amadey | 4f86f98aba79bb30e8761ff0c89e0153b662e13ce43600233bab8165b5cacb52

Analysis

max time kernel
150s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2023 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f86f98aba79bb30e8761ff0c89e0153b662e13ce43600233bab8165b5cacb52.exe
Size

923KB
MD5

5b27977c971d55061bd4b510a05894d4
SHA1

983158d4dac796a9a0768d6cc2d0c558a85998de
SHA256

4f86f98aba79bb30e8761ff0c89e0153b662e13ce43600233bab8165b5cacb52
SHA512

ee4258a21ce708a7bef98ffb0e91575a12e386fc24739c73172f0d7eddd41d0bdd8752770d482bd979bde2376fc889a5abcf8eb6047bbbe744694cad5c6f3040
SSDEEP

24576:gy4F2Nm1MDBgG7UCvkoKm6C6munelGyYJZ6hzNY9:n4F29Bgivkbm2mEeqLcz

Score

10^/10

amadey redline rosn spora discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

176.113.115.145:4125

Attributes

auth_value
441b39ab37774b2ca9931c31e1bc6071

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr066124.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr066124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr066124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr066124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr066124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr066124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr066124.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/560-198-0x00000000025B0000-0x00000000025EF000-memory.dmp	family_redline
behavioral1/memory/560-199-0x00000000025B0000-0x00000000025EF000-memory.dmp	family_redline
behavioral1/memory/560-201-0x00000000025B0000-0x00000000025EF000-memory.dmp	family_redline
behavioral1/memory/560-203-0x00000000025B0000-0x00000000025EF000-memory.dmp	family_redline
behavioral1/memory/560-205-0x00000000025B0000-0x00000000025EF000-memory.dmp	family_redline
behavioral1/memory/560-207-0x00000000025B0000-0x00000000025EF000-memory.dmp	family_redline
behavioral1/memory/560-209-0x00000000025B0000-0x00000000025EF000-memory.dmp	family_redline
behavioral1/memory/560-214-0x00000000025A0000-0x00000000025B0000-memory.dmp	family_redline
behavioral1/memory/560-213-0x00000000025B0000-0x00000000025EF000-memory.dmp	family_redline
behavioral1/memory/560-217-0x00000000025B0000-0x00000000025EF000-memory.dmp	family_redline
behavioral1/memory/560-219-0x00000000025B0000-0x00000000025EF000-memory.dmp	family_redline
behavioral1/memory/560-221-0x00000000025B0000-0x00000000025EF000-memory.dmp	family_redline
behavioral1/memory/560-223-0x00000000025B0000-0x00000000025EF000-memory.dmp	family_redline
behavioral1/memory/560-225-0x00000000025B0000-0x00000000025EF000-memory.dmp	family_redline
behavioral1/memory/560-227-0x00000000025B0000-0x00000000025EF000-memory.dmp	family_redline
behavioral1/memory/560-229-0x00000000025B0000-0x00000000025EF000-memory.dmp	family_redline
behavioral1/memory/560-231-0x00000000025B0000-0x00000000025EF000-memory.dmp	family_redline
behavioral1/memory/560-233-0x00000000025B0000-0x00000000025EF000-memory.dmp	family_redline
behavioral1/memory/560-235-0x00000000025B0000-0x00000000025EF000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

si788072.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	si788072.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

Processes:

un587949.exeun196649.exepr066124.exequ762414.exerk552871.exesi788072.exeoneetx.exeoneetx.exeoneetx.exe

pid process

4896 un587949.exe
1220 un196649.exe
3096 pr066124.exe
560 qu762414.exe
2252 rk552871.exe
4724 si788072.exe
4912 oneetx.exe
4896 oneetx.exe
4696 oneetx.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2912 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4896	un587949.exe
1220	un196649.exe
3096	pr066124.exe
560	qu762414.exe
2252	rk552871.exe
4724	si788072.exe
4912	oneetx.exe
4896	oneetx.exe
4696	oneetx.exe

pid	process
2912	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr066124.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr066124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr066124.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

