amadey | 2ffecc77953d5e6aaaaf4746ae37628289c3f04ec5cd31dcba5a08244c9ef44b

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2ffecc77953d5e6aaaaf4746ae37628289c3f04ec5cd31dcba5a08244c9ef44bexe.exe
Size

1.8MB
MD5

b9871990e4935f2f4858e4b773b29471
SHA1

08267e88f73a7b3bba6b4f54df33cdb8a0809a3e
SHA256

2ffecc77953d5e6aaaaf4746ae37628289c3f04ec5cd31dcba5a08244c9ef44b
SHA512

0e0e6ebb52534119d782462c86029012bf5c2e069126206ce54e40dbef08e1e05e12b4289864a67bd761b41f2920d8052a66eef8ac5dfeafc0d525cce05e7fb0
SSDEEP

24576:2cyeTlPhHAjm16WcVzoNNcYEJecgMla9bvUh9y6DUT7pNlUj+R0ifihFBqQpeAno:WeZpGm5cVtgMIbvUhc6oc+R/64ahv

Score

10^/10

amadey redline smokeloader plost backdoor evasion infostealer persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

plost

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2356-63-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	5Nj0jC6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	7bM7tg68.exe

Executes dropped EXE 15 IoCs

pid	Process
3436	iT5qt15.exe
4468	Ob9GD75.exe
5108	OV9Xu96.exe
4812	XW7Hr80.exe
1148	iG3aH61.exe
2032	1sr58DM2.exe
3144	2en7201.exe
4168	3QQ90VW.exe
1608	4Wq049wo.exe
3808	5Nj0jC6.exe
4820	explothe.exe
4220	6WL4Rv3.exe
1612	7bM7tg68.exe
2752	explothe.exe
3692	explothe.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	XW7Hr80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	iG3aH61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.2ffecc77953d5e6aaaaf4746ae37628289c3f04ec5cd31dcba5a08244c9ef44bexe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	iT5qt15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ob9GD75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	OV9Xu96.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 1596	2032	1sr58DM2.exe	98
PID 3144 set thread context of 4108	3144	2en7201.exe	101
PID 1608 set thread context of 2356	1608	4Wq049wo.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4028	4108	WerFault.exe	101

