amadey | 5a7771194c83adc5f1f29c05a6c81fc6af10a14e0d4afdfa7bea1437d06417bb

Analysis

max time kernel
172s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2023 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.10ffd0e1ae5acd062f08a68b2385e940.exe
Size

1.4MB
MD5

10ffd0e1ae5acd062f08a68b2385e940
SHA1

a072b774eec961c5251acd606eb68f6314daf8c0
SHA256

5a7771194c83adc5f1f29c05a6c81fc6af10a14e0d4afdfa7bea1437d06417bb
SHA512

cea54a8e3f21674040d364674de70c715e5ba10782bb23224c9d49e01b30af8a7c0f1e81f5f46fac0257bc232a6fce9223804b07314cb870097d77ae1aa2b0d9
SSDEEP

24576:0ykM2UiFTAhEVCzkvp24MuqjsCp67AlsQeUvb/84ApNMjPJ5/2bfwx:DkM2U0VQa2jbFY08BpNMjPJ8bf

Score

10^/10

amadey mystic redline smokeloader plost backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

plost

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/4508-40-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4508-42-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4508-41-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4508-44-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/files/0x0008000000022dd8-78.dat	mystic_family
behavioral1/files/0x0008000000022dd8-79.dat	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/5012-56-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	5ue3GI8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 12 IoCs

pid	Process
2088	Pf5iE38.exe
4796	ON9sU24.exe
4456	iL0cn28.exe
4776	il6qB14.exe
3276	1eV17Ld5.exe
3476	2nr7235.exe
3092	3JR95Qp.exe
2560	4pL119ZQ.exe
2728	5ue3GI8.exe
2268	explothe.exe
1012	6ZD5xc2.exe
3580	explothe.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Pf5iE38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ON9sU24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	iL0cn28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	il6qB14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.10ffd0e1ae5acd062f08a68b2385e940.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3276 set thread context of 4284	3276	1eV17Ld5.exe	94
PID 3476 set thread context of 4508	3476	2nr7235.exe	96
PID 2560 set thread context of 5012	2560	4pL119ZQ.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2456	4508	WerFault.exe	96

