amadey | ba4087b371a5c11d1b5d44c162366287d6811f21f55ee3c6ea01f98fab3d3663

Analysis

max time kernel
157s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba4087b371a5c11d1b5d44c162366287d6811f21f55ee3c6ea01f98fab3d3663.exe
Size

1001KB
MD5

c14618d4e4b391b538cd38db7cb8c455
SHA1

66ee21e487d4b3d665571761b814d54d3b167cb3
SHA256

ba4087b371a5c11d1b5d44c162366287d6811f21f55ee3c6ea01f98fab3d3663
SHA512

6eb53170f1c5be7be1e0582eeb30769d517045a962a83c06f49ed48895428c6a1ef932c93227365a66963919e45aa238f40e1cc9460e899e1495c6be32b23c2c
SSDEEP

24576:Yy/LICA0kPmtYQUiPEWokkrboom1Q4g9X6e4sV0f7:fUCA5PCY3isWokkrd+Z0Z

Score

10^/10

amadey laplas redline lift rosn clipper discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v1797gy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v1797gy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v1797gy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v1797gy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v1797gy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz8358.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz8358.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz8358.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v1797gy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz8358.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz8358.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz8358.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/2908-211-0x0000000004AB0000-0x0000000004AEF000-memory.dmp	family_redline
behavioral1/memory/2908-212-0x0000000004AB0000-0x0000000004AEF000-memory.dmp	family_redline
behavioral1/memory/2908-214-0x0000000004AB0000-0x0000000004AEF000-memory.dmp	family_redline
behavioral1/memory/2908-216-0x0000000004AB0000-0x0000000004AEF000-memory.dmp	family_redline
behavioral1/memory/2908-218-0x0000000004AB0000-0x0000000004AEF000-memory.dmp	family_redline
behavioral1/memory/2908-220-0x0000000004AB0000-0x0000000004AEF000-memory.dmp	family_redline
behavioral1/memory/2908-222-0x0000000004AB0000-0x0000000004AEF000-memory.dmp	family_redline
behavioral1/memory/2908-224-0x0000000004AB0000-0x0000000004AEF000-memory.dmp	family_redline
behavioral1/memory/2908-226-0x0000000004AB0000-0x0000000004AEF000-memory.dmp	family_redline
behavioral1/memory/2908-228-0x0000000004AB0000-0x0000000004AEF000-memory.dmp	family_redline
behavioral1/memory/2908-230-0x0000000004AB0000-0x0000000004AEF000-memory.dmp	family_redline
behavioral1/memory/2908-232-0x0000000004AB0000-0x0000000004AEF000-memory.dmp	family_redline
behavioral1/memory/2908-234-0x0000000004AB0000-0x0000000004AEF000-memory.dmp	family_redline
behavioral1/memory/2908-236-0x0000000004AB0000-0x0000000004AEF000-memory.dmp	family_redline
behavioral1/memory/2908-238-0x0000000004AB0000-0x0000000004AEF000-memory.dmp	family_redline
behavioral1/memory/2908-240-0x0000000004AB0000-0x0000000004AEF000-memory.dmp	family_redline
behavioral1/memory/2908-242-0x0000000004AB0000-0x0000000004AEF000-memory.dmp	family_redline
behavioral1/memory/2908-244-0x0000000004AB0000-0x0000000004AEF000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	y14Zp84.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 13 IoCs

pid	Process
2740	zap1192.exe
1380	zap8522.exe
2224	zap7127.exe
1520	tz8358.exe
4496	v1797gy.exe
2908	w83rj40.exe
1256	xDoHL78.exe
2120	y14Zp84.exe
2368	oneetx.exe
2416	svhosts.exe
2636	ntlhost.exe
2280	oneetx.exe
4996	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
4836	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz8358.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v1797gy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v1797gy.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ba4087b371a5c11d1b5d44c162366287d6811f21f55ee3c6ea01f98fab3d3663.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap1192.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap8522.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap7127.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	svhosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ba4087b371a5c11d1b5d44c162366287d6811f21f55ee3c6ea01f98fab3d3663.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1192.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8522.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7127.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3336	4496	WerFault.exe	85
2020	2908	WerFault.exe	89

