amadey | 56eee095cdd406fe92747f5264c67c6a9f1ec584e74adaec2ad179375dc173c9

Analysis

max time kernel
149s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2023 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56eee095cdd406fe92747f5264c67c6a9f1ec584e74adaec2ad179375dc173c9.exe
Size

1.1MB
MD5

3155b1d1a84ef718bf1a107bea091925
SHA1

759eaa44740bd2a95546805e64a4c4946cf71da1
SHA256

56eee095cdd406fe92747f5264c67c6a9f1ec584e74adaec2ad179375dc173c9
SHA512

def523a3fbb508d7c413f05698d8b0a201cfac783ecf8faf38c6ebec6689485512b6cc4835cfd507c33ee7f3b725e22535eeeba9abfdeacdaa19b5ec4ae02156
SSDEEP

24576:Xyul8KmwzCPnoLgqld2yqguMVu9cEBBOyy+xskkNznz2:iul8KmfPoLgqj2xguCU/lLxvw

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr718561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr718561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr718561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr718561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr718561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr718561.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	qu807606.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	si892163.exe

Executes dropped EXE 10 IoCs

pid	Process
1660	un869500.exe
4980	un392265.exe
3064	pr718561.exe
4444	qu807606.exe
1924	1.exe
3252	rk010234.exe
3372	si892163.exe
3024	oneetx.exe
408	oneetx.exe
4196	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
1372	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr718561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr718561.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un392265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un392265.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	56eee095cdd406fe92747f5264c67c6a9f1ec584e74adaec2ad179375dc173c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	56eee095cdd406fe92747f5264c67c6a9f1ec584e74adaec2ad179375dc173c9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un869500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un869500.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
4376	3064	WerFault.exe	88
3664	4444	WerFault.exe	94
3208	3372	WerFault.exe	101
640	3372	WerFault.exe	101
3580	3372	WerFault.exe	101
2620	3372	WerFault.exe	101
2912	3372	WerFault.exe	101
2196	3372	WerFault.exe	101
1792	3372	WerFault.exe	101
4656	3372	WerFault.exe	101
1848	3372	WerFault.exe	101
3376	3372	WerFault.exe	101
5112	3024	WerFault.exe	123
1196	3024	WerFault.exe	123
1520	3024	WerFault.exe	123
1580	3024	WerFault.exe	123
3092	3024	WerFault.exe	123
1796	3024	WerFault.exe	123
4688	3024	WerFault.exe	123
1612	3024	WerFault.exe	123
3704	3024	WerFault.exe	123
2740	3024	WerFault.exe	123
1100	3024	WerFault.exe	123
1868	3024	WerFault.exe	123
1044	408	WerFault.exe	152
3416	3024	WerFault.exe	123
3652	3024	WerFault.exe	123
2904	3024	WerFault.exe	123
3228	4196	WerFault.exe	162
3340	3024	WerFault.exe	123

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3064	pr718561.exe
3064	pr718561.exe
3252	rk010234.exe
1924	1.exe
1924	1.exe
3252	rk010234.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	pr718561.exe
Token: SeDebugPrivilege	4444	qu807606.exe
Token: SeDebugPrivilege	3252	rk010234.exe
Token: SeDebugPrivilege	1924	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3372	si892163.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 1660	3420	56eee095cdd406fe92747f5264c67c6a9f1ec584e74adaec2ad179375dc173c9.exe	86
PID 3420 wrote to memory of 1660	3420	56eee095cdd406fe92747f5264c67c6a9f1ec584e74adaec2ad179375dc173c9.exe	86
PID 3420 wrote to memory of 1660	3420	56eee095cdd406fe92747f5264c67c6a9f1ec584e74adaec2ad179375dc173c9.exe	86
PID 1660 wrote to memory of 4980	1660	un869500.exe	87
PID 1660 wrote to memory of 4980	1660	un869500.exe	87
PID 1660 wrote to memory of 4980	1660	un869500.exe	87
PID 4980 wrote to memory of 3064	4980	un392265.exe	88
PID 4980 wrote to memory of 3064	4980	un392265.exe	88
PID 4980 wrote to memory of 3064	4980	un392265.exe	88
PID 4980 wrote to memory of 4444	4980	un392265.exe	94
PID 4980 wrote to memory of 4444	4980	un392265.exe	94
PID 4980 wrote to memory of 4444	4980	un392265.exe	94
PID 4444 wrote to memory of 1924	4444	qu807606.exe	95
PID 4444 wrote to memory of 1924	4444	qu807606.exe	95
PID 4444 wrote to memory of 1924	4444	qu807606.exe	95
PID 1660 wrote to memory of 3252	1660	un869500.exe	98
PID 1660 wrote to memory of 3252	1660	un869500.exe	98
PID 1660 wrote to memory of 3252	1660	un869500.exe	98
PID 3420 wrote to memory of 3372	3420	56eee095cdd406fe92747f5264c67c6a9f1ec584e74adaec2ad179375dc173c9.exe	101
PID 3420 wrote to memory of 3372	3420	56eee095cdd406fe92747f5264c67c6a9f1ec584e74adaec2ad179375dc173c9.exe	101
PID 3420 wrote to memory of 3372	3420	56eee095cdd406fe92747f5264c67c6a9f1ec584e74adaec2ad179375dc173c9.exe	101
PID 3372 wrote to memory of 3024	3372	si892163.exe	123
PID 3372 wrote to memory of 3024	3372	si892163.exe	123
PID 3372 wrote to memory of 3024	3372	si892163.exe	123
PID 3024 wrote to memory of 412	3024	oneetx.exe	140
PID 3024 wrote to memory of 412	3024	oneetx.exe	140
PID 3024 wrote to memory of 412	3024	oneetx.exe	140
PID 3024 wrote to memory of 1372	3024	oneetx.exe	159
PID 