amadey | bd59576a2dcca6799be262fd0d106c1652d17612ed4bdf87fa4dfb220fee7713

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec51637688dc99fbc7c40012b492c7fa177ed266237c2ec0315a84f48c859cd9.exe
Size

1.0MB
MD5

92e5ddafcf57a441b16a6a6b1c678bf0
SHA1

996c996716a0d5a6c3f11ecdb3a691eb9b7e529f
SHA256

ec51637688dc99fbc7c40012b492c7fa177ed266237c2ec0315a84f48c859cd9
SHA512

7592c46d2fb150fd6dd79b858e5be889e0c3847ef4112f5186072d90e1fc3b14b5ca2dc98a8ef02bb2a4a792965091ba6cfae3f8e4860aeb41bbb1205bac97db
SSDEEP

24576:GyGnEg0gVMJWLq5yRYYv4iLIy/fLovwljl:VsM47JlLIy

Score

10^/10

amadey healer mystic redline gruha dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4220-40-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4220-42-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4220-44-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4220-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/2576-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	legota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	t6893901.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	explonde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	u0907548.exe

Executes dropped EXE 16 IoCs

pid	Process
3184	z0651431.exe
1460	z2545763.exe
2608	z8046349.exe
4080	z8475291.exe
5084	q5148578.exe
4216	r4073781.exe
1344	s6646236.exe
3492	t6893901.exe
944	explonde.exe
2160	u0907548.exe
1956	legota.exe
3376	w5808777.exe
3184	explonde.exe
1748	legota.exe
384	explonde.exe
60	legota.exe

Loads dropped DLL 2 IoCs

pid	Process
4880	rundll32.exe
2540	rundll32.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0651431.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z2545763.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z8046349.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z8475291.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ec51637688dc99fbc7c40012b492c7fa177ed266237c2ec0315a84f48c859cd9.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5084 set thread context of 2576	5084	q5148578.exe	89
PID 4216 set thread context of 4220	4216	r4073781.exe	97
PID 1344 set thread context of 2644	1344	s6646236.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3856	5084	WerFault.exe	88
4372	4216	WerFault.exe	93
3996	4220	WerFault.exe	97
2952	1344	WerFault.exe	102

