amadey | 7a9336bdc9a855330dfc6d674e00aaade0509fdcc55178112703f86064c08aec

Analysis

max time kernel
150s
max time network
145s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
24/07/2023, 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a9336bdc9a855330dfc6d674e00aaade0509fdcc55178112703f86064c08aec.exe
Size

514KB
MD5

5451f69563fa04c8156bab586746f822
SHA1

40ae2c046d3cae7ac0d0be1837a46b5884fe4e6e
SHA256

7a9336bdc9a855330dfc6d674e00aaade0509fdcc55178112703f86064c08aec
SHA512

ade1d57e5bfe55cb5a69b9ed9b2a6c7e69e01e186733bcef75f8ac78be84d96d67c4f26192f940c3cdafd4ae5bfd5aa21a1e26bc5daa6c83b694883f28562feb
SSDEEP

12288:vMrOy90d9O4odQIPV7Y2XaaN0VoWHXDbxw5x12y:Vyw9JcQIPNYza0THHxwDky

Score

10^/10

amadey healer redline smokeloader news backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

77.91.68.61/rock/index.php

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

news

77.91.68.68:19071

Attributes

auth_value
99ba2ffe8d72ebe9fdc7e758c94db148

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afa3-140.dat	healer
behavioral1/files/0x000700000001afa3-139.dat	healer
behavioral1/memory/4068-141-0x00000000002D0000-0x00000000002DA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6149710.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6149710.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6149710.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6149710.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6149710.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 11 IoCs

pid	Process
3784	v0354338.exe
1496	v5194864.exe
4068	a6149710.exe
2964	b2670361.exe
2888	pdates.exe
2364	c6862886.exe
3144	pdates.exe
548	d8061580.exe
4916	pdates.exe
5040	raman.exe
908	2F15.exe

