amadey | 20f0619336fb27994a740fb37794d83d027646bbf0d826d8b3542f042412a908

Analysis

max time kernel
204s
max time network
226s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d334fdbe7080a9e36d94001903199491.exe
Size

10KB
MD5

d334fdbe7080a9e36d94001903199491
SHA1

5d10fa7e8de420744a3ad3358428f16e796c3c1a
SHA256

20f0619336fb27994a740fb37794d83d027646bbf0d826d8b3542f042412a908
SHA512

dc57151e73e2e23709a71fc608f6b2d9e7e2f1bbbc4999a3f80443fc3599e21cfedbb6dc735e9bcd6d3421e595dacd34be01375eda9c4a5348550b94349383ba
SSDEEP

192:4ctzdkaK/n7bEbIn+qeDFcugX8P6J8stYcFwVc03KY:4y+p7bEbIn+rgX8yJptYcFwVc03K

Score

10^/10

amadey privateloader evasion loader persistence spyware stealer trojan upx vmprotect

Malware Config

Extracted

Family

amadey

Version

3.89

http://193.42.32.29/9bDc8sQ/index.php

Attributes

install_dir
1ff8bec27e
install_file
nhdues.exe
strings_key
2efe1b48925e9abf268903d42284c46b

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 4160 created 3172	4160	uxStaxQPQNcwIymgOpTtc97U.exe	48
PID 4160 created 3172	4160	uxStaxQPQNcwIymgOpTtc97U.exe	48
PID 4160 created 3172	4160	uxStaxQPQNcwIymgOpTtc97U.exe	48
PID 4160 created 3172	4160	uxStaxQPQNcwIymgOpTtc97U.exe	48
PID 4160 created 3172	4160	uxStaxQPQNcwIymgOpTtc97U.exe	48

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	uxStaxQPQNcwIymgOpTtc97U.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	d334fdbe7080a9e36d94001903199491.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	AyNIOwYW7QVrRFLzWI4vPhzp.exe

Drops startup file 11 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kLHqIpe1aFAm5midOHa6tkzM.bat	d334fdbe7080a9e36d94001903199491.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\G0eVjAlAV4UkwCTppPv7dSwp.bat	d334fdbe7080a9e36d94001903199491.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wi2bhvau07JPqjHlslWCy9km.bat	d334fdbe7080a9e36d94001903199491.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UUPqCVjJ2PJsVPGm6cxpJrMg.bat	d334fdbe7080a9e36d94001903199491.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XxPif6EmHtv3BKF8OX91SYcQ.bat	d334fdbe7080a9e36d94001903199491.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\s48uaOV9QfXqJMX7B8EGG1e3.bat	d334fdbe7080a9e36d94001903199491.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dCyLrHjCukpkO0qGh8JIpNvl.bat	d334fdbe7080a9e36d94001903199491.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RrXiOmJxDyUuwcwjg7mgrmYj.bat	d334fdbe7080a9e36d94001903199491.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zRYK85zn2r7DwIiqkKNlUzTS.bat	d334fdbe7080a9e36d94001903199491.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gs4IhRGeHWlceVVt2jgnCPed.bat	d334fdbe7080a9e36d94001903199491.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u5fWckjaXuOdZSJTnLiBoMpc.bat	d334fdbe7080a9e36d94001903199491.exe