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4728	schtasks.exe
4964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2576	AppLaunch.exe
2576	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 3184	3912	ec51637688dc99fbc7c40012b492c7fa177ed266237c2ec0315a84f48c859cd9.exe	83
PID 3912 wrote to memory of 3184	3912	ec51637688dc99fbc7c40012b492c7fa177ed266237c2ec0315a84f48c859cd9.exe	83
PID 3912 wrote to memory of 3184	3912	ec51637688dc99fbc7c40012b492c7fa177ed266237c2ec0315a84f48c859cd9.exe	83
PID 3184 wrote to memory of 1460	3184	z0651431.exe	84
PID 3184 wrote to memory of 1460	3184	z0651431.exe	84
PID 3184 wrote to memory of 1460	3184	z0651431.exe	84
PID 1460 wrote to memory of 2608	1460	z2545763.exe	85
PID 1460 wrote to memory of 2608	1460	z2545763.exe	85
PID 1460 wrote to memory of 2608	1460	z2545763.exe	85
PID 2608 wrote to memory of 4080	2608	z8046349.exe	87
PID 2608 wrote to memory of 4080	2608	z8046349.exe	87
PID 2608 wrote to memory of 4080	2608	z8046349.exe	87
PID 4080 wrote to memory of 5084	4080	z8475291.exe	88
PID 4080 wrote to memory of 5084	4080	z8475291.exe	88
PID 4080 wrote to memory of 5084	4080	z8475291.exe	88
PID 5084 wrote to memory of 2576	5084	q5148578.exe	89
PID 5084 wrote to memory of 2576	5084	q5148578.exe	89
PID 5084 wrote to memory of 2576	5084	q5148578.exe	89
PID 5084 wrote to memory of 2576	5084	q5148578.exe	89
PID 5084 wrote to memory of 2576	5084	q5148578.exe	89
PID 5084 wrote to memory of 2576	5084	q5148578.exe	89
PID 5084 wrote to memory of 2576	5084	q5148578.exe	89
PID 5084 wrote to memory of 2576	5084	q5148578.exe	89
PID 4080 wrote to memory of 4216	4080	z8475291.exe	93
PID 4080 wrote to memory of 4216	4080	z8475291.exe	93
PID 4080 wrote to memory of 4216	4080	z8475291.exe	93
PID 4216 wrote to memory of 4068	4216	r4073781.exe	94
PID 4216 wrote to memory of 4068	4216	r4073781.exe	94
PID 4216 wrote to memory of 4068	4216	r4073781.exe	94
PID 4216 wrote to memory of 3196	4216	r4073781.exe	95
PID 4216 wrote to memory of 3196	4216	r4073781.exe	95
PID 4216 wrote to memory of 3196	4216	r4073781.exe	95
PID 4216 wrote to memory of 3404	4216	r4073781.exe	96
PID 4216 wrote to memory of 3404	4216	r4073781.exe	96
PID 4216 wrote to memory of 3404	4216	r4073781.exe	96
PID 4216 wrote to memory of 4220	4216	r4073781.exe	97
PID 4216 wrote to memory of 4220	4216	r4073781.exe	97
PID 4216 wrote to memory of 4220	4216	r4073781.exe	97
PID 4216 wrote to memory of 4220	4216	r4073781.exe	97
PID 4216 wrote to memory of 4220	4216	r4073781.exe	97
PID 4216 wrote to memory of 4220	4216	r4073781.exe	97
PID 4216 wrote to memory of 4220	4216	r4073781.exe	97
PID 4216 wrote to memory of 4220	4216	r4073781.exe	97
PID 4216 wrote to memory of 4220	4216	r4073781.exe	97
PID 4216 wrote to memory of 4220	4216	r4073781.exe	97
PID 2608 wrote to memory of 1344	2608	z8046349.exe	102
PID 2608 wrote to memory of 1344	2608	z8046349.exe	102
PID 2608 wrote to memory of 1344	2608	z8046349.exe	102
PID 1344 wrote to memory of 2644	1344	s6646236.exe	103
PID 1344 wrote to memory of 2644	1344	s6646236.exe	103
PID 1344 wrote to memory of 2644	1344	s6646236.exe	103
PID 1344 wrote to memory of 2644	1344	s6646236.exe	103
PID 1344 wrote to memory of 2644	1344	s6646236.exe	103
PID 1344 wrote to memory of 2644	1344	s6646236.exe	103
PID 1344 wrote to memory of 2644	1344	s6646236.exe	103
PID 1344 wrote to memory of 2644	1344	s6646236.exe	103
PID 1460 wrote to memory of 3492	1460	z2545763.exe	106
PID 1460 wrote to memory of 3492	1460	z2545763.exe	106
PID 1460 wrote to memory of 3492	1460	z2545763.exe	106
PID 3492 wrote to memory of 944	3492	t6893901.exe	107
PID 3492 wrote to memory of 944	3492	t6893901.exe	107
PID 3492 wrote to memory of 944	3492	t6893901.exe	107
PID 3184 wrote to memory of 2160	3184	z0651431.exe	108
PID 3184 wrote to memory of 2160	3184	z0651431.exe	108

C:\Users\Admin\AppData\Local\Temp\ec51637688dc99fbc7c40012b492c7fa177ed266237c2ec0315a84f48c859cd9.exe
"C:\Users\Admin\AppData\Local\Temp\ec51637688dc99fbc7c40012b492c7fa177ed266237c2ec0315a84f48c859cd9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0651431.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0651431.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2545763.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2545763.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8046349.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8046349.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8475291.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8475291.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4080
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5148578.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5148578.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 580
        7⤵
        Program crash
        
