amadey | 16fe20ecb5af584fe0e4baf89426f308defa670ab6ee03ce841c82b4398eeac2

Analysis

max time kernel
186s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad52ab68dad439860eadbebfbe31a3e9.exe
Size

883KB
MD5

ad52ab68dad439860eadbebfbe31a3e9
SHA1

40980838bc035230299612420432ce4c57a5a4f4
SHA256

16fe20ecb5af584fe0e4baf89426f308defa670ab6ee03ce841c82b4398eeac2
SHA512

f61ba12955b6f3baa51c2c9e5ea1c84c6a9115602d01866ac77702c9edd6607d3a134ff65281a8dad8dce8e5ca0f8565510ed62a8dd9d32d0f68796694b72603
SSDEEP

12288:c+WAoWK3DW9g145x58OpGHmEJ/qdDyyZpxThSGu4ywzXI/9:cK8W9g145x58Ops/yVzSMXw9

Score

10^/10

amadey healer redline smokeloader 6012068394_99 breha kukish backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Extracted

Family

redline

Botnet

6012068394_99

https://pastebin.com/raw/8baCJyMF

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x000b00000002320f-65.dat	healer
behavioral2/files/0x000b00000002320f-66.dat	healer
behavioral2/memory/412-73-0x0000000000AA0000-0x0000000000AAA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	CC14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	CC14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	CC14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	CC14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	CC14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	CC14.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral2/memory/3848-68-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral2/memory/4500-111-0x00000000005D0000-0x000000000062A000-memory.dmp	family_redline
behavioral2/files/0x000a00000002320d-122.dat	family_redline
behavioral2/files/0x000a00000002320d-121.dat	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	8F19.bat
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	CD7D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 16 IoCs

pid	Process
2924	7296.exe
2824	8535.exe
964	Rk9hW0Wo.exe
912	8F19.bat
3744	VL8Tu3Kf.exe
1408	kr1ZS2wr.exe
1928	912D.exe
3500	EA1Oc6nS.exe
412	CC14.exe
4708	1CX55wY7.exe
4888	CD7D.exe
2116	explothe.exe
5064	FCFA.exe
4500	2B8D.exe
4424	6FCB.exe
1108	2QP112px.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	CC14.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	EA1Oc6nS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Rk9hW0Wo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	VL8Tu3Kf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kr1ZS2wr.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3704 set thread context of 4696	3704	ad52ab68dad439860eadbebfbe31a3e9.exe	90
PID 2824 set thread context of 4240	2824	8535.exe	105
PID 1928 set thread context of 3848	1928	912D.exe	114
PID 4708 set thread context of 1316	4708	1CX55wY7.exe	119

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4588	3704	WerFault.exe	85
496	2824	WerFault.exe	99
1052	1928	WerFault.exe	108
5052	4708	WerFault.exe	113
4780	1316	WerFault.exe	119