Executes dropped EXE 11 IoCs

pid	Process
1420	o4yzDdxOatCQpdPwZUja452r.exe
2272	o9SOEDgICSUCGoPLXVMJ3fGC.exe
1492	arriveprospect.exe
5088	A2zD3nLckRO3f9PciK9OOCKJ.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
4056	TFobCiW98FBX168Ea13Oq4ww.exe
4160	uxStaxQPQNcwIymgOpTtc97U.exe
1536	E5lUYBad9i0gZzIUHhncuaD3.exe
3936	2W39bBiYT17L52k8oNCCXY4l.exe
2376	e0ndZ9bxVyjjKzEmMcpywSfB.exe
768	IlE2pyQGKicn4xqX81aT0UPP.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000022888-104.dat	upx
behavioral2/files/0x0003000000022888-119.dat	upx
behavioral2/memory/3936-126-0x0000000000F60000-0x00000000014AD000-memory.dmp	upx
behavioral2/files/0x0003000000022888-168.dat	upx
behavioral2/memory/3936-170-0x0000000000F60000-0x00000000014AD000-memory.dmp	upx
behavioral2/memory/3936-183-0x0000000000F60000-0x00000000014AD000-memory.dmp	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000600000002321a-72.dat	vmprotect
behavioral2/files/0x000600000002321a-86.dat	vmprotect
behavioral2/files/0x000600000002321a-87.dat	vmprotect
behavioral2/memory/3736-114-0x00007FF6EB350000-0x00007FF6EBA21000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	o4yzDdxOatCQpdPwZUja452r.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
95	api.myip.com
96	api.myip.com
97	ipinfo.io
98	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	AyNIOwYW7QVrRFLzWI4vPhzp.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	AyNIOwYW7QVrRFLzWI4vPhzp.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	AyNIOwYW7QVrRFLzWI4vPhzp.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	AyNIOwYW7QVrRFLzWI4vPhzp.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
792	sc.exe
4956	sc.exe
1964	sc.exe
1564	sc.exe
5068	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
4160	uxStaxQPQNcwIymgOpTtc97U.exe
4160	uxStaxQPQNcwIymgOpTtc97U.exe
3584	powershell.exe
3584	powershell.exe
4160	uxStaxQPQNcwIymgOpTtc97U.exe
4160	uxStaxQPQNcwIymgOpTtc97U.exe
4160	uxStaxQPQNcwIymgOpTtc97U.exe
4160	uxStaxQPQNcwIymgOpTtc97U.exe
4160	uxStaxQPQNcwIymgOpTtc97U.exe
4160	uxStaxQPQNcwIymgOpTtc97U.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
3736	AyNIOwYW7QVrRFLzWI4vPhzp.exe
4160	uxStaxQPQNcwIymgOpTtc97U.exe
4160	uxStaxQPQNcwIymgOpTtc97U.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4152	d334fdbe7080a9e36d94001903199491.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeShutdownPrivilege	4944	powercfg.exe
Token: SeCreatePagefilePrivilege	4944	powercfg.exe
Token: SeShutdownPrivilege	2708	powercfg.exe
Token: SeCreatePagefilePrivilege	2708	powercfg.exe
Token: SeShutdownPrivilege	3776	powercfg.exe
Token: SeCreatePagefilePrivilege	3776	powercfg.exe
Token: SeShutdownPrivilege	2312	powercfg.exe
Token: SeCreatePagefilePrivilege	2312	powercfg.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 1420	4152	d334fdbe7080a9e36d94001903199491.exe	87
PID 4152 wrote to memory of 1420	4152	d334fdbe7080a9e36d94001903199491.exe	87
PID 4152 wrote to memory of 2272	4152	d334fdbe7080a9e36d94001903199491.exe	88
PID 4152 wrote to memory of 2272	4152	d334fdbe7080a9e36d94001903199491.exe	88
PID 4152 wrote to memory of 2272	4152	d334fdbe7080a9e36d94001903199491.exe	88
PID 1420 wrote to memory of 1492	1420	o4yzDdxOatCQpdPwZUja452r.exe	89
PID 1420 wrote to memory of 1492	1420	o4yzDdxOatCQpdPwZUja452r.exe	89
PID 1420 wrote to memory of 1492	1420	o4yzDdxOatCQpdPwZUja452r.exe	89
PID 4152 wrote to memory of 5088	4152	d334fdbe7080a9e36d94001903199491.exe	90
PID 4152 wrote to memory of 5088	4152	d334fdbe7080a9e36d94001903199491.exe	90
PID 4152 wrote to memory of 5088	4152	d334fdbe7080a9e36d94001903199491.exe	90
PID 4152 wrote to memory of 3736	4152	d334fdbe7080a9e36d94001903199491.exe	91
PID 4152 wrote to memory of 3736	4152	d334fdbe7080a9e36d94001903199491.exe	91
PID 4152 wrote to memory of 4056	4152	d334fdbe7080a9e36d94001903199491.exe	94
PID 4152 wrote to memory of 4056	4152	d334fdbe7080a9e36d94001903199491.exe	94
PID 4152 wrote to memory of 4056	4152	d334fdbe7080a9e36d94001903199491.exe	94
PID 4152 wrote to memory of 4160	4152	d334fdbe7080a9e36d94001903199491.exe	92
PID 4152 wrote to memory of 4160	4152	d334fdbe7080a9e36d94001903199491.exe	92
PID 4152 wrote to memory of 1536	4152	d334fdbe7080a9e36d94001903199491.exe	93
PID 4152 wrote to memory of 1536	4152	d334fdbe7080a9e36d94001903199491.exe	93
PID 4152 wrote to memory of 1536	4152	d334fdbe7080a9e36d94001903199491.exe	93