        PID:3856
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4073781.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4073781.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3196
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 540
        8⤵
        Program crash
        
        PID:3996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 572
        7⤵
        Program crash
        
        PID:4372
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6646236.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6646236.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1344
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2644
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 552
        6⤵
        Program crash
        
        PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6893901.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6893901.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3492
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:944
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:4728
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:N"
        7⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:R" /E
        7⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:4984
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:2540
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0907548.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0907548.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
      "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:1956
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:4964
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:3384
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3964
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:N"
        6⤵
        
        PID:4144
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:R" /E
        6⤵
        
        PID:4748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:1416
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:N"
        6⤵
        
        PID:3652
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:R" /E
        6⤵
        
        PID:1900
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:4880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5808777.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5808777.exe
  2⤵
  - Executes dropped EXE
  PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5084 -ip 5084
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4216 -ip 4216
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4220 -ip 4220
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1344 -ip 1344
1⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:3184

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:384

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5808777.exe

Filesize
22KB

MD5
d5c77f4d65bc8f10d4289e419d55e289

SHA1
847c6e5c3af13403095712f66266717697ed1c5e

SHA256
27e578c3cfae3ac628fff59f75addc303a960a3cba390f1f46e9c98a2fed0807

SHA512
4d5dd9f48f3563c85458796f82185816e390dc9402a071ee56d871d77536bed3beaac30d8bbb5923b32eb528087e6ff7cec58ef023b76810c00e93408e9bc249

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5808777.exe

Filesize
22KB

MD5
d5c77f4d65bc8f10d4289e419d55e289

SHA1
847c6e5c3af13403095712f66266717697ed1c5e

SHA256
27e578c3cfae3ac628fff59f75addc303a960a3cba390f1f46e9c98a2fed0807

SHA512
4d5dd9f48f3563c85458796f82185816e390dc9402a071ee56d871d77536bed3beaac30d8bbb5923b32eb528087e6ff7cec58ef023b76810c00e93408e9bc249

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0651431.exe

Filesize
959KB

MD5
517c21893e15414d63f7e1bea561c15b

SHA1
e76e792200439ad03445c41934b84ef4fbadcca9

SHA256
f81417b90a6c72c7a12aec4fe014e2a3fb6f368eb3913a93e654e67b77eabc6d

SHA512
65aeb4c5768855b7172af00b996b28c05cbe3a5de253f7000482acaa275cad3cf5bfcbd2df812988e57aedb9853d22f21a6b29395b7a197dc08af6e17e51cf4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0651431.exe

Filesize
959KB

MD5
517c21893e15414d63f7e1bea561c15b

SHA1
e76e792200439ad03445c41934b84ef4fbadcca9

SHA256
f81417b90a6c72c7a12aec4fe014e2a3fb6f368eb3913a93e654e67b77eabc6d

SHA512
65aeb4c5768855b7172af00b996b28c05cbe3a5de253f7000482acaa275cad3cf5bfcbd2df812988e57aedb9853d22f21a6b29395b7a197dc08af6e17e51cf4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0907548.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0907548.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2545763.exe

Filesize
777KB

MD5
660f2ca4ae0afb4fb074e4e36cfd50ff

SHA1
2509ffd0db8961aa5a17d4919b39903a7561a5b1

SHA256
de7503747fa4185a25fe1f7798ca1531484ad9ba53777ac2c2f781d53b4cc1b9

SHA512
a37a376f9cc9eb962df1549b3e6fe6538e68b03a6607df34d2b165e305f6788c24f9523d54121eb04c036d6608f55a14007325b94a02b72b4f0bd06ccaead0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2545763.exe