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4696	AppLaunch.exe
4696	AppLaunch.exe
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found
2160	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2160	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4696	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2160	Process not Found
Token: SeCreatePagefilePrivilege	2160	Process not Found
Token: SeShutdownPrivilege	2160	Process not Found
Token: SeCreatePagefilePrivilege	2160	Process not Found
Token: SeShutdownPrivilege	2160	Process not Found
Token: SeCreatePagefilePrivilege	2160	Process not Found
Token: SeShutdownPrivilege	2160	Process not Found
Token: SeCreatePagefilePrivilege	2160	Process not Found
Token: SeShutdownPrivilege	2160	Process not Found
Token: SeCreatePagefilePrivilege	2160	Process not Found
Token: SeShutdownPrivilege	2160	Process not Found
Token: SeCreatePagefilePrivilege	2160	Process not Found
Token: SeShutdownPrivilege	2160	Process not Found
Token: SeCreatePagefilePrivilege	2160	Process not Found
Token: SeShutdownPrivilege	2160	Process not Found
Token: SeCreatePagefilePrivilege	2160	Process not Found
Token: SeShutdownPrivilege	2160	Process not Found
Token: SeCreatePagefilePrivilege	2160	Process not Found
Token: SeShutdownPrivilege	2160	Process not Found
Token: SeCreatePagefilePrivilege	2160	Process not Found
Token: SeShutdownPrivilege	2160	Process not Found
Token: SeCreatePagefilePrivilege	2160	Process not Found
Token: SeShutdownPrivilege	2160	Process not Found
Token: SeCreatePagefilePrivilege	2160	Process not Found
Token: SeDebugPrivilege	412	CC14.exe
Token: SeShutdownPrivilege	2160	Process not Found
Token: SeCreatePagefilePrivilege	2160	Process not Found
Token: SeShutdownPrivilege	2160	Process not Found
Token: SeCreatePagefilePrivilege	2160	Process not Found
Token: SeShutdownPrivilege	2160	Process not Found
Token: SeCreatePagefilePrivilege	2160	Process not Found
Token: SeShutdownPrivilege	2160	Process not Found
Token: SeCreatePagefilePrivilege	2160	Process not Found
Token: SeShutdownPrivilege	2160	Process not Found
Token: SeCreatePagefilePrivilege	2160	Process not Found
Token: SeShutdownPrivilege	2160	Process not Found
Token: SeCreatePagefilePrivilege	2160	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2160	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 4696	3704	ad52ab68dad439860eadbebfbe31a3e9.exe	90
PID 3704 wrote to memory of 4696	3704	ad52ab68dad439860eadbebfbe31a3e9.exe	90
PID 3704 wrote to memory of 4696	3704	ad52ab68dad439860eadbebfbe31a3e9.exe	90
PID 3704 wrote to memory of 4696	3704	ad52ab68dad439860eadbebfbe31a3e9.exe	90
PID 3704 wrote to memory of 4696	3704	ad52ab68dad439860eadbebfbe31a3e9.exe	90
PID 3704 wrote to memory of 4696	3704	ad52ab68dad439860eadbebfbe31a3e9.exe	90
PID 2160 wrote to memory of 2924	2160	Process not Found	98
PID 2160 wrote to memory of 2924	2160	Process not Found	98
PID 2160 wrote to memory of 2924	2160	Process not Found	98
PID 2160 wrote to memory of 2824	2160	Process not Found	99
PID 2160 wrote to memory of 2824	2160	Process not Found	99
PID 2160 wrote to memory of 2824	2160	Process not Found	99
PID 2924 wrote to memory of 964	2924	7296.exe	101
PID 2924 wrote to memory of 964	2924	7296.exe	101
PID 2924 wrote to memory of 964	2924	7296.exe	101
PID 2160 wrote to memory of 912	2160	Process not Found	103
PID 2160 wrote to memory of 912	2160	Process not Found	103
PID 2160 wrote to memory of 912	2160	Process not Found	103
PID 964 wrote to memory of 3744	964	Rk9hW0Wo.exe	102
PID 964 wrote to memory of 3744	964	Rk9hW0Wo.exe	102
