amadey | 38171da5df6c35748ea394a698e024f7f85f12005cf5fc0e86f1c005209bd980

Analysis

max time kernel
142s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2023 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38171da5df6c35748ea394a698e024f7f85f12005cf5fc0e86f1c005209bd980.exe
Size

1.0MB
MD5

a9bf97ca3429bffcd3df83630bf2a3db
SHA1

75f275d64b2849689bca681a65d38c0e5a7007f5
SHA256

38171da5df6c35748ea394a698e024f7f85f12005cf5fc0e86f1c005209bd980
SHA512

7beea7a1d8ca41cdd041b3576451ecc37fb2c9d38516665901aea067026cf56632adaddf01c0c91e0e87d320a4cc15c47b5424af1b8b0f120af5b71c8d81f322
SSDEEP

24576:byfXKQgqLoNDMGcKkQAoBpFCv+MTsUZuffFVgPhbF:OfXKQgqLTbolCWisU4Nq

Score

10^/10

amadey redline nord rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.70

77.91.124.207/plays/chapter/index.php

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

nord

176.113.115.145:4125

Attributes

auth_value
ebb7d38cdbd7c83cf6363ef3feb3a530

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	az628816.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	az628816.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor4683.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor4683.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor4683.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor4683.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor4683.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	az628816.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	az628816.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	az628816.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	az628816.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor4683.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 17 IoCs

resource	yara_rule
behavioral1/memory/3424-235-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3424-240-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3424-236-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3424-241-0x0000000004C00000-0x0000000004C10000-memory.dmp	family_redline
behavioral1/memory/3424-243-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3424-245-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3424-247-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3424-249-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3424-251-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3424-253-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3424-255-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3424-257-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3424-259-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3424-261-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3424-263-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3424-265-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3424-267-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	bu088656.exe

Executes dropped EXE 11 IoCs

pid	Process
2320	kina9741.exe
4840	kina6824.exe
4292	kina0994.exe
2684	az628816.exe
1472	bu088656.exe
3820	oneetx.exe
880	cor4683.exe
2104	oneetx.exe
3424	dbL51s91.exe
2392	ge555530.exe
1336	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
2160	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	az628816.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor4683.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor4683.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	38171da5df6c35748ea394a698e024f7f85f12005cf5fc0e86f1c005209bd980.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	38171da5df6c35748ea394a698e024f7f85f12005cf5fc0e86f1c005209bd980.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina9741.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina9741.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina6824.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina6824.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina0994.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina0994.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
2744	1472	WerFault.exe	87
1580	1472	WerFault.exe	87
2636	1472	WerFault.exe	87
208	1472	WerFault.exe	87
4868	1472	WerFault.exe	87
3608	1472	WerFault.exe	87
3896	1472	WerFault.exe	87
1696	1472	WerFault.exe	87
704	1472	WerFault.exe	87
4244	1472	WerFault.exe	87
2392	3820	WerFault.exe	107
3068	3820	WerFault.exe	107
4400	3820	WerFault.exe	107
4452	3820	WerFault.exe	107
928	3820	WerFault.exe	107
2660	3820	WerFault.exe	107
4424	3820	WerFault.exe	107
3728	3820	WerFault.exe	107
2864	3820	WerFault.exe	107
4848	3820	WerFault.exe	107
4304	3820	WerFault.exe	107
736	3820	WerFault.exe	107
4300	880	WerFault.exe	112
3028	2104	WerFault.exe	137
1340	3424	WerFault.exe	140
3412	3820	WerFault.exe	107
4224	3820	WerFault.exe	107
2664	3820	WerFault.exe	107
1072	1336	WerFault.exe	153
1732	3820	WerFault.exe	107

