170bf9893d74508cb012a7a1cf70b245232e99eed00e2d88bee39eaa1b27f715d794bfe9829948c0e7e38f49a5754a

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
223KB

MD5
305ecbabc0304bc3d2708d6d511e019a

SHA1
63aa542890fb0c5dd2eea5325a8736c77359f037

SHA256
7731afb0d4949a79a0ce96055a2aa053f146a0c0420a6cab24b9cbd2067c0210

SHA512
cfdd1018058d889034df2bd7289bbf0fbc170bf9893d74508cb012a7a1cf70b245232e99eed00e2d88bee39eaa1b27f715d794bfe9829948c0e7e38f49a5754a

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
223KB

MD5
305ecbabc0304bc3d2708d6d511e019a

SHA1
63aa542890fb0c5dd2eea5325a8736c77359f037

SHA256
7731afb0d4949a79a0ce96055a2aa053f146a0c0420a6cab24b9cbd2067c0210

SHA512
cfdd1018058d889034df2bd7289bbf0fbc170bf9893d74508cb012a7a1cf70b245232e99eed00e2d88bee39eaa1b27f715d794bfe9829948c0e7e38f49a5754a

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
223KB

MD5
305ecbabc0304bc3d2708d6d511e019a

SHA1
63aa542890fb0c5dd2eea5325a8736c77359f037

SHA256
7731afb0d4949a79a0ce96055a2aa053f146a0c0420a6cab24b9cbd2067c0210

SHA512
cfdd1018058d889034df2bd7289bbf0fbc170bf9893d74508cb012a7a1cf70b245232e99eed00e2d88bee39eaa1b27f715d794bfe9829948c0e7e38f49a5754a

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
223KB

MD5
305ecbabc0304bc3d2708d6d511e019a

SHA1
63aa542890fb0c5dd2eea5325a8736c77359f037

SHA256
7731afb0d4949a79a0ce96055a2aa053f146a0c0420a6cab24b9cbd2067c0210

SHA512
cfdd1018058d889034df2bd7289bbf0fbc170bf9893d74508cb012a7a1cf70b245232e99eed00e2d88bee39eaa1b27f715d794bfe9829948c0e7e38f49a5754a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD76.exe

Filesize
1.7MB

MD5
c22b20974498e9db3dfbd94ac5375058

SHA1
f945331ba98379848e9fcc4fbb1f591391edf028

SHA256
d1f832dc7b20055b7ac1f2b31e7127654eb70dcb5249ec8aa1180150efc16321

SHA512
31a6a9debbc538d9566bb64fd1eb3c1117caf1b4da1b99d976728fd4e18839b579be7aad16c27fe759a7256f497f353d45e6e0e2c22f9d22e219bdc5419a7801

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD76.exe

Filesize
1.7MB

MD5
c22b20974498e9db3dfbd94ac5375058

SHA1
f945331ba98379848e9fcc4fbb1f591391edf028

SHA256
d1f832dc7b20055b7ac1f2b31e7127654eb70dcb5249ec8aa1180150efc16321

SHA512
31a6a9debbc538d9566bb64fd1eb3c1117caf1b4da1b99d976728fd4e18839b579be7aad16c27fe759a7256f497f353d45e6e0e2c22f9d22e219bdc5419a7801

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6143066.exe

Filesize
175KB

MD5
1ec0cef25380752432f3fb3dbb229099

SHA1
b05e6cc7a8f1d04e775ed1104c3deb1ee10d229d

SHA256
46ebbcb3f745064c50a88bc91b7b41942ef3ccfe7cacafaf3a0484b29f1f31c3

SHA512
1e1e94a6ad7138cdc0326f05cfe623a825e01150056f5c5b79bb313a1960e08a32f3aeb419de90540841e0afb38b20d4a95c896de0d39b74aa85ae90277af4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6143066.exe

Filesize
175KB

MD5
1ec0cef25380752432f3fb3dbb229099

SHA1
b05e6cc7a8f1d04e775ed1104c3deb1ee10d229d

SHA256
46ebbcb3f745064c50a88bc91b7b41942ef3ccfe7cacafaf3a0484b29f1f31c3

SHA512
1e1e94a6ad7138cdc0326f05cfe623a825e01150056f5c5b79bb313a1960e08a32f3aeb419de90540841e0afb38b20d4a95c896de0d39b74aa85ae90277af4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5676487.exe