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4960	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	18	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1520	tz8358.exe
1520	tz8358.exe
4496	v1797gy.exe
4496	v1797gy.exe
2908	w83rj40.exe
2908	w83rj40.exe
1256	xDoHL78.exe
1256	xDoHL78.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	tz8358.exe
Token: SeDebugPrivilege	4496	v1797gy.exe
Token: SeDebugPrivilege	2908	w83rj40.exe
Token: SeDebugPrivilege	1256	xDoHL78.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2120	y14Zp84.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2740	2820	ba4087b371a5c11d1b5d44c162366287d6811f21f55ee3c6ea01f98fab3d3663.exe	81
PID 2820 wrote to memory of 2740	2820	ba4087b371a5c11d1b5d44c162366287d6811f21f55ee3c6ea01f98fab3d3663.exe	81
PID 2820 wrote to memory of 2740	2820	ba4087b371a5c11d1b5d44c162366287d6811f21f55ee3c6ea01f98fab3d3663.exe	81
PID 2740 wrote to memory of 1380	2740	zap1192.exe	82
PID 2740 wrote to memory of 1380	2740	zap1192.exe	82
PID 2740 wrote to memory of 1380	2740	zap1192.exe	82
PID 1380 wrote to memory of 2224	1380	zap8522.exe	83
PID 1380 wrote to memory of 2224	1380	zap8522.exe	83
PID 1380 wrote to memory of 2224	1380	zap8522.exe	83
PID 2224 wrote to memory of 1520	2224	zap7127.exe	84
PID 2224 wrote to memory of 1520	2224	zap7127.exe	84
PID 2224 wrote to memory of 4496	2224	zap7127.exe	85
PID 2224 wrote to memory of 4496	2224	zap7127.exe	85
PID 2224 wrote to memory of 4496	2224	zap7127.exe	85
PID 1380 wrote to memory of 2908	1380	zap8522.exe	89
PID 1380 wrote to memory of 2908	1380	zap8522.exe	89
PID 1380 wrote to memory of 2908	1380	zap8522.exe	89
PID 2740 wrote to memory of 1256	2740	zap1192.exe	93
PID 2740 wrote to memory of 1256	2740	zap1192.exe	93
PID 2740 wrote to memory of 1256	2740	zap1192.exe	93
PID 2820 wrote to memory of 2120	2820	ba4087b371a5c11d1b5d44c162366287d6811f21f55ee3c6ea01f98fab3d3663.exe	94
PID 2820 wrote to memory of 2120	2820	ba4087b371a5c11d1b5d44c162366287d6811f21f55ee3c6ea01f98fab3d3663.exe	94
PID 2820 wrote to memory of 2120	2820	ba4087b371a5c11d1b5d44c162366287d6811f21f55ee3c6ea01f98fab3d3663.exe	94
PID 2120 wrote to memory of 2368	2120	y14Zp84.exe	95
PID 2120 wrote to memory of 2368	2120	y14Zp84.exe	95
PID 2120 wrote to memory of 2368	2120	y14Zp84.exe	95
PID 2368 wrote to memory of 4960	2368	oneetx.exe	96
PID 2368 wrote to memory of 4960	2368	oneetx.exe	96
PID 2368 wrote to memory of 4960	2368	oneetx.exe	96
PID 2368 wrote to memory of 3652	2368	oneetx.exe	98
PID 2368 wrote to memory of 3652	2368	oneetx.exe	98
PID 2368 wrote to memory of 3652	2368	oneetx.exe	98
PID 3652 wrote to memory of 3708	3652	cmd.exe	100
PID 3652 wrote to memory of 3708	3652	cmd.exe	100
PID 3652 wrote to memory of 3708	3652	cmd.exe	100
PID 3652 wrote to memory of 64	3652	cmd.exe	101
PID 3652 wrote to memory of 64	3652	cmd.exe	101
PID 3652 wrote to memory of 64	3652	cmd.exe	101
PID 3652 wrote to memory of 4880	3652	cmd.exe	102
PID 3652 wrote to memory of 4880	3652	cmd.exe	102
PID 3652 wrote to memory of 4880	3652	cmd.exe	102
PID 3652 wrote to memory of 776	3652	cmd.exe	103
PID 3652 wrote to memory of 776	3652	cmd.exe	103
PID 3652 wrote to memory of 776	3652	cmd.exe	103
PID 3652 wrote to memory of 3244	3652	cmd.exe	104
PID 3652 wrote to memory of 3244	3652	cmd.exe	104
PID 3652 wrote to memory of 3244	3652	cmd.exe	104
PID 3652 wrote to memory of 3732	3652	cmd.exe	105
PID 3652 wrote to memory of 3732	3652	cmd.exe	105
PID 3652 wrote to memory of 3732	3652	cmd.exe	105
PID 2368 wrote to memory of 2416	2368	oneetx.exe	106
PID 2368 wrote to memory of 2416	2368	oneetx.exe	106
PID 2368 wrote to memory of 2416	2368	oneetx.exe	106
PID 2416 wrote to memory of 2636	2416	svhosts.exe	107
PID 2416 wrote to memory of 2636	2416	svhosts.exe	107
PID 2416 wrote to memory of 2636	2416	svhosts.exe	107
PID 2368 wrote to memory of 4836	2368	oneetx.exe	109
PID 2368 wrote to memory of 4836	2368	oneetx.exe	109
PID 2368 wrote to memory of 4836	2368	oneetx.exe	109