PID 964 wrote to memory of 3744	964	Rk9hW0Wo.exe	102
PID 3744 wrote to memory of 1408	3744	VL8Tu3Kf.exe	104
PID 3744 wrote to memory of 1408	3744	VL8Tu3Kf.exe	104
PID 3744 wrote to memory of 1408	3744	VL8Tu3Kf.exe	104
PID 2824 wrote to memory of 4240	2824	8535.exe	105
PID 2824 wrote to memory of 4240	2824	8535.exe	105
PID 2824 wrote to memory of 4240	2824	8535.exe	105
PID 2824 wrote to memory of 4240	2824	8535.exe	105
PID 2824 wrote to memory of 4240	2824	8535.exe	105
PID 2824 wrote to memory of 4240	2824	8535.exe	105
PID 2824 wrote to memory of 4240	2824	8535.exe	105
PID 2824 wrote to memory of 4240	2824	8535.exe	105
PID 2824 wrote to memory of 4240	2824	8535.exe	105
PID 2824 wrote to memory of 4240	2824	8535.exe	105
PID 2160 wrote to memory of 1928	2160	Process not Found	108
PID 2160 wrote to memory of 1928	2160	Process not Found	108
PID 2160 wrote to memory of 1928	2160	Process not Found	108
PID 1408 wrote to memory of 3500	1408	kr1ZS2wr.exe	107
PID 1408 wrote to memory of 3500	1408	kr1ZS2wr.exe	107
PID 1408 wrote to memory of 3500	1408	kr1ZS2wr.exe	107
PID 1928 wrote to memory of 2344	1928	912D.exe	111
PID 1928 wrote to memory of 2344	1928	912D.exe	111
PID 1928 wrote to memory of 2344	1928	912D.exe	111
PID 1928 wrote to memory of 3848	1928	912D.exe	114
PID 1928 wrote to memory of 3848	1928	912D.exe	114
PID 1928 wrote to memory of 3848	1928	912D.exe	114
PID 2160 wrote to memory of 412	2160	Process not Found	112
PID 2160 wrote to memory of 412	2160	Process not Found	112
PID 3500 wrote to memory of 4708	3500	EA1Oc6nS.exe	113
PID 3500 wrote to memory of 4708	3500	EA1Oc6nS.exe	113
PID 3500 wrote to memory of 4708	3500	EA1Oc6nS.exe	113
PID 1928 wrote to memory of 3848	1928	912D.exe	114
PID 1928 wrote to memory of 3848	1928	912D.exe	114
PID 1928 wrote to memory of 3848	1928	912D.exe	114
PID 1928 wrote to memory of 3848	1928	912D.exe	114
PID 1928 wrote to memory of 3848	1928	912D.exe	114
PID 2160 wrote to memory of 4888	2160	Process not Found	117
PID 2160 wrote to memory of 4888	2160	Process not Found	117
PID 2160 wrote to memory of 4888	2160	Process not Found	117
PID 4708 wrote to memory of 1316	4708	1CX55wY7.exe	119
PID 4708 wrote to memory of 1316	4708	1CX55wY7.exe	119
PID 4708 wrote to memory of 1316	4708	1CX55wY7.exe	119
PID 4708 wrote to memory of 1316	4708	1CX55wY7.exe	119
PID 4708 wrote to memory of 1316	4708	1CX55wY7.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ad52ab68dad439860eadbebfbe31a3e9.exe
"C:\Users\Admin\AppData\Local\Temp\ad52ab68dad439860eadbebfbe31a3e9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 332
  2⤵
  - Program crash
  PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3704 -ip 3704
1⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\7296.exe
C:\Users\Admin\AppData\Local\Temp\7296.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rk9hW0Wo.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rk9hW0Wo.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VL8Tu3Kf.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VL8Tu3Kf.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kr1ZS2wr.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kr1ZS2wr.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EA1Oc6nS.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EA1Oc6nS.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3500
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CX55wY7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CX55wY7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 540
        8⤵
        Program crash
        