un196649.exe4f86f98aba79bb30e8761ff0c89e0153b662e13ce43600233bab8165b5cacb52.exeun587949.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un196649.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4f86f98aba79bb30e8761ff0c89e0153b662e13ce43600233bab8165b5cacb52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4f86f98aba79bb30e8761ff0c89e0153b662e13ce43600233bab8165b5cacb52.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un587949.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un587949.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un196649.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 29 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1900	3096	WerFault.exe	pr066124.exe
760	560	WerFault.exe	qu762414.exe
4496	4724	WerFault.exe	si788072.exe
2624	4724	WerFault.exe	si788072.exe
2712	4724	WerFault.exe	si788072.exe
4212	4724	WerFault.exe	si788072.exe
4600	4724	WerFault.exe	si788072.exe
3792	4724	WerFault.exe	si788072.exe
2264	4724	WerFault.exe	si788072.exe
2160	4724	WerFault.exe	si788072.exe
3612	4724	WerFault.exe	si788072.exe
3228	4724	WerFault.exe	si788072.exe
2200	4912	WerFault.exe	oneetx.exe
2184	4912	WerFault.exe	oneetx.exe
1888	4912	WerFault.exe	oneetx.exe
1464	4912	WerFault.exe	oneetx.exe
2036	4912	WerFault.exe	oneetx.exe
2520	4912	WerFault.exe	oneetx.exe
2980	4912	WerFault.exe	oneetx.exe
812	4912	WerFault.exe	oneetx.exe
1264	4912	WerFault.exe	oneetx.exe
4612	4912	WerFault.exe	oneetx.exe
2032	4912	WerFault.exe	oneetx.exe
3304	4896	WerFault.exe	oneetx.exe
732	4912	WerFault.exe	oneetx.exe
1772	4912	WerFault.exe	oneetx.exe
3928	4912	WerFault.exe	oneetx.exe
2264	4696	WerFault.exe	oneetx.exe
3844	4912	WerFault.exe	oneetx.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3680 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr066124.exequ762414.exerk552871.exe

pid process

3096 pr066124.exe
3096 pr066124.exe
560 qu762414.exe
560 qu762414.exe
2252 rk552871.exe
2252 rk552871.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pr066124.exequ762414.exerk552871.exe

description pid process

Token: SeDebugPrivilege 3096 pr066124.exe
Token: SeDebugPrivilege 560 qu762414.exe
Token: SeDebugPrivilege 2252 rk552871.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

si788072.exe

pid process

4724 si788072.exe

pid	process
3680	schtasks.exe

pid	process
3096	pr066124.exe
3096	pr066124.exe
560	qu762414.exe
560	qu762414.exe
2252	rk552871.exe
2252	rk552871.exe

description	pid	process
Token: SeDebugPrivilege	3096	pr066124.exe
Token: SeDebugPrivilege	560	qu762414.exe
Token: SeDebugPrivilege	2252	rk552871.exe

pid	process
4724	si788072.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

4f86f98aba79bb30e8761ff0c89e0153b662e13ce43600233bab8165b5cacb52.exeun587949.exeun196649.exesi788072.exeoneetx.exe