Loads dropped DLL 6 IoCs

pid	Process
4768	rundll32.exe
4932	rundll32.exe
4752	rundll32.exe
3392	rundll32.exe
2076	rundll32.exe
2076	rundll32.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6149710.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Windows\CurrentVersion\Run\raman.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000004051\\raman.exe"	pdates.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7a9336bdc9a855330dfc6d674e00aaade0509fdcc55178112703f86064c08aec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7a9336bdc9a855330dfc6d674e00aaade0509fdcc55178112703f86064c08aec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0354338.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0354338.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5194864.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5194864.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c6862886.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c6862886.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c6862886.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2368	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings	raman.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings	2F15.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4068	a6149710.exe
4068	a6149710.exe
2364	c6862886.exe
2364	c6862886.exe
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3276	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2364	c6862886.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	4068	a6149710.exe
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2964	b2670361.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 3784	3592	7a9336bdc9a855330dfc6d674e00aaade0509fdcc55178112703f86064c08aec.exe	70
PID 3592 wrote to memory of 3784	3592	7a9336bdc9a855330dfc6d674e00aaade0509fdcc55178112703f86064c08aec.exe	70
PID 3592 wrote to memory of 3784	3592	7a9336bdc9a855330dfc6d674e00aaade0509fdcc55178112703f86064c08aec.exe	70
PID 3784 wrote to memory of 1496	3784	v0354338.exe	71
PID 3784 wrote to memory of 1496	3784	v0354338.exe	71
PID 3784 wrote to memory of 1496	3784	v0354338.exe	71
PID 1496 wrote to memory of 4068	1496	v5194864.exe	72
PID 1496 wrote to memory of 4068	1496	v5194864.exe	72
PID 1496 wrote to memory of 2964	1496	v5194864.exe	73
PID 1496 wrote to memory of 2964	1496	v5194864.exe	73
PID 1496 wrote to memory of 2964	1496	v5194864.exe	73
PID 2964 wrote to memory of 2888	2964	b2670361.exe	74
PID 2964 wrote to memory of 2888	2964	b2670361.exe	74
PID 2964 wrote to memory of 2888	2964	b2670361.exe	74
PID 3784 wrote to memory of 2364	3784	v0354338.exe	75
PID 3784 wrote to memory of 2364	3784	v0354338.exe	75
PID 3784 wrote to memory of 2364	3784	v0354338.exe	75
PID 2888 wrote to memory of 2368	2888	pdates.exe	76
PID 2888 wrote to memory of 2368	2888	pdates.exe	76
PID 2888 wrote to memory of 2368	2888	pdates.exe	76
PID 2888 wrote to memory of 248	2888	pdates.exe	78
PID 2888 wrote to memory of 248	2888	pdates.exe	78
PID 2888 wrote to memory of 248	2888	pdates.exe	78
PID 248 wrote to memory of 3264	248	cmd.exe	80
PID 248 wrote to memory of 3264	248	cmd.exe	80
PID 248 wrote to memory of 3264	248	cmd.exe	80
PID 248 wrote to memory of 3696	248	cmd.exe	81
PID 248 wrote to memory of 3696	248	cmd.exe	81
PID 248 wrote to memory of 3696	248	cmd.exe	81
PID 248 wrote to memory of 3476	248	cmd.exe	82
PID 248 wrote to memory of 3476	248	cmd.exe	82
PID 248 wrote to memory of 3476	248	cmd.exe	82
PID 248 wrote to memory of 1856	248	cmd.exe	83
PID 248 wrote to memory of 1856	248	cmd.exe	83
PID 248 wrote to memory of 1856	248	cmd.exe	83
PID 248 wrote to memory of 2836	248	cmd.exe	84
PID 248 wrote to memory of 2836	248	cmd.exe	84
PID 248 wrote to memory of 2836	248	cmd.exe	84
PID 248 wrote to memory of 5064	248	cmd.exe	85
PID 248 wrote to memory of 5064	248	cmd.exe	85
PID 248 wrote to memory of 5064	248	cmd.exe	85
PID 3592 wrote to memory of 548	3592	7a9336bdc9a855330dfc6d674e00aaade0509fdcc55178112703f86064c08aec.exe	87
PID 3592 wrote to memory of 548	3592	7a9336bdc9a855330dfc6d674e00aaade0509fdcc55178112703f86064c08aec.exe	87
PID 3592 wrote to memory of 548	3592	7a9336bdc9a855330dfc6d674e00aaade0509fdcc55178112703f86064c08aec.exe	87
PID 2888 wrote to memory of 4768	2888	pdates.exe	88
PID 2888 wrote to memory of 4768	2888	pdates.exe	88
PID 2888 wrote to memory of 4768	2888	pdates.exe	88
PID 2888 wrote to memory of 5040	2888	pdates.exe	90
PID 2888 wrote to memory of 5040	2888	pdates.exe	90
PID 2888 wrote to memory of 5040	2888	pdates.exe	90
PID 5040 wrote to memory of 2168	5040	raman.exe	91
PID 5040 wrote to memory of 2168	5040	raman.exe	91
PID 5040 wrote to memory of 2168	5040	raman.exe	91
PID 2168 wrote to memory of 4932	2168	control.exe	93
PID 2168 wrote to memory of 4932	2168	control.exe	93
PID 2168 wrote to memory of 4932	2168	control.exe	93
PID 4932 wrote to memory of 2496	4932	rundll32.exe	94
PID 4932 wrote to memory of 2496	4932	rundll32.exe	94
PID 2496 wrote to memory of 4752	2496	RunDll32.exe	95
PID 2496 wrote to memory of 4752	2496	RunDll32.exe	95
PID 2496 wrote to memory of 4752	2496	RunDll32.exe	95
PID 3276 wrote to memory of 908	3276	Process not Found	97
PID 3276 wrote to memory of 908	3276	Process not Found	97
PID 3276 wrote to memory of 908	3276	Process not Found	97

C:\Users\Admin\AppData\Local\Temp\7a9336bdc9a855330dfc6d674e00aaade0509fdcc55178112703f86064c08aec.exe
"C:\Users\Admin\AppData\Local\Temp\7a9336bdc9a855330dfc6d674e00aaade0509fdcc55178112703f86064c08aec.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0354338.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0354338.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5194864.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5194864.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6149710.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6149710.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4068
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2670361.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2670361.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
        
        "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:2368
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:N"
        7⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:R" /E
        7⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:N"
        7⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:R" /E
        7⤵
        