Filesize
359KB

MD5
7e01d0777f323da38153036af307fd63

SHA1
978d823dbe86d68958e4dd9a8a1cb284f68aa8a0

SHA256
47dd4d47780e9031c081409e4d51c2777077f478b9363576b9434898d84aa729

SHA512
140a517892a71c2f7d219d46ed6284a7bead67e69dbd44e530f46795112c7efa3d46acd26ac8a5ced4342808ebca31409bb82fdc0c181280b400c402d210061d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5676487.exe

Filesize
359KB

MD5
7e01d0777f323da38153036af307fd63

SHA1
978d823dbe86d68958e4dd9a8a1cb284f68aa8a0

SHA256
47dd4d47780e9031c081409e4d51c2777077f478b9363576b9434898d84aa729

SHA512
140a517892a71c2f7d219d46ed6284a7bead67e69dbd44e530f46795112c7efa3d46acd26ac8a5ced4342808ebca31409bb82fdc0c181280b400c402d210061d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9884633.exe

Filesize
35KB

MD5
8698a6a3915b1359237bad4f4a0f7e11

SHA1
2bd1eed9469587f0aa3f3060659e9eef3eef881b

SHA256
3b32be8732dc6963309837fb6448d4c273350921cc1332e54a25f4004771ff53

SHA512
9ed6a46f84d31f3bd3daaa3ac55d142c4887cec5ab15df977538e958d11ab4ade775292f53368d0d31bb3f515ba5a0e06581d265f617a2cacb073bcc137113a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9884633.exe

Filesize
35KB

MD5
8698a6a3915b1359237bad4f4a0f7e11

SHA1
2bd1eed9469587f0aa3f3060659e9eef3eef881b

SHA256
3b32be8732dc6963309837fb6448d4c273350921cc1332e54a25f4004771ff53

SHA512
9ed6a46f84d31f3bd3daaa3ac55d142c4887cec5ab15df977538e958d11ab4ade775292f53368d0d31bb3f515ba5a0e06581d265f617a2cacb073bcc137113a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5016111.exe

Filesize
234KB

MD5
9c571abbb7cc49b1e632495299acfaca

SHA1
9fab8001333a89ae394052d01666aba400859942

SHA256
e666bed293d13334d41c4e4a13da4fbb3d08f213ff1cd6baff23a68356af8bd8

SHA512
b25fa04bf54b916ab6ef44b1286a984b982227dfedf316a4d9febceba3cbe1736f2f8a2c554a20513afd6347cd396d76ff09780f33982c809dc8b770bd01fdad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5016111.exe

Filesize
234KB

MD5
9c571abbb7cc49b1e632495299acfaca

SHA1
9fab8001333a89ae394052d01666aba400859942

SHA256
e666bed293d13334d41c4e4a13da4fbb3d08f213ff1cd6baff23a68356af8bd8

SHA512
b25fa04bf54b916ab6ef44b1286a984b982227dfedf316a4d9febceba3cbe1736f2f8a2c554a20513afd6347cd396d76ff09780f33982c809dc8b770bd01fdad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0002569.exe

Filesize
13KB

MD5
765ed2f26c88474cd2fbaebad452990c

SHA1
d6922cb3a5c92233e07d57b55fa748dce7e644c0

SHA256
194a1e09f24014e3f48216fe698993f1126401412fdb6af625dae84c7028dcfc

SHA512
95e8d3844112251e1f5010e8848c946a4db8633be7c55c3541adafee3188208c30bf02e4e777f0e4b1d26819a92d1b6cb6b1c1d5c78c387e2199bef1c8b6377b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0002569.exe

Filesize
13KB

MD5
765ed2f26c88474cd2fbaebad452990c

SHA1
d6922cb3a5c92233e07d57b55fa748dce7e644c0

SHA256
194a1e09f24014e3f48216fe698993f1126401412fdb6af625dae84c7028dcfc

SHA512
95e8d3844112251e1f5010e8848c946a4db8633be7c55c3541adafee3188208c30bf02e4e777f0e4b1d26819a92d1b6cb6b1c1d5c78c387e2199bef1c8b6377b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4320630.exe

Filesize
223KB

MD5
305ecbabc0304bc3d2708d6d511e019a

SHA1
63aa542890fb0c5dd2eea5325a8736c77359f037

SHA256
7731afb0d4949a79a0ce96055a2aa053f146a0c0420a6cab24b9cbd2067c0210

SHA512
cfdd1018058d889034df2bd7289bbf0fbc170bf9893d74508cb012a7a1cf70b245232e99eed00e2d88bee39eaa1b27f715d794bfe9829948c0e7e38f49a5754a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4320630.exe