PID 4152 wrote to memory of 3936	4152	d334fdbe7080a9e36d94001903199491.exe	95
PID 4152 wrote to memory of 3936	4152	d334fdbe7080a9e36d94001903199491.exe	95
PID 4152 wrote to memory of 3936	4152	d334fdbe7080a9e36d94001903199491.exe	95
PID 4152 wrote to memory of 2376	4152	d334fdbe7080a9e36d94001903199491.exe	96
PID 4152 wrote to memory of 2376	4152	d334fdbe7080a9e36d94001903199491.exe	96
PID 4152 wrote to memory of 2376	4152	d334fdbe7080a9e36d94001903199491.exe	96
PID 4152 wrote to memory of 768	4152	d334fdbe7080a9e36d94001903199491.exe	97
PID 4152 wrote to memory of 768	4152	d334fdbe7080a9e36d94001903199491.exe	97
PID 4152 wrote to memory of 768	4152	d334fdbe7080a9e36d94001903199491.exe	97
PID 892 wrote to memory of 5068	892	cmd.exe	103
PID 892 wrote to memory of 5068	892	cmd.exe	103
PID 892 wrote to memory of 792	892	cmd.exe	104
PID 892 wrote to memory of 792	892	cmd.exe	104
PID 892 wrote to memory of 4956	892	cmd.exe	105
PID 892 wrote to memory of 4956	892	cmd.exe	105
PID 892 wrote to memory of 1964	892	cmd.exe	106
PID 892 wrote to memory of 1964	892	cmd.exe	106
PID 892 wrote to memory of 1564	892	cmd.exe	107
PID 892 wrote to memory of 1564	892	cmd.exe	107
PID 1800 wrote to memory of 4944	1800	cmd.exe	110
PID 1800 wrote to memory of 4944	1800	cmd.exe	110
PID 1800 wrote to memory of 2708	1800	cmd.exe	113
PID 1800 wrote to memory of 2708	1800	cmd.exe	113
PID 1800 wrote to memory of 3776	1800	cmd.exe	114
PID 1800 wrote to memory of 3776	1800	cmd.exe	114
PID 1800 wrote to memory of 2312	1800	cmd.exe	115
PID 1800 wrote to memory of 2312	1800	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3172
- C:\Users\Admin\AppData\Local\Temp\d334fdbe7080a9e36d94001903199491.exe
  "C:\Users\Admin\AppData\Local\Temp\d334fdbe7080a9e36d94001903199491.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Users\Admin\Pictures\o4yzDdxOatCQpdPwZUja452r.exe
    "C:\Users\Admin\Pictures\o4yzDdxOatCQpdPwZUja452r.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\arriveprospect.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\arriveprospect.exe
      4⤵
      Executes dropped EXE
      PID:1492
- - C:\Users\Admin\Pictures\o9SOEDgICSUCGoPLXVMJ3fGC.exe
    "C:\Users\Admin\Pictures\o9SOEDgICSUCGoPLXVMJ3fGC.exe"
    3⤵
    - Executes dropped EXE
    PID:2272
- - C:\Users\Admin\Pictures\A2zD3nLckRO3f9PciK9OOCKJ.exe
    "C:\Users\Admin\Pictures\A2zD3nLckRO3f9PciK9OOCKJ.exe"
    3⤵
    - Executes dropped EXE
    PID:5088
- - C:\Users\Admin\Pictures\AyNIOwYW7QVrRFLzWI4vPhzp.exe
    "C:\Users\Admin\Pictures\AyNIOwYW7QVrRFLzWI4vPhzp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3736
- - C:\Users\Admin\Pictures\uxStaxQPQNcwIymgOpTtc97U.exe
    "C:\Users\Admin\Pictures\uxStaxQPQNcwIymgOpTtc97U.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4160
- - C:\Users\Admin\Pictures\E5lUYBad9i0gZzIUHhncuaD3.exe
    "C:\Users\Admin\Pictures\E5lUYBad9i0gZzIUHhncuaD3.exe"
    3⤵
    - Executes dropped EXE
    PID:1536
- - C:\Users\Admin\Pictures\TFobCiW98FBX168Ea13Oq4ww.exe
    "C:\Users\Admin\Pictures\TFobCiW98FBX168Ea13Oq4ww.exe"
    3⤵
    - Executes dropped EXE
    PID:4056
- - C:\Users\Admin\Pictures\2W39bBiYT17L52k8oNCCXY4l.exe
    "C:\Users\Admin\Pictures\2W39bBiYT17L52k8oNCCXY4l.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    PID:3936
- - C:\Users\Admin\Pictures\e0ndZ9bxVyjjKzEmMcpywSfB.exe
    "C:\Users\Admin\Pictures\e0ndZ9bxVyjjKzEmMcpywSfB.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333
    3⤵
    - Executes dropped EXE
    PID:2376
- - C:\Users\Admin\Pictures\IlE2pyQGKicn4xqX81aT0UPP.exe
    "C:\Users\Admin\Pictures\IlE2pyQGKicn4xqX81aT0UPP.exe"
    3⤵
    - Executes dropped EXE
    PID:768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3584
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5068
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:792
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4956
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1964
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1564
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4944
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3776
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:400
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\iacrcjwhmdyc.xml"
  2⤵
  - Creates scheduled task(s)
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\arriveprospect.exe

