amadey | f9f39997c4aa42d7d78898e61d449e32e3dd06d67a9cc94f9e4d44f3d741e4d6

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2023, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ea3cd8360da5ae8137caa97560ca21e2ffc1e84ca814a160eb629dd84124818.exe
Size

1.3MB
MD5

f6003e24c8bcc54537cdee39b9586a33
SHA1

afdeb55378dafe4aab5768982a31d6791e42ecd0
SHA256

6ea3cd8360da5ae8137caa97560ca21e2ffc1e84ca814a160eb629dd84124818
SHA512

64590fff34f28df3bd1ea71d5e3eb275a9ffafd90e700c072d2e00339aabdc6e9894e0e69b87f01ecb9bb28bbb26a8f545523191cafe6bc073e02cea23b41d06
SSDEEP

24576:jyCsZmMwd0ng0mwo09sQElxBR3yfCQM37u4zraw0FJSb3SKph/lVVDOR1Wm:2COmMwd0nmn0glxB51379z0J83T0

Score

10^/10

amadey redline maxo norm evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.70

77.91.124.207/plays/chapter/index.php

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

maxo

77.91.124.145:4125

Attributes

auth_value
44cd1dfc9c943902c043f02a77e4ee3c

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor4132.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor4132.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	az911420.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	az911420.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	az911420.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	az911420.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor4132.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor4132.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor4132.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	az911420.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	az911420.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor4132.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	bu495844.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	dCX46s19.exe

Executes dropped EXE 13 IoCs

pid	Process
4780	kina4148.exe
4496	kina9457.exe
3640	kina9703.exe
5036	kina3985.exe
1384	az911420.exe
116	bu495844.exe
2472	oneetx.exe
5076	cor4132.exe
3088	dCX46s19.exe
2732	1.exe
3640	en615868.exe
2364	oneetx.exe
2432	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
1736	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	az911420.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor4132.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor4132.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina4148.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina4148.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina9703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina9703.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina3985.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6ea3cd8360da5ae8137caa97560ca21e2ffc1e84ca814a160eb629dd84124818.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6ea3cd8360da5ae8137caa97560ca21e2ffc1e84ca814a160eb629dd84124818.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina9457.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina9457.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	kina3985.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
3724	116	WerFault.exe	91
2124	116	WerFault.exe	91
5052	116	WerFault.exe	91
4160	116	WerFault.exe	91
4436	116	WerFault.exe	91
4616	116	WerFault.exe	91
2136	116	WerFault.exe	91
4156	116	WerFault.exe	91
3192	116	WerFault.exe	91
2500	116	WerFault.exe	91
3884	2472	WerFault.exe	110
1600	2472	WerFault.exe	110
1820	2472	WerFault.exe	110
1484	2472	WerFault.exe	110
4572	2472	WerFault.exe	110
4644	2472	WerFault.exe	110
2744	2472	WerFault.exe	110
3116	2472	WerFault.exe	110
3340	2472	WerFault.exe	110
2012	2472	WerFault.exe	110
4740	2472	WerFault.exe	110
1740	5076	WerFault.exe	130
984	3088	WerFault.exe	141
3760	2472	WerFault.exe	110
532	2364	WerFault.exe	148
1172	2472	WerFault.exe	110
3972	2472	WerFault.exe	110
1680	2472	WerFault.exe	110
4640	2432	WerFault.exe	158