        PID:4780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 160
        7⤵
        Program crash
        
        PID:5052
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QP112px.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QP112px.exe
        6⤵
        Executes dropped EXE
        
        PID:1108

C:\Users\Admin\AppData\Local\Temp\8535.exe
C:\Users\Admin\AppData\Local\Temp\8535.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 144
  2⤵
  - Program crash
  PID:496

C:\Users\Admin\AppData\Local\Temp\8F19.bat
"C:\Users\Admin\AppData\Local\Temp\8F19.bat"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:912
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8FE2.tmp\8FE3.tmp\8FE4.bat C:\Users\Admin\AppData\Local\Temp\8F19.bat"
  2⤵
  PID:4856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2824 -ip 2824
1⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\912D.exe
C:\Users\Admin\AppData\Local\Temp\912D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 156
  2⤵
  - Program crash
  PID:1052

C:\Users\Admin\AppData\Local\Temp\CC14.exe
C:\Users\Admin\AppData\Local\Temp\CC14.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1928 -ip 1928
1⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\CD7D.exe
C:\Users\Admin\AppData\Local\Temp\CD7D.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4888
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2116
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
    3⤵
    PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4708 -ip 4708
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1316 -ip 1316
1⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\FCFA.exe
C:\Users\Admin\AppData\Local\Temp\FCFA.exe
1⤵
- Executes dropped EXE
PID:5064

C:\Users\Admin\AppData\Local\Temp\2B8D.exe
C:\Users\Admin\AppData\Local\Temp\2B8D.exe
1⤵
- Executes dropped EXE
PID:4500

C:\Users\Admin\AppData\Local\Temp\6FCB.exe
C:\Users\Admin\AppData\Local\Temp\6FCB.exe
1⤵
- Executes dropped EXE
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2B8D.exe

Filesize
429KB

MD5
21b738f4b6e53e6d210996fa6ba6cc69

SHA1
3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41

SHA256
3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58

SHA512
f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B8D.exe

Filesize
429KB

MD5
21b738f4b6e53e6d210996fa6ba6cc69

SHA1
3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41

SHA256
3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58

SHA512
f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FCB.exe

Filesize
180KB

MD5
109da216e61cf349221bd2455d2170d4

SHA1
ea6983b8581b8bb57e47c8492783256313c19480

SHA256
a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400

SHA512
460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FCB.exe

Filesize
180KB

MD5
109da216e61cf349221bd2455d2170d4

SHA1
ea6983b8581b8bb57e47c8492783256313c19480

SHA256
a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400

SHA512
460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\7296.exe

Filesize
1.2MB

MD5
95e02f955562752fcc4580f10340ec0d

SHA1
9bcecc42307317763d0ac6a12d4bb6268a7805bd

SHA256
3682dd54f3e2f8b8d2ec857563da136eac1a2d49709437dc5004c9e78afe3fa2

SHA512
aa4e7eacfca04a392ee474895b9803763869ddad431381073842a0f634c3e7a1c55c95e757fa7bf360cb46032f39219810cebbd5d66590517bbe08cc976fbc2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7296.exe

Filesize
1.2MB

MD5
95e02f955562752fcc4580f10340ec0d

SHA1
9bcecc42307317763d0ac6a12d4bb6268a7805bd

SHA256
3682dd54f3e2f8b8d2ec857563da136eac1a2d49709437dc5004c9e78afe3fa2

SHA512
aa4e7eacfca04a392ee474895b9803763869ddad431381073842a0f634c3e7a1c55c95e757fa7bf360cb46032f39219810cebbd5d66590517bbe08cc976fbc2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8535.exe

Filesize
407KB

MD5
de9a55f41fb293fbabe3131aa59af656

SHA1
f01b1ea663a60e257d9c9afb153ab3ff7a0d691d

SHA256
fb8a53171cfae7ab478a71a84d0a160b3c5890f3292e7859acef643899e521fb

SHA512
66447b9c6fc8508a1dd65506ddeed9a708f57fd0605f92ea8f22d720ca110c4ebdf6f0441ef456e08ff67964fda008f527316ce3dd576d1eac0927a3b44ec533

Download Submit
C:\Users\Admin\AppData\Local\Temp\8535.exe

Filesize
407KB

MD5
de9a55f41fb293fbabe3131aa59af656

SHA1
f01b1ea663a60e257d9c9afb153ab3ff7a0d691d

SHA256
fb8a53171cfae7ab478a71a84d0a160b3c5890f3292e7859acef643899e521fb

SHA512
66447b9c6fc8508a1dd65506ddeed9a708f57fd0605f92ea8f22d720ca110c4ebdf6f0441ef456e08ff67964fda008f527316ce3dd576d1eac0927a3b44ec533