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3JR95Qp.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3JR95Qp.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3JR95Qp.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
116	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4284	AppLaunch.exe
4284	AppLaunch.exe
3092	3JR95Qp.exe
3092	3JR95Qp.exe
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3324	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3092	3JR95Qp.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4284	AppLaunch.exe
Token: SeShutdownPrivilege	3324	Process not Found
Token: SeCreatePagefilePrivilege	3324	Process not Found
Token: SeShutdownPrivilege	3324	Process not Found
Token: SeCreatePagefilePrivilege	3324	Process not Found
Token: SeShutdownPrivilege	3324	Process not Found
Token: SeCreatePagefilePrivilege	3324	Process not Found
Token: SeShutdownPrivilege	3324	Process not Found
Token: SeCreatePagefilePrivilege	3324	Process not Found
Token: SeShutdownPrivilege	3324	Process not Found
Token: SeCreatePagefilePrivilege	3324	Process not Found
Token: SeShutdownPrivilege	3324	Process not Found
Token: SeCreatePagefilePrivilege	3324	Process not Found
Token: SeShutdownPrivilege	3324	Process not Found
Token: SeCreatePagefilePrivilege	3324	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2088	2068	NEAS.10ffd0e1ae5acd062f08a68b2385e940.exe	86
PID 2068 wrote to memory of 2088	2068	NEAS.10ffd0e1ae5acd062f08a68b2385e940.exe	86
PID 2068 wrote to memory of 2088	2068	NEAS.10ffd0e1ae5acd062f08a68b2385e940.exe	86
PID 2088 wrote to memory of 4796	2088	Pf5iE38.exe	89
PID 2088 wrote to memory of 4796	2088	Pf5iE38.exe	89
PID 2088 wrote to memory of 4796	2088	Pf5iE38.exe	89
PID 4796 wrote to memory of 4456	4796	ON9sU24.exe	91
PID 4796 wrote to memory of 4456	4796	ON9sU24.exe	91
PID 4796 wrote to memory of 4456	4796	ON9sU24.exe	91
PID 4456 wrote to memory of 4776	4456	iL0cn28.exe	92
PID 4456 wrote to memory of 4776	4456	iL0cn28.exe	92
PID 4456 wrote to memory of 4776	4456	iL0cn28.exe	92
PID 4776 wrote to memory of 3276	4776	il6qB14.exe	93
PID 4776 wrote to memory of 3276	4776	il6qB14.exe	93
PID 4776 wrote to memory of 3276	4776	il6qB14.exe	93
PID 3276 wrote to memory of 4284	3276	1eV17Ld5.exe	94
PID 3276 wrote to memory of 4284	3276	1eV17Ld5.exe	94
PID 3276 wrote to memory of 4284	3276	1eV17Ld5.exe	94
PID 3276 wrote to memory of 4284	3276	1eV17Ld5.exe	94
PID 3276 wrote to memory of 4284	3276	1eV17Ld5.exe	94
PID 3276 wrote to memory of 4284	3276	1eV17Ld5.exe	94
PID 3276 wrote to memory of 4284	3276	1eV17Ld5.exe	94
PID 3276 wrote to memory of 4284	3276	1eV17Ld5.exe	94
PID 4776 wrote to memory of 3476	4776	il6qB14.exe	95
PID 4776 wrote to memory of 3476	4776	il6qB14.exe	95
PID 4776 wrote to memory of 3476	4776	il6qB14.exe	95
PID 3476 wrote to memory of 4508	3476	2nr7235.exe	96
PID 3476 wrote to memory of 4508	3476	2nr7235.exe	96
PID 3476 wrote to memory of 4508	3476	2nr7235.exe	96
PID 3476 wrote to memory of 4508	3476	2nr7235.exe	96
PID 3476 wrote to memory of 4508	3476	2nr7235.exe	96
PID 3476 wrote to memory of 4508	3476	2nr7235.exe	96
PID 3476 wrote to memory of 4508	3476	2nr7235.exe	96
PID 3476 wrote to memory of 4508	3476	2nr7235.exe	96
PID 3476 wrote to memory of 4508	3476	2nr7235.exe	96
PID 3476 wrote to memory of 4508	3476	2nr7235.exe	96
PID 4456 wrote to memory of 3092	4456	iL0cn28.exe	99
PID 4456 wrote to memory of 3092	4456	iL0cn28.exe	99
PID 4456 wrote to memory of 3092	4456	iL0cn28.exe	99
PID 4796 wrote to memory of 2560	4796	ON9sU24.exe	104
PID 4796 wrote to memory of 2560	4796	ON9sU24.exe	104
PID 4796 wrote to memory of 2560	4796	ON9sU24.exe	104
PID 2560 wrote to memory of 5012	2560	4pL119ZQ.exe	105
PID 2560 wrote to memory of 5012	2560	4pL119ZQ.exe	105
PID 2560 wrote to memory of 5012	2560	4pL119ZQ.exe	105
PID 2560 wrote to memory of 5012	2560	4pL119ZQ.exe	105
PID 2560 wrote to memory of 5012	2560	4pL119ZQ.exe	105
PID 2560 wrote to memory of 5012	2560	4pL119ZQ.exe	105
PID 2560 wrote to memory of 5012	2560	4pL119ZQ.exe	105
PID 2560 wrote to memory of 5012	2560	4pL119ZQ.exe	105
PID 2088 wrote to memory of 2728	2088	Pf5iE38.exe	106
PID 2088 wrote to memory of 2728	2088	Pf5iE38.exe	106
PID 2088 wrote to memory of 2728	2088	Pf5iE38.exe	106
PID 2728 wrote to memory of 2268	2728	5ue3GI8.exe	107
PID 2728 wrote to memory of 2268	2728	5ue3GI8.exe	107
PID 2728 wrote to memory of 2268	2728	5ue3GI8.exe	107
PID 2068 wrote to memory of 1012	2068	NEAS.10ffd0e1ae5acd062f08a68b2385e940.exe	108
PID 2068 wrote to memory of 1012	2068	NEAS.10ffd0e1ae5acd062f08a68b2385e940.exe	108
PID 2068 wrote to memory of 1012	2068	NEAS.10ffd0e1ae5acd062f08a68b2385e940.exe	108
PID 2268 wrote to memory of 116	2268	explothe.exe	109
PID 2268 wrote to memory of 116	2268	explothe.exe	109
PID 2268 wrote to memory of 116	2268	explothe.exe	109
PID 2268 wrote to memory of 464	2268	explothe.exe	111
PID 2268 wrote to memory of 464	2268	explothe.exe	111