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1384	az911420.exe
1384	az911420.exe
5076	cor4132.exe
5076	cor4132.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1384	az911420.exe
Token: SeDebugPrivilege	5076	cor4132.exe
Token: SeDebugPrivilege	3088	dCX46s19.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
116	bu495844.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 4780	2428	6ea3cd8360da5ae8137caa97560ca21e2ffc1e84ca814a160eb629dd84124818.exe	84
PID 2428 wrote to memory of 4780	2428	6ea3cd8360da5ae8137caa97560ca21e2ffc1e84ca814a160eb629dd84124818.exe	84
PID 2428 wrote to memory of 4780	2428	6ea3cd8360da5ae8137caa97560ca21e2ffc1e84ca814a160eb629dd84124818.exe	84
PID 4780 wrote to memory of 4496	4780	kina4148.exe	85
PID 4780 wrote to memory of 4496	4780	kina4148.exe	85
PID 4780 wrote to memory of 4496	4780	kina4148.exe	85
PID 4496 wrote to memory of 3640	4496	kina9457.exe	86
PID 4496 wrote to memory of 3640	4496	kina9457.exe	86
PID 4496 wrote to memory of 3640	4496	kina9457.exe	86
PID 3640 wrote to memory of 5036	3640	kina9703.exe	87
PID 3640 wrote to memory of 5036	3640	kina9703.exe	87
PID 3640 wrote to memory of 5036	3640	kina9703.exe	87
PID 5036 wrote to memory of 1384	5036	kina3985.exe	88
PID 5036 wrote to memory of 1384	5036	kina3985.exe	88
PID 5036 wrote to memory of 116	5036	kina3985.exe	91
PID 5036 wrote to memory of 116	5036	kina3985.exe	91
PID 5036 wrote to memory of 116	5036	kina3985.exe	91
PID 116 wrote to memory of 2472	116	bu495844.exe	110
PID 116 wrote to memory of 2472	116	bu495844.exe	110
PID 116 wrote to memory of 2472	116	bu495844.exe	110
PID 2472 wrote to memory of 3964	2472	oneetx.exe	127
PID 2472 wrote to memory of 3964	2472	oneetx.exe	127
PID 2472 wrote to memory of 3964	2472	oneetx.exe	127
PID 3640 wrote to memory of 5076	3640	kina9703.exe	130
PID 3640 wrote to memory of 5076	3640	kina9703.exe	130
PID 3640 wrote to memory of 5076	3640	kina9703.exe	130
PID 4496 wrote to memory of 3088	4496	kina9457.exe	141
PID 4496 wrote to memory of 3088	4496	kina9457.exe	141
PID 4496 wrote to memory of 3088	4496	kina9457.exe	141
PID 3088 wrote to memory of 2732	3088	dCX46s19.exe	142
PID 3088 wrote to memory of 2732	3088	dCX46s19.exe	142
PID 3088 wrote to memory of 2732	3088	dCX46s19.exe	142
PID 4780 wrote to memory of 3640	4780	kina4148.exe	145
PID 4780 wrote to memory of 3640	4780	kina4148.exe	145
PID 4780 wrote to memory of 3640	4780	kina4148.exe	145
PID 2472 wrote to memory of 1736	2472	oneetx.exe	153
PID 2472 wrote to memory of 1736	2472	oneetx.exe	153
PID 2472 wrote to memory of 1736	2472	oneetx.exe	153

C:\Users\Admin\AppData\Local\Temp\6ea3cd8360da5ae8137caa97560ca21e2ffc1e84ca814a160eb629dd84124818.exe
"C:\Users\Admin\AppData\Local\Temp\6ea3cd8360da5ae8137caa97560ca21e2ffc1e84ca814a160eb629dd84124818.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4148.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4148.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9457.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9457.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9703.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9703.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3640
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kina3985.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kina3985.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5036
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az911420.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az911420.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu495844.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu495844.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 696
        7⤵
        Program crash
        
        PID:3724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 780
        7⤵
        Program crash
        
        PID:2124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 856
        7⤵
        Program crash
        
        PID:5052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 972
        7⤵
        Program crash
        
        PID:4160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 976
        7⤵
        Program crash
        
        PID:4436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1000
        7⤵
        Program crash
        
        PID:4616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1220
        7⤵
        Program crash
        
        PID:2136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1268
        7⤵
        Program crash
        
        PID:4156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1324
        7⤵
        Program crash
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 692
        8⤵
        Program crash
        
        PID:3884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 844
        8⤵
        Program crash
        
        PID:1600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 912
        8⤵
        Program crash
        
        PID:1820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1052
        8⤵
        Program crash
        
        PID:1484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1072
        8⤵
        Program crash
        
        PID:4572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1072
        8⤵
        Program crash
        
        PID:4644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1100
        8⤵
        Program crash
        
        PID:2744
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
        8⤵
        Creates scheduled task(s)
        
        PID:3964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 992
        8⤵
        Program crash
        
        PID:3116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 780
        8⤵
        Program crash
        
        PID:3340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 848
        8⤵
        Program crash
        
        PID:2012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1284
        8⤵
        Program crash
        
        PID:4740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1072
        8⤵
        Program crash
        
        PID:3760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1652
        8⤵
        Program crash
        