description	pid	process	target process
PID 4028 wrote to memory of 4896	4028	4f86f98aba79bb30e8761ff0c89e0153b662e13ce43600233bab8165b5cacb52.exe	un587949.exe
PID 4028 wrote to memory of 4896	4028	4f86f98aba79bb30e8761ff0c89e0153b662e13ce43600233bab8165b5cacb52.exe	un587949.exe
PID 4028 wrote to memory of 4896	4028	4f86f98aba79bb30e8761ff0c89e0153b662e13ce43600233bab8165b5cacb52.exe	un587949.exe
PID 4896 wrote to memory of 1220	4896	un587949.exe	un196649.exe
PID 4896 wrote to memory of 1220	4896	un587949.exe	un196649.exe
PID 4896 wrote to memory of 1220	4896	un587949.exe	un196649.exe
PID 1220 wrote to memory of 3096	1220	un196649.exe	pr066124.exe
PID 1220 wrote to memory of 3096	1220	un196649.exe	pr066124.exe
PID 1220 wrote to memory of 3096	1220	un196649.exe	pr066124.exe
PID 1220 wrote to memory of 560	1220	un196649.exe	qu762414.exe
PID 1220 wrote to memory of 560	1220	un196649.exe	qu762414.exe
PID 1220 wrote to memory of 560	1220	un196649.exe	qu762414.exe
PID 4896 wrote to memory of 2252	4896	un587949.exe	rk552871.exe
PID 4896 wrote to memory of 2252	4896	un587949.exe	rk552871.exe
PID 4896 wrote to memory of 2252	4896	un587949.exe	rk552871.exe
PID 4028 wrote to memory of 4724	4028	4f86f98aba79bb30e8761ff0c89e0153b662e13ce43600233bab8165b5cacb52.exe	si788072.exe
PID 4028 wrote to memory of 4724	4028	4f86f98aba79bb30e8761ff0c89e0153b662e13ce43600233bab8165b5cacb52.exe	si788072.exe
PID 4028 wrote to memory of 4724	4028	4f86f98aba79bb30e8761ff0c89e0153b662e13ce43600233bab8165b5cacb52.exe	si788072.exe
PID 4724 wrote to memory of 4912	4724	si788072.exe	oneetx.exe
PID 4724 wrote to memory of 4912	4724	si788072.exe	oneetx.exe
PID 4724 wrote to memory of 4912	4724	si788072.exe	oneetx.exe
PID 4912 wrote to memory of 3680	4912	oneetx.exe	schtasks.exe
PID 4912 wrote to memory of 3680	4912	oneetx.exe	schtasks.exe
PID 4912 wrote to memory of 3680	4912	oneetx.exe	schtasks.exe
PID 4912 wrote to memory of 2912	4912	oneetx.exe	rundll32.exe
PID 4912 wrote to memory of 2912	4912	oneetx.exe	rundll32.exe
PID 4912 wrote to memory of 2912	4912	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\4f86f98aba79bb30e8761ff0c89e0153b662e13ce43600233bab8165b5cacb52.exe
"C:\Users\Admin\AppData\Local\Temp\4f86f98aba79bb30e8761ff0c89e0153b662e13ce43600233bab8165b5cacb52.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4028

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un587949.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un587949.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4896

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un196649.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un196649.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr066124.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr066124.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 1084
5⤵
- Program crash
PID:1900

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu762414.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu762414.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 1328
5⤵
- Program crash
PID:760

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk552871.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk552871.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si788072.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si788072.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 704
3⤵
- Program crash
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 780
3⤵
- Program crash
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 784
3⤵
- Program crash
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 952
3⤵
- Program crash
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 872
3⤵
- Program crash
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 976
3⤵
- Program crash
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1208
3⤵
- Program crash
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1232
3⤵
- Program crash
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1316
3⤵
- Program crash
PID:3612

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 696
4⤵
- Program crash
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 828
4⤵
- Program crash
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 904
4⤵
- Program crash
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1052
4⤵
- Program crash
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1072
4⤵
- Program crash
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1052
4⤵
- Program crash
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1072
4⤵
- Program crash
PID:2980

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 992
4⤵
- Program crash
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 696
4⤵
- Program crash
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 684
4⤵
- Program crash
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1304
4⤵
- Program crash
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1132
4⤵
- Program crash
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1628
4⤵
- Program crash
PID:1772

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1368
4⤵
- Program crash
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1608
4⤵
- Program crash
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 728
3⤵
- Program crash
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3096 -ip 3096
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 560 -ip 560
1⤵
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4724 -ip 4724
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4724 -ip 4724
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4724 -ip 4724
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4724 -ip 4724
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4724 -ip 4724
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4724 -ip 4724
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4724 -ip 4724
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4724 -ip 4724
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4724 -ip 4724
1⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4724 -ip 4724
1⤵
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4912 -ip 4912
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4912 -ip 4912
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4912 -ip 4912
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4912 -ip 4912
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4912 -ip 4912
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4912 -ip 4912
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4912 -ip 4912
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4912 -ip 4912
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4912 -ip 4912
1⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4912 -ip 4912
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4912 -ip 4912
1⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 320
2⤵
- Program crash
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4896 -ip 4896
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4912 -ip 4912
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4912 -ip 4912
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4912 -ip 4912
1⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 312
2⤵
- Program crash
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4696 -ip 4696
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4912 -ip 4912
1⤵
PID:2224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
226KB