C:\Users\Admin\AppData\Local\Temp\ba4087b371a5c11d1b5d44c162366287d6811f21f55ee3c6ea01f98fab3d3663.exe
"C:\Users\Admin\AppData\Local\Temp\ba4087b371a5c11d1b5d44c162366287d6811f21f55ee3c6ea01f98fab3d3663.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1192.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1192.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8522.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8522.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7127.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7127.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8358.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8358.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1797gy.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1797gy.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1084
        6⤵
        Program crash
        
        PID:3336
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w83rj40.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w83rj40.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2908
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 1348
        5⤵
        Program crash
        
        PID:2020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xDoHL78.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xDoHL78.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y14Zp84.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y14Zp84.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4960
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3708
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:64
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:4880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:776
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c5d2db5804" /P "Admin:N"
        5⤵
        
        PID:3244
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c5d2db5804" /P "Admin:R" /E
        5⤵
        
        PID:3732
  - - C:\Users\Admin\AppData\Local\Temp\1000027001\svhosts.exe
      "C:\Users\Admin\AppData\Local\Temp\1000027001\svhosts.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        5⤵
        Executes dropped EXE
        
        PID:2636
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4496 -ip 4496
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2908 -ip 2908
1⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:2280

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:4996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000027001\svhosts.exe

Filesize
1.8MB

MD5
0a935300ad790ad8d03666b1f14e73a4

SHA1
57bf66e15b0cbf325ce66d4c9d5592088a1a8e00

SHA256
9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12

SHA512
64e7c5e9b0c301a2b4a87dc0189fa55bc7c8690d9148382fd237851348a977376a9772c232f6a898417e92e739add1410d3f143f93547eb99c57fa064ce78096

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\svhosts.exe

Filesize
1.8MB

MD5
0a935300ad790ad8d03666b1f14e73a4

SHA1
57bf66e15b0cbf325ce66d4c9d5592088a1a8e00

SHA256
9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12

SHA512
64e7c5e9b0c301a2b4a87dc0189fa55bc7c8690d9148382fd237851348a977376a9772c232f6a898417e92e739add1410d3f143f93547eb99c57fa064ce78096

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\svhosts.exe

Filesize
1.8MB

MD5
0a935300ad790ad8d03666b1f14e73a4

SHA1
57bf66e15b0cbf325ce66d4c9d5592088a1a8e00

SHA256
9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12

SHA512
64e7c5e9b0c301a2b4a87dc0189fa55bc7c8690d9148382fd237851348a977376a9772c232f6a898417e92e739add1410d3f143f93547eb99c57fa064ce78096