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
456	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2684	az628816.exe
2684	az628816.exe
880	cor4683.exe
880	cor4683.exe
3424	dbL51s91.exe
3424	dbL51s91.exe
2392	ge555530.exe
2392	ge555530.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	az628816.exe
Token: SeDebugPrivilege	880	cor4683.exe
Token: SeDebugPrivilege	3424	dbL51s91.exe
Token: SeDebugPrivilege	2392	ge555530.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1472	bu088656.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 2320	896	38171da5df6c35748ea394a698e024f7f85f12005cf5fc0e86f1c005209bd980.exe	83
PID 896 wrote to memory of 2320	896	38171da5df6c35748ea394a698e024f7f85f12005cf5fc0e86f1c005209bd980.exe	83
PID 896 wrote to memory of 2320	896	38171da5df6c35748ea394a698e024f7f85f12005cf5fc0e86f1c005209bd980.exe	83
PID 2320 wrote to memory of 4840	2320	kina9741.exe	84
PID 2320 wrote to memory of 4840	2320	kina9741.exe	84
PID 2320 wrote to memory of 4840	2320	kina9741.exe	84
PID 4840 wrote to memory of 4292	4840	kina6824.exe	85
PID 4840 wrote to memory of 4292	4840	kina6824.exe	85
PID 4840 wrote to memory of 4292	4840	kina6824.exe	85
PID 4292 wrote to memory of 2684	4292	kina0994.exe	86
PID 4292 wrote to memory of 2684	4292	kina0994.exe	86
PID 4292 wrote to memory of 1472	4292	kina0994.exe	87
PID 4292 wrote to memory of 1472	4292	kina0994.exe	87
PID 4292 wrote to memory of 1472	4292	kina0994.exe	87
PID 1472 wrote to memory of 3820	1472	bu088656.exe	107
PID 1472 wrote to memory of 3820	1472	bu088656.exe	107
PID 1472 wrote to memory of 3820	1472	bu088656.exe	107
PID 4840 wrote to memory of 880	4840	kina6824.exe	112
PID 4840 wrote to memory of 880	4840	kina6824.exe	112
PID 4840 wrote to memory of 880	4840	kina6824.exe	112
PID 3820 wrote to memory of 456	3820	oneetx.exe	127
PID 3820 wrote to memory of 456	3820	oneetx.exe	127
PID 3820 wrote to memory of 456	3820	oneetx.exe	127
PID 2320 wrote to memory of 3424	2320	kina9741.exe	140
PID 2320 wrote to memory of 3424	2320	kina9741.exe	140
PID 2320 wrote to memory of 3424	2320	kina9741.exe	140
PID 896 wrote to memory of 2392	896	38171da5df6c35748ea394a698e024f7f85f12005cf5fc0e86f1c005209bd980.exe	145
PID 896 wrote to memory of 2392	896	38171da5df6c35748ea394a698e024f7f85f12005cf5fc0e86f1c005209bd980.exe	145
PID 896 wrote to memory of 2392	896	38171da5df6c35748ea394a698e024f7f85f12005cf5fc0e86f1c005209bd980.exe	145
PID 3820 wrote to memory of 2160	3820	oneetx.exe	150
PID 3820 wrote to memory of 2160	3820	oneetx.exe	150
PID 3820 wrote to memory of 2160	3820	oneetx.exe	150

C:\Users\Admin\AppData\Local\Temp\38171da5df6c35748ea394a698e024f7f85f12005cf5fc0e86f1c005209bd980.exe
"C:\Users\Admin\AppData\Local\Temp\38171da5df6c35748ea394a698e024f7f85f12005cf5fc0e86f1c005209bd980.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:896
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina9741.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina9741.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina6824.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina6824.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina0994.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina0994.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4292
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az628816.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az628816.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu088656.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu088656.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1472
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 696
        6⤵
        Program crash
        
        PID:2744
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 780
        6⤵
        Program crash
        
        PID:1580
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 856
        6⤵
        Program crash
        
        PID:2636
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 968
        6⤵
        Program crash
        
        PID:208
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 988
        6⤵
        Program crash
        
        PID:4868
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 988
        6⤵
        Program crash
        
        PID:3608
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 1204
        6⤵
        Program crash
        
        PID:3896
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 1224
        6⤵
        Program crash
        
        PID:1696
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 1320
        6⤵
        Program crash
        
        PID:704
      - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 696
        7⤵
        Program crash
        
        PID:2392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1004
        7⤵
        Program crash
        
        PID:3068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1012
        7⤵
        Program crash
        
        PID:4400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1088
        7⤵
        Program crash
        
        PID:4452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1112
        7⤵
        Program crash
        
        PID:928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1080
        7⤵
        Program crash
        
        PID:2660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1112
        7⤵
        Program crash
        
        PID:4424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1108
        7⤵
        Program crash
        
        PID:3728
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 992
        7⤵
        Program crash
        
        PID:2864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1260
        7⤵
        Program crash
        
        PID:4848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 752
        7⤵
        Program crash
        
        PID:4304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 988
        7⤵
        Program crash
        
        PID:736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1120
        7⤵
        Program crash
        
        PID:3412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1628
        7⤵
        Program crash
        
        PID:4224
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:2160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1588
        7⤵
        Program crash
        
        PID:2664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1644
        7⤵
        Program crash
        
        PID:1732
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 1364
        6⤵
        Program crash
        