        PID:1172
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        8⤵
        Loads dropped DLL
        
        PID:1736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1052
        8⤵
        Program crash
        
        PID:3972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1664
        8⤵
        Program crash
        
        PID:1680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 776
        7⤵
        Program crash
        
        PID:2500
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4132.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4132.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1108
        6⤵
        Program crash
        
        PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dCX46s19.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dCX46s19.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3088
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        
        PID:2732
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1384
        5⤵
        Program crash
        
        PID:984
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en615868.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en615868.exe
    3⤵
    - Executes dropped EXE
    PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 116 -ip 116
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 116 -ip 116
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 116 -ip 116
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 116 -ip 116
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 116 -ip 116
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 116 -ip 116
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 116 -ip 116
1⤵
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 116 -ip 116
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 116 -ip 116
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 116 -ip 116
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2472 -ip 2472
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2472 -ip 2472
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2472 -ip 2472
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2472 -ip 2472
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2472 -ip 2472
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2472 -ip 2472
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2472 -ip 2472
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2472 -ip 2472
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2472 -ip 2472
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2472 -ip 2472
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2472 -ip 2472
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5076 -ip 5076
1⤵
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3088 -ip 3088
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2472 -ip 2472
1⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:2364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 320
  2⤵
  - Program crash
  PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2364 -ip 2364
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2472 -ip 2472
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2472 -ip 2472
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2472 -ip 2472
1⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:2432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 312
  2⤵
  - Program crash
  PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2432 -ip 2432
1⤵
PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
235KB

MD5
b1abaf3c770b3eb68e4cc22c63d0360b

SHA1
25e4c48780e0d5ee0941049e139ee3b289a70d14

SHA256
afb811bb5729bcc581919e249af3b79ea84a9f0a12bf7d76cc68ad6018017943

SHA512
619e01ed5a8a4f994ac096bf9f1c8734c23f4058863943676cbf7a56a3325b9b80035ceef6c350e90e53ac4f49ddd149302c173d3a36efe73590af5ecabb6d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
235KB

MD5
b1abaf3c770b3eb68e4cc22c63d0360b

SHA1
25e4c48780e0d5ee0941049e139ee3b289a70d14

SHA256
afb811bb5729bcc581919e249af3b79ea84a9f0a12bf7d76cc68ad6018017943

SHA512
619e01ed5a8a4f994ac096bf9f1c8734c23f4058863943676cbf7a56a3325b9b80035ceef6c350e90e53ac4f49ddd149302c173d3a36efe73590af5ecabb6d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
235KB

MD5
b1abaf3c770b3eb68e4cc22c63d0360b

SHA1
25e4c48780e0d5ee0941049e139ee3b289a70d14

SHA256
afb811bb5729bcc581919e249af3b79ea84a9f0a12bf7d76cc68ad6018017943

SHA512
619e01ed5a8a4f994ac096bf9f1c8734c23f4058863943676cbf7a56a3325b9b80035ceef6c350e90e53ac4f49ddd149302c173d3a36efe73590af5ecabb6d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
235KB

MD5
b1abaf3c770b3eb68e4cc22c63d0360b

SHA1
25e4c48780e0d5ee0941049e139ee3b289a70d14

SHA256
afb811bb5729bcc581919e249af3b79ea84a9f0a12bf7d76cc68ad6018017943

SHA512
619e01ed5a8a4f994ac096bf9f1c8734c23f4058863943676cbf7a56a3325b9b80035ceef6c350e90e53ac4f49ddd149302c173d3a36efe73590af5ecabb6d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
235KB

MD5
b1abaf3c770b3eb68e4cc22c63d0360b

SHA1
25e4c48780e0d5ee0941049e139ee3b289a70d14

SHA256
afb811bb5729bcc581919e249af3b79ea84a9f0a12bf7d76cc68ad6018017943

SHA512
619e01ed5a8a4f994ac096bf9f1c8734c23f4058863943676cbf7a56a3325b9b80035ceef6c350e90e53ac4f49ddd149302c173d3a36efe73590af5ecabb6d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4148.exe

