amadey | fd27d374908a566548782e2bce950d7ec054ce1f41829d258123e1f21f07ef58

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c4af16b40906032b21c7c3bfc454c2f013745dabe7486d44430552362c5cc10.exe
Size

1.0MB
MD5

86ff061d2e1ce59189f88dda7f3df037
SHA1

0bb2028c3a7d6cae301969a7a7736c3b60d4b077
SHA256

0c4af16b40906032b21c7c3bfc454c2f013745dabe7486d44430552362c5cc10
SHA512

15c1837d8604aa76ad9e570c640239c34d7299ed2a695bae2407e3d5cae60cdc685b82cab64dc5aafbfa66f113365da8d9c7e17b7a29a25d0141a8326feda14c
SSDEEP

24576:+y7axvg1sK6gj31wk49I9RiyLgBLCWuyJfn:N7ax4+ngjl9LLc

Score

10^/10

amadey healer mystic redline gruha dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/388-40-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/388-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/388-42-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/388-44-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3664-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explonde.exeu7959879.exelegota.exet6915498.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	explonde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	u7959879.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	legota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	t6915498.exe

Executes dropped EXE 14 IoCs

Processes:

z1871050.exez7038107.exez4140912.exez0098865.exeq9728319.exer4137085.exes7854910.exet6915498.exeexplonde.exeu7959879.exelegota.exew7945920.exelegota.exeexplonde.exe

pid	process
4040	z1871050.exe
4828	z7038107.exe
4220	z4140912.exe
4508	z0098865.exe
4296	q9728319.exe
4672	r4137085.exe
4276	s7854910.exe
4232	t6915498.exe
3356	explonde.exe
2140	u7959879.exe
2852	legota.exe
2788	w7945920.exe
3092	legota.exe
2832	explonde.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2556 rundll32.exe
4676 rundll32.exe

pid	process
2556	rundll32.exe
4676	rundll32.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0c4af16b40906032b21c7c3bfc454c2f013745dabe7486d44430552362c5cc10.exez1871050.exez7038107.exez4140912.exez0098865.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0c4af16b40906032b21c7c3bfc454c2f013745dabe7486d44430552362c5cc10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1871050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7038107.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z4140912.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z0098865.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

q9728319.exer4137085.exes7854910.exe

description	pid	process	target process
PID 4296 set thread context of 3664	4296	q9728319.exe	AppLaunch.exe
PID 4672 set thread context of 388	4672	r4137085.exe	AppLaunch.exe
PID 4276 set thread context of 4840	4276	s7854910.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2776	4296	WerFault.exe	q9728319.exe
3276	4672	WerFault.exe	r4137085.exe
2792	388	WerFault.exe	AppLaunch.exe
4620	4276	WerFault.exe	s7854910.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4044 schtasks.exe
2104 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

3664 AppLaunch.exe
3664 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 3664 AppLaunch.exe

pid	process
4044	schtasks.exe
2104	schtasks.exe

pid	process
3664	AppLaunch.exe
3664	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	3664	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0c4af16b40906032b21c7c3bfc454c2f013745dabe7486d44430552362c5cc10.exez1871050.exez7038107.exez4140912.exez0098865.exeq9728319.exer4137085.exes7854910.exet6915498.exeexplonde.execmd.exe