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3QQ90VW.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3QQ90VW.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3QQ90VW.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
336	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4168	3QQ90VW.exe
4168	3QQ90VW.exe
1596	AppLaunch.exe
1596	AppLaunch.exe
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3156	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4168	3QQ90VW.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	AppLaunch.exe
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3156	Process not Found
3156	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 3436	3868	NEAS.2ffecc77953d5e6aaaaf4746ae37628289c3f04ec5cd31dcba5a08244c9ef44bexe.exe	89
PID 3868 wrote to memory of 3436	3868	NEAS.2ffecc77953d5e6aaaaf4746ae37628289c3f04ec5cd31dcba5a08244c9ef44bexe.exe	89
PID 3868 wrote to memory of 3436	3868	NEAS.2ffecc77953d5e6aaaaf4746ae37628289c3f04ec5cd31dcba5a08244c9ef44bexe.exe	89
PID 3436 wrote to memory of 4468	3436	iT5qt15.exe	91
PID 3436 wrote to memory of 4468	3436	iT5qt15.exe	91
PID 3436 wrote to memory of 4468	3436	iT5qt15.exe	91
PID 4468 wrote to memory of 5108	4468	Ob9GD75.exe	93
PID 4468 wrote to memory of 5108	4468	Ob9GD75.exe	93
PID 4468 wrote to memory of 5108	4468	Ob9GD75.exe	93
PID 5108 wrote to memory of 4812	5108	OV9Xu96.exe	94
PID 5108 wrote to memory of 4812	5108	OV9Xu96.exe	94
PID 5108 wrote to memory of 4812	5108	OV9Xu96.exe	94
PID 4812 wrote to memory of 1148	4812	XW7Hr80.exe	95
PID 4812 wrote to memory of 1148	4812	XW7Hr80.exe	95
PID 4812 wrote to memory of 1148	4812	XW7Hr80.exe	95
PID 1148 wrote to memory of 2032	1148	iG3aH61.exe	96
PID 1148 wrote to memory of 2032	1148	iG3aH61.exe	96
PID 1148 wrote to memory of 2032	1148	iG3aH61.exe	96
PID 2032 wrote to memory of 3556	2032	1sr58DM2.exe	97
PID 2032 wrote to memory of 3556	2032	1sr58DM2.exe	97
PID 2032 wrote to memory of 3556	2032	1sr58DM2.exe	97
PID 2032 wrote to memory of 1596	2032	1sr58DM2.exe	98
PID 2032 wrote to memory of 1596	2032	1sr58DM2.exe	98
PID 2032 wrote to memory of 1596	2032	1sr58DM2.exe	98
PID 2032 wrote to memory of 1596	2032	1sr58DM2.exe	98
PID 2032 wrote to memory of 1596	2032	1sr58DM2.exe	98
PID 2032 wrote to memory of 1596	2032	1sr58DM2.exe	98
PID 2032 wrote to memory of 1596	2032	1sr58DM2.exe	98
PID 2032 wrote to memory of 1596	2032	1sr58DM2.exe	98
PID 1148 wrote to memory of 3144	1148	iG3aH61.exe	99
PID 1148 wrote to memory of 3144	1148	iG3aH61.exe	99
PID 1148 wrote to memory of 3144	1148	iG3aH61.exe	99
PID 3144 wrote to memory of 4552	3144	2en7201.exe	100
PID 3144 wrote to memory of 4552	3144	2en7201.exe	100
PID 3144 wrote to memory of 4552	3144	2en7201.exe	100
PID 3144 wrote to memory of 4108	3144	2en7201.exe	101
PID 3144 wrote to memory of 4108	3144	2en7201.exe	101
PID 3144 wrote to memory of 4108	3144	2en7201.exe	101
PID 3144 wrote to memory of 4108	3144	2en7201.exe	101
PID 3144 wrote to memory of 4108	3144	2en7201.exe	101
PID 3144 wrote to memory of 4108	3144	2en7201.exe	101
PID 3144 wrote to memory of 4108	3144	2en7201.exe	101
PID 3144 wrote to memory of 4108	3144	2en7201.exe	101
PID 3144 wrote to memory of 4108	3144	2en7201.exe	101
PID 3144 wrote to memory of 4108	3144	2en7201.exe	101
PID 4812 wrote to memory of 4168	4812	XW7Hr80.exe	102
PID 4812 wrote to memory of 4168	4812	XW7Hr80.exe	102
PID 4812 wrote to memory of 4168	4812	XW7Hr80.exe	102
PID 5108 wrote to memory of 1608	5108	OV9Xu96.exe	108
PID 5108 wrote to memory of 1608	5108	OV9Xu96.exe	108
PID 5108 wrote to memory of 1608	5108	OV9Xu96.exe	108
PID 1608 wrote to memory of 2356	1608	4Wq049wo.exe	109
PID 1608 wrote to memory of 2356	1608	4Wq049wo.exe	109
PID 1608 wrote to memory of 2356	1608	4Wq049wo.exe	109
PID 1608 wrote to memory of 2356	1608	4Wq049wo.exe	109
PID 1608 wrote to memory of 2356	1608	4Wq049wo.exe	109
PID 1608 wrote to memory of 2356	1608	4Wq049wo.exe	109
PID 1608 wrote to memory of 2356	1608	4Wq049wo.exe	109
PID 1608 wrote to memory of 2356	1608	4Wq049wo.exe	109
PID 4468 wrote to memory of 3808	4468	Ob9GD75.exe	111
PID 4468 wrote to memory of 3808	4468	Ob9GD75.exe	111
PID 4468 wrote to memory of 3808	4468	Ob9GD75.exe	111
PID 3808 wrote to memory of 4820	3808	5Nj0jC6.exe	112
PID 3808 wrote to memory of 4820	3808	5Nj0jC6.exe	112

C:\Users\Admin\AppData\Local\Temp\NEAS.2ffecc77953d5e6aaaaf4746ae37628289c3f04ec5cd31dcba5a08244c9ef44bexe.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2ffecc77953d5e6aaaaf4746ae37628289c3f04ec5cd31dcba5a08244c9ef44bexe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iT5qt15.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iT5qt15.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ob9GD75.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ob9GD75.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OV9Xu96.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OV9Xu96.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\XW7Hr80.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\XW7Hr80.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4812
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iG3aH61.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iG3aH61.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1sr58DM2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1sr58DM2.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:3556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2en7201.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2en7201.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:4552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 540
        9⤵
        Program crash
        