C:\Users\Admin\AppData\Local\Temp\NEAS.10ffd0e1ae5acd062f08a68b2385e940.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.10ffd0e1ae5acd062f08a68b2385e940.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pf5iE38.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pf5iE38.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ON9sU24.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ON9sU24.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4796
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iL0cn28.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iL0cn28.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\il6qB14.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\il6qB14.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4776
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eV17Ld5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eV17Ld5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nr7235.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nr7235.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 540
        8⤵
        Program crash
        
        PID:2456
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3JR95Qp.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3JR95Qp.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3092
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4pL119ZQ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4pL119ZQ.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:5012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5ue3GI8.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5ue3GI8.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
      "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:116
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:464
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        6⤵
        
        PID:4308
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4272
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        6⤵
        
        PID:3884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3340
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        6⤵
        
        PID:2076
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        6⤵
        
        PID:2036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ZD5xc2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ZD5xc2.exe
  2⤵
  - Executes dropped EXE
  PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4508 -ip 4508
1⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ZD5xc2.exe

Filesize
181KB

MD5
4dd1e3d25f4877143b353d18b20f549f

SHA1
2612923b1bb4aae0a8d101b24cdbca4ac04f8765

SHA256
99ab8bbe540e5b032eb7b8489aa1d93868140868198ac71c7bf80436fc2326db

SHA512
109c7c600577252bd7690b7c63f811185f7564332ed1e3c35f6d88de72e37d0ae5480f5cb7307cc13f1d9263aff9f4c559a4ae2ff16beeedd45fafe77d83e4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ZD5xc2.exe

Filesize
181KB

MD5
4dd1e3d25f4877143b353d18b20f549f

SHA1
2612923b1bb4aae0a8d101b24cdbca4ac04f8765

SHA256
99ab8bbe540e5b032eb7b8489aa1d93868140868198ac71c7bf80436fc2326db

SHA512
109c7c600577252bd7690b7c63f811185f7564332ed1e3c35f6d88de72e37d0ae5480f5cb7307cc13f1d9263aff9f4c559a4ae2ff16beeedd45fafe77d83e4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pf5iE38.exe

Filesize
1.2MB

MD5
59aa242d7d1fe3fee086cc9fb6f7c737

SHA1
d8c7f1de82fdaf925ba28b82611052efc3574a85

SHA256
918320be92cc3d62c67a16aa2236f21376847429574009d31dfe4e4ac7669c82

SHA512
169a4f20afd8e81f34542928785ef4843f4ca7e5c23ba734f4e030c33bc916d0352a34f2f59190835825fb5f36487571a4a295825df4670697117f9314c68f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pf5iE38.exe

Filesize
1.2MB

MD5
59aa242d7d1fe3fee086cc9fb6f7c737

SHA1
d8c7f1de82fdaf925ba28b82611052efc3574a85

SHA256
918320be92cc3d62c67a16aa2236f21376847429574009d31dfe4e4ac7669c82

SHA512
169a4f20afd8e81f34542928785ef4843f4ca7e5c23ba734f4e030c33bc916d0352a34f2f59190835825fb5f36487571a4a295825df4670697117f9314c68f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5ue3GI8.exe

Filesize
222KB

MD5
fae2c3e20e594a6ab4d91805cfdaebe8

SHA1
620ddddd864a0070af368c7042fa121c9483ec99

SHA256
d33b47ce72922c0b5448a76a3ef4d9d1837fa5deaaaa1ae5c761effb8f6a6528

SHA512
105c4e63929ae156d5da022b1c116cc128ec35ddffe40bb822097b03b0a0db41459659e62bceee6e182539af863a7113ad485236231b92c0d02f98c08fab6b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5ue3GI8.exe