Filesize
431KB

MD5
6c39c3c2f069b9412dc555cbb94d4b50

SHA1
cde852a5ec57a4a16783c20d0f08ed12bcbc10ec

SHA256
cd467aaa6925086185f20083c6a2e382ea1b09c658d4173db8a8df21c6877858

SHA512
63b0d52edd1de8cb8d86e58899220df68cd7c02e466251ace868fe7211f73d4c729e463b7426b8bb66c501fc2f61f5af7a1f3ba9cfd7d2468eb3c3883dd4d650

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\arriveprospect.exe

Filesize
431KB

MD5
6c39c3c2f069b9412dc555cbb94d4b50

SHA1
cde852a5ec57a4a16783c20d0f08ed12bcbc10ec

SHA256
cd467aaa6925086185f20083c6a2e382ea1b09c658d4173db8a8df21c6877858

SHA512
63b0d52edd1de8cb8d86e58899220df68cd7c02e466251ace868fe7211f73d4c729e463b7426b8bb66c501fc2f61f5af7a1f3ba9cfd7d2468eb3c3883dd4d650

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kj5n050k.b2u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iacrcjwhmdyc.xml

Filesize
1KB

MD5
546d67a48ff2bf7682cea9fac07b942e

SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

Download Submit
C:\Users\Admin\Pictures\2W39bBiYT17L52k8oNCCXY4l.exe

Filesize
2.8MB

MD5
7eb32c69e8d1313fd6591f44a89518cd

SHA1
c6fb21323ff5d0f8d2c0acb0782f1666488e19d9

SHA256
93a51cf885fb27a6eda1950e862edec6a38808c2fe79dddfd5f892b7957bbb95

SHA512
8682dcff15ed66dc05fec162602391eec3a89984c9e2ebcbd45b4eb34cffeefdb4c46f09f2506f23fd04b0e39ff069ff5dbec92d02806b1212501a81317467d6