        PID:4028
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3QQ90VW.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3QQ90VW.exe
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4168
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Wq049wo.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Wq049wo.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1608
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Nj0jC6.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Nj0jC6.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3808
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4820
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:336
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:960
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6WL4Rv3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6WL4Rv3.exe
    3⤵
    - Executes dropped EXE
    PID:4220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7bM7tg68.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7bM7tg68.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
    3⤵
    PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4108 -ip 4108
1⤵
PID:32

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:2752

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7bM7tg68.exe

Filesize
72KB

MD5
99ca70c08ef473dd24fcf6e0ae4687b2

SHA1
ead83af6d9170d8ed7be8c4128f3a2d1c3f11df0

SHA256
67f57410674748c1ae0972bb614466635b55252c313fd58735a368c11e4ca515

SHA512
a85b6eafd377eb9db848ef5997b8132a9c289bab758fc87630da6d99f1f91e6bbd6056e4f6840d652e73269b4fc8a4f4f1b82df73ff0cfe9901bed01399200ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7bM7tg68.exe

Filesize
72KB

MD5
99ca70c08ef473dd24fcf6e0ae4687b2

SHA1
ead83af6d9170d8ed7be8c4128f3a2d1c3f11df0

SHA256
67f57410674748c1ae0972bb614466635b55252c313fd58735a368c11e4ca515

SHA512
a85b6eafd377eb9db848ef5997b8132a9c289bab758fc87630da6d99f1f91e6bbd6056e4f6840d652e73269b4fc8a4f4f1b82df73ff0cfe9901bed01399200ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iT5qt15.exe

Filesize
1.7MB

MD5
3867c51d53a64f089bf726fe0fedd070

SHA1
2725a97443935bec764c3bfdd02784d56d293c4a

SHA256
e560b5e3c82e2146f2dcec2a7a4b07bb672e2e5abad5d7471944bcba2bcf1521

SHA512
6b660ea453264f4c931835c270c08a09ae55f15d1084f10171f3a6032639b4fc52eb75303e2bb1d0759150257a7e7a62a7fa998f1953386c7ea96ae0f0cce14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iT5qt15.exe

Filesize
1.7MB

MD5
3867c51d53a64f089bf726fe0fedd070

SHA1
2725a97443935bec764c3bfdd02784d56d293c4a

SHA256
e560b5e3c82e2146f2dcec2a7a4b07bb672e2e5abad5d7471944bcba2bcf1521

SHA512
6b660ea453264f4c931835c270c08a09ae55f15d1084f10171f3a6032639b4fc52eb75303e2bb1d0759150257a7e7a62a7fa998f1953386c7ea96ae0f0cce14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6WL4Rv3.exe

Filesize
181KB

MD5
a64590e4bc730327c29c98d00d96345f

SHA1
0c08498ec5118b22988b6b91b20d86414ecf02a0

SHA256
9cdcd5fc25b4df9e658cdf72cb01cbdea900efe63a5880388cf3ed19284e123c

SHA512
487df186b32b6822d5c14351f6b5ed866166696013378df9b916ac1d0c868340aab313d622312d561697d7850f37cd20aa3a3a0eb313912441b5916b62f6e3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6WL4Rv3.exe

Filesize
181KB

MD5
a64590e4bc730327c29c98d00d96345f

SHA1
0c08498ec5118b22988b6b91b20d86414ecf02a0

SHA256
9cdcd5fc25b4df9e658cdf72cb01cbdea900efe63a5880388cf3ed19284e123c

SHA512
487df186b32b6822d5c14351f6b5ed866166696013378df9b916ac1d0c868340aab313d622312d561697d7850f37cd20aa3a3a0eb313912441b5916b62f6e3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ob9GD75.exe

Filesize
1.5MB

MD5
66389df63b55189b9d9650c312429df1

SHA1
0d1ff94f9eb3dcc126da82286de372febcb2d226

SHA256
ea3ed462bc7906495919b9445a9340b8f25d2b2b5f7d8b35907033ca541e25d4

SHA512
b247b33587e52e2a7522dfa524ea5c0851111b851908fe213ed22a7a99ea64f036777caded78e63505628fa4abd72f5702eaf8a7b07de0e1b922fd1bf111bc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ob9GD75.exe