description	pid	process	target process
PID 2060 wrote to memory of 4040	2060	0c4af16b40906032b21c7c3bfc454c2f013745dabe7486d44430552362c5cc10.exe	z1871050.exe
PID 2060 wrote to memory of 4040	2060	0c4af16b40906032b21c7c3bfc454c2f013745dabe7486d44430552362c5cc10.exe	z1871050.exe
PID 2060 wrote to memory of 4040	2060	0c4af16b40906032b21c7c3bfc454c2f013745dabe7486d44430552362c5cc10.exe	z1871050.exe
PID 4040 wrote to memory of 4828	4040	z1871050.exe	z7038107.exe
PID 4040 wrote to memory of 4828	4040	z1871050.exe	z7038107.exe
PID 4040 wrote to memory of 4828	4040	z1871050.exe	z7038107.exe
PID 4828 wrote to memory of 4220	4828	z7038107.exe	z4140912.exe
PID 4828 wrote to memory of 4220	4828	z7038107.exe	z4140912.exe
PID 4828 wrote to memory of 4220	4828	z7038107.exe	z4140912.exe
PID 4220 wrote to memory of 4508	4220	z4140912.exe	z0098865.exe
PID 4220 wrote to memory of 4508	4220	z4140912.exe	z0098865.exe
PID 4220 wrote to memory of 4508	4220	z4140912.exe	z0098865.exe
PID 4508 wrote to memory of 4296	4508	z0098865.exe	q9728319.exe
PID 4508 wrote to memory of 4296	4508	z0098865.exe	q9728319.exe
PID 4508 wrote to memory of 4296	4508	z0098865.exe	q9728319.exe
PID 4296 wrote to memory of 3664	4296	q9728319.exe	AppLaunch.exe
PID 4296 wrote to memory of 3664	4296	q9728319.exe	AppLaunch.exe
PID 4296 wrote to memory of 3664	4296	q9728319.exe	AppLaunch.exe
PID 4296 wrote to memory of 3664	4296	q9728319.exe	AppLaunch.exe
PID 4296 wrote to memory of 3664	4296	q9728319.exe	AppLaunch.exe
PID 4296 wrote to memory of 3664	4296	q9728319.exe	AppLaunch.exe
PID 4296 wrote to memory of 3664	4296	q9728319.exe	AppLaunch.exe
PID 4296 wrote to memory of 3664	4296	q9728319.exe	AppLaunch.exe
PID 4508 wrote to memory of 4672	4508	z0098865.exe	r4137085.exe
PID 4508 wrote to memory of 4672	4508	z0098865.exe	r4137085.exe
PID 4508 wrote to memory of 4672	4508	z0098865.exe	r4137085.exe
PID 4672 wrote to memory of 388	4672	r4137085.exe	AppLaunch.exe
PID 4672 wrote to memory of 388	4672	r4137085.exe	AppLaunch.exe
PID 4672 wrote to memory of 388	4672	r4137085.exe	AppLaunch.exe
PID 4672 wrote to memory of 388	4672	r4137085.exe	AppLaunch.exe
PID 4672 wrote to memory of 388	4672	r4137085.exe	AppLaunch.exe
PID 4672 wrote to memory of 388	4672	r4137085.exe	AppLaunch.exe
PID 4672 wrote to memory of 388	4672	r4137085.exe	AppLaunch.exe
PID 4672 wrote to memory of 388	4672	r4137085.exe	AppLaunch.exe
PID 4672 wrote to memory of 388	4672	r4137085.exe	AppLaunch.exe
PID 4672 wrote to memory of 388	4672	r4137085.exe	AppLaunch.exe
PID 4220 wrote to memory of 4276	4220	z4140912.exe	s7854910.exe
PID 4220 wrote to memory of 4276	4220	z4140912.exe	s7854910.exe
PID 4220 wrote to memory of 4276	4220	z4140912.exe	s7854910.exe
PID 4276 wrote to memory of 4840	4276	s7854910.exe	AppLaunch.exe
PID 4276 wrote to memory of 4840	4276	s7854910.exe	AppLaunch.exe
PID 4276 wrote to memory of 4840	4276	s7854910.exe	AppLaunch.exe
PID 4276 wrote to memory of 4840	4276	s7854910.exe	AppLaunch.exe
PID 4276 wrote to memory of 4840	4276	s7854910.exe	AppLaunch.exe
PID 4276 wrote to memory of 4840	4276	s7854910.exe	AppLaunch.exe
PID 4276 wrote to memory of 4840	4276	s7854910.exe	AppLaunch.exe
PID 4276 wrote to memory of 4840	4276	s7854910.exe	AppLaunch.exe
PID 4828 wrote to memory of 4232	4828	z7038107.exe	t6915498.exe
PID 4828 wrote to memory of 4232	4828	z7038107.exe	t6915498.exe
PID 4828 wrote to memory of 4232	4828	z7038107.exe	t6915498.exe
PID 4232 wrote to memory of 3356	4232	t6915498.exe	explonde.exe
PID 4232 wrote to memory of 3356	4232	t6915498.exe	explonde.exe
PID 4232 wrote to memory of 3356	4232	t6915498.exe	explonde.exe
PID 4040 wrote to memory of 2140	4040	z1871050.exe	u7959879.exe
PID 4040 wrote to memory of 2140	4040	z1871050.exe	u7959879.exe
PID 4040 wrote to memory of 2140	4040	z1871050.exe	u7959879.exe
PID 3356 wrote to memory of 4044	3356	explonde.exe	schtasks.exe
PID 3356 wrote to memory of 4044	3356	explonde.exe	schtasks.exe
PID 3356 wrote to memory of 4044	3356	explonde.exe	schtasks.exe
PID 3356 wrote to memory of 4756	3356	explonde.exe	cmd.exe
PID 3356 wrote to memory of 4756	3356	explonde.exe	cmd.exe
PID 3356 wrote to memory of 4756	3356	explonde.exe	cmd.exe
PID 4756 wrote to memory of 4696	4756	cmd.exe	cmd.exe
PID 4756 wrote to memory of 4696	4756	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0c4af16b40906032b21c7c3bfc454c2f013745dabe7486d44430552362c5cc10.exe
"C:\Users\Admin\AppData\Local\Temp\0c4af16b40906032b21c7c3bfc454c2f013745dabe7486d44430552362c5cc10.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2060