Download Submit
C:\Users\Admin\Pictures\2W39bBiYT17L52k8oNCCXY4l.exe

Filesize
2.8MB

MD5
7eb32c69e8d1313fd6591f44a89518cd

SHA1
c6fb21323ff5d0f8d2c0acb0782f1666488e19d9

SHA256
93a51cf885fb27a6eda1950e862edec6a38808c2fe79dddfd5f892b7957bbb95

SHA512
8682dcff15ed66dc05fec162602391eec3a89984c9e2ebcbd45b4eb34cffeefdb4c46f09f2506f23fd04b0e39ff069ff5dbec92d02806b1212501a81317467d6

Download Submit
C:\Users\Admin\Pictures\2W39bBiYT17L52k8oNCCXY4l.exe

Filesize
2.8MB

MD5
7eb32c69e8d1313fd6591f44a89518cd

SHA1
c6fb21323ff5d0f8d2c0acb0782f1666488e19d9

SHA256
93a51cf885fb27a6eda1950e862edec6a38808c2fe79dddfd5f892b7957bbb95

SHA512
8682dcff15ed66dc05fec162602391eec3a89984c9e2ebcbd45b4eb34cffeefdb4c46f09f2506f23fd04b0e39ff069ff5dbec92d02806b1212501a81317467d6

Download Submit
C:\Users\Admin\Pictures\A2zD3nLckRO3f9PciK9OOCKJ.exe

Filesize
4.1MB

MD5
57d386d0858a5f2150f0b82af4e67de7

SHA1
06916048d99a85666a97ddaa08694ec8a4b684b7

SHA256
03e8ce6519475df85008e4abed555b02150fb60d8afb039b98a3fae433679c4c

SHA512
877df87c871fcef37c0eb86495786bab95832e68ebaaca2849b3dfcd03503f5627ee3f6b56c0e84ab979c4fc7a4ea67f7682c333977127b8011d7c72d4403f46

Download Submit
C:\Users\Admin\Pictures\A2zD3nLckRO3f9PciK9OOCKJ.exe

Filesize
4.1MB

MD5
57d386d0858a5f2150f0b82af4e67de7

SHA1
06916048d99a85666a97ddaa08694ec8a4b684b7

SHA256
03e8ce6519475df85008e4abed555b02150fb60d8afb039b98a3fae433679c4c

SHA512
877df87c871fcef37c0eb86495786bab95832e68ebaaca2849b3dfcd03503f5627ee3f6b56c0e84ab979c4fc7a4ea67f7682c333977127b8011d7c72d4403f46

Download Submit
C:\Users\Admin\Pictures\A2zD3nLckRO3f9PciK9OOCKJ.exe

Filesize
4.1MB

MD5
57d386d0858a5f2150f0b82af4e67de7

SHA1
06916048d99a85666a97ddaa08694ec8a4b684b7

SHA256
03e8ce6519475df85008e4abed555b02150fb60d8afb039b98a3fae433679c4c

SHA512
877df87c871fcef37c0eb86495786bab95832e68ebaaca2849b3dfcd03503f5627ee3f6b56c0e84ab979c4fc7a4ea67f7682c333977127b8011d7c72d4403f46

Download Submit
C:\Users\Admin\Pictures\AyNIOwYW7QVrRFLzWI4vPhzp.exe

Filesize
2.6MB

MD5
9f2721fbcc5f835a7dd623dc875937b7

SHA1
6754efe8281fb17677866277fc0a88a7852b0367

SHA256
bbfe892212b563f55273825e83c4e719e3fd408fdc609760223d1ca501f1e3eb

SHA512
785d378cd4435a7a0e672bf82e8aa7519926ae47a6d00377c389f5cb917c50af0f47148e403e2443c21f876e2056eb26aeeef1e23d9a61ff0d7e15b8249b81dc

Download Submit
C:\Users\Admin\Pictures\AyNIOwYW7QVrRFLzWI4vPhzp.exe

Filesize
2.6MB

MD5
9f2721fbcc5f835a7dd623dc875937b7

SHA1
6754efe8281fb17677866277fc0a88a7852b0367

SHA256
bbfe892212b563f55273825e83c4e719e3fd408fdc609760223d1ca501f1e3eb

SHA512
785d378cd4435a7a0e672bf82e8aa7519926ae47a6d00377c389f5cb917c50af0f47148e403e2443c21f876e2056eb26aeeef1e23d9a61ff0d7e15b8249b81dc