Filesize
1.5MB

MD5
66389df63b55189b9d9650c312429df1

SHA1
0d1ff94f9eb3dcc126da82286de372febcb2d226

SHA256
ea3ed462bc7906495919b9445a9340b8f25d2b2b5f7d8b35907033ca541e25d4

SHA512
b247b33587e52e2a7522dfa524ea5c0851111b851908fe213ed22a7a99ea64f036777caded78e63505628fa4abd72f5702eaf8a7b07de0e1b922fd1bf111bc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Nj0jC6.exe

Filesize
222KB

MD5
106a5f31f6c03b969fb376040a0e466e

SHA1
114a32da7bd375153a0b29347c6c536ead8d2f95

SHA256
576a796be2ae0863e05689d1688372ca371daf0e9ec19ac491170f3889210dc4

SHA512
7333c74b50f28bb2a1611935d21d69b2534e8f11c468030f775ebb5fcf29607f4d59b9c111b1a96cfa63045e05badd9f3045d045e25ccac79e3b6f45c5e11cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Nj0jC6.exe

Filesize
222KB

MD5
106a5f31f6c03b969fb376040a0e466e

SHA1
114a32da7bd375153a0b29347c6c536ead8d2f95

SHA256
576a796be2ae0863e05689d1688372ca371daf0e9ec19ac491170f3889210dc4

SHA512
7333c74b50f28bb2a1611935d21d69b2534e8f11c468030f775ebb5fcf29607f4d59b9c111b1a96cfa63045e05badd9f3045d045e25ccac79e3b6f45c5e11cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OV9Xu96.exe

Filesize
1.3MB

MD5
b2cf11cf9b4c71655274fc80bc927b84

SHA1
78337bb3cdb7dd5a66b51bb4d60aeb10593631dc

SHA256
d56d18efee83ac5515216b70a280b5c9f323199fc8b45115c9c806c226f2ba68

SHA512
6075e102dcd4384ee49d3355f7891f63685ee3502f330fbc288b9c2303a51072ce8760ecc18d606c5b8b96e01d4444d61d1fe7c97dc152e3622438b73785320e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OV9Xu96.exe

Filesize
1.3MB

MD5
b2cf11cf9b4c71655274fc80bc927b84

SHA1
78337bb3cdb7dd5a66b51bb4d60aeb10593631dc

SHA256
d56d18efee83ac5515216b70a280b5c9f323199fc8b45115c9c806c226f2ba68

SHA512
6075e102dcd4384ee49d3355f7891f63685ee3502f330fbc288b9c2303a51072ce8760ecc18d606c5b8b96e01d4444d61d1fe7c97dc152e3622438b73785320e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Wq049wo.exe

Filesize
1.9MB

MD5
c8f1a9fae4a42af4386aa093995d0114

SHA1
0516d6fe77107462892249068db0c1e1307de199

SHA256
e23eda350293a0031c18d0e8d338678c93fc4f7d059088b54e04e974576e68d0

SHA512
a2fbb5d545f629defd6edf2955b6009068e3f254b8b4471b2defc2213c8636827f957c30fe28aaddd3b45d96f9893cfd83f72604f95f3330a5dd85a7530f39d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Wq049wo.exe

Filesize
1.9MB

MD5
c8f1a9fae4a42af4386aa093995d0114

SHA1
0516d6fe77107462892249068db0c1e1307de199

SHA256
e23eda350293a0031c18d0e8d338678c93fc4f7d059088b54e04e974576e68d0

SHA512
a2fbb5d545f629defd6edf2955b6009068e3f254b8b4471b2defc2213c8636827f957c30fe28aaddd3b45d96f9893cfd83f72604f95f3330a5dd85a7530f39d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\XW7Hr80.exe

Filesize
782KB

MD5
3d72bc9b8db8e58b42d1a77a800f522b

SHA1
b75bad17ac3ae7dded1c5d1bde240496fe6f06b5

SHA256
e27ef3eb96ca33411d52d971af97229392ff6fe24b5d6c59bb1a39eddb615bda

SHA512
367a254fa6264f1b12671a2f3c038cb9c08fbf4085910ab60d6b7268da75efeb25f623ac167aa618fbce17d7ab4b2a50d8c350ae8fd8e6fb55fd615f4d13585a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\XW7Hr80.exe