        PID:5064
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:4768
      - C:\Users\Admin\AppData\Local\Temp\1000004051\raman.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004051\raman.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\H1TF.Cpl",
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\H1TF.Cpl",
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\H1TF.Cpl",
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\H1TF.Cpl",
        10⤵
        Loads dropped DLL
        
        PID:4752
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6862886.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6862886.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2364
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8061580.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8061580.exe
  2⤵
  - Executes dropped EXE
  PID:548

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:3144

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Users\Admin\AppData\Local\Temp\2F15.exe
C:\Users\Admin\AppData\Local\Temp\2F15.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:908
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\H1TF.Cpl",
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\H1TF.Cpl",
    3⤵
    - Loads dropped DLL
    PID:3392
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\H1TF.Cpl",
      4⤵
      PID:2128
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\H1TF.Cpl",
        5⤵
        Loads dropped DLL
        
        PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000004051\raman.exe

Filesize
1.9MB

MD5
9fed2b1056b26fe6a1c77fc5a6c0e91e

SHA1
202dae4de54d29840a0aa5a4b08baff652e0acb5

SHA256
a456dceb27961e0766a36b377590d2fc5c9a0e69d3661ef53af40054db7406f5

SHA512
6b9e200ea3d7ff9bb65eef50cd8513ba9fc8694c78ae4881a2c578d1dd7284a93228fbb630131b31f331c1fd100150b7ec851ebc67b093cbee18a15ed751b170

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004051\raman.exe

Filesize
1.9MB

MD5
9fed2b1056b26fe6a1c77fc5a6c0e91e

SHA1
202dae4de54d29840a0aa5a4b08baff652e0acb5

SHA256
a456dceb27961e0766a36b377590d2fc5c9a0e69d3661ef53af40054db7406f5

SHA512
6b9e200ea3d7ff9bb65eef50cd8513ba9fc8694c78ae4881a2c578d1dd7284a93228fbb630131b31f331c1fd100150b7ec851ebc67b093cbee18a15ed751b170

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004051\raman.exe

Filesize
1.9MB

MD5
9fed2b1056b26fe6a1c77fc5a6c0e91e

SHA1
202dae4de54d29840a0aa5a4b08baff652e0acb5

SHA256
a456dceb27961e0766a36b377590d2fc5c9a0e69d3661ef53af40054db7406f5

SHA512
6b9e200ea3d7ff9bb65eef50cd8513ba9fc8694c78ae4881a2c578d1dd7284a93228fbb630131b31f331c1fd100150b7ec851ebc67b093cbee18a15ed751b170

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F15.exe

Filesize
1.9MB

MD5
9fed2b1056b26fe6a1c77fc5a6c0e91e

SHA1
202dae4de54d29840a0aa5a4b08baff652e0acb5

SHA256
a456dceb27961e0766a36b377590d2fc5c9a0e69d3661ef53af40054db7406f5

SHA512
6b9e200ea3d7ff9bb65eef50cd8513ba9fc8694c78ae4881a2c578d1dd7284a93228fbb630131b31f331c1fd100150b7ec851ebc67b093cbee18a15ed751b170

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F15.exe

Filesize
1.9MB

MD5
9fed2b1056b26fe6a1c77fc5a6c0e91e

SHA1
202dae4de54d29840a0aa5a4b08baff652e0acb5

SHA256
a456dceb27961e0766a36b377590d2fc5c9a0e69d3661ef53af40054db7406f5

SHA512
6b9e200ea3d7ff9bb65eef50cd8513ba9fc8694c78ae4881a2c578d1dd7284a93228fbb630131b31f331c1fd100150b7ec851ebc67b093cbee18a15ed751b170

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
223KB

MD5
205e4dc6801006593204642053637f5e

SHA1
95714526047712d63eedc96c37b2fee33a064bbd

SHA256
c838605179fcc5195342fb2a4b69f0b4fb9ca6655c83b995d4e59bcbf9035565

SHA512
84a7a4c99295a332115520d2f140832747bbf1a4d98f72a96bca22d147e9cb401ff40072ef9fcb783b4d58547712fd54411d2ef7e7d5ef8ca3576ea0c5a7de87