Download Submit
C:\Users\Admin\Pictures\AyNIOwYW7QVrRFLzWI4vPhzp.exe

Filesize
2.6MB

MD5
9f2721fbcc5f835a7dd623dc875937b7

SHA1
6754efe8281fb17677866277fc0a88a7852b0367

SHA256
bbfe892212b563f55273825e83c4e719e3fd408fdc609760223d1ca501f1e3eb

SHA512
785d378cd4435a7a0e672bf82e8aa7519926ae47a6d00377c389f5cb917c50af0f47148e403e2443c21f876e2056eb26aeeef1e23d9a61ff0d7e15b8249b81dc

Download Submit
C:\Users\Admin\Pictures\E5lUYBad9i0gZzIUHhncuaD3.exe

Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
C:\Users\Admin\Pictures\E5lUYBad9i0gZzIUHhncuaD3.exe

Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
C:\Users\Admin\Pictures\E5lUYBad9i0gZzIUHhncuaD3.exe

Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
C:\Users\Admin\Pictures\IlE2pyQGKicn4xqX81aT0UPP.exe

Filesize
7.2MB

MD5
3ced118256af2b36b3b07ca4af5711b6

SHA1
cce998454a2fb212ca044a6534f94d0f77db252a

SHA256
ce220e7d5b1abe8a11d1a097be6523fa603d3c5b5d79378cdc3f40486b0747c6

SHA512
3e59e853fb3a9e3e94547ccdb9bfaa0c4b4493ffd53fae550adc0f52c335fb53e1004455e112c718dba353232b6c0eecc7eb4bb56a457c4f2076e3e87d09ab4e

Download Submit
C:\Users\Admin\Pictures\IlE2pyQGKicn4xqX81aT0UPP.exe

Filesize
7.2MB

MD5
3ced118256af2b36b3b07ca4af5711b6

SHA1
cce998454a2fb212ca044a6534f94d0f77db252a

SHA256
ce220e7d5b1abe8a11d1a097be6523fa603d3c5b5d79378cdc3f40486b0747c6

SHA512
3e59e853fb3a9e3e94547ccdb9bfaa0c4b4493ffd53fae550adc0f52c335fb53e1004455e112c718dba353232b6c0eecc7eb4bb56a457c4f2076e3e87d09ab4e

Download Submit
C:\Users\Admin\Pictures\IlE2pyQGKicn4xqX81aT0UPP.exe

Filesize
7.2MB

MD5
3ced118256af2b36b3b07ca4af5711b6

SHA1
cce998454a2fb212ca044a6534f94d0f77db252a

SHA256
ce220e7d5b1abe8a11d1a097be6523fa603d3c5b5d79378cdc3f40486b0747c6

SHA512
3e59e853fb3a9e3e94547ccdb9bfaa0c4b4493ffd53fae550adc0f52c335fb53e1004455e112c718dba353232b6c0eecc7eb4bb56a457c4f2076e3e87d09ab4e

Download Submit
C:\Users\Admin\Pictures\PqeVr1R8V94lIPjo5hcRHySu.exe

Filesize
7B

MD5
24fe48030f7d3097d5882535b04c3fa8

SHA1
a689a999a5e62055bda8c21b1dbe92c119308def

SHA256
424a2551d356754c882d04ac16c63e6b50b80b159549d23231001f629455756e

SHA512
45a842447d5e9c10822f7d5db1192a0e8e7917e6546dab6aebe2542b5a82bedc26aa8d96e3e99de82e2d0b662fcac70d6914248371af034b763f5dd85dab0c51

Download Submit
C:\Users\Admin\Pictures\TFobCiW98FBX168Ea13Oq4ww.exe

Filesize
4.1MB

MD5
00d3f8bf977bcb9b594448010e8d58f0

SHA1
8a318339666915dda2ea4111afc4208152a5245f

SHA256
c05d208e8dd72d708e56fade55a82587c4f70e37f0efa96b88cb552d492cf4f5

SHA512
ca2a2baab091eef4bb25d207d6870e1927efba59241c50ca37e7aa52ca5514d8ed74c92af6f8fd20bcee1cc5f9707144a606da77da815983963f6888a88a9933