Filesize
1.2MB

MD5
7b842700973f115f8d9cad46d50eccaa

SHA1
f0c11e941467909820d66cb6b94b2fc69dfc22e0

SHA256
83630d36f34d4aaafb87dd65fdce84ea2aefc891c9d7e5545bdbd19e8541215b

SHA512
fcc19dc3ddbcc0934c23bc065f8f2b823bbda3e760a96a9388501994e5f28da9e690f4feb991087fb43a2a9dc3925156bd1f8201a254b802ecc0bab499b7a14a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4148.exe

Filesize
1.2MB

MD5
7b842700973f115f8d9cad46d50eccaa

SHA1
f0c11e941467909820d66cb6b94b2fc69dfc22e0

SHA256
83630d36f34d4aaafb87dd65fdce84ea2aefc891c9d7e5545bdbd19e8541215b

SHA512
fcc19dc3ddbcc0934c23bc065f8f2b823bbda3e760a96a9388501994e5f28da9e690f4feb991087fb43a2a9dc3925156bd1f8201a254b802ecc0bab499b7a14a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en615868.exe

Filesize
168KB

MD5
aa30d708504f8f57c0cbec61b0fa99db

SHA1
cbd1221a5259df4a234e3fac89c8d0fb9a8d5f93

SHA256
bc55e70f9a1df82d1ec1158b882315558f7cf44c908488f8a4bcecbb62ad6c2a

SHA512
050ec64b5c41774738626ca081e613c34891278e15391c0a03a26c943e4d3d36adf92497a948cdc7b07d95ae7c9e34da09c98baf7290184466352f7c5549fbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en615868.exe

Filesize
168KB

MD5
aa30d708504f8f57c0cbec61b0fa99db

SHA1
cbd1221a5259df4a234e3fac89c8d0fb9a8d5f93

SHA256
bc55e70f9a1df82d1ec1158b882315558f7cf44c908488f8a4bcecbb62ad6c2a

SHA512
050ec64b5c41774738626ca081e613c34891278e15391c0a03a26c943e4d3d36adf92497a948cdc7b07d95ae7c9e34da09c98baf7290184466352f7c5549fbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9457.exe

Filesize
1.0MB

MD5
9377cd7f1526da17cc6e67b3e9309bfe

SHA1
e2945874ab2a0048fc0c7138fec8984f0cd3ea6b

SHA256
ebaebce8cecc1f4983f2168ecc83bdcdc51c94813ebb189c6c36667d8a791475

SHA512
a834ab3bedcdf0f636c8455ae465f8e35785029c4f44590fb186aaa21122e00d602b23e693b9d2e9098fffa14ad322f183112ad1d969ab40353ef4b52aed4fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9457.exe

Filesize
1.0MB

MD5
9377cd7f1526da17cc6e67b3e9309bfe

SHA1
e2945874ab2a0048fc0c7138fec8984f0cd3ea6b

SHA256
ebaebce8cecc1f4983f2168ecc83bdcdc51c94813ebb189c6c36667d8a791475

SHA512
a834ab3bedcdf0f636c8455ae465f8e35785029c4f44590fb186aaa21122e00d602b23e693b9d2e9098fffa14ad322f183112ad1d969ab40353ef4b52aed4fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dCX46s19.exe

Filesize
426KB

MD5
704ca523a3f6446152bd7c01769266e2

SHA1
97c79aa6dcc94a4fe03f0b8c132b34989c40154b

SHA256
1dabb4d9cc2e2cd65f611af864d6ee09031c6b82553c9afd2516871fb01ef2d4

SHA512
1c883e4a35358859d5a0b15226a9b5e34fdb4d201fea12debd015bf648d710f3089aec4359434826b3bb9d0c6f73eb4a41cd8e17597bbb37c227cccea57470a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dCX46s19.exe

Filesize
426KB

MD5
704ca523a3f6446152bd7c01769266e2

SHA1
97c79aa6dcc94a4fe03f0b8c132b34989c40154b

SHA256
1dabb4d9cc2e2cd65f611af864d6ee09031c6b82553c9afd2516871fb01ef2d4

SHA512
1c883e4a35358859d5a0b15226a9b5e34fdb4d201fea12debd015bf648d710f3089aec4359434826b3bb9d0c6f73eb4a41cd8e17597bbb37c227cccea57470a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9703.exe