Filesize
222KB

MD5
fae2c3e20e594a6ab4d91805cfdaebe8

SHA1
620ddddd864a0070af368c7042fa121c9483ec99

SHA256
d33b47ce72922c0b5448a76a3ef4d9d1837fa5deaaaa1ae5c761effb8f6a6528

SHA512
105c4e63929ae156d5da022b1c116cc128ec35ddffe40bb822097b03b0a0db41459659e62bceee6e182539af863a7113ad485236231b92c0d02f98c08fab6b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ON9sU24.exe

Filesize
1.0MB

MD5
c3b63609d1e7a6ade63d2daabe51d9f5

SHA1
16ab5a204a3629394388e9960d3b4554f249d162

SHA256
0c7aa898aa180a5b3b65604921d3c7701104e03bb34a1dbeb2cd48ce4ac9bf82

SHA512
dc1afb6297f9bf1aee3e009c91f7da9948feac66377ea07745c370a8e6f64475d23828897f2700f026e26a354b2b43b2cf7f3a4127edb3d9538d46ecaf95fa89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ON9sU24.exe

Filesize
1.0MB

MD5
c3b63609d1e7a6ade63d2daabe51d9f5

SHA1
16ab5a204a3629394388e9960d3b4554f249d162

SHA256
0c7aa898aa180a5b3b65604921d3c7701104e03bb34a1dbeb2cd48ce4ac9bf82

SHA512
dc1afb6297f9bf1aee3e009c91f7da9948feac66377ea07745c370a8e6f64475d23828897f2700f026e26a354b2b43b2cf7f3a4127edb3d9538d46ecaf95fa89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4pL119ZQ.exe

Filesize
1.1MB

MD5
2f1370b01ea4ceffa06be2bc2842b6ab

SHA1
be0fd87a2931811a6a769fdaeb364d4df5ca8a84

SHA256
9089c4068e08939b1bc04a6ba625726be33746e07771fe167fce559f41352e44

SHA512
3f4b7202f207950611d1822af01073da74f74acfcd1b0222ce51a73f96fecb575628c18067a945799afed0de92ace1eadf575581ad7390aec7196e91d459d6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4pL119ZQ.exe

Filesize
1.1MB

MD5
2f1370b01ea4ceffa06be2bc2842b6ab

SHA1
be0fd87a2931811a6a769fdaeb364d4df5ca8a84

SHA256
9089c4068e08939b1bc04a6ba625726be33746e07771fe167fce559f41352e44

SHA512
3f4b7202f207950611d1822af01073da74f74acfcd1b0222ce51a73f96fecb575628c18067a945799afed0de92ace1eadf575581ad7390aec7196e91d459d6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iL0cn28.exe

Filesize
639KB

MD5
dab60560ecb6c3cf5037239d0dbc7c02

SHA1
1a8603946984015a72de8e736717a4aa73a8d0ad

SHA256
756d67f0f1a9eb3ecd9811aa2645969a0399a6904fc24c012eb08d2a0496b50a

SHA512
8c9eb4f718fafabab18045de6ed7f4e66108d7e880be82a24a5f1fad33d899e6f5c6ebba5d71fa4b1dc42435a7caee64bb9b62c175a285530c914811e4a36285

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iL0cn28.exe

Filesize
639KB

MD5
dab60560ecb6c3cf5037239d0dbc7c02

SHA1
1a8603946984015a72de8e736717a4aa73a8d0ad

SHA256
756d67f0f1a9eb3ecd9811aa2645969a0399a6904fc24c012eb08d2a0496b50a

SHA512
8c9eb4f718fafabab18045de6ed7f4e66108d7e880be82a24a5f1fad33d899e6f5c6ebba5d71fa4b1dc42435a7caee64bb9b62c175a285530c914811e4a36285

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3JR95Qp.exe

Filesize
31KB

MD5
e6c9c671480ffa253eecbfa88e3e4bc7

SHA1
d9b1e12e926497c19a36bbed07f75d0ddda84202

SHA256
6d1cbf1aa2de66d8ebc81083bf4666c1ac80f89a2f710798533c296beaa17b92

SHA512
c8b840d042fa827aae9f7a2ba4c4934a0ed5f704d44648c460375e11f76ec2e8725179246527cf508f5d5f57288bb11f32184e13d0c4cc5eedc0da5b03a9956a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3JR95Qp.exe