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F19.bat

Filesize
97KB

MD5
d328e62755fdd373e81dcaa5bd64efe3

SHA1
c355ed31f09561286e5cd8bc08d03bfc11f8b9b1

SHA256
969ebbf2c6a1b33335be87cd87154dfdc997bb1f48611e4451ccd5e15728f464

SHA512
6339195b4de8553819665625c62983686d1ee5308131f1ee97746bb7c7617f74600655463ce74341041c037fc496740e65a2c4e892cfbf60849b691367722a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F19.bat

Filesize
97KB

MD5
d328e62755fdd373e81dcaa5bd64efe3

SHA1
c355ed31f09561286e5cd8bc08d03bfc11f8b9b1

SHA256
969ebbf2c6a1b33335be87cd87154dfdc997bb1f48611e4451ccd5e15728f464

SHA512
6339195b4de8553819665625c62983686d1ee5308131f1ee97746bb7c7617f74600655463ce74341041c037fc496740e65a2c4e892cfbf60849b691367722a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F19.bat

Filesize
97KB

MD5
d328e62755fdd373e81dcaa5bd64efe3

SHA1
c355ed31f09561286e5cd8bc08d03bfc11f8b9b1

SHA256
969ebbf2c6a1b33335be87cd87154dfdc997bb1f48611e4451ccd5e15728f464

SHA512
6339195b4de8553819665625c62983686d1ee5308131f1ee97746bb7c7617f74600655463ce74341041c037fc496740e65a2c4e892cfbf60849b691367722a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8FE2.tmp\8FE3.tmp\8FE4.bat

Filesize
88B

MD5
0ec04fde104330459c151848382806e8

SHA1
3b0b78d467f2db035a03e378f7b3a3823fa3d156

SHA256
1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f

SHA512
8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\912D.exe

Filesize
446KB

MD5
837bc325d77ab39bb82facfa7adfa74a

SHA1
afdb4e3e07f7f1263b08ea28c375b7d046a69426

SHA256
bc63abb527a5886f539af0389ca7b10d65151ea6b3186aa9300d8fb930c8a2fe

SHA512
abf3743bc3faded1dd4f2fd71a3ffa6361e039d256394b2cd918e40fcc7173dae5cbf3d927b2811b99e29d949adc6f3536ff7cc9a7742607a5ef8335d7841490

Download Submit
C:\Users\Admin\AppData\Local\Temp\912D.exe

Filesize
446KB

MD5
837bc325d77ab39bb82facfa7adfa74a

SHA1
afdb4e3e07f7f1263b08ea28c375b7d046a69426

SHA256
bc63abb527a5886f539af0389ca7b10d65151ea6b3186aa9300d8fb930c8a2fe

SHA512
abf3743bc3faded1dd4f2fd71a3ffa6361e039d256394b2cd918e40fcc7173dae5cbf3d927b2811b99e29d949adc6f3536ff7cc9a7742607a5ef8335d7841490

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC14.exe

Filesize
21KB

MD5
57543bf9a439bf01773d3d508a221fda

SHA1
5728a0b9f1856aa5183d15ba00774428be720c35

SHA256
70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

SHA512
28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC14.exe

Filesize
21KB

MD5
57543bf9a439bf01773d3d508a221fda

SHA1
5728a0b9f1856aa5183d15ba00774428be720c35

SHA256
70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

SHA512
28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD7D.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD7D.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCFA.exe

Filesize
15.1MB

MD5
1f353056dfcf60d0c62d87b84f0a5e3f

SHA1
c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0

SHA256
f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e

SHA512
84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCFA.exe

Filesize
15.1MB

MD5
1f353056dfcf60d0c62d87b84f0a5e3f

SHA1
c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0

SHA256
f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e

SHA512
84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rk9hW0Wo.exe

Filesize
1.1MB

MD5
e2615541cd713e06907d1aeac1afef5c

SHA1
889275253695bd77aa1ea3f3bedf738561aa0f56

SHA256
4ba96e3a2e6279569fe01266454889280bafd497ea26d1cb262c1b5a8a6d309c

SHA512
a5dcf862934b07f620c40df86383f4918df6c615278e5dc22c7fcb47eb8cf03fd307fa74625a21493092fd054fc9b3f5afef31243744a6099daf3466cad5692b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rk9hW0Wo.exe