Filesize
589KB

MD5
f3c9acce9df4e8ca2f2bb8c5f7457e30

SHA1
b0a956df6f1b5b519650aeead4b53191edd34e1c

SHA256
981c62a2f7d1224400b86ed7ef86488c8c46a50f0511c135606f72119cdc2d89

SHA512
1048b0ef718cdda53adb8935890c3c27f1468a16dd2a947cded9c58ccea391e44a0223b7554054133ebd81849e7502fa66251090e01e9bb26e82f4c1c4ed37a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9703.exe

Filesize
589KB

MD5
f3c9acce9df4e8ca2f2bb8c5f7457e30

SHA1
b0a956df6f1b5b519650aeead4b53191edd34e1c

SHA256
981c62a2f7d1224400b86ed7ef86488c8c46a50f0511c135606f72119cdc2d89

SHA512
1048b0ef718cdda53adb8935890c3c27f1468a16dd2a947cded9c58ccea391e44a0223b7554054133ebd81849e7502fa66251090e01e9bb26e82f4c1c4ed37a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4132.exe

Filesize
243KB

MD5
2df0a4fa594ac982422ca2a90d56e496

SHA1
b008cc53fdb709c76442adaf00ab5380957bbe7f

SHA256
812342650a04974eb4e6ad2675706f59c3ee3e41023f3392a278bdfe3459855f

SHA512
c599086c36fab5d92aee0077d2cb7c65acbd2783616949c592d9eac3e3c152f8832ef6ddb0e4af5d13c7fbb3ec4173789a90588bec8783857989610cb0a6dd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4132.exe

Filesize
243KB

MD5
2df0a4fa594ac982422ca2a90d56e496

SHA1
b008cc53fdb709c76442adaf00ab5380957bbe7f

SHA256
812342650a04974eb4e6ad2675706f59c3ee3e41023f3392a278bdfe3459855f

SHA512
c599086c36fab5d92aee0077d2cb7c65acbd2783616949c592d9eac3e3c152f8832ef6ddb0e4af5d13c7fbb3ec4173789a90588bec8783857989610cb0a6dd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kina3985.exe

Filesize
316KB

MD5
6097c2ff209d8c93db84767fe82216e2

SHA1
9a483f83038ba275ae6660d2b8cdb0c7b82656fa

SHA256
c34d0710792b148e2da2538d1197742174e584a31a3c84fc4c8cefb498cb90a8

SHA512
f6280ecf33fae702bb1be7db2b2f6991f2e19e153cfa8501d23318b52590a3aac007b7c23c6451c95a6f831d73533cd52182c8d0c791d69083bbeb9c640b24ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kina3985.exe

Filesize
316KB

MD5
6097c2ff209d8c93db84767fe82216e2

SHA1
9a483f83038ba275ae6660d2b8cdb0c7b82656fa

SHA256
c34d0710792b148e2da2538d1197742174e584a31a3c84fc4c8cefb498cb90a8

SHA512
f6280ecf33fae702bb1be7db2b2f6991f2e19e153cfa8501d23318b52590a3aac007b7c23c6451c95a6f831d73533cd52182c8d0c791d69083bbeb9c640b24ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az911420.exe

Filesize
15KB

MD5
b9acd89334e88fd95a70e2c7d4c4cb55

SHA1
1cfd70b71d30e5ea526e5265dce8c0e325fc8ddb

SHA256
78fdb70ff5905f821f168b141439dfe1f70af57dec849e5649bf9c0f6b7c27c5

SHA512
b89211485193ab4b096cb6bc40caa1fada7ea2142579221483d24a1b44b6603506badbaae79d5cc9b14913ada7d84d0e0115772f7722ce638b4718a0fd63691f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az911420.exe

Filesize
15KB

MD5
b9acd89334e88fd95a70e2c7d4c4cb55

SHA1
1cfd70b71d30e5ea526e5265dce8c0e325fc8ddb

SHA256
78fdb70ff5905f821f168b141439dfe1f70af57dec849e5649bf9c0f6b7c27c5

SHA512
b89211485193ab4b096cb6bc40caa1fada7ea2142579221483d24a1b44b6603506badbaae79d5cc9b14913ada7d84d0e0115772f7722ce638b4718a0fd63691f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu495844.exe

Filesize
235KB

MD5
b1abaf3c770b3eb68e4cc22c63d0360b

SHA1
25e4c48780e0d5ee0941049e139ee3b289a70d14

SHA256
afb811bb5729bcc581919e249af3b79ea84a9f0a12bf7d76cc68ad6018017943

SHA512
619e01ed5a8a4f994ac096bf9f1c8734c23f4058863943676cbf7a56a3325b9b80035ceef6c350e90e53ac4f49ddd149302c173d3a36efe73590af5ecabb6d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu495844.exe