Filesize
31KB

MD5
e6c9c671480ffa253eecbfa88e3e4bc7

SHA1
d9b1e12e926497c19a36bbed07f75d0ddda84202

SHA256
6d1cbf1aa2de66d8ebc81083bf4666c1ac80f89a2f710798533c296beaa17b92

SHA512
c8b840d042fa827aae9f7a2ba4c4934a0ed5f704d44648c460375e11f76ec2e8725179246527cf508f5d5f57288bb11f32184e13d0c4cc5eedc0da5b03a9956a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\il6qB14.exe

Filesize
515KB

MD5
0821772d84cc1175d91af95c85765c95

SHA1
4eb184aaaaaecfae13094313271f84ae0545294b

SHA256
65807ed0516d50e14830dc9dc936355bbd84ee0b087feb289d38afb1d3f46b40

SHA512
c5ed3704e3f65d337185a43f40df6763f6c755a5d36058d94d4b26e2caa12c4c849c006197f21ac03bf86c2f37c76fdf5a345ae5b3c5016c0a466471f54ee528

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\il6qB14.exe

Filesize
515KB

MD5
0821772d84cc1175d91af95c85765c95

SHA1
4eb184aaaaaecfae13094313271f84ae0545294b

SHA256
65807ed0516d50e14830dc9dc936355bbd84ee0b087feb289d38afb1d3f46b40

SHA512
c5ed3704e3f65d337185a43f40df6763f6c755a5d36058d94d4b26e2caa12c4c849c006197f21ac03bf86c2f37c76fdf5a345ae5b3c5016c0a466471f54ee528

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eV17Ld5.exe

Filesize
869KB

MD5
5f0632d60d00f8f6ab677ee7f8727416

SHA1
ab4db63850568f0d3ea91e0c2665b59317fa22c9

SHA256
7247d13084eea57e8d80d6fdb483bb8ec4ad8a96c846e9c1193390829daeb08d

SHA512
254af7965a2d6662afa77650a79954bd754bc7727384bf7b4d60cae49c49c3bbc6173f4b461a3f1af5cafb5b83531a6ffe9660cd92ee3824f896f8861c76dbc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eV17Ld5.exe

Filesize
869KB

MD5
5f0632d60d00f8f6ab677ee7f8727416

SHA1
ab4db63850568f0d3ea91e0c2665b59317fa22c9

SHA256
7247d13084eea57e8d80d6fdb483bb8ec4ad8a96c846e9c1193390829daeb08d

SHA512
254af7965a2d6662afa77650a79954bd754bc7727384bf7b4d60cae49c49c3bbc6173f4b461a3f1af5cafb5b83531a6ffe9660cd92ee3824f896f8861c76dbc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nr7235.exe

Filesize
1.0MB

MD5
a5a72ed79ae5e9780a11e88e6c6853c2

SHA1
9c59ba2bdb9066bedc108596ed94633c824edec8

SHA256
4d29c049f541cf4cfc30160228c05c981a115b3890004fb839ff261b99b62051

SHA512
84b85e7ce7701c18bffba0a76a289ab8f43dffaa77604d2c4e3682feb3dd8e937a70b00aba3213c5303d3ffa7bfc7e97008d39505087ace7c3cce9baac9b9d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nr7235.exe

Filesize
1.0MB

MD5
a5a72ed79ae5e9780a11e88e6c6853c2

SHA1
9c59ba2bdb9066bedc108596ed94633c824edec8

SHA256
4d29c049f541cf4cfc30160228c05c981a115b3890004fb839ff261b99b62051

SHA512
84b85e7ce7701c18bffba0a76a289ab8f43dffaa77604d2c4e3682feb3dd8e937a70b00aba3213c5303d3ffa7bfc7e97008d39505087ace7c3cce9baac9b9d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
222KB