MD5
d8c3f20eef4f33bd865589859629bf41

SHA1
3590244f8774ff4ac4e3c54cdbb149363fd9dc7d

SHA256
2883beaaf38f654125933398a46d5bd8c9db9fd04793cb50b28eb2343b4dd36f

SHA512
52b84685dacaa20eac474ee035ff3302d95324a3bf9deeff447c05a0d8066cda8fa86592e48806c661de4510b83bbae4a76ec121594e4987b27c1f883bfc77cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
226KB

MD5
d8c3f20eef4f33bd865589859629bf41

SHA1
3590244f8774ff4ac4e3c54cdbb149363fd9dc7d

SHA256
2883beaaf38f654125933398a46d5bd8c9db9fd04793cb50b28eb2343b4dd36f

SHA512
52b84685dacaa20eac474ee035ff3302d95324a3bf9deeff447c05a0d8066cda8fa86592e48806c661de4510b83bbae4a76ec121594e4987b27c1f883bfc77cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
226KB

MD5
d8c3f20eef4f33bd865589859629bf41

SHA1
3590244f8774ff4ac4e3c54cdbb149363fd9dc7d

SHA256
2883beaaf38f654125933398a46d5bd8c9db9fd04793cb50b28eb2343b4dd36f

SHA512
52b84685dacaa20eac474ee035ff3302d95324a3bf9deeff447c05a0d8066cda8fa86592e48806c661de4510b83bbae4a76ec121594e4987b27c1f883bfc77cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
226KB

MD5
d8c3f20eef4f33bd865589859629bf41

SHA1
3590244f8774ff4ac4e3c54cdbb149363fd9dc7d

SHA256
2883beaaf38f654125933398a46d5bd8c9db9fd04793cb50b28eb2343b4dd36f

SHA512
52b84685dacaa20eac474ee035ff3302d95324a3bf9deeff447c05a0d8066cda8fa86592e48806c661de4510b83bbae4a76ec121594e4987b27c1f883bfc77cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
226KB

MD5
d8c3f20eef4f33bd865589859629bf41

SHA1
3590244f8774ff4ac4e3c54cdbb149363fd9dc7d

SHA256
2883beaaf38f654125933398a46d5bd8c9db9fd04793cb50b28eb2343b4dd36f

SHA512
52b84685dacaa20eac474ee035ff3302d95324a3bf9deeff447c05a0d8066cda8fa86592e48806c661de4510b83bbae4a76ec121594e4987b27c1f883bfc77cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si788072.exe
Filesize
226KB

MD5
d8c3f20eef4f33bd865589859629bf41

SHA1
3590244f8774ff4ac4e3c54cdbb149363fd9dc7d

SHA256
2883beaaf38f654125933398a46d5bd8c9db9fd04793cb50b28eb2343b4dd36f

SHA512
52b84685dacaa20eac474ee035ff3302d95324a3bf9deeff447c05a0d8066cda8fa86592e48806c661de4510b83bbae4a76ec121594e4987b27c1f883bfc77cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si788072.exe
Filesize
226KB

MD5
d8c3f20eef4f33bd865589859629bf41

SHA1
3590244f8774ff4ac4e3c54cdbb149363fd9dc7d

SHA256
2883beaaf38f654125933398a46d5bd8c9db9fd04793cb50b28eb2343b4dd36f

SHA512
52b84685dacaa20eac474ee035ff3302d95324a3bf9deeff447c05a0d8066cda8fa86592e48806c661de4510b83bbae4a76ec121594e4987b27c1f883bfc77cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un587949.exe
Filesize
661KB

MD5
cbf6bb681a7c1bf3696de06038b5eaac

SHA1
2316411985abba420621fbc1a8d0fe2623c93cfe

SHA256
d78c8e2e9e248ae88aa2ae2c848347b487bb05df980ca1f758a2cafbf2fe02dd

SHA512
29e64c36d4283d64b57d7d92b31cbad86b3cb2800a9956b78b70244359eeae2e7905d6d023110163e0e650b47dfb52c188e187886f5506690f52bd6a2422a3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un587949.exe
Filesize
661KB