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y14Zp84.exe

Filesize
236KB

MD5
2fa69c60afa1edaf94cf260aefdeac71

SHA1
0ba27832d70d9cc813bb859081cd6ade8164238f

SHA256
e51562dd706a300010cab88c6544b3ac4a96b79418accd6cbb52a2a73aee1cec

SHA512
636cba09e7ca6a6fffaef3ce571221d418f2097aa3bff7193d13779c6aea53ddb12b0a1c27d7ab49e67aec8e28a4e9ec1f1d9fc1c2d0321bf1b2265c1b7757c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y14Zp84.exe

Filesize
236KB

MD5
2fa69c60afa1edaf94cf260aefdeac71

SHA1
0ba27832d70d9cc813bb859081cd6ade8164238f

SHA256
e51562dd706a300010cab88c6544b3ac4a96b79418accd6cbb52a2a73aee1cec

SHA512
636cba09e7ca6a6fffaef3ce571221d418f2097aa3bff7193d13779c6aea53ddb12b0a1c27d7ab49e67aec8e28a4e9ec1f1d9fc1c2d0321bf1b2265c1b7757c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1192.exe

Filesize
816KB

MD5
7d216ff3ae3b4e85836918b54c970ac7

SHA1
6aa701e351c3e5dea16c64bfcb4e3feceac423b1

SHA256
35d0c9d2aaa252cdf0e102d58f4b6fb7ec3a79ff5e3c76570ae3015bbf6e9d00

SHA512
3032a9db11e49c375b70999fb3c97b5c6d520c68f6f3c07ad775c7f42ba44d61ab4a19ce8f91f0c6d00b6aacfb53d0df16b7369471fb8f3797ce2f920feb728d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1192.exe

Filesize
816KB

MD5
7d216ff3ae3b4e85836918b54c970ac7

SHA1
6aa701e351c3e5dea16c64bfcb4e3feceac423b1

SHA256
35d0c9d2aaa252cdf0e102d58f4b6fb7ec3a79ff5e3c76570ae3015bbf6e9d00

SHA512
3032a9db11e49c375b70999fb3c97b5c6d520c68f6f3c07ad775c7f42ba44d61ab4a19ce8f91f0c6d00b6aacfb53d0df16b7369471fb8f3797ce2f920feb728d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xDoHL78.exe

Filesize
175KB

MD5
308d80f0c7b53e0f7fb9d829489d6d16

SHA1
7f8c5d1238451477f4a2421187c9942a8474ba50

SHA256
981627d4d7dafd0b1e4ddc7a3030c9746dc96ccdf571939d8d6fc4464328e105

SHA512
1af5a2138447f330fa92ce024aabdd6045647c43bd69812f8283f81abb206b8df8ba27c2ebfb73d7416c2039a77a798380721f9affcd4ba3875c2efc12ecde16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xDoHL78.exe

Filesize
175KB

MD5
308d80f0c7b53e0f7fb9d829489d6d16

SHA1
7f8c5d1238451477f4a2421187c9942a8474ba50

SHA256
981627d4d7dafd0b1e4ddc7a3030c9746dc96ccdf571939d8d6fc4464328e105

SHA512
1af5a2138447f330fa92ce024aabdd6045647c43bd69812f8283f81abb206b8df8ba27c2ebfb73d7416c2039a77a798380721f9affcd4ba3875c2efc12ecde16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8522.exe

Filesize
674KB

MD5
b226aaa0f12cf504bce906e01b798d72

SHA1
b9d0cce68be6ba9d9f6c91b7a52051c3df203457

SHA256
a370703548dd9d064d064a9188c88323b0ee417e3f0b0676785245a024f9ba9b

SHA512
adc4b5bf6aa8ae9e35537620dd6450f67d0efed7f264a7f1434e1d07b58497d66e823b710931fdcdbcc911dbee93444f8dcb33b72153fc5a488e2fcf9c90d05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8522.exe

