amadey | 39ed8e8dd028533bc42b810ed35020d7ab94d33ac2463e3e984e9da64f75a8f7

Analysis

max time kernel
142s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2023 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39ed8e8dd028533bc42b810ed35020d7ab94d33ac2463e3e984e9da64f75a8f7.exe
Size

1.0MB
MD5

4dd91c6b91f4af0efb128ef9fd8ec008
SHA1

048962b927d4da4bdfb0b915938502845906f30a
SHA256

39ed8e8dd028533bc42b810ed35020d7ab94d33ac2463e3e984e9da64f75a8f7
SHA512

961f85c0c703adf3db65ba1b16b15f089ee2cd4ef50c8561cd13831da26fd08062daa82d744dba6d66d1e317f3c61c5dcad8749590dc7322b2396cead1b94a62
SSDEEP

24576:6y46U3CYFIAC8ZvcbeXuMWMJ5C7h0xfPz0kcS5vQ:BFhYyACgcbe+MfJ5Ct0xngkcS5v

Score

10^/10

amadey redline brat rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.70

77.91.124.207/plays/chapter/index.php

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

brat

176.113.115.145:4125

Attributes

auth_value
1f9c658aed2f70f42f99a57a005561cf

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

az079360.execor0356.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	az079360.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	az079360.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor0356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor0356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor0356.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	az079360.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	az079360.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	az079360.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor0356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor0356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor0356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	az079360.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2056-231-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/2056-232-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/2056-234-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/2056-236-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/2056-238-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/2056-242-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/2056-244-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/2056-240-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/2056-246-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/2056-248-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/2056-250-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/2056-252-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/2056-254-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/2056-256-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/2056-258-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/2056-262-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/2056-266-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bu612983.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	bu612983.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 11 IoCs

Processes:

kina3232.exekina9878.exekina9785.exeaz079360.exebu612983.exeoneetx.execor0356.exedBU99s84.exeen626375.exeoneetx.exeoneetx.exe

pid	process
2544	kina3232.exe
4924	kina9878.exe
2948	kina9785.exe
1336	az079360.exe
1232	bu612983.exe
2832	oneetx.exe
2916	cor0356.exe
2056	dBU99s84.exe
3108	en626375.exe
4952	oneetx.exe
4064	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4656 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4656	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cor0356.exeaz079360.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor0356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	az079360.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor0356.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kina9785.exe39ed8e8dd028533bc42b810ed35020d7ab94d33ac2463e3e984e9da64f75a8f7.exekina3232.exekina9878.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina9785.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	39ed8e8dd028533bc42b810ed35020d7ab94d33ac2463e3e984e9da64f75a8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	39ed8e8dd028533bc42b810ed35020d7ab94d33ac2463e3e984e9da64f75a8f7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina3232.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina3232.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina9878.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina9878.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina9785.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4584	1232	WerFault.exe	bu612983.exe
3408	1232	WerFault.exe	bu612983.exe
5100	1232	WerFault.exe	bu612983.exe
1972	1232	WerFault.exe	bu612983.exe
868	1232	WerFault.exe	bu612983.exe
3404	1232	WerFault.exe	bu612983.exe
916	1232	WerFault.exe	bu612983.exe
4768	1232	WerFault.exe	bu612983.exe
4092	1232	WerFault.exe	bu612983.exe
4292	1232	WerFault.exe	bu612983.exe
4176	2832	WerFault.exe	oneetx.exe
220	2832	WerFault.exe	oneetx.exe
3024	2832	WerFault.exe	oneetx.exe
4836	2832	WerFault.exe	oneetx.exe
376	2832	WerFault.exe	oneetx.exe
1140	2832	WerFault.exe	oneetx.exe
1932	2832	WerFault.exe	oneetx.exe
1992	2832	WerFault.exe	oneetx.exe
4612	2832	WerFault.exe	oneetx.exe
1668	2832	WerFault.exe	oneetx.exe
4596	2832	WerFault.exe	oneetx.exe
3832	2832	WerFault.exe	oneetx.exe
1712	2916	WerFault.exe	cor0356.exe
3056	2056	WerFault.exe	dBU99s84.exe
4352	2832	WerFault.exe	oneetx.exe
4456	4952	WerFault.exe	oneetx.exe
2280	2832	WerFault.exe	oneetx.exe
4344	2832	WerFault.exe	oneetx.exe
1052	2832	WerFault.exe	oneetx.exe
3856	4064	WerFault.exe	oneetx.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3952 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