Filesize
782KB

MD5
3d72bc9b8db8e58b42d1a77a800f522b

SHA1
b75bad17ac3ae7dded1c5d1bde240496fe6f06b5

SHA256
e27ef3eb96ca33411d52d971af97229392ff6fe24b5d6c59bb1a39eddb615bda

SHA512
367a254fa6264f1b12671a2f3c038cb9c08fbf4085910ab60d6b7268da75efeb25f623ac167aa618fbce17d7ab4b2a50d8c350ae8fd8e6fb55fd615f4d13585a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3QQ90VW.exe

Filesize
31KB

MD5
2e262b37dc4f14a9861d9595fcd4abb6

SHA1
e680e36c8770eb3ecb623e22b32b7061e6fbb6a3

SHA256
5bb4002ec0fd79cf1e211a6acc720dc802e39a4c888c964c504fa318f1db6758

SHA512
3598bf24c766d5f011e12cd70cfae13ba587950b7d533c86c44cfe122c0fe6122e12d4007b4beb512e2242213ae1179db98804869221ed8656e07feb7911fc28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3QQ90VW.exe

Filesize
31KB

MD5
2e262b37dc4f14a9861d9595fcd4abb6

SHA1
e680e36c8770eb3ecb623e22b32b7061e6fbb6a3

SHA256
5bb4002ec0fd79cf1e211a6acc720dc802e39a4c888c964c504fa318f1db6758

SHA512
3598bf24c766d5f011e12cd70cfae13ba587950b7d533c86c44cfe122c0fe6122e12d4007b4beb512e2242213ae1179db98804869221ed8656e07feb7911fc28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iG3aH61.exe

Filesize
658KB

MD5
7f078cc7dd4f712aab1eedaf9a6a06f6

SHA1
ed9d0909a2e5cbe51a4064ad9ccc77849c13b4a7

SHA256
f03c482efc261d160db3948f4064b4b77370cafd2315a3d2e0edbab0eb22b128

SHA512
efd9b6ec1040a996f6368dbd6bbd6f9df5333f727257a39dc395092ea676ee52a9eb2a51c9ab4812a2ec656c35744e9f570ec2d0882db5cf393e4e0535c048eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iG3aH61.exe

Filesize
658KB

MD5
7f078cc7dd4f712aab1eedaf9a6a06f6

SHA1
ed9d0909a2e5cbe51a4064ad9ccc77849c13b4a7

SHA256
f03c482efc261d160db3948f4064b4b77370cafd2315a3d2e0edbab0eb22b128

SHA512
efd9b6ec1040a996f6368dbd6bbd6f9df5333f727257a39dc395092ea676ee52a9eb2a51c9ab4812a2ec656c35744e9f570ec2d0882db5cf393e4e0535c048eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1sr58DM2.exe

Filesize
1.6MB

MD5
a8d7e0d70c385476925a55c1622f0ea2

SHA1
49a609c628eab5dfd33534081a8b73046020c84c

SHA256
8d61a486948dbc05fde492a13589f96171d12b8639b8934eccaa890c100908b4

SHA512
8b8f574ce51ebfc46b3ced3c86d124aa207b394a149c89977fcf62f0f56cd3882e993596abbe90cc7dac5d3c8f2fa3627f96bc6c9677e29d339747536b1aca92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1sr58DM2.exe

Filesize
1.6MB

MD5
a8d7e0d70c385476925a55c1622f0ea2

SHA1
49a609c628eab5dfd33534081a8b73046020c84c

SHA256
8d61a486948dbc05fde492a13589f96171d12b8639b8934eccaa890c100908b4

SHA512
8b8f574ce51ebfc46b3ced3c86d124aa207b394a149c89977fcf62f0f56cd3882e993596abbe90cc7dac5d3c8f2fa3627f96bc6c9677e29d339747536b1aca92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2en7201.exe

Filesize
1.8MB

MD5
92985af71528d7a6606d0fb1a65c40d9

SHA1
1dc292edecefdf46fdd9cd1fc34c464db4b04926

SHA256
0dad62e15df80d1d8079ee1489272cc8d21992fe692e46e1e46aff5b5f02bb4f

SHA512
95b6582a4064c90b1ccb07bfcca598a22f421ac63e61fce1a9eae24846a56de6d2d4c5245835b24a4990781fa687240ffb5242a15d0bad0ff8ca163d13d95936