Filesize
235KB

MD5
b1abaf3c770b3eb68e4cc22c63d0360b

SHA1
25e4c48780e0d5ee0941049e139ee3b289a70d14

SHA256
afb811bb5729bcc581919e249af3b79ea84a9f0a12bf7d76cc68ad6018017943

SHA512
619e01ed5a8a4f994ac096bf9f1c8734c23f4058863943676cbf7a56a3325b9b80035ceef6c350e90e53ac4f49ddd149302c173d3a36efe73590af5ecabb6d0b

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/116-174-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/116-189-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1384-168-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

Filesize
40KB

Download
memory/2472-228-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2732-2338-0x00000000055A0000-0x0000000005BB8000-memory.dmp

Filesize
6.1MB

Download
memory/2732-2345-0x0000000004FE0000-0x000000000501C000-memory.dmp

Filesize
240KB

Download
memory/2732-2339-0x0000000005090000-0x000000000519A000-memory.dmp

Filesize
1.0MB

Download
memory/2732-2342-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2732-2337-0x0000000000620000-0x0000000000650000-memory.dmp

Filesize
192KB

Download
memory/2732-2340-0x0000000004F80000-0x0000000004F92000-memory.dmp

Filesize
72KB

Download
memory/2732-2350-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/3088-240-0x00000000051B0000-0x000000000520F000-memory.dmp

Filesize
380KB

Download
memory/3088-255-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/3088-266-0x00000000051B0000-0x000000000520F000-memory.dmp

Filesize
380KB

Download
memory/3088-272-0x00000000051B0000-0x000000000520F000-memory.dmp

Filesize
380KB

Download
memory/3088-270-0x00000000051B0000-0x000000000520F000-memory.dmp

Filesize
380KB

Download
memory/3088-268-0x00000000051B0000-0x000000000520F000-memory.dmp

Filesize
380KB

Download
memory/3088-264-0x00000000051B0000-0x000000000520F000-memory.dmp

Filesize
380KB

Download
memory/3088-239-0x00000000051B0000-0x000000000520F000-memory.dmp

Filesize
380KB

Download
memory/3088-262-0x00000000051B0000-0x000000000520F000-memory.dmp

Filesize
380KB

Download
memory/3088-242-0x00000000051B0000-0x000000000520F000-memory.dmp

Filesize
380KB

Download
memory/3088-244-0x00000000051B0000-0x000000000520F000-memory.dmp

Filesize
380KB

Download
memory/3088-246-0x00000000051B0000-0x000000000520F000-memory.dmp

Filesize
380KB

Download
memory/3088-248-0x00000000004E0000-0x000000000053B000-memory.dmp

Filesize
364KB

Download
memory/3088-249-0x00000000051B0000-0x000000000520F000-memory.dmp

Filesize
380KB

Download
memory/3088-251-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/3088-253-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/3088-2332-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/3088-252-0x00000000051B0000-0x000000000520F000-memory.dmp

Filesize
380KB

Download
memory/3088-256-0x00000000051B0000-0x000000000520F000-memory.dmp

Filesize
380KB

Download
memory/3088-258-0x00000000051B0000-0x000000000520F000-memory.dmp

Filesize
380KB

Download
memory/3088-260-0x00000000051B0000-0x000000000520F000-memory.dmp

Filesize
380KB

Download
memory/3640-2347-0x0000000000060000-0x0000000000090000-memory.dmp

Filesize
192KB

Download
memory/3640-2351-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/3640-2348-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/5076-197-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/5076-234-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/5076-232-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/5076-231-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/5076-230-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/5076-229-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/5076-227-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5076-225-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5076-223-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5076-221-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5076-219-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5076-217-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5076-215-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5076-213-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5076-211-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5076-209-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5076-207-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5076-205-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5076-203-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5076-201-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5076-200-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5076-198-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/5076-199-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/5076-196-0x0000000000590000-0x00000000005BD000-memory.dmp

Filesize
180KB

Download
memory/5076-195-0x0000000004D50000-0x00000000052F4000-memory.dmp

Filesize
5.6MB

Download