        PID:4244
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor4683.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor4683.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 1080
        5⤵
        Program crash
        
        PID:4300
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dbL51s91.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dbL51s91.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1352
      4⤵
      Program crash
      PID:1340
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge555530.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge555530.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1472 -ip 1472
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1472 -ip 1472
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1472 -ip 1472
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1472 -ip 1472
1⤵
PID:100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1472 -ip 1472
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1472 -ip 1472
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1472 -ip 1472
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1472 -ip 1472
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1472 -ip 1472
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1472 -ip 1472
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3820 -ip 3820
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3820 -ip 3820
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3820 -ip 3820
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3820 -ip 3820
1⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3820 -ip 3820
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3820 -ip 3820
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3820 -ip 3820
1⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3820 -ip 3820
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3820 -ip 3820
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3820 -ip 3820
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3820 -ip 3820
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3820 -ip 3820
1⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:2104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 312
  2⤵
  - Program crash
  PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 880 -ip 880
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2104 -ip 2104
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3424 -ip 3424
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3820 -ip 3820
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3820 -ip 3820
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3820 -ip 3820
1⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:1336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 320
  2⤵
  - Program crash
  PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1336 -ip 1336
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3820 -ip 3820
1⤵
PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
230KB

MD5
a7caa96759620dc55b4a298fe90efeb6

SHA1
480d06b4464cd8f4ffac02d582d11ccc474dd38e

SHA256
94414772252da78304fb7834e79efe93179f5e62a9293b8c350ea3dd9d1d5575

SHA512
59faeb9232b72e324ef0a8ca25f2c54f742bf9238f00688ab78ce4cf67c2117aada695030300ca5d7a2b1ff694248e6c2e534da4a71147b3002c337aed9b574d

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
230KB

MD5
a7caa96759620dc55b4a298fe90efeb6

SHA1
480d06b4464cd8f4ffac02d582d11ccc474dd38e

SHA256
94414772252da78304fb7834e79efe93179f5e62a9293b8c350ea3dd9d1d5575

SHA512
59faeb9232b72e324ef0a8ca25f2c54f742bf9238f00688ab78ce4cf67c2117aada695030300ca5d7a2b1ff694248e6c2e534da4a71147b3002c337aed9b574d

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
230KB

MD5
a7caa96759620dc55b4a298fe90efeb6

SHA1
480d06b4464cd8f4ffac02d582d11ccc474dd38e

SHA256
94414772252da78304fb7834e79efe93179f5e62a9293b8c350ea3dd9d1d5575

SHA512
59faeb9232b72e324ef0a8ca25f2c54f742bf9238f00688ab78ce4cf67c2117aada695030300ca5d7a2b1ff694248e6c2e534da4a71147b3002c337aed9b574d

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
230KB

MD5
a7caa96759620dc55b4a298fe90efeb6

SHA1
480d06b4464cd8f4ffac02d582d11ccc474dd38e

SHA256
94414772252da78304fb7834e79efe93179f5e62a9293b8c350ea3dd9d1d5575

SHA512
59faeb9232b72e324ef0a8ca25f2c54f742bf9238f00688ab78ce4cf67c2117aada695030300ca5d7a2b1ff694248e6c2e534da4a71147b3002c337aed9b574d

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
230KB

MD5
a7caa96759620dc55b4a298fe90efeb6

SHA1
480d06b4464cd8f4ffac02d582d11ccc474dd38e

SHA256
94414772252da78304fb7834e79efe93179f5e62a9293b8c350ea3dd9d1d5575

SHA512
59faeb9232b72e324ef0a8ca25f2c54f742bf9238f00688ab78ce4cf67c2117aada695030300ca5d7a2b1ff694248e6c2e534da4a71147b3002c337aed9b574d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge555530.exe

Filesize
175KB

MD5
47b52e7049909e34f093a814f4d0a4aa

SHA1
af61fcd6bba0cba8fd43d5082cadd754a58db5c1

SHA256
ab6ea41c93266c2e20a168fdc19f03efb8d2296e268868b2898704023318e02d

SHA512
4a6315154352c8b16a2fecc70db4ad5a48e6ed9bbc16d7e030c2bb87a9a7314e6c131fb232066267fcb8122c96b8fbb3c639569438c75fb42268c02a199ded43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge555530.exe

Filesize
175KB

MD5
47b52e7049909e34f093a814f4d0a4aa

SHA1
af61fcd6bba0cba8fd43d5082cadd754a58db5c1

SHA256
ab6ea41c93266c2e20a168fdc19f03efb8d2296e268868b2898704023318e02d

SHA512
4a6315154352c8b16a2fecc70db4ad5a48e6ed9bbc16d7e030c2bb87a9a7314e6c131fb232066267fcb8122c96b8fbb3c639569438c75fb42268c02a199ded43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina9741.exe