Filesize
223KB

MD5
305ecbabc0304bc3d2708d6d511e019a

SHA1
63aa542890fb0c5dd2eea5325a8736c77359f037

SHA256
7731afb0d4949a79a0ce96055a2aa053f146a0c0420a6cab24b9cbd2067c0210

SHA512
cfdd1018058d889034df2bd7289bbf0fbc170bf9893d74508cb012a7a1cf70b245232e99eed00e2d88bee39eaa1b27f715d794bfe9829948c0e7e38f49a5754a

Download Submit
C:\Users\Admin\AppData\Local\Temp\V09O9J.Cpl

Filesize
1.2MB

MD5
828504fe5f7e905b79f0768404b55b21

SHA1
e1275b85cce51727dba9a3022866d2211613e44b

SHA256
582900afac1d999f2dfd6ae05fead351c0fb706cb6ab32c259120b6505318abd

SHA512
9f934ce3c23f75a0806832653a117b61e51caf1b2b79ef63f4eeacb07597d0f8e270367b6b3cc4c6191bed30113ecc7e43187591772168cc1cd5e25de0aabade

Download Submit
C:\Users\Admin\AppData\Local\Temp\V09O9J.cpl

Filesize
1.2MB

MD5
828504fe5f7e905b79f0768404b55b21

SHA1
e1275b85cce51727dba9a3022866d2211613e44b

SHA256
582900afac1d999f2dfd6ae05fead351c0fb706cb6ab32c259120b6505318abd

SHA512
9f934ce3c23f75a0806832653a117b61e51caf1b2b79ef63f4eeacb07597d0f8e270367b6b3cc4c6191bed30113ecc7e43187591772168cc1cd5e25de0aabade

Download Submit
C:\Users\Admin\AppData\Local\Temp\V09O9J.cpl

Filesize
1.2MB

MD5
828504fe5f7e905b79f0768404b55b21

SHA1
e1275b85cce51727dba9a3022866d2211613e44b

SHA256
582900afac1d999f2dfd6ae05fead351c0fb706cb6ab32c259120b6505318abd

SHA512
9f934ce3c23f75a0806832653a117b61e51caf1b2b79ef63f4eeacb07597d0f8e270367b6b3cc4c6191bed30113ecc7e43187591772168cc1cd5e25de0aabade

Download Submit
C:\Users\Admin\AppData\Local\Temp\V09O9J.cpl

Filesize
1.2MB

MD5
828504fe5f7e905b79f0768404b55b21

SHA1
e1275b85cce51727dba9a3022866d2211613e44b

SHA256
582900afac1d999f2dfd6ae05fead351c0fb706cb6ab32c259120b6505318abd

SHA512
9f934ce3c23f75a0806832653a117b61e51caf1b2b79ef63f4eeacb07597d0f8e270367b6b3cc4c6191bed30113ecc7e43187591772168cc1cd5e25de0aabade

Download Submit
C:\Users\Admin\AppData\Local\Temp\V09O9J.cpl

Filesize
1.2MB

MD5
828504fe5f7e905b79f0768404b55b21

SHA1
e1275b85cce51727dba9a3022866d2211613e44b

SHA256
582900afac1d999f2dfd6ae05fead351c0fb706cb6ab32c259120b6505318abd

SHA512
9f934ce3c23f75a0806832653a117b61e51caf1b2b79ef63f4eeacb07597d0f8e270367b6b3cc4c6191bed30113ecc7e43187591772168cc1cd5e25de0aabade

Download Submit
C:\Users\Admin\AppData\Local\Temp\V09O9J.cpl

Filesize
1.2MB

MD5
828504fe5f7e905b79f0768404b55b21

SHA1
e1275b85cce51727dba9a3022866d2211613e44b

SHA256
582900afac1d999f2dfd6ae05fead351c0fb706cb6ab32c259120b6505318abd

SHA512
9f934ce3c23f75a0806832653a117b61e51caf1b2b79ef63f4eeacb07597d0f8e270367b6b3cc4c6191bed30113ecc7e43187591772168cc1cd5e25de0aabade

Download Submit
C:\Users\Admin\AppData\Local\Temp\V09O9J.cpl

Filesize
1.2MB

MD5
828504fe5f7e905b79f0768404b55b21

SHA1
e1275b85cce51727dba9a3022866d2211613e44b

SHA256
582900afac1d999f2dfd6ae05fead351c0fb706cb6ab32c259120b6505318abd

SHA512
9f934ce3c23f75a0806832653a117b61e51caf1b2b79ef63f4eeacb07597d0f8e270367b6b3cc4c6191bed30113ecc7e43187591772168cc1cd5e25de0aabade