Download Submit
C:\Users\Admin\Pictures\TFobCiW98FBX168Ea13Oq4ww.exe

Filesize
4.1MB

MD5
00d3f8bf977bcb9b594448010e8d58f0

SHA1
8a318339666915dda2ea4111afc4208152a5245f

SHA256
c05d208e8dd72d708e56fade55a82587c4f70e37f0efa96b88cb552d492cf4f5

SHA512
ca2a2baab091eef4bb25d207d6870e1927efba59241c50ca37e7aa52ca5514d8ed74c92af6f8fd20bcee1cc5f9707144a606da77da815983963f6888a88a9933

Download Submit
C:\Users\Admin\Pictures\e0ndZ9bxVyjjKzEmMcpywSfB.exe

Filesize
5.6MB

MD5
fe469d9ce18f3bd33de41b8fd8701c4d

SHA1
99411eab81e0d7e8607e8fe0f715f635e541e52a

SHA256
b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a

SHA512
5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

Download Submit
C:\Users\Admin\Pictures\e0ndZ9bxVyjjKzEmMcpywSfB.exe

Filesize
5.6MB

MD5
fe469d9ce18f3bd33de41b8fd8701c4d

SHA1
99411eab81e0d7e8607e8fe0f715f635e541e52a

SHA256
b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a

SHA512
5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

Download Submit
C:\Users\Admin\Pictures\e0ndZ9bxVyjjKzEmMcpywSfB.exe

Filesize
5.6MB

MD5
fe469d9ce18f3bd33de41b8fd8701c4d

SHA1
99411eab81e0d7e8607e8fe0f715f635e541e52a

SHA256
b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a

SHA512
5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

Download Submit
C:\Users\Admin\Pictures\o4yzDdxOatCQpdPwZUja452r.exe

Filesize
375KB

MD5
2244407bb2d42d5f4eac695f41b6fb5f

SHA1
2ee287f5bf702944ced22a521be320e540a0dca0

SHA256
f0fdafa368b856b837a7f9ea91945e72f620792018f98626d9c44ef9ee948959

SHA512
02bce15c288b32f2cdf79dd45c456f9d30ba8fe75620430fd9bc9b2ba0b58ad9e37fc7f4d124e20d1d0fa9aae5a1f1c7127746b6b08fb7900640d7217f8543ac

Download Submit
C:\Users\Admin\Pictures\o4yzDdxOatCQpdPwZUja452r.exe

Filesize
375KB

MD5
2244407bb2d42d5f4eac695f41b6fb5f

SHA1
2ee287f5bf702944ced22a521be320e540a0dca0

SHA256
f0fdafa368b856b837a7f9ea91945e72f620792018f98626d9c44ef9ee948959

SHA512
02bce15c288b32f2cdf79dd45c456f9d30ba8fe75620430fd9bc9b2ba0b58ad9e37fc7f4d124e20d1d0fa9aae5a1f1c7127746b6b08fb7900640d7217f8543ac

Download Submit
C:\Users\Admin\Pictures\o4yzDdxOatCQpdPwZUja452r.exe

Filesize
375KB

MD5
2244407bb2d42d5f4eac695f41b6fb5f

SHA1
2ee287f5bf702944ced22a521be320e540a0dca0

SHA256
f0fdafa368b856b837a7f9ea91945e72f620792018f98626d9c44ef9ee948959

SHA512
02bce15c288b32f2cdf79dd45c456f9d30ba8fe75620430fd9bc9b2ba0b58ad9e37fc7f4d124e20d1d0fa9aae5a1f1c7127746b6b08fb7900640d7217f8543ac