Filesize
777KB

MD5
660f2ca4ae0afb4fb074e4e36cfd50ff

SHA1
2509ffd0db8961aa5a17d4919b39903a7561a5b1

SHA256
de7503747fa4185a25fe1f7798ca1531484ad9ba53777ac2c2f781d53b4cc1b9

SHA512
a37a376f9cc9eb962df1549b3e6fe6538e68b03a6607df34d2b165e305f6788c24f9523d54121eb04c036d6608f55a14007325b94a02b72b4f0bd06ccaead0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6893901.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6893901.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8046349.exe

Filesize
595KB

MD5
17c94c6db2d786c4f4517272a389cfb1

SHA1
5515ede976a07fcfefe2e9eb444bab18082c9cfa

SHA256
4a77f67966c659af7b534111148d46c2ca6ea13b78902de93f6b500142a978c9

SHA512
9c273273725c9155a40ad4154e32f6b5b0737c7cf9aeaacea1382e815314115a4060469cfb273a5b8962d6d66100df1bb276a6b5db2494558df956b4ea46fa13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8046349.exe

Filesize
595KB

MD5
17c94c6db2d786c4f4517272a389cfb1

SHA1
5515ede976a07fcfefe2e9eb444bab18082c9cfa

SHA256
4a77f67966c659af7b534111148d46c2ca6ea13b78902de93f6b500142a978c9

SHA512
9c273273725c9155a40ad4154e32f6b5b0737c7cf9aeaacea1382e815314115a4060469cfb273a5b8962d6d66100df1bb276a6b5db2494558df956b4ea46fa13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6646236.exe

Filesize
384KB

MD5
c83e4730f6b9a758f366109b2c653645

SHA1
3eb0fa4eff2118d3ce1dc67b616b182cef2cae1b

SHA256
fec8ae8a4c79d1064e81d516ed6577cb23090dc76d4fea15638cbba97e5ac903

SHA512
0cf5201a1f90757655abb81e27512552c13c9899af47b84ef7ec20a4acd8bf348070bfb92c3ccdaaab2c8edd8b67caf9dcad3cb0f352895c19e015a72160d1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6646236.exe

Filesize
384KB

MD5
c83e4730f6b9a758f366109b2c653645

SHA1
3eb0fa4eff2118d3ce1dc67b616b182cef2cae1b

SHA256
fec8ae8a4c79d1064e81d516ed6577cb23090dc76d4fea15638cbba97e5ac903

SHA512
0cf5201a1f90757655abb81e27512552c13c9899af47b84ef7ec20a4acd8bf348070bfb92c3ccdaaab2c8edd8b67caf9dcad3cb0f352895c19e015a72160d1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8475291.exe

Filesize
334KB

MD5
52c5054bac6ac62133640adc9ad86d26

SHA1
4e42619b6920125ab5f57a1b2af0913b424383b2

SHA256
2f88117172afa4a8fee183660cabfa4d9dd05c5b39780b81753e81c19c2b67c4

SHA512
25fa2b4925500afe695b98d6a0a8ef250aa283b2d75f50f06b784be385b0d02bb0cb07f6d58838453efcf55c02e55db66791cce3d320937ca709b55168a0308c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8475291.exe

Filesize
334KB

MD5
52c5054bac6ac62133640adc9ad86d26

SHA1
4e42619b6920125ab5f57a1b2af0913b424383b2

SHA256
2f88117172afa4a8fee183660cabfa4d9dd05c5b39780b81753e81c19c2b67c4

SHA512
25fa2b4925500afe695b98d6a0a8ef250aa283b2d75f50f06b784be385b0d02bb0cb07f6d58838453efcf55c02e55db66791cce3d320937ca709b55168a0308c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5148578.exe

Filesize
221KB

MD5
5c5ff45e284ac0819ac844abb26a282c

SHA1
92bdf28bfb609ae237ecc3742348ec43cb60ac3b

SHA256
6a6b1fdcb2c55a389ef4ee717b9570801b887d4ff8bc2ea8198ec4c37df814ad

SHA512
f9035dea0d186db5a96968761ee056b7111fe57e21e5ac66642c8605af85aa62e1006b138e1194a8c07aa871fbdbf964a3e9a85be1a5b8edfa57fa02f63aeb0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5148578.exe