Filesize
674KB

MD5
b226aaa0f12cf504bce906e01b798d72

SHA1
b9d0cce68be6ba9d9f6c91b7a52051c3df203457

SHA256
a370703548dd9d064d064a9188c88323b0ee417e3f0b0676785245a024f9ba9b

SHA512
adc4b5bf6aa8ae9e35537620dd6450f67d0efed7f264a7f1434e1d07b58497d66e823b710931fdcdbcc911dbee93444f8dcb33b72153fc5a488e2fcf9c90d05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w83rj40.exe

Filesize
318KB

MD5
eb867f2b5aa8a67a8717f74e972e2cab

SHA1
aa6a4cd59b90a6a194f4258e65ae81e1d090e8d4

SHA256
f98d76436ea76ef075cff1975e7c87451a317eed3ef32bc3e8e5977b6c079445

SHA512
c531e7bf0c7e59d1a500105f8ecdbcc52aca360b4d3a1ccc14ed23e10bfc6a09cdab3a4ce0f263190f865e1ceae9111e77618880f6562c6d29dd4c8313733938

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w83rj40.exe

Filesize
318KB

MD5
eb867f2b5aa8a67a8717f74e972e2cab

SHA1
aa6a4cd59b90a6a194f4258e65ae81e1d090e8d4

SHA256
f98d76436ea76ef075cff1975e7c87451a317eed3ef32bc3e8e5977b6c079445

SHA512
c531e7bf0c7e59d1a500105f8ecdbcc52aca360b4d3a1ccc14ed23e10bfc6a09cdab3a4ce0f263190f865e1ceae9111e77618880f6562c6d29dd4c8313733938

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7127.exe

Filesize
334KB

MD5
9c635d3c09a5d05ee23d297f6d750432

SHA1
1f28c1d8fb7bcdf1197e1d0f37f1691f3bc9a7d3

SHA256
6e438401122ff5152a656f9fed3c3ed13d131ffec660a888e460b8ba31fbcdf5

SHA512
431c7dadbf1711121e509a3a8fa42eb0826258300ae66c1e930367fd8ce44d82d28c23768e9584015df5b19e64fde2a710740fad71abb76e5b7eabb9d9c7fade

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7127.exe

Filesize
334KB

MD5
9c635d3c09a5d05ee23d297f6d750432

SHA1
1f28c1d8fb7bcdf1197e1d0f37f1691f3bc9a7d3

SHA256
6e438401122ff5152a656f9fed3c3ed13d131ffec660a888e460b8ba31fbcdf5

SHA512
431c7dadbf1711121e509a3a8fa42eb0826258300ae66c1e930367fd8ce44d82d28c23768e9584015df5b19e64fde2a710740fad71abb76e5b7eabb9d9c7fade

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8358.exe

Filesize
11KB

MD5
56437247eac756c77d8358b886d51dd3

SHA1
697718c23e3e4725f7327d69128bd3fff4d6c2f6

SHA256
30f08dc44e1d8dfc1d1c568415abaa51805e07d8abe233fac97fe89724a4426e

SHA512
c7be7a9450262fa574941c2e212a6f69d7a9ed1b4faf04ef912313ca75e82e8bfc9932c569ce357f3c3c8dd2b95a57eb12aaaf49a0c378bf888986d262b5f594

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8358.exe

Filesize
11KB

MD5
56437247eac756c77d8358b886d51dd3

SHA1
697718c23e3e4725f7327d69128bd3fff4d6c2f6

SHA256
30f08dc44e1d8dfc1d1c568415abaa51805e07d8abe233fac97fe89724a4426e

SHA512
c7be7a9450262fa574941c2e212a6f69d7a9ed1b4faf04ef912313ca75e82e8bfc9932c569ce357f3c3c8dd2b95a57eb12aaaf49a0c378bf888986d262b5f594