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1871050.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1871050.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4040

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7038107.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7038107.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4140912.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4140912.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4220

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0098865.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0098865.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4508

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9728319.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9728319.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 604
7⤵
- Program crash
PID:2776

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4137085.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4137085.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 556
8⤵
- Program crash
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 156
7⤵
- Program crash
PID:3276

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7854910.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7854910.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 152
6⤵
- Program crash
PID:4620

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6915498.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6915498.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
6⤵
- Creates scheduled task(s)
PID:4044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4696

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:N"
7⤵
PID:4508

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:R" /E
7⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:2448

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
7⤵
PID:4132

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
7⤵
PID:2400

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:2556

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7959879.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7959879.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:2140

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:2852

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
5⤵
- Creates scheduled task(s)
PID:2104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
5⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2632

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
6⤵
PID:4960

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
6⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:208

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
6⤵
PID:2264

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
6⤵
PID:2460

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:4676

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7945920.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7945920.exe
2⤵
- Executes dropped EXE
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4296 -ip 4296
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4672 -ip 4672
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 388 -ip 388
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4276 -ip 4276
1⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:3092

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:2832

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7945920.exe
Filesize
22KB

MD5
692bd9a089e696acf3f949d1f7877dc5

SHA1
0371579475f6c46ce38be5880791ea30bee396c0

SHA256
3c8a11b1749adc5191d618ddcf9edd2e7a0c57997b22dd1645bf2370ec395f8e

SHA512
99c320aeb0c7afe8e23d37cebaeffeb7f4057a11fc941543541749990cadb3b46e656c49d1939250527a8b8c57d3bf194cea5752d1ff7dda51bdd882227dbf6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7945920.exe
Filesize
22KB

MD5
692bd9a089e696acf3f949d1f7877dc5

SHA1
0371579475f6c46ce38be5880791ea30bee396c0

SHA256
3c8a11b1749adc5191d618ddcf9edd2e7a0c57997b22dd1645bf2370ec395f8e

SHA512
99c320aeb0c7afe8e23d37cebaeffeb7f4057a11fc941543541749990cadb3b46e656c49d1939250527a8b8c57d3bf194cea5752d1ff7dda51bdd882227dbf6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1871050.exe
Filesize
963KB

MD5
b1d86ce7b4c53fa98c648cf0cab51789

SHA1
5f64b9c3a65b8d95412d11a1b193f817ffd2d45a

SHA256
0b571d5cc438659be9bd08173a3b1e15bd9e42cc0886e8679003a7a199a94299

SHA512
5475e7e611e63925e2149d7be0cf4e18e2ba5f525b7a9834f26cc3108eb5fe3ec71411bfb968c8550bd2ffe876836cd1abda95b18635f841470531a705881b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1871050.exe
Filesize
963KB

MD5
b1d86ce7b4c53fa98c648cf0cab51789

SHA1
5f64b9c3a65b8d95412d11a1b193f817ffd2d45a

SHA256
0b571d5cc438659be9bd08173a3b1e15bd9e42cc0886e8679003a7a199a94299

SHA512
5475e7e611e63925e2149d7be0cf4e18e2ba5f525b7a9834f26cc3108eb5fe3ec71411bfb968c8550bd2ffe876836cd1abda95b18635f841470531a705881b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7959879.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7959879.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7038107.exe
Filesize
781KB

MD5
0c5c04ded200194e8c1c91528bd9a932

SHA1
e9feffd99d1030eaad9876c89fbc326b7a9b2069

SHA256
95c364d8f1cb3231b1e617f633d6e4b176353db37369f2772db9465f5dcfa227

SHA512
02b71a93e37526e10543a41c6febf21450d330bdebfc98486a6c32e1f0fb6cb3824c561976b2bad6a40ca4f2886aedc5663b8db14ce19f2f378b7aac3b64e656