az079360.execor0356.exedBU99s84.exeen626375.exe

pid process

1336 az079360.exe
1336 az079360.exe
2916 cor0356.exe
2916 cor0356.exe
2056 dBU99s84.exe
2056 dBU99s84.exe
3108 en626375.exe
3108 en626375.exe

pid	process
3952	schtasks.exe

pid	process
1336	az079360.exe
1336	az079360.exe
2916	cor0356.exe
2916	cor0356.exe
2056	dBU99s84.exe
2056	dBU99s84.exe
3108	en626375.exe
3108	en626375.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

az079360.execor0356.exedBU99s84.exeen626375.exe

description	pid	process
Token: SeDebugPrivilege	1336	az079360.exe
Token: SeDebugPrivilege	2916	cor0356.exe
Token: SeDebugPrivilege	2056	dBU99s84.exe
Token: SeDebugPrivilege	3108	en626375.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

bu612983.exe

pid process

1232 bu612983.exe

pid	process
1232	bu612983.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

39ed8e8dd028533bc42b810ed35020d7ab94d33ac2463e3e984e9da64f75a8f7.exekina3232.exekina9878.exekina9785.exebu612983.exeoneetx.exe

description	pid	process	target process
PID 4296 wrote to memory of 2544	4296	39ed8e8dd028533bc42b810ed35020d7ab94d33ac2463e3e984e9da64f75a8f7.exe	kina3232.exe
PID 4296 wrote to memory of 2544	4296	39ed8e8dd028533bc42b810ed35020d7ab94d33ac2463e3e984e9da64f75a8f7.exe	kina3232.exe
PID 4296 wrote to memory of 2544	4296	39ed8e8dd028533bc42b810ed35020d7ab94d33ac2463e3e984e9da64f75a8f7.exe	kina3232.exe
PID 2544 wrote to memory of 4924	2544	kina3232.exe	kina9878.exe
PID 2544 wrote to memory of 4924	2544	kina3232.exe	kina9878.exe
PID 2544 wrote to memory of 4924	2544	kina3232.exe	kina9878.exe
PID 4924 wrote to memory of 2948	4924	kina9878.exe	kina9785.exe
PID 4924 wrote to memory of 2948	4924	kina9878.exe	kina9785.exe
PID 4924 wrote to memory of 2948	4924	kina9878.exe	kina9785.exe
PID 2948 wrote to memory of 1336	2948	kina9785.exe	az079360.exe
PID 2948 wrote to memory of 1336	2948	kina9785.exe	az079360.exe
PID 2948 wrote to memory of 1232	2948	kina9785.exe	bu612983.exe
PID 2948 wrote to memory of 1232	2948	kina9785.exe	bu612983.exe
PID 2948 wrote to memory of 1232	2948	kina9785.exe	bu612983.exe
PID 1232 wrote to memory of 2832	1232	bu612983.exe	oneetx.exe
PID 1232 wrote to memory of 2832	1232	bu612983.exe	oneetx.exe
PID 1232 wrote to memory of 2832	1232	bu612983.exe	oneetx.exe
PID 4924 wrote to memory of 2916	4924	kina9878.exe	cor0356.exe
PID 4924 wrote to memory of 2916	4924	kina9878.exe	cor0356.exe
PID 4924 wrote to memory of 2916	4924	kina9878.exe	cor0356.exe
PID 2832 wrote to memory of 3952	2832	oneetx.exe	schtasks.exe
PID 2832 wrote to memory of 3952	2832	oneetx.exe	schtasks.exe
PID 2832 wrote to memory of 3952	2832	oneetx.exe	schtasks.exe
PID 2544 wrote to memory of 2056	2544	kina3232.exe	dBU99s84.exe
PID 2544 wrote to memory of 2056	2544	kina3232.exe	dBU99s84.exe
PID 2544 wrote to memory of 2056	2544	kina3232.exe	dBU99s84.exe
PID 4296 wrote to memory of 3108	4296	39ed8e8dd028533bc42b810ed35020d7ab94d33ac2463e3e984e9da64f75a8f7.exe	en626375.exe
PID 4296 wrote to memory of 3108	4296	39ed8e8dd028533bc42b810ed35020d7ab94d33ac2463e3e984e9da64f75a8f7.exe	en626375.exe
PID 4296 wrote to memory of 3108	4296	39ed8e8dd028533bc42b810ed35020d7ab94d33ac2463e3e984e9da64f75a8f7.exe	en626375.exe
PID 2832 wrote to memory of 4656	2832	oneetx.exe	rundll32.exe
PID 2832 wrote to memory of 4656	2832	oneetx.exe	rundll32.exe
PID 2832 wrote to memory of 4656	2832	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\39ed8e8dd028533bc42b810ed35020d7ab94d33ac2463e3e984e9da64f75a8f7.exe
"C:\Users\Admin\AppData\Local\Temp\39ed8e8dd028533bc42b810ed35020d7ab94d33ac2463e3e984e9da64f75a8f7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4296