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
223KB

MD5
205e4dc6801006593204642053637f5e

SHA1
95714526047712d63eedc96c37b2fee33a064bbd

SHA256
c838605179fcc5195342fb2a4b69f0b4fb9ca6655c83b995d4e59bcbf9035565

SHA512
84a7a4c99295a332115520d2f140832747bbf1a4d98f72a96bca22d147e9cb401ff40072ef9fcb783b4d58547712fd54411d2ef7e7d5ef8ca3576ea0c5a7de87

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
223KB

MD5
205e4dc6801006593204642053637f5e

SHA1
95714526047712d63eedc96c37b2fee33a064bbd

SHA256
c838605179fcc5195342fb2a4b69f0b4fb9ca6655c83b995d4e59bcbf9035565

SHA512
84a7a4c99295a332115520d2f140832747bbf1a4d98f72a96bca22d147e9cb401ff40072ef9fcb783b4d58547712fd54411d2ef7e7d5ef8ca3576ea0c5a7de87

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
223KB

MD5
205e4dc6801006593204642053637f5e

SHA1
95714526047712d63eedc96c37b2fee33a064bbd

SHA256
c838605179fcc5195342fb2a4b69f0b4fb9ca6655c83b995d4e59bcbf9035565

SHA512
84a7a4c99295a332115520d2f140832747bbf1a4d98f72a96bca22d147e9cb401ff40072ef9fcb783b4d58547712fd54411d2ef7e7d5ef8ca3576ea0c5a7de87

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
223KB

MD5
205e4dc6801006593204642053637f5e

SHA1
95714526047712d63eedc96c37b2fee33a064bbd

SHA256
c838605179fcc5195342fb2a4b69f0b4fb9ca6655c83b995d4e59bcbf9035565

SHA512
84a7a4c99295a332115520d2f140832747bbf1a4d98f72a96bca22d147e9cb401ff40072ef9fcb783b4d58547712fd54411d2ef7e7d5ef8ca3576ea0c5a7de87

Download Submit
C:\Users\Admin\AppData\Local\Temp\H1TF.Cpl

Filesize
1.4MB

MD5
a18e89e4448a03f1ed59f3e717c01cb0

SHA1
8f8bd6396e1b543ee8a0dc0ebea195a63ec21521

SHA256
8c18211d65ca238a1b699174c27efb5b6761d8cd469f3831b01e218122e42740

SHA512
38efd78de679b0a98230c19a863f692143339aa062fe40e6ba828a96bccda5321efaf63add3067f070f1929d51a868967be778d5cc623c1f0a03f849734268fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8061580.exe

Filesize
175KB

MD5
421c67873f0872de9f052de9f6cb55b6

SHA1
6411e8bb02b1fbeb3ca256f9096cc507376783c6

SHA256
b7a7aa78c4698c68730e3e316693c634e0df39e6349d79031585115fb26145bf

SHA512
35a2e3d6e6dab8771b4f33dd6ba09a58a8c7442e9384fcfd2ebc981bdfce5f7a039e59adcc78e4d6baf4a007f1c65839cc43edc522de6f08fc41222771beb55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8061580.exe

Filesize
175KB

MD5
421c67873f0872de9f052de9f6cb55b6

SHA1
6411e8bb02b1fbeb3ca256f9096cc507376783c6

SHA256
b7a7aa78c4698c68730e3e316693c634e0df39e6349d79031585115fb26145bf

SHA512
35a2e3d6e6dab8771b4f33dd6ba09a58a8c7442e9384fcfd2ebc981bdfce5f7a039e59adcc78e4d6baf4a007f1c65839cc43edc522de6f08fc41222771beb55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0354338.exe

Filesize
358KB

MD5
71784a2cfae7cff61de9f9cc9d7fa5da

SHA1
4123b19be12144cc61c648043e028aeaf75b51df

SHA256
4549a6e34bf0fdd82a2e6bdc1e72ead76eb55625f4d5410117e56d17c46f58b8

SHA512
5597d64b37719e23ff38511c64346af9e99a603d69b5fcae39fd143baf6ff64cc5680b843b0376e61fdcdcd369d7d8b8f11f01ee842b45cea839a62911a28598