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2en7201.exe

Filesize
1.8MB

MD5
92985af71528d7a6606d0fb1a65c40d9

SHA1
1dc292edecefdf46fdd9cd1fc34c464db4b04926

SHA256
0dad62e15df80d1d8079ee1489272cc8d21992fe692e46e1e46aff5b5f02bb4f

SHA512
95b6582a4064c90b1ccb07bfcca598a22f421ac63e61fce1a9eae24846a56de6d2d4c5245835b24a4990781fa687240ffb5242a15d0bad0ff8ca163d13d95936

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
222KB

MD5
106a5f31f6c03b969fb376040a0e466e

SHA1
114a32da7bd375153a0b29347c6c536ead8d2f95

SHA256
576a796be2ae0863e05689d1688372ca371daf0e9ec19ac491170f3889210dc4

SHA512
7333c74b50f28bb2a1611935d21d69b2534e8f11c468030f775ebb5fcf29607f4d59b9c111b1a96cfa63045e05badd9f3045d045e25ccac79e3b6f45c5e11cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
222KB

MD5
106a5f31f6c03b969fb376040a0e466e

SHA1
114a32da7bd375153a0b29347c6c536ead8d2f95

SHA256
576a796be2ae0863e05689d1688372ca371daf0e9ec19ac491170f3889210dc4

SHA512
7333c74b50f28bb2a1611935d21d69b2534e8f11c468030f775ebb5fcf29607f4d59b9c111b1a96cfa63045e05badd9f3045d045e25ccac79e3b6f45c5e11cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
222KB

MD5
106a5f31f6c03b969fb376040a0e466e

SHA1
114a32da7bd375153a0b29347c6c536ead8d2f95

SHA256
576a796be2ae0863e05689d1688372ca371daf0e9ec19ac491170f3889210dc4

SHA512
7333c74b50f28bb2a1611935d21d69b2534e8f11c468030f775ebb5fcf29607f4d59b9c111b1a96cfa63045e05badd9f3045d045e25ccac79e3b6f45c5e11cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
222KB

MD5
106a5f31f6c03b969fb376040a0e466e

SHA1
114a32da7bd375153a0b29347c6c536ead8d2f95

SHA256
576a796be2ae0863e05689d1688372ca371daf0e9ec19ac491170f3889210dc4

SHA512
7333c74b50f28bb2a1611935d21d69b2534e8f11c468030f775ebb5fcf29607f4d59b9c111b1a96cfa63045e05badd9f3045d045e25ccac79e3b6f45c5e11cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
222KB

MD5
106a5f31f6c03b969fb376040a0e466e

SHA1
114a32da7bd375153a0b29347c6c536ead8d2f95

SHA256
576a796be2ae0863e05689d1688372ca371daf0e9ec19ac491170f3889210dc4

SHA512
7333c74b50f28bb2a1611935d21d69b2534e8f11c468030f775ebb5fcf29607f4d59b9c111b1a96cfa63045e05badd9f3045d045e25ccac79e3b6f45c5e11cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.bat

Filesize
181B

MD5
225edee1d46e0a80610db26b275d72fb

SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8

SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.txt

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
memory/1596-90-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/1596-103-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/1596-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1596-55-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/2356-91-0x0000000007DA0000-0x0000000007EAA000-memory.dmp

Filesize
1.0MB

Download
memory/2356-104-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/2356-72-0x00000000079F0000-0x0000000007A00000-memory.dmp

Filesize
64KB

Download
memory/2356-71-0x0000000007A70000-0x0000000007B02000-memory.dmp

Filesize
584KB

Download
memory/2356-70-0x0000000007F80000-0x0000000008524000-memory.dmp

Filesize
5.6MB

Download
memory/2356-67-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/2356-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2356-87-0x0000000008B50000-0x0000000009168000-memory.dmp

Filesize
6.1MB

Download
memory/2356-105-0x00000000079F0000-0x0000000007A00000-memory.dmp

Filesize
64KB

Download
memory/2356-77-0x0000000007A60000-0x0000000007A6A000-memory.dmp

Filesize
40KB

Download
memory/2356-94-0x0000000007CD0000-0x0000000007CE2000-memory.dmp

Filesize
72KB

Download
memory/2356-95-0x0000000007D30000-0x0000000007D6C000-memory.dmp

Filesize
240KB

Download
memory/2356-96-0x0000000007EB0000-0x0000000007EFC000-memory.dmp

Filesize
304KB

Download
memory/3156-56-0x0000000002990000-0x00000000029A6000-memory.dmp

Filesize
88KB

Download
memory/4108-50-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-53-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4168-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download