MD5
cbf6bb681a7c1bf3696de06038b5eaac

SHA1
2316411985abba420621fbc1a8d0fe2623c93cfe

SHA256
d78c8e2e9e248ae88aa2ae2c848347b487bb05df980ca1f758a2cafbf2fe02dd

SHA512
29e64c36d4283d64b57d7d92b31cbad86b3cb2800a9956b78b70244359eeae2e7905d6d023110163e0e650b47dfb52c188e187886f5506690f52bd6a2422a3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk552871.exe
Filesize
175KB

MD5
bb6d43fa4ebafe62b98ec4dea4ff49d9

SHA1
d8188e664ac977f59d3ec26589e3cf67b1fab23b

SHA256
1d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89

SHA512
679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk552871.exe
Filesize
175KB

MD5
bb6d43fa4ebafe62b98ec4dea4ff49d9

SHA1
d8188e664ac977f59d3ec26589e3cf67b1fab23b

SHA256
1d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89

SHA512
679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un196649.exe
Filesize
519KB

MD5
a7cd1ada1148f9642939ec8f81bf97f7

SHA1
7c08732af0b02a43ee6cfe8e3ed70346dbf1ed65

SHA256
ecf709d7814a196fdd079e95acd0b3429388b6703cd483fa957cb11c815afbc6

SHA512
c30dd02d0194fe46b16fd46c77a0d90e89a55bdabbf446af51530c2b71cdb2691b62c94e2533e346f07464a3ca22d7ca49bc5651f1a13e2db0a4f240e74050b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un196649.exe
Filesize
519KB

MD5
a7cd1ada1148f9642939ec8f81bf97f7

SHA1
7c08732af0b02a43ee6cfe8e3ed70346dbf1ed65

SHA256
ecf709d7814a196fdd079e95acd0b3429388b6703cd483fa957cb11c815afbc6

SHA512
c30dd02d0194fe46b16fd46c77a0d90e89a55bdabbf446af51530c2b71cdb2691b62c94e2533e346f07464a3ca22d7ca49bc5651f1a13e2db0a4f240e74050b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr066124.exe
Filesize
235KB

MD5
9d9e0fefe02134fd8470f405166255ab

SHA1
40606abba691c003c6f12bed1505e5dbde4c0699

SHA256
f2e616a2912841619f5b15335aa7232632134f3b6009ed0fc42870876958b99e

SHA512
7d9193da4bb585678765d00e09a7c74afceed409151bd423187bfdbf4fb281bc95f016baa2f6236554fcda54c6ee312deb42078579c78d4c162952a9806962e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr066124.exe
Filesize
235KB

MD5
9d9e0fefe02134fd8470f405166255ab

SHA1
40606abba691c003c6f12bed1505e5dbde4c0699

SHA256
f2e616a2912841619f5b15335aa7232632134f3b6009ed0fc42870876958b99e

SHA512
7d9193da4bb585678765d00e09a7c74afceed409151bd423187bfdbf4fb281bc95f016baa2f6236554fcda54c6ee312deb42078579c78d4c162952a9806962e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu762414.exe
Filesize
292KB

MD5
5b7a2f473089f2ac55f8439ecfd8fa9c

SHA1
f056c2b612c47cf4296b63c90368900fd1835028

SHA256
8c55678774ecdac074b3d2b8d56071c41f1334b80b9bd98abecd15946e1ddb3e

SHA512
2ddcc722eabd511bd47a87af225ca9d81da60d003c8826cf5f36e547a08c4df703f21aa07850ea3b47c47a192829a251d5e08acf3d214248838e21d5006c8301

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu762414.exe
Filesize
292KB

MD5
5b7a2f473089f2ac55f8439ecfd8fa9c

SHA1
f056c2b612c47cf4296b63c90368900fd1835028

SHA256
8c55678774ecdac074b3d2b8d56071c41f1334b80b9bd98abecd15946e1ddb3e

SHA512
2ddcc722eabd511bd47a87af225ca9d81da60d003c8826cf5f36e547a08c4df703f21aa07850ea3b47c47a192829a251d5e08acf3d214248838e21d5006c8301