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0354338.exe

Filesize
358KB

MD5
71784a2cfae7cff61de9f9cc9d7fa5da

SHA1
4123b19be12144cc61c648043e028aeaf75b51df

SHA256
4549a6e34bf0fdd82a2e6bdc1e72ead76eb55625f4d5410117e56d17c46f58b8

SHA512
5597d64b37719e23ff38511c64346af9e99a603d69b5fcae39fd143baf6ff64cc5680b843b0376e61fdcdcd369d7d8b8f11f01ee842b45cea839a62911a28598

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6862886.exe

Filesize
35KB

MD5
2ccbd5b9691c5703c43c6f9c4e425e35

SHA1
b8e78c3e92d00faaa692eed58bdff6e0dfdf0597

SHA256
08f9e2c7deabbb9ba3ef979fa0ba4cb2baa25b9c9568b982fa9789d251e2a854

SHA512
fbf2e577df9e9e65f55df0f2044a2f38638f98b87c948bd6f56614348802888fbe3cb21000a21e7f8386aa4d409fdf4291e89a2fef641a55ef274caff7586a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6862886.exe

Filesize
35KB

MD5
2ccbd5b9691c5703c43c6f9c4e425e35

SHA1
b8e78c3e92d00faaa692eed58bdff6e0dfdf0597

SHA256
08f9e2c7deabbb9ba3ef979fa0ba4cb2baa25b9c9568b982fa9789d251e2a854

SHA512
fbf2e577df9e9e65f55df0f2044a2f38638f98b87c948bd6f56614348802888fbe3cb21000a21e7f8386aa4d409fdf4291e89a2fef641a55ef274caff7586a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5194864.exe

Filesize
234KB

MD5
03685d7a28d6a020ddf4437bf131d71d

SHA1
4cbc18d4b5ac6c9a92e28b03b2ace21daf7e45cb

SHA256
bb40f60088cacc26ee08aacfbe40c61e60601760dca177464ee457e4902818b0

SHA512
554572903b758a343b5df5e6918f978650b7c8966d43a07ce9a6d517226ca450f3a2dcd03b5a7380221840761244eba1e6edae12c2d1d59499dc20b736907d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5194864.exe

Filesize
234KB

MD5
03685d7a28d6a020ddf4437bf131d71d

SHA1
4cbc18d4b5ac6c9a92e28b03b2ace21daf7e45cb

SHA256
bb40f60088cacc26ee08aacfbe40c61e60601760dca177464ee457e4902818b0

SHA512
554572903b758a343b5df5e6918f978650b7c8966d43a07ce9a6d517226ca450f3a2dcd03b5a7380221840761244eba1e6edae12c2d1d59499dc20b736907d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6149710.exe

Filesize
13KB

MD5
c89c6346f90d9becb5599caad86d9af5

SHA1
bcb98380595d3601143df94a1241cde7993bc415

SHA256
009e0d6ab798660addcf81271f0949ccb5d1aa66e1702a646c189d635544e31f

SHA512
d0919c6d1d075ec34b0311e3b50808bc4f1cf1e2a6c6c7e50d92e00846e301d60c35ebebe17d5c022bce87b705da193dab4d395a599c36ab52c1ca8336c1e67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6149710.exe

Filesize
13KB

MD5
c89c6346f90d9becb5599caad86d9af5

SHA1
bcb98380595d3601143df94a1241cde7993bc415

SHA256
009e0d6ab798660addcf81271f0949ccb5d1aa66e1702a646c189d635544e31f

SHA512
d0919c6d1d075ec34b0311e3b50808bc4f1cf1e2a6c6c7e50d92e00846e301d60c35ebebe17d5c022bce87b705da193dab4d395a599c36ab52c1ca8336c1e67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2670361.exe

Filesize
223KB

MD5
205e4dc6801006593204642053637f5e

SHA1
95714526047712d63eedc96c37b2fee33a064bbd

SHA256
c838605179fcc5195342fb2a4b69f0b4fb9ca6655c83b995d4e59bcbf9035565

SHA512
84a7a4c99295a332115520d2f140832747bbf1a4d98f72a96bca22d147e9cb401ff40072ef9fcb783b4d58547712fd54411d2ef7e7d5ef8ca3576ea0c5a7de87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2670361.exe