Filesize
1.1MB

MD5
e2615541cd713e06907d1aeac1afef5c

SHA1
889275253695bd77aa1ea3f3bedf738561aa0f56

SHA256
4ba96e3a2e6279569fe01266454889280bafd497ea26d1cb262c1b5a8a6d309c

SHA512
a5dcf862934b07f620c40df86383f4918df6c615278e5dc22c7fcb47eb8cf03fd307fa74625a21493092fd054fc9b3f5afef31243744a6099daf3466cad5692b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VL8Tu3Kf.exe

Filesize
921KB

MD5
2e9ff05d00fb0b433757768da96f7a97

SHA1
df6c719ddae645327e7b9354b36a4d857293b99e

SHA256
9978e9a9dee2e091f02e3400313fd6ca5b89f4e53ef413e5a8b2f109cec3237d

SHA512
be178d3af95119e4106229c87dc404ad3d9fa326d855757a8eae2faafd20f4284015cf7c9d91f770dd85ce0695fd76630ccfd86a924c48acbeb3ab602f0d656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VL8Tu3Kf.exe

Filesize
921KB

MD5
2e9ff05d00fb0b433757768da96f7a97

SHA1
df6c719ddae645327e7b9354b36a4d857293b99e

SHA256
9978e9a9dee2e091f02e3400313fd6ca5b89f4e53ef413e5a8b2f109cec3237d

SHA512
be178d3af95119e4106229c87dc404ad3d9fa326d855757a8eae2faafd20f4284015cf7c9d91f770dd85ce0695fd76630ccfd86a924c48acbeb3ab602f0d656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kr1ZS2wr.exe

Filesize
632KB

MD5
a93aaef734ad2e0c4f37c362bfc4d7a7

SHA1
6faa286081a5ad1cac88c98ebbd4df88fdfafc22

SHA256
f4d0764872c5a1cc7120c389e7846ba3ee283fd9856017fe08992163bc8d1843

SHA512
2d53fffafa1a008523553e57b7842581b4b4041b3227b859b0fcb5b17409dc9ed09cfc1a09be26ce86305677d066f19f203b2636a0d506bf8f45417e4f2ffad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kr1ZS2wr.exe

Filesize
632KB

MD5
a93aaef734ad2e0c4f37c362bfc4d7a7

SHA1
6faa286081a5ad1cac88c98ebbd4df88fdfafc22

SHA256
f4d0764872c5a1cc7120c389e7846ba3ee283fd9856017fe08992163bc8d1843

SHA512
2d53fffafa1a008523553e57b7842581b4b4041b3227b859b0fcb5b17409dc9ed09cfc1a09be26ce86305677d066f19f203b2636a0d506bf8f45417e4f2ffad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EA1Oc6nS.exe

Filesize
436KB

MD5
da60cb3278f1d4bdf07ffe69ff0a7d6b

SHA1
d71ba47e1e8126892fb9a03e652d6690479e9f55

SHA256
f89ddaca84c218fe91096242289bdccc6999475755a4c7315e312545899f8d57

SHA512
34a931c71c3af4698152327ba56c209cf567f48cf3438f3c17baf2171a797a198881e679935891591dda8d1a2cc973ed41d7db24f24ea5784dd70044d724999e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EA1Oc6nS.exe

Filesize
436KB

MD5
da60cb3278f1d4bdf07ffe69ff0a7d6b

SHA1
d71ba47e1e8126892fb9a03e652d6690479e9f55

SHA256
f89ddaca84c218fe91096242289bdccc6999475755a4c7315e312545899f8d57

SHA512
34a931c71c3af4698152327ba56c209cf567f48cf3438f3c17baf2171a797a198881e679935891591dda8d1a2cc973ed41d7db24f24ea5784dd70044d724999e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CX55wY7.exe