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7038107.exe
Filesize
781KB

MD5
0c5c04ded200194e8c1c91528bd9a932

SHA1
e9feffd99d1030eaad9876c89fbc326b7a9b2069

SHA256
95c364d8f1cb3231b1e617f633d6e4b176353db37369f2772db9465f5dcfa227

SHA512
02b71a93e37526e10543a41c6febf21450d330bdebfc98486a6c32e1f0fb6cb3824c561976b2bad6a40ca4f2886aedc5663b8db14ce19f2f378b7aac3b64e656

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6915498.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6915498.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4140912.exe
Filesize
599KB

MD5
5513fcdd0300493b2155151b61168c6f

SHA1
507c74d587df1495d87c352d7877f91b38f6eacb

SHA256
dfd2776842e0edcfbaf13bf3ac21d22bc84604a4600f1cdb1ab0ce7c5b40bcb3

SHA512
f32f60b6d80407db193fcd94b071a17a3c270e635906e2910091d81aac69285cf2a852e2f0fbe9da4d1c87aa6adb3945cc8f02c989383d09ee6463f836c1f37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4140912.exe
Filesize
599KB

MD5
5513fcdd0300493b2155151b61168c6f

SHA1
507c74d587df1495d87c352d7877f91b38f6eacb

SHA256
dfd2776842e0edcfbaf13bf3ac21d22bc84604a4600f1cdb1ab0ce7c5b40bcb3

SHA512
f32f60b6d80407db193fcd94b071a17a3c270e635906e2910091d81aac69285cf2a852e2f0fbe9da4d1c87aa6adb3945cc8f02c989383d09ee6463f836c1f37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7854910.exe
Filesize
380KB

MD5
6022a8828384140e02b46f86bed32c9a

SHA1
fbbc200c6fb693592f3f7d684781075a6f20f422

SHA256
3a260fda00d608f9869bed19f5b8b6f0420618a6c16f9a4633fcdadf3740b819

SHA512
a31f01aa1fd9fa0ccb4039af43353835aa2d9da6802ad907e7464924fab73853030bd9fb346f1cb3fb0993d7a4c7ec61d32049c4f53e52ceb2756e59581901c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7854910.exe
Filesize
380KB

MD5
6022a8828384140e02b46f86bed32c9a

SHA1
fbbc200c6fb693592f3f7d684781075a6f20f422

SHA256
3a260fda00d608f9869bed19f5b8b6f0420618a6c16f9a4633fcdadf3740b819

SHA512
a31f01aa1fd9fa0ccb4039af43353835aa2d9da6802ad907e7464924fab73853030bd9fb346f1cb3fb0993d7a4c7ec61d32049c4f53e52ceb2756e59581901c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0098865.exe
Filesize
336KB

MD5
fcbd0fdf28b8ffa7cffc1e8a67a35f73

SHA1
91409fda3d799e7db85be850853039b2ce43d89b

SHA256
f62c9ea7992104b600459fbaf43b81ad0470d7597ad63ac0732efe2db177eb99

SHA512
30da4efc7b1b23de462e8c686367317449000a3cf8e348c7b0b7b49df24eded23eca6d1e0fe712b8aaa836e67258e403c35ec65a4436d7715b78f6cd7731bde2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0098865.exe
Filesize
336KB

MD5
fcbd0fdf28b8ffa7cffc1e8a67a35f73

SHA1
91409fda3d799e7db85be850853039b2ce43d89b

SHA256
f62c9ea7992104b600459fbaf43b81ad0470d7597ad63ac0732efe2db177eb99

SHA512
30da4efc7b1b23de462e8c686367317449000a3cf8e348c7b0b7b49df24eded23eca6d1e0fe712b8aaa836e67258e403c35ec65a4436d7715b78f6cd7731bde2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9728319.exe
Filesize
217KB

MD5
371c38cce4bb7d3d599b46591d7da321

SHA1
110034ef0f527de48cd450db0cf390f22d94f71c

SHA256
bcb70587245ebd4fe1bbcabf879b63fabecae612705156b1a93cd80c2c522cfb

SHA512
63896f48ae59d7492570f3cddc2bf31fda0fd51f405f1ec31f6e4d636afe9d6080479b2f78535fdd39b104863d883503f0965b35f59d1d0be1098baed50ad286