Filesize
919KB

MD5
fcdb30b2cbbc75f31c8d7c3f7a5e2b0e

SHA1
1ad3f8dc5f13c35265d26df577d03c9e6c541ec7

SHA256
c45a8e9898ad5d72d69746550b6edbd994ca8dea1fd8ec3beb5327add39b0e4e

SHA512
7322d86713bc81e419e623f081067c845803778ac58cfc210ec651dac86acd481a8c0deca72a586f27938d9740a095f21f277f970e4cfcc160f308d6bc477e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina9741.exe

Filesize
919KB

MD5
fcdb30b2cbbc75f31c8d7c3f7a5e2b0e

SHA1
1ad3f8dc5f13c35265d26df577d03c9e6c541ec7

SHA256
c45a8e9898ad5d72d69746550b6edbd994ca8dea1fd8ec3beb5327add39b0e4e

SHA512
7322d86713bc81e419e623f081067c845803778ac58cfc210ec651dac86acd481a8c0deca72a586f27938d9740a095f21f277f970e4cfcc160f308d6bc477e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dbL51s91.exe

Filesize
297KB

MD5
91cca8438f0f59e00b3ceaf34f66426d

SHA1
4307a1004b42773117bc31df5526025a1b39ce1a

SHA256
451b44ef19d90478c2a76688982d4bf5e652b2a252d457cea6fb48e7e4197c8a

SHA512
47fee0624dc64ee0f83a1b230060ac8d03bda10edc0d102f784cb59f9464ddc96a466f83ea369c7b84a61262798fd47777a0ab693c42c057faa47a93a753dd0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dbL51s91.exe

Filesize
297KB

MD5
91cca8438f0f59e00b3ceaf34f66426d

SHA1
4307a1004b42773117bc31df5526025a1b39ce1a

SHA256
451b44ef19d90478c2a76688982d4bf5e652b2a252d457cea6fb48e7e4197c8a

SHA512
47fee0624dc64ee0f83a1b230060ac8d03bda10edc0d102f784cb59f9464ddc96a466f83ea369c7b84a61262798fd47777a0ab693c42c057faa47a93a753dd0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina6824.exe

Filesize
588KB

MD5
ea58800ce16c3ec230f1e2defefba425

SHA1
9385b8c66ec8e2a65f209ce64fc5c115722a71bc

SHA256
6fe5b5881e72160c8ac17b1c00a5aa8285d89e07425b3c8cc58eaab7bd09f2b5

SHA512
bfeda5e3e1a6968e191db9b1bd6142d6270be4f4c0ab6c3a90c78b405d75add2d8e259ccc972195503fdd1f105548af925e5e39c454fa3e1d5c97f21d4752f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina6824.exe

Filesize
588KB

MD5
ea58800ce16c3ec230f1e2defefba425

SHA1
9385b8c66ec8e2a65f209ce64fc5c115722a71bc

SHA256
6fe5b5881e72160c8ac17b1c00a5aa8285d89e07425b3c8cc58eaab7bd09f2b5

SHA512
bfeda5e3e1a6968e191db9b1bd6142d6270be4f4c0ab6c3a90c78b405d75add2d8e259ccc972195503fdd1f105548af925e5e39c454fa3e1d5c97f21d4752f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor4683.exe

Filesize
238KB

MD5
886b7cd62fe3ba4a65b95270676807fb

SHA1
a2a7c5733e930750e84f9fbf1bd183ded53c3ba2

SHA256
e1f7d92c192ceab5df1764827aa8035efb9894ea7fddb328addbcf21048e3059

SHA512
a1c36e6ad42a1806eb8593d4a3f8507a3011e147d4acb93d6faf7d4da1c07e16c85800ffc6851696c57507e391be891f6fba4862bf69bf955603154c07edfb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor4683.exe

Filesize
238KB

MD5
886b7cd62fe3ba4a65b95270676807fb

SHA1
a2a7c5733e930750e84f9fbf1bd183ded53c3ba2

SHA256
e1f7d92c192ceab5df1764827aa8035efb9894ea7fddb328addbcf21048e3059

SHA512
a1c36e6ad42a1806eb8593d4a3f8507a3011e147d4acb93d6faf7d4da1c07e16c85800ffc6851696c57507e391be891f6fba4862bf69bf955603154c07edfb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina0994.exe