Download Submit
C:\Users\Admin\Pictures\o9SOEDgICSUCGoPLXVMJ3fGC.exe

Filesize
226KB

MD5
aebaf57299cd368f842cfa98f3b1658c

SHA1
cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7

SHA256
d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce

SHA512
989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

Download Submit
C:\Users\Admin\Pictures\o9SOEDgICSUCGoPLXVMJ3fGC.exe

Filesize
226KB

MD5
aebaf57299cd368f842cfa98f3b1658c

SHA1
cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7

SHA256
d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce

SHA512
989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

Download Submit
C:\Users\Admin\Pictures\o9SOEDgICSUCGoPLXVMJ3fGC.exe

Filesize
226KB

MD5
aebaf57299cd368f842cfa98f3b1658c

SHA1
cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7

SHA256
d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce

SHA512
989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

Download Submit
C:\Users\Admin\Pictures\uxStaxQPQNcwIymgOpTtc97U.exe

Filesize
5.2MB

MD5
df280925e135481b26e921dd1221e359

SHA1
877737c142fdcc03c33e20d4f17c48a741373c9e

SHA256
710a3e1beda67e1c543ba04423bfb0ba643815582310c0b3d03d03e071c894b8

SHA512
3da682a655a9df0ad0fcc6f28953f104383f3abe695afdd7a236d9ea0f05ef4de210da7c46139f3ce01e3e7dde9abf02b3665d1289e20426ba9164468807f487

Download Submit
C:\Users\Admin\Pictures\uxStaxQPQNcwIymgOpTtc97U.exe

Filesize
5.2MB

MD5
df280925e135481b26e921dd1221e359

SHA1
877737c142fdcc03c33e20d4f17c48a741373c9e

SHA256
710a3e1beda67e1c543ba04423bfb0ba643815582310c0b3d03d03e071c894b8

SHA512
3da682a655a9df0ad0fcc6f28953f104383f3abe695afdd7a236d9ea0f05ef4de210da7c46139f3ce01e3e7dde9abf02b3665d1289e20426ba9164468807f487

Download Submit
C:\Users\Admin\Pictures\uxStaxQPQNcwIymgOpTtc97U.exe

Filesize
5.2MB

MD5
df280925e135481b26e921dd1221e359

SHA1
877737c142fdcc03c33e20d4f17c48a741373c9e

SHA256
710a3e1beda67e1c543ba04423bfb0ba643815582310c0b3d03d03e071c894b8

SHA512
3da682a655a9df0ad0fcc6f28953f104383f3abe695afdd7a236d9ea0f05ef4de210da7c46139f3ce01e3e7dde9abf02b3665d1289e20426ba9164468807f487

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/2376-173-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3584-157-0x00007FFA8F8A0000-0x00007FFA90361000-memory.dmp

Filesize
10.8MB

Download
memory/3584-174-0x00007FFA8F8A0000-0x00007FFA90361000-memory.dmp

Filesize
10.8MB

Download
memory/3584-145-0x00000244F8570000-0x00000244F8592000-memory.dmp

Filesize
136KB

Download
memory/3736-114-0x00007FF6EB350000-0x00007FF6EBA21000-memory.dmp

Filesize
6.8MB

Download
memory/3936-126-0x0000000000F60000-0x00000000014AD000-memory.dmp

Filesize
5.3MB

Download
memory/3936-170-0x0000000000F60000-0x00000000014AD000-memory.dmp

Filesize
5.3MB

Download
memory/3936-183-0x0000000000F60000-0x00000000014AD000-memory.dmp

Filesize
5.3MB

Download
memory/4152-1-0x00007FFA8F8A0000-0x00007FFA90361000-memory.dmp

Filesize
10.8MB

Download
memory/4152-0-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/4152-3-0x00007FFA8F8A0000-0x00007FFA90361000-memory.dmp

Filesize
10.8MB

Download
memory/4152-4-0x000000001B7D0000-0x000000001B7E0000-memory.dmp

Filesize
64KB

Download
memory/4152-2-0x000000001B7D0000-0x000000001B7E0000-memory.dmp

Filesize
64KB

Download
memory/4160-139-0x00007FF69B580000-0x00007FF69BAC3000-memory.dmp

Filesize
5.3MB

Download
memory/4160-120-0x00007FF69B580000-0x00007FF69BAC3000-memory.dmp

Filesize
5.3MB

Download
memory/4160-179-0x00007FF69B580000-0x00007FF69BAC3000-memory.dmp

Filesize
5.3MB

Download
memory/4160-159-0x00007FF69B580000-0x00007FF69BAC3000-memory.dmp

Filesize
5.3MB

Download