MD5
fae2c3e20e594a6ab4d91805cfdaebe8

SHA1
620ddddd864a0070af368c7042fa121c9483ec99

SHA256
d33b47ce72922c0b5448a76a3ef4d9d1837fa5deaaaa1ae5c761effb8f6a6528

SHA512
105c4e63929ae156d5da022b1c116cc128ec35ddffe40bb822097b03b0a0db41459659e62bceee6e182539af863a7113ad485236231b92c0d02f98c08fab6b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
222KB

MD5
fae2c3e20e594a6ab4d91805cfdaebe8

SHA1
620ddddd864a0070af368c7042fa121c9483ec99

SHA256
d33b47ce72922c0b5448a76a3ef4d9d1837fa5deaaaa1ae5c761effb8f6a6528

SHA512
105c4e63929ae156d5da022b1c116cc128ec35ddffe40bb822097b03b0a0db41459659e62bceee6e182539af863a7113ad485236231b92c0d02f98c08fab6b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
222KB

MD5
fae2c3e20e594a6ab4d91805cfdaebe8

SHA1
620ddddd864a0070af368c7042fa121c9483ec99

SHA256
d33b47ce72922c0b5448a76a3ef4d9d1837fa5deaaaa1ae5c761effb8f6a6528

SHA512
105c4e63929ae156d5da022b1c116cc128ec35ddffe40bb822097b03b0a0db41459659e62bceee6e182539af863a7113ad485236231b92c0d02f98c08fab6b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
222KB

MD5
fae2c3e20e594a6ab4d91805cfdaebe8

SHA1
620ddddd864a0070af368c7042fa121c9483ec99

SHA256
d33b47ce72922c0b5448a76a3ef4d9d1837fa5deaaaa1ae5c761effb8f6a6528

SHA512
105c4e63929ae156d5da022b1c116cc128ec35ddffe40bb822097b03b0a0db41459659e62bceee6e182539af863a7113ad485236231b92c0d02f98c08fab6b52

Download Submit
memory/3092-48-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3092-50-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3324-93-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-114-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-159-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/3324-158-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-157-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-49-0x0000000000590000-0x00000000005A6000-memory.dmp

Filesize
88KB

Download
memory/3324-156-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-155-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-150-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-154-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-152-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-153-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-151-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/3324-149-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-148-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-147-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-145-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-146-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-142-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-144-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-140-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-87-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-88-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-89-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/3324-90-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-91-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-92-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-94-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-139-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/3324-96-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-98-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-99-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-100-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/3324-101-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-102-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-106-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-108-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-104-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-103-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/3324-111-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-110-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-112-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-113-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/3324-138-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-117-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-116-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-115-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-118-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-119-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-120-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-121-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/3324-137-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-123-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-125-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/3324-124-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-126-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-127-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-128-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-129-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-132-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-130-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-134-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-135-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3324-136-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/4284-61-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/4284-39-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/4284-66-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/4284-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4508-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-84-0x0000000008100000-0x000000000814C000-memory.dmp

Filesize
304KB

Download
memory/5012-80-0x0000000008D70000-0x0000000009388000-memory.dmp

Filesize
6.1MB

Download
memory/5012-81-0x0000000007FF0000-0x00000000080FA000-memory.dmp

Filesize
1.0MB

Download
memory/5012-82-0x0000000007F20000-0x0000000007F32000-memory.dmp

Filesize
72KB

Download
memory/5012-83-0x0000000007F80000-0x0000000007FBC000-memory.dmp

Filesize
240KB

Download
memory/5012-85-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/5012-73-0x0000000007D40000-0x0000000007D4A000-memory.dmp

Filesize
40KB

Download
memory/5012-68-0x0000000007ED0000-0x0000000007EE0000-memory.dmp

Filesize
64KB

Download
memory/5012-67-0x0000000007C90000-0x0000000007D22000-memory.dmp

Filesize
584KB

Download
memory/5012-86-0x0000000007ED0000-0x0000000007EE0000-memory.dmp

Filesize
64KB

Download
memory/5012-65-0x00000000081A0000-0x0000000008744000-memory.dmp

Filesize
5.6MB

Download
memory/5012-57-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/5012-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download