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/560-1117-0x00000000063B0000-0x0000000006442000-memory.dmp

Filesize
584KB

Download
memory/560-231-0x00000000025B0000-0x00000000025EF000-memory.dmp

Filesize
252KB

Download
memory/560-1122-0x0000000006FC0000-0x0000000007010000-memory.dmp

Filesize
320KB

Download
memory/560-1121-0x0000000006F40000-0x0000000006FB6000-memory.dmp

Filesize
472KB

Download
memory/560-1120-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/560-1119-0x0000000006790000-0x0000000006CBC000-memory.dmp

Filesize
5.2MB

Download
memory/560-1118-0x00000000065C0000-0x0000000006782000-memory.dmp

Filesize
1.8MB

Download
memory/560-1116-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/560-1115-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/560-1114-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/560-1112-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/560-1111-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/560-198-0x00000000025B0000-0x00000000025EF000-memory.dmp

Filesize
252KB

Download
memory/560-199-0x00000000025B0000-0x00000000025EF000-memory.dmp

Filesize
252KB

Download
memory/560-201-0x00000000025B0000-0x00000000025EF000-memory.dmp

Filesize
252KB

Download
memory/560-203-0x00000000025B0000-0x00000000025EF000-memory.dmp

Filesize
252KB

Download
memory/560-205-0x00000000025B0000-0x00000000025EF000-memory.dmp

Filesize
252KB

Download
memory/560-207-0x00000000025B0000-0x00000000025EF000-memory.dmp

Filesize
252KB

Download
memory/560-209-0x00000000025B0000-0x00000000025EF000-memory.dmp

Filesize
252KB

Download
memory/560-210-0x00000000004C0000-0x000000000050B000-memory.dmp

Filesize
300KB

Download
memory/560-212-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/560-214-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/560-213-0x00000000025B0000-0x00000000025EF000-memory.dmp

Filesize
252KB

Download
memory/560-216-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/560-217-0x00000000025B0000-0x00000000025EF000-memory.dmp

Filesize
252KB

Download
memory/560-219-0x00000000025B0000-0x00000000025EF000-memory.dmp

Filesize
252KB

Download
memory/560-221-0x00000000025B0000-0x00000000025EF000-memory.dmp

Filesize
252KB

Download
memory/560-223-0x00000000025B0000-0x00000000025EF000-memory.dmp

Filesize
252KB

Download
memory/560-225-0x00000000025B0000-0x00000000025EF000-memory.dmp

Filesize
252KB

Download
memory/560-227-0x00000000025B0000-0x00000000025EF000-memory.dmp

Filesize
252KB

Download
memory/560-229-0x00000000025B0000-0x00000000025EF000-memory.dmp

Filesize
252KB

Download
memory/560-1110-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/560-233-0x00000000025B0000-0x00000000025EF000-memory.dmp

Filesize
252KB

Download
memory/560-235-0x00000000025B0000-0x00000000025EF000-memory.dmp

Filesize
252KB

Download
memory/560-1108-0x0000000005250000-0x0000000005868000-memory.dmp

Filesize
6.1MB

Download
memory/560-1109-0x00000000058B0000-0x00000000059BA000-memory.dmp

Filesize
1.0MB

Download
memory/2252-1128-0x0000000000550000-0x0000000000582000-memory.dmp

Filesize
200KB

Download
memory/2252-1129-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3096-190-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/3096-192-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/3096-180-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/3096-172-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/3096-178-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/3096-184-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/3096-188-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3096-187-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/3096-186-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/3096-185-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/3096-176-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/3096-174-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/3096-155-0x0000000000580000-0x00000000005AD000-memory.dmp

Filesize
180KB

Download
memory/3096-193-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3096-191-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/3096-170-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/3096-182-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/3096-168-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/3096-166-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/3096-164-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/3096-162-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/3096-160-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/3096-158-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/3096-157-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/3096-156-0x0000000004BC0000-0x0000000005164000-memory.dmp

Filesize
5.6MB

Download
memory/4724-1135-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download