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9728319.exe
Filesize
217KB

MD5
371c38cce4bb7d3d599b46591d7da321

SHA1
110034ef0f527de48cd450db0cf390f22d94f71c

SHA256
bcb70587245ebd4fe1bbcabf879b63fabecae612705156b1a93cd80c2c522cfb

SHA512
63896f48ae59d7492570f3cddc2bf31fda0fd51f405f1ec31f6e4d636afe9d6080479b2f78535fdd39b104863d883503f0965b35f59d1d0be1098baed50ad286

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4137085.exe
Filesize
346KB

MD5
b4e1b247d9f78b054097521364c7291b

SHA1
4e5a9b7dfe4d0b98cc6993b084bdb315b05d7d61

SHA256
8a23480a169fbeb9026082e23530ac31b31bfdbae242d1da153e4d7dbae4587c

SHA512
c74808ff1165bec1bb2b2d9d48c4d83f2138f152d11fa7e23bd2ac83d59ab92216d19435038f05ada4a5e7a4b26c953f55f7e366df3a341ca43fb6c5a204434e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4137085.exe
Filesize
346KB

MD5
b4e1b247d9f78b054097521364c7291b

SHA1
4e5a9b7dfe4d0b98cc6993b084bdb315b05d7d61

SHA256
8a23480a169fbeb9026082e23530ac31b31bfdbae242d1da153e4d7dbae4587c

SHA512
c74808ff1165bec1bb2b2d9d48c4d83f2138f152d11fa7e23bd2ac83d59ab92216d19435038f05ada4a5e7a4b26c953f55f7e366df3a341ca43fb6c5a204434e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
2ac6d3fcf6913b1a1ac100407e97fccb

SHA1
809f7d4ed348951b79745074487956255d1d0a9a

SHA256
30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe

SHA512
79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
2ac6d3fcf6913b1a1ac100407e97fccb

SHA1
809f7d4ed348951b79745074487956255d1d0a9a

SHA256
30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe

SHA512
79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
2ac6d3fcf6913b1a1ac100407e97fccb

SHA1
809f7d4ed348951b79745074487956255d1d0a9a

SHA256
30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe

SHA512
79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
273B

MD5
0c459e65bcc6d38574f0c0d63a87088a

SHA1
41e53d5f2b3e7ca859b842a1c7b677e0847e6d65

SHA256
871c61d5f7051d6ddcf787e92e92d9c7e36747e64ea17b8cffccac549196abc4

SHA512
be1ca1fa525dfea57bc14ba41d25fb904c8e4c1d5cb4a5981d3173143620fb8e08277c0dfc2287b792e365871cc6805034377060a84cfef81969cd3d3ba8f90d

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
273B

MD5
6d5040418450624fef735b49ec6bffe9

SHA1
5fff6a1a620a5c4522aead8dbd0a5a52570e8773

SHA256
dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3

SHA512
bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

Download Submit
memory/388-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/388-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/388-40-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/388-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3664-54-0x0000000074030000-0x00000000747E0000-memory.dmp

Filesize
7.7MB

Download
memory/3664-51-0x0000000074030000-0x00000000747E0000-memory.dmp

Filesize
7.7MB

Download
memory/3664-36-0x0000000074030000-0x00000000747E0000-memory.dmp

Filesize
7.7MB

Download
memory/3664-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4840-73-0x00000000056D0000-0x000000000570C000-memory.dmp

Filesize
240KB

Download
memory/4840-88-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/4840-79-0x0000000005850000-0x000000000589C000-memory.dmp

Filesize
304KB

Download
memory/4840-48-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4840-66-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/4840-67-0x0000000005670000-0x0000000005682000-memory.dmp

Filesize
72KB

Download
memory/4840-65-0x0000000005740000-0x000000000584A000-memory.dmp

Filesize
1.0MB

Download
memory/4840-61-0x0000000005C20000-0x0000000006238000-memory.dmp

Filesize
6.1MB

Download
memory/4840-52-0x0000000074030000-0x00000000747E0000-memory.dmp

Filesize
7.7MB

Download
memory/4840-50-0x0000000002E90000-0x0000000002E96000-memory.dmp

Filesize
24KB

Download
memory/4840-49-0x0000000074030000-0x00000000747E0000-memory.dmp

Filesize
7.7MB

Download