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3232.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3232.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2544

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9878.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9878.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4924

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9785.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9785.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2948

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az079360.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az079360.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu612983.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu612983.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 696
6⤵
- Program crash
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 780
6⤵
- Program crash
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 856
6⤵
- Program crash
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 960
6⤵
- Program crash
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 976
6⤵
- Program crash
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 996
6⤵
- Program crash
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 1216
6⤵
- Program crash
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 1232
6⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 1320
6⤵
- Program crash
PID:4092

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 692
7⤵
- Program crash
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 844
7⤵
- Program crash
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1016
7⤵
- Program crash
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1008
7⤵
- Program crash
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1080
7⤵
- Program crash
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1080
7⤵
- Program crash
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1092
7⤵
- Program crash
PID:1932

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
7⤵
- Creates scheduled task(s)
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 992
7⤵
- Program crash
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 752
7⤵
- Program crash
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 892
7⤵
- Program crash
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1288
7⤵
- Program crash
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1428
7⤵
- Program crash
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1100
7⤵
- Program crash
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1628
7⤵
- Program crash
PID:2280

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
7⤵
- Loads dropped DLL
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1436
7⤵
- Program crash
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1644
7⤵
- Program crash
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 1360
6⤵
- Program crash
PID:4292

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor0356.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor0356.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1076
5⤵
- Program crash
PID:1712

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dBU99s84.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dBU99s84.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 1348
4⤵
- Program crash
PID:3056

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\en626375.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\en626375.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1232 -ip 1232
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1232 -ip 1232
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1232 -ip 1232
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1232 -ip 1232
1⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1232 -ip 1232
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1232 -ip 1232
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1232 -ip 1232
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1232 -ip 1232
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1232 -ip 1232
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1232 -ip 1232
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2832 -ip 2832
1⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2832 -ip 2832
1⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2832 -ip 2832
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2832 -ip 2832
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2832 -ip 2832
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2832 -ip 2832
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2832 -ip 2832
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2832 -ip 2832
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2832 -ip 2832
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2832 -ip 2832
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2832 -ip 2832
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2832 -ip 2832
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2916 -ip 2916
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2056 -ip 2056
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2832 -ip 2832
1⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 312
2⤵
- Program crash
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4952 -ip 4952
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2832 -ip 2832
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2832 -ip 2832
1⤵
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2832 -ip 2832
1⤵
PID:3188

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 312
2⤵
- Program crash
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4064 -ip 4064
1⤵
PID:208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\en626375.exe
Filesize
168KB

MD5
41a71ae93348897ccce18c9eb70a4313

SHA1
60d7795812e9293161ebbfb8a046d4c1282939d7

SHA256
a0fcc736644b9aa62613ea7038296de169a65648c2615c3f7ce8deb2081806d9

SHA512
92860b1e30bb20295f37723f32aea4c914626d804450707bc68c2b7ab34c4fea26d42dc3d27bc6e52ad4aa4ff74784265504f089e0ab09cfb39e02321fb3c3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\en626375.exe
Filesize
168KB

MD5
41a71ae93348897ccce18c9eb70a4313

SHA1
60d7795812e9293161ebbfb8a046d4c1282939d7

SHA256
a0fcc736644b9aa62613ea7038296de169a65648c2615c3f7ce8deb2081806d9

SHA512
92860b1e30bb20295f37723f32aea4c914626d804450707bc68c2b7ab34c4fea26d42dc3d27bc6e52ad4aa4ff74784265504f089e0ab09cfb39e02321fb3c3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3232.exe
Filesize
920KB