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1797gy.exe

Filesize
259KB

MD5
93aab3e6788b25d382229e1beb7c827e

SHA1
f4bc5179dcb6d6cc163b03f8ffac1cf6f3f9bdab

SHA256
06068056188dbe8a0493252e4b7c6d2ef4da2d0dc3cb390cf310e4311d5bbe13

SHA512
4f0e75a7a75cd697abf1ce10c64d594fa5eb90f16d415a9418c11c76ff6ca6f90ac8689231e24665f66f2ac6cad4ccb9a2191d567d4c18a07fdcf205e1975809

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1797gy.exe

Filesize
259KB

MD5
93aab3e6788b25d382229e1beb7c827e

SHA1
f4bc5179dcb6d6cc163b03f8ffac1cf6f3f9bdab

SHA256
06068056188dbe8a0493252e4b7c6d2ef4da2d0dc3cb390cf310e4311d5bbe13

SHA512
4f0e75a7a75cd697abf1ce10c64d594fa5eb90f16d415a9418c11c76ff6ca6f90ac8689231e24665f66f2ac6cad4ccb9a2191d567d4c18a07fdcf205e1975809

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe

Filesize
236KB

MD5
2fa69c60afa1edaf94cf260aefdeac71

SHA1
0ba27832d70d9cc813bb859081cd6ade8164238f

SHA256
e51562dd706a300010cab88c6544b3ac4a96b79418accd6cbb52a2a73aee1cec

SHA512
636cba09e7ca6a6fffaef3ce571221d418f2097aa3bff7193d13779c6aea53ddb12b0a1c27d7ab49e67aec8e28a4e9ec1f1d9fc1c2d0321bf1b2265c1b7757c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe

Filesize
236KB

MD5
2fa69c60afa1edaf94cf260aefdeac71

SHA1
0ba27832d70d9cc813bb859081cd6ade8164238f

SHA256
e51562dd706a300010cab88c6544b3ac4a96b79418accd6cbb52a2a73aee1cec

SHA512
636cba09e7ca6a6fffaef3ce571221d418f2097aa3bff7193d13779c6aea53ddb12b0a1c27d7ab49e67aec8e28a4e9ec1f1d9fc1c2d0321bf1b2265c1b7757c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe

Filesize
236KB

MD5
2fa69c60afa1edaf94cf260aefdeac71

SHA1
0ba27832d70d9cc813bb859081cd6ade8164238f

SHA256
e51562dd706a300010cab88c6544b3ac4a96b79418accd6cbb52a2a73aee1cec

SHA512
636cba09e7ca6a6fffaef3ce571221d418f2097aa3bff7193d13779c6aea53ddb12b0a1c27d7ab49e67aec8e28a4e9ec1f1d9fc1c2d0321bf1b2265c1b7757c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe

Filesize
236KB

MD5
2fa69c60afa1edaf94cf260aefdeac71

SHA1
0ba27832d70d9cc813bb859081cd6ade8164238f

SHA256
e51562dd706a300010cab88c6544b3ac4a96b79418accd6cbb52a2a73aee1cec

SHA512
636cba09e7ca6a6fffaef3ce571221d418f2097aa3bff7193d13779c6aea53ddb12b0a1c27d7ab49e67aec8e28a4e9ec1f1d9fc1c2d0321bf1b2265c1b7757c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe

Filesize
236KB

MD5
2fa69c60afa1edaf94cf260aefdeac71

SHA1
0ba27832d70d9cc813bb859081cd6ade8164238f

SHA256
e51562dd706a300010cab88c6544b3ac4a96b79418accd6cbb52a2a73aee1cec

SHA512
636cba09e7ca6a6fffaef3ce571221d418f2097aa3bff7193d13779c6aea53ddb12b0a1c27d7ab49e67aec8e28a4e9ec1f1d9fc1c2d0321bf1b2265c1b7757c3

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
606.6MB

MD5
7d3df8378885760023d27027b33fa273

SHA1
a118994b3dc761ea144e4e881fc474b6bfeb1ce4

SHA256
b7d477a49cf5a2043428dce24a45480cf91bd9ec74782ebddcce82b0b57de3ee

SHA512
164a50f565cfe61f5275b3e9caa87382e7b8afb32386b049fad269d2c0701b47266e9f93ba57f8e6a5f6d63b40b2a97a1365a53f2a730c268a130d95c1ef8799