Filesize
221KB

MD5
5c5ff45e284ac0819ac844abb26a282c

SHA1
92bdf28bfb609ae237ecc3742348ec43cb60ac3b

SHA256
6a6b1fdcb2c55a389ef4ee717b9570801b887d4ff8bc2ea8198ec4c37df814ad

SHA512
f9035dea0d186db5a96968761ee056b7111fe57e21e5ac66642c8605af85aa62e1006b138e1194a8c07aa871fbdbf964a3e9a85be1a5b8edfa57fa02f63aeb0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4073781.exe

Filesize
350KB

MD5
3385a11f64492e8634ce39d01d6137be

SHA1
d87848392032ea86650cb55f72656a784f564344

SHA256
b40f98ea1169986be1d6c143cb008866c096641a6648853253c04a9f397dc425

SHA512
6cdd853223b857724b5d98a10405186bad0fabf48c15fdb882bdebf9e7fa5923afbd38a25b4e5b1eb647af0ea1d162b978d22836f22e12faa2461af56388f861

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4073781.exe

Filesize
350KB

MD5
3385a11f64492e8634ce39d01d6137be

SHA1
d87848392032ea86650cb55f72656a784f564344

SHA256
b40f98ea1169986be1d6c143cb008866c096641a6648853253c04a9f397dc425

SHA512
6cdd853223b857724b5d98a10405186bad0fabf48c15fdb882bdebf9e7fa5923afbd38a25b4e5b1eb647af0ea1d162b978d22836f22e12faa2461af56388f861

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2ac6d3fcf6913b1a1ac100407e97fccb

SHA1
809f7d4ed348951b79745074487956255d1d0a9a

SHA256
30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe

SHA512
79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2ac6d3fcf6913b1a1ac100407e97fccb

SHA1
809f7d4ed348951b79745074487956255d1d0a9a

SHA256
30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe

SHA512
79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2ac6d3fcf6913b1a1ac100407e97fccb

SHA1
809f7d4ed348951b79745074487956255d1d0a9a

SHA256
30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe

SHA512
79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
273B

MD5
6d5040418450624fef735b49ec6bffe9

SHA1
5fff6a1a620a5c4522aead8dbd0a5a52570e8773

SHA256
dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3

SHA512
bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

Download Submit
memory/2576-86-0x0000000073D30000-0x00000000744E0000-memory.dmp

Filesize
7.7MB

Download
memory/2576-84-0x0000000073D30000-0x00000000744E0000-memory.dmp

Filesize
7.7MB

Download
memory/2576-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2576-36-0x0000000073D30000-0x00000000744E0000-memory.dmp

Filesize
7.7MB

Download
memory/2644-51-0x0000000005150000-0x0000000005768000-memory.dmp

Filesize
6.1MB

Download
memory/2644-49-0x00000000006F0000-0x00000000006F6000-memory.dmp

Filesize
24KB

Download
memory/2644-87-0x0000000073D30000-0x00000000744E0000-memory.dmp

Filesize
7.7MB

Download
memory/2644-88-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/2644-52-0x0000000004C40000-0x0000000004D4A000-memory.dmp

Filesize
1.0MB

Download
memory/2644-61-0x0000000002530000-0x000000000257C000-memory.dmp

Filesize
304KB

Download
memory/2644-50-0x0000000073D30000-0x00000000744E0000-memory.dmp

Filesize
7.7MB

Download
memory/2644-54-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/2644-48-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2644-58-0x00000000023D0000-0x000000000240C000-memory.dmp

Filesize
240KB

Download
memory/2644-53-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/4220-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4220-40-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4220-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4220-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download