MD5
2946bc39ca2a4658d20aefd85e4638dd

SHA1
7b7d1788fafe924e94edc87c798cf68f9c0ddf18

SHA256
9be1aff27342580fac41983f8db40be2288efa11a6223338b389d8d29a9cbac2

SHA512
d0891ed73580fe1e9059bf79a85ae80af396989ff9661aafe333a2d4927f1293f749b4d40a270f1b7eeb6170488ad46a7227489895ebc43f517d4c50c578d9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3232.exe
Filesize
920KB

MD5
2946bc39ca2a4658d20aefd85e4638dd

SHA1
7b7d1788fafe924e94edc87c798cf68f9c0ddf18

SHA256
9be1aff27342580fac41983f8db40be2288efa11a6223338b389d8d29a9cbac2

SHA512
d0891ed73580fe1e9059bf79a85ae80af396989ff9661aafe333a2d4927f1293f749b4d40a270f1b7eeb6170488ad46a7227489895ebc43f517d4c50c578d9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dBU99s84.exe
Filesize
297KB

MD5
ce158e5bcbd34adc21464ea9747be762

SHA1
7e276f4b6a09744bd334b27b3954f4ff9d871f31

SHA256
25a4d24deed995c23ca140f887743cdbe061ad7dbc56c2a5d97b67853de6be87

SHA512
a88457f86f4da51be9bef0837f01709a87e00a8c2899f69a2b9132f599e81614f17777e6c56b504adb83ef3a8e0b690c8f8d3d6323f6a0931bfa43c8c78ff0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dBU99s84.exe
Filesize
297KB

MD5
ce158e5bcbd34adc21464ea9747be762

SHA1
7e276f4b6a09744bd334b27b3954f4ff9d871f31

SHA256
25a4d24deed995c23ca140f887743cdbe061ad7dbc56c2a5d97b67853de6be87

SHA512
a88457f86f4da51be9bef0837f01709a87e00a8c2899f69a2b9132f599e81614f17777e6c56b504adb83ef3a8e0b690c8f8d3d6323f6a0931bfa43c8c78ff0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9878.exe
Filesize
589KB

MD5
bcb59cb904ec449eb8afd6eda87fcc61

SHA1
95d7c580313d0dc30d319685e15dd2d7de016d7f

SHA256
69ebcb1b50ca2698731622fa01ec9db02e31ed3eabec17802657fe5aa1efde54

SHA512
9fe5b45ecda1f14b070c9b0c64d039ca482de74713859b76d7d371c620846a922150a5561410fb88410710f22cad9235b1c9af34e60cd873f1df8436ecf782e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9878.exe
Filesize
589KB

MD5
bcb59cb904ec449eb8afd6eda87fcc61

SHA1
95d7c580313d0dc30d319685e15dd2d7de016d7f

SHA256
69ebcb1b50ca2698731622fa01ec9db02e31ed3eabec17802657fe5aa1efde54

SHA512
9fe5b45ecda1f14b070c9b0c64d039ca482de74713859b76d7d371c620846a922150a5561410fb88410710f22cad9235b1c9af34e60cd873f1df8436ecf782e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor0356.exe
Filesize
239KB

MD5
1b74e4b2899bd92459e69d43b46e956b

SHA1
ee767bb5b7e36ba80e6b7293c29534fde8fdbcc1

SHA256
4fc67893dc421952a10656bb99b4bceaaa647529813cc218941b62feb6a0e2b8

SHA512
427ad5491998379caf0608c045c3ca9efac30382709614f88d6045e05f301ed4c5ad2ccd010013e0094c5711459089c5438d7328a7095706ad200d22fd57bb5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor0356.exe
Filesize
239KB

MD5
1b74e4b2899bd92459e69d43b46e956b

SHA1
ee767bb5b7e36ba80e6b7293c29534fde8fdbcc1

SHA256
4fc67893dc421952a10656bb99b4bceaaa647529813cc218941b62feb6a0e2b8

SHA512
427ad5491998379caf0608c045c3ca9efac30382709614f88d6045e05f301ed4c5ad2ccd010013e0094c5711459089c5438d7328a7095706ad200d22fd57bb5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9785.exe
Filesize
316KB