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
598.2MB

MD5
41c21de74b76906c6b0f4ce4b220488f

SHA1
05aaa9186fa317d9e7afef322452ca0ef244abaa

SHA256
d25226a6d75cef02beb13462486174458bbc638f15f5f200e8cc1637164c95a8

SHA512
ee7d518bb92379b9a8c5e52c0f96e669fbcd3df0db06d6c96322704a34d62b483be6cf2450b90fa58dab97278fdbf77fc6a66affe9a12895e6219ee85e5dfa62

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1256-1140-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/1256-1139-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/1256-1138-0x0000000000FC0000-0x0000000000FF2000-memory.dmp

Filesize
200KB

Download
memory/1520-161-0x0000000000870000-0x000000000087A000-memory.dmp

Filesize
40KB

Download
memory/2416-1175-0x0000000002700000-0x0000000002AD0000-memory.dmp

Filesize
3.8MB

Download
memory/2908-1130-0x0000000006CE0000-0x0000000006D56000-memory.dmp

Filesize
472KB

Download
memory/2908-1125-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/2908-209-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/2908-210-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/2908-211-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

Filesize
252KB

Download
memory/2908-212-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

Filesize
252KB

Download
memory/2908-214-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

Filesize
252KB

Download
memory/2908-216-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

Filesize
252KB

Download
memory/2908-218-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

Filesize
252KB

Download
memory/2908-220-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

Filesize
252KB

Download
memory/2908-222-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

Filesize
252KB

Download
memory/2908-224-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

Filesize
252KB

Download
memory/2908-226-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

Filesize
252KB

Download
memory/2908-228-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

Filesize
252KB

Download
memory/2908-230-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

Filesize
252KB

Download
memory/2908-232-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

Filesize
252KB

Download
memory/2908-234-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

Filesize
252KB

Download
memory/2908-236-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

Filesize
252KB

Download
memory/2908-238-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

Filesize
252KB

Download
memory/2908-240-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

Filesize
252KB

Download
memory/2908-242-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

Filesize
252KB

Download
memory/2908-244-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

Filesize
252KB

Download
memory/2908-1117-0x0000000005170000-0x0000000005788000-memory.dmp

Filesize
6.1MB

Download
memory/2908-1118-0x0000000005790000-0x000000000589A000-memory.dmp

Filesize
1.0MB

Download
memory/2908-1119-0x00000000058A0000-0x00000000058B2000-memory.dmp

Filesize
72KB

Download
memory/2908-1120-0x00000000058C0000-0x00000000058FC000-memory.dmp

Filesize
240KB

Download
memory/2908-1121-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/2908-1122-0x0000000005BB0000-0x0000000005C42000-memory.dmp

Filesize
584KB

Download
memory/2908-1123-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/2908-208-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/2908-1126-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/2908-1127-0x0000000006370000-0x0000000006532000-memory.dmp

Filesize
1.8MB

Download
memory/2908-1128-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/2908-1129-0x0000000006550000-0x0000000006A7C000-memory.dmp

Filesize
5.2MB

Download
memory/2908-207-0x0000000000770000-0x00000000007BB000-memory.dmp

Filesize
300KB

Download
memory/2908-1131-0x0000000006D80000-0x0000000006DD0000-memory.dmp

Filesize
320KB

Download
memory/4496-183-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4496-199-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4496-181-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4496-197-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4496-195-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4496-193-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4496-191-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4496-189-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4496-179-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4496-185-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4496-167-0x0000000000620000-0x000000000064D000-memory.dmp

Filesize
180KB

Download
memory/4496-200-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4496-187-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4496-177-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4496-175-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4496-173-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4496-172-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4496-168-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/4496-171-0x0000000004D10000-0x00000000052B4000-memory.dmp

Filesize
5.6MB

Download
memory/4496-170-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/4496-169-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/4496-202-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download