Filesize
315KB

MD5
61ddd92753660ce28295dc132a8ecfda

SHA1
08725878d5c7c2e1fcb2ca1bd80eb5c55208cf23

SHA256
5480d12d3a9ca534d7d1fa3d65d944c23f967abcda24ece0ce41248c7e9ee2b2

SHA512
2ad9c139cfec8db5d55f95f391a7a0d656684a4a83daf72fb1d8f217fe57477427bd0328d1d2735739ddca0de29032e679cfd382ac261edf1f6f1a0ae4cf0c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina0994.exe

Filesize
315KB

MD5
61ddd92753660ce28295dc132a8ecfda

SHA1
08725878d5c7c2e1fcb2ca1bd80eb5c55208cf23

SHA256
5480d12d3a9ca534d7d1fa3d65d944c23f967abcda24ece0ce41248c7e9ee2b2

SHA512
2ad9c139cfec8db5d55f95f391a7a0d656684a4a83daf72fb1d8f217fe57477427bd0328d1d2735739ddca0de29032e679cfd382ac261edf1f6f1a0ae4cf0c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az628816.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az628816.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu088656.exe

Filesize
230KB

MD5
a7caa96759620dc55b4a298fe90efeb6

SHA1
480d06b4464cd8f4ffac02d582d11ccc474dd38e

SHA256
94414772252da78304fb7834e79efe93179f5e62a9293b8c350ea3dd9d1d5575

SHA512
59faeb9232b72e324ef0a8ca25f2c54f742bf9238f00688ab78ce4cf67c2117aada695030300ca5d7a2b1ff694248e6c2e534da4a71147b3002c337aed9b574d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu088656.exe

Filesize
230KB

MD5
a7caa96759620dc55b4a298fe90efeb6

SHA1
480d06b4464cd8f4ffac02d582d11ccc474dd38e

SHA256
94414772252da78304fb7834e79efe93179f5e62a9293b8c350ea3dd9d1d5575

SHA512
59faeb9232b72e324ef0a8ca25f2c54f742bf9238f00688ab78ce4cf67c2117aada695030300ca5d7a2b1ff694248e6c2e534da4a71147b3002c337aed9b574d

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/880-195-0x00000000005A0000-0x00000000005CD000-memory.dmp

Filesize
180KB

Download
memory/880-196-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/880-201-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/880-200-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/880-203-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/880-205-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/880-207-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/880-209-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/880-211-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/880-213-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/880-215-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/880-217-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/880-219-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/880-191-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/880-221-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/880-199-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/880-223-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/880-224-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/880-225-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/880-228-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/880-197-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/880-193-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/880-189-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/880-188-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/880-187-0x0000000004A50000-0x0000000004FF4000-memory.dmp

Filesize
5.6MB

Download
memory/1472-182-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1472-167-0x0000000000580000-0x00000000005BB000-memory.dmp

Filesize
236KB

Download
memory/2104-233-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2392-1168-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2392-1167-0x0000000000360000-0x0000000000392000-memory.dmp

Filesize
200KB

Download
memory/2684-161-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/3424-249-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3424-1151-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3424-245-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3424-251-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3424-253-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3424-255-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3424-257-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3424-259-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3424-261-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3424-263-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3424-265-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3424-267-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3424-1144-0x00000000051C0000-0x00000000057D8000-memory.dmp

Filesize
6.1MB

Download
memory/3424-1145-0x00000000057E0000-0x00000000058EA000-memory.dmp

Filesize
1.0MB

Download
memory/3424-1146-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/3424-1147-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3424-1148-0x00000000058F0000-0x000000000592C000-memory.dmp

Filesize
240KB

Download
memory/3424-247-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3424-1152-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3424-1153-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3424-1154-0x0000000005BB0000-0x0000000005C42000-memory.dmp

Filesize
584KB

Download
memory/3424-1155-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/3424-1156-0x00000000065C0000-0x0000000006782000-memory.dmp

Filesize
1.8MB

Download
memory/3424-1157-0x0000000006790000-0x0000000006CBC000-memory.dmp

Filesize
5.2MB

Download
memory/3424-1158-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3424-1159-0x0000000006E00000-0x0000000006E76000-memory.dmp

Filesize
472KB

Download
memory/3424-1160-0x0000000006E90000-0x0000000006EE0000-memory.dmp

Filesize
320KB

Download
memory/3424-243-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3424-241-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3424-236-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3424-240-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3424-239-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3424-237-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3424-235-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3424-234-0x00000000006B0000-0x00000000006FB000-memory.dmp

Filesize
300KB

Download
memory/3820-220-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download