Filesize
407KB

MD5
fc5ebf4709553668cd7deb0402f7beba

SHA1
f652b09d44e01c3a4f9b9f1ff703784a526a95b1

SHA256
db48a572d64e3729bf3b0cc54e310c35b070c53e23fcf36038bea8976ae53089

SHA512
844035b71eee9d436e644687927afda099f41360f616b9dd4d2563213df73d4d99e9d59b341289e9fc7aa5b838f038922e402d4e62fb27f1bd5a2bd9988726da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CX55wY7.exe

Filesize
407KB

MD5
fc5ebf4709553668cd7deb0402f7beba

SHA1
f652b09d44e01c3a4f9b9f1ff703784a526a95b1

SHA256
db48a572d64e3729bf3b0cc54e310c35b070c53e23fcf36038bea8976ae53089

SHA512
844035b71eee9d436e644687927afda099f41360f616b9dd4d2563213df73d4d99e9d59b341289e9fc7aa5b838f038922e402d4e62fb27f1bd5a2bd9988726da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QP112px.exe

Filesize
221KB

MD5
d08de733d2dd80f99ae95946c33571df

SHA1
a788b52677a4dba88c1dc08a3258bc12a00aa624

SHA256
d83f27f9e10b548fde08be81a2bf038a53d2f0a6e906aaa41d06ee16c09ca510

SHA512
78f136a3e056f61b79136f4e7827d63cf8d2b8724bd8b1bee236323222e7e39d70fafa8ef30f3e4501ed3157c976419a3b31b732f75a9e26c4f8d95acd770c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QP112px.exe

Filesize
221KB

MD5
d08de733d2dd80f99ae95946c33571df

SHA1
a788b52677a4dba88c1dc08a3258bc12a00aa624

SHA256
d83f27f9e10b548fde08be81a2bf038a53d2f0a6e906aaa41d06ee16c09ca510

SHA512
78f136a3e056f61b79136f4e7827d63cf8d2b8724bd8b1bee236323222e7e39d70fafa8ef30f3e4501ed3157c976419a3b31b732f75a9e26c4f8d95acd770c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
memory/412-73-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download
memory/412-97-0x00007FFDB2D70000-0x00007FFDB3831000-memory.dmp

Filesize
10.8MB

Download
memory/412-83-0x00007FFDB2D70000-0x00007FFDB3831000-memory.dmp

Filesize
10.8MB

Download
memory/1108-124-0x0000000072CE0000-0x0000000073490000-memory.dmp

Filesize
7.7MB

Download
memory/1316-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-2-0x0000000006E00000-0x0000000006E16000-memory.dmp

Filesize
88KB

Download
memory/3848-104-0x0000000072CE0000-0x0000000073490000-memory.dmp

Filesize
7.7MB

Download
memory/3848-85-0x0000000007DA0000-0x0000000008344000-memory.dmp

Filesize
5.6MB

Download
memory/3848-84-0x0000000072CE0000-0x0000000073490000-memory.dmp

Filesize
7.7MB

Download
memory/3848-68-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3848-99-0x0000000007890000-0x0000000007922000-memory.dmp

Filesize
584KB

Download
memory/4240-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-50-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-130-0x0000000072CE0000-0x0000000073490000-memory.dmp

Filesize
7.7MB

Download
memory/4424-125-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4424-126-0x00000000001C0000-0x00000000001DE000-memory.dmp

Filesize
120KB

Download
memory/4500-111-0x00000000005D0000-0x000000000062A000-memory.dmp

Filesize
360KB

Download
memory/4500-112-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4500-116-0x0000000072CE0000-0x0000000073490000-memory.dmp

Filesize
7.7MB

Download
memory/4696-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4696-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4696-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5064-103-0x0000000000090000-0x0000000000FBA000-memory.dmp

Filesize
15.2MB

Download
memory/5064-105-0x0000000072CE0000-0x0000000073490000-memory.dmp

Filesize
7.7MB

Download
memory/5064-102-0x0000000072CE0000-0x0000000073490000-memory.dmp

Filesize
7.7MB

Download