Filesize
223KB

MD5
205e4dc6801006593204642053637f5e

SHA1
95714526047712d63eedc96c37b2fee33a064bbd

SHA256
c838605179fcc5195342fb2a4b69f0b4fb9ca6655c83b995d4e59bcbf9035565

SHA512
84a7a4c99295a332115520d2f140832747bbf1a4d98f72a96bca22d147e9cb401ff40072ef9fcb783b4d58547712fd54411d2ef7e7d5ef8ca3576ea0c5a7de87

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
9851b884bf4aadfade57d911a3f03332

SHA1
aaadd1c1856c22844bb9fbb030cf4f586ed8866a

SHA256
03afb988f3eec62c2da682af371625adcac5a0e69615298f83d99365ab07ac0f

SHA512
a7de560f51bacd381d3e741f887c3c40ece88521ee93a22a4f7448297e8bda2131be866d9ae6438c528d9f40a277c18bae517deec16b6b723f67d4c308031327

Download Submit
\Users\Admin\AppData\Local\Temp\h1TF.cpl

Filesize
1.4MB

MD5
a18e89e4448a03f1ed59f3e717c01cb0

SHA1
8f8bd6396e1b543ee8a0dc0ebea195a63ec21521

SHA256
8c18211d65ca238a1b699174c27efb5b6761d8cd469f3831b01e218122e42740

SHA512
38efd78de679b0a98230c19a863f692143339aa062fe40e6ba828a96bccda5321efaf63add3067f070f1929d51a868967be778d5cc623c1f0a03f849734268fd

Download Submit
\Users\Admin\AppData\Local\Temp\h1TF.cpl

Filesize
1.4MB

MD5
a18e89e4448a03f1ed59f3e717c01cb0

SHA1
8f8bd6396e1b543ee8a0dc0ebea195a63ec21521

SHA256
8c18211d65ca238a1b699174c27efb5b6761d8cd469f3831b01e218122e42740

SHA512
38efd78de679b0a98230c19a863f692143339aa062fe40e6ba828a96bccda5321efaf63add3067f070f1929d51a868967be778d5cc623c1f0a03f849734268fd

Download Submit
\Users\Admin\AppData\Local\Temp\h1TF.cpl

Filesize
1.4MB

MD5
a18e89e4448a03f1ed59f3e717c01cb0

SHA1
8f8bd6396e1b543ee8a0dc0ebea195a63ec21521

SHA256
8c18211d65ca238a1b699174c27efb5b6761d8cd469f3831b01e218122e42740

SHA512
38efd78de679b0a98230c19a863f692143339aa062fe40e6ba828a96bccda5321efaf63add3067f070f1929d51a868967be778d5cc623c1f0a03f849734268fd

Download Submit
\Users\Admin\AppData\Local\Temp\h1TF.cpl

Filesize
1.4MB

MD5
a18e89e4448a03f1ed59f3e717c01cb0

SHA1
8f8bd6396e1b543ee8a0dc0ebea195a63ec21521

SHA256
8c18211d65ca238a1b699174c27efb5b6761d8cd469f3831b01e218122e42740

SHA512
38efd78de679b0a98230c19a863f692143339aa062fe40e6ba828a96bccda5321efaf63add3067f070f1929d51a868967be778d5cc623c1f0a03f849734268fd

Download Submit
\Users\Admin\AppData\Local\Temp\h1TF.cpl

Filesize
1.4MB

MD5
a18e89e4448a03f1ed59f3e717c01cb0

SHA1
8f8bd6396e1b543ee8a0dc0ebea195a63ec21521

SHA256
8c18211d65ca238a1b699174c27efb5b6761d8cd469f3831b01e218122e42740

SHA512
38efd78de679b0a98230c19a863f692143339aa062fe40e6ba828a96bccda5321efaf63add3067f070f1929d51a868967be778d5cc623c1f0a03f849734268fd

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
memory/548-174-0x000000000AEB0000-0x000000000AEFB000-memory.dmp