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
9851b884bf4aadfade57d911a3f03332

SHA1
aaadd1c1856c22844bb9fbb030cf4f586ed8866a

SHA256
03afb988f3eec62c2da682af371625adcac5a0e69615298f83d99365ab07ac0f

SHA512
a7de560f51bacd381d3e741f887c3c40ece88521ee93a22a4f7448297e8bda2131be866d9ae6438c528d9f40a277c18bae517deec16b6b723f67d4c308031327

Download Submit
memory/780-175-0x00000000030F0000-0x0000000003106000-memory.dmp

Filesize
88KB

Download
memory/1212-278-0x0000000002DC0000-0x0000000002EA6000-memory.dmp

Filesize
920KB

Download
memory/1212-277-0x0000000002DC0000-0x0000000002EA6000-memory.dmp

Filesize
920KB

Download
memory/1212-275-0x0000000002DC0000-0x0000000002EA6000-memory.dmp

Filesize
920KB

Download
memory/1212-273-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/1212-272-0x0000000002CC0000-0x0000000002DBF000-memory.dmp

Filesize
1020KB

Download
memory/1212-270-0x0000000000DE0000-0x0000000000DE6000-memory.dmp

Filesize
24KB

Download
memory/2132-259-0x00000000028D0000-0x00000000028D6000-memory.dmp

Filesize
24KB

Download
memory/2132-267-0x0000000002F80000-0x0000000003066000-memory.dmp

Filesize
920KB

Download
memory/2132-266-0x0000000002F80000-0x0000000003066000-memory.dmp

Filesize
920KB

Download
memory/2132-264-0x0000000002F80000-0x0000000003066000-memory.dmp

Filesize
920KB

Download
memory/2132-262-0x0000000002E70000-0x0000000002F6F000-memory.dmp

Filesize
1020KB

Download
memory/2360-235-0x0000000002B50000-0x0000000002C4F000-memory.dmp

Filesize
1020KB

Download
memory/2360-239-0x0000000002C50000-0x0000000002D36000-memory.dmp

Filesize
920KB

Download
memory/2360-240-0x0000000002C50000-0x0000000002D36000-memory.dmp

Filesize
920KB

Download
memory/2360-232-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/2360-233-0x0000000002550000-0x0000000002556000-memory.dmp

Filesize
24KB

Download
memory/2360-236-0x0000000002C50000-0x0000000002D36000-memory.dmp

Filesize
920KB

Download
memory/2360-237-0x0000000002C50000-0x0000000002D36000-memory.dmp

Filesize
920KB

Download
memory/2944-154-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2944-155-0x00007FF985390000-0x00007FF985E51000-memory.dmp

Filesize
10.8MB

Download
memory/2944-157-0x00007FF985390000-0x00007FF985E51000-memory.dmp

Filesize
10.8MB

Download
memory/3236-174-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3236-176-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3680-182-0x00000000008B0000-0x00000000008E0000-memory.dmp

Filesize
192KB

Download
memory/3680-184-0x0000000005A90000-0x00000000060A8000-memory.dmp

Filesize
6.1MB

Download
memory/3680-189-0x00000000733D0000-0x0000000073B80000-memory.dmp

Filesize
7.7MB

Download
memory/3680-188-0x00000000052D0000-0x000000000530C000-memory.dmp

Filesize
240KB

Download
memory/3680-187-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/3680-186-0x0000000005270000-0x0000000005282000-memory.dmp

Filesize
72KB

Download
memory/3680-185-0x0000000005580000-0x000000000568A000-memory.dmp

Filesize
1.0MB

Download
memory/3680-190-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/3680-183-0x00000000733D0000-0x0000000073B80000-memory.dmp

Filesize
7.7MB

Download
memory/3864-244-0x0000000000A20000-0x0000000000A26000-memory.dmp

Filesize
24KB

Download
memory/3864-252-0x0000000002D20000-0x0000000002E06000-memory.dmp

Filesize
920KB

Download
memory/3864-250-0x0000000002D20000-0x0000000002E06000-memory.dmp

Filesize
920KB

Download
memory/3864-245-0x00000000028A0000-0x00000000029DC000-memory.dmp

Filesize
1.2MB

Download
memory/3864-243-0x00000000028A0000-0x00000000029DC000-memory.dmp

Filesize
1.2MB

Download
memory/3864-253-0x0000000002D20000-0x0000000002E06000-memory.dmp

Filesize
920KB

Download
memory/3864-248-0x0000000002C20000-0x0000000002D1F000-memory.dmp

Filesize
1020KB

Download