MD5
e52cc44624108d54a5844fc3ea81d69b

SHA1
1341103e9fa999c6618d3e5f6efbd52f2743efe2

SHA256
af4804d7583020bf87fdd262a254afafcdf94fd48c3cc57600da13a78eb90059

SHA512
024b49b219d6d9991ae188e6a31841be8c3b3f8bf86cee90e45648893feaa8febe6377ea73e366287e9a11e312aad0837102f7161dbe9acf54ec94e078fd87ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9785.exe
Filesize
316KB

MD5
e52cc44624108d54a5844fc3ea81d69b

SHA1
1341103e9fa999c6618d3e5f6efbd52f2743efe2

SHA256
af4804d7583020bf87fdd262a254afafcdf94fd48c3cc57600da13a78eb90059

SHA512
024b49b219d6d9991ae188e6a31841be8c3b3f8bf86cee90e45648893feaa8febe6377ea73e366287e9a11e312aad0837102f7161dbe9acf54ec94e078fd87ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az079360.exe
Filesize
11KB

MD5
d97c7c5b39de9b6792ca318d796b512b

SHA1
0f0ec0621e8b4a7e3a79b7b85e65168675279eaa

SHA256
9410938297d9cbcec3ff420b46239a18fd0da4e15cb14d8e788056adc616a221

SHA512
eabed4daacd917e21ec6741cf94104ef8731800caefb71750538b32f9317a936489bff35388eaca08cb0092d204f630a89fb9d2a9fd2bfecea8723b4c684a1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az079360.exe
Filesize
11KB

MD5
d97c7c5b39de9b6792ca318d796b512b

SHA1
0f0ec0621e8b4a7e3a79b7b85e65168675279eaa

SHA256
9410938297d9cbcec3ff420b46239a18fd0da4e15cb14d8e788056adc616a221

SHA512
eabed4daacd917e21ec6741cf94104ef8731800caefb71750538b32f9317a936489bff35388eaca08cb0092d204f630a89fb9d2a9fd2bfecea8723b4c684a1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu612983.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu612983.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1232-182-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1232-167-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1336-161-0x0000000000940000-0x000000000094A000-memory.dmp

Filesize
40KB

Download
memory/2056-1143-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/2056-1150-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/2056-1157-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/2056-1155-0x0000000007B30000-0x000000000805C000-memory.dmp

Filesize
5.2MB

Download
memory/2056-1154-0x0000000007950000-0x0000000007B12000-memory.dmp

Filesize
1.8MB

Download
memory/2056-1153-0x00000000078F0000-0x0000000007940000-memory.dmp

Filesize
320KB

Download
memory/2056-1152-0x0000000007860000-0x00000000078D6000-memory.dmp

Filesize
472KB

Download
memory/2056-1151-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/2056-1149-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/2056-1148-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/2056-1145-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/2056-1144-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/2056-1142-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/2056-1141-0x0000000005200000-0x0000000005818000-memory.dmp

Filesize
6.1MB

Download
memory/2056-264-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/2056-266-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/2056-262-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/2056-263-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/2056-231-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/2056-232-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/2056-234-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/2056-236-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/2056-238-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/2056-242-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/2056-244-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/2056-240-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/2056-246-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/2056-248-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/2056-250-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/2056-252-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/2056-254-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/2056-256-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/2056-259-0x0000000000590000-0x00000000005DB000-memory.dmp

Filesize
300KB

Download
memory/2056-258-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/2056-261-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/2832-220-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2916-211-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/2916-189-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2916-224-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2916-223-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2916-222-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2916-197-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/2916-221-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2916-201-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/2916-219-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/2916-217-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/2916-203-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/2916-215-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/2916-187-0x0000000000680000-0x00000000006AD000-memory.dmp

Filesize
180KB

Download
memory/2916-226-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2916-192-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/2916-205-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/2916-207-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/2916-195-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/2916-209-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/2916-213-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/2916-190-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2916-193-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/2916-199-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/2916-191-0x0000000004BA0000-0x0000000005144000-memory.dmp

Filesize
5.6MB

Download
memory/2916-188-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3108-1169-0x00000000016F0000-0x0000000001700000-memory.dmp

Filesize
64KB

Download
memory/3108-1164-0x00000000016F0000-0x0000000001700000-memory.dmp

Filesize
64KB

Download
memory/3108-1163-0x0000000000E00000-0x0000000000E30000-memory.dmp

Filesize
192KB

Download