Filesize
300KB

Download
memory/548-168-0x0000000071CA0000-0x000000007238E000-memory.dmp

Filesize
6.9MB

Download
memory/548-169-0x0000000003100000-0x0000000003106000-memory.dmp

Filesize
24KB

Download
memory/548-167-0x0000000000F80000-0x0000000000FB0000-memory.dmp

Filesize
192KB

Download
memory/548-170-0x000000000B400000-0x000000000BA06000-memory.dmp

Filesize
6.0MB

Download
memory/548-175-0x0000000071CA0000-0x000000007238E000-memory.dmp

Filesize
6.9MB

Download
memory/548-173-0x000000000AE70000-0x000000000AEAE000-memory.dmp

Filesize
248KB

Download
memory/548-172-0x000000000AE10000-0x000000000AE22000-memory.dmp

Filesize
72KB

Download
memory/548-171-0x000000000AF00000-0x000000000B00A000-memory.dmp

Filesize
1.0MB

Download
memory/2076-248-0x0000000004980000-0x0000000004A81000-memory.dmp

Filesize
1.0MB

Download
memory/2076-250-0x0000000004A90000-0x0000000004B77000-memory.dmp

Filesize
924KB

Download
memory/2076-252-0x0000000004A90000-0x0000000004B77000-memory.dmp

Filesize
924KB

Download
memory/2076-246-0x0000000002960000-0x0000000002ABE000-memory.dmp

Filesize
1.4MB

Download
memory/2076-245-0x0000000000880000-0x0000000000886000-memory.dmp

Filesize
24KB

Download
memory/2076-253-0x0000000004A90000-0x0000000004B77000-memory.dmp

Filesize
924KB

Download
memory/2076-244-0x0000000002960000-0x0000000002ABE000-memory.dmp

Filesize
1.4MB

Download
memory/2364-157-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2364-161-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3276-160-0x0000000001230000-0x0000000001246000-memory.dmp

Filesize
88KB

Download
memory/3392-236-0x0000000004BD0000-0x0000000004CD1000-memory.dmp

Filesize
1.0MB

Download
memory/3392-238-0x0000000004CE0000-0x0000000004DC7000-memory.dmp

Filesize
924KB

Download
memory/3392-241-0x0000000004CE0000-0x0000000004DC7000-memory.dmp

Filesize
924KB

Download
memory/3392-233-0x00000000029C0000-0x00000000029C6000-memory.dmp

Filesize
24KB

Download
memory/3392-240-0x0000000004CE0000-0x0000000004DC7000-memory.dmp

Filesize
924KB

Download
memory/4068-144-0x00007FFCDFB90000-0x00007FFCE057C000-memory.dmp

Filesize
9.9MB

Download
memory/4068-142-0x00007FFCDFB90000-0x00007FFCE057C000-memory.dmp

Filesize
9.9MB

Download
memory/4068-141-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/4752-222-0x0000000005430000-0x0000000005517000-memory.dmp

Filesize
924KB

Download
memory/4752-220-0x0000000005320000-0x0000000005421000-memory.dmp

Filesize
1.0MB

Download
memory/4752-224-0x0000000005430000-0x0000000005517000-memory.dmp

Filesize
924KB

Download
memory/4752-217-0x0000000002FF0000-0x0000000002FF6000-memory.dmp

Filesize
24KB

Download
memory/4752-225-0x0000000005430000-0x0000000005517000-memory.dmp

Filesize
924KB

Download
memory/4932-215-0x0000000004FC0000-0x00000000050A7000-memory.dmp

Filesize
924KB

Download
memory/4932-214-0x0000000004FC0000-0x00000000050A7000-memory.dmp

Filesize
924KB

Download
memory/4932-211-0x0000000004FC0000-0x00000000050A7000-memory.dmp

Filesize
924KB

Download
memory/4932-212-0x0000000004FC0000-0x00000000050A7000-memory.dmp

Filesize
924KB

Download
memory/4932-210-0x0000000004EB0000-0x0000000004FB1000-memory.dmp

Filesize
1.0MB

Download
memory/4932-208-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4932-207-0x0000000002FD0000-0x0000000002FD6000-memory.dmp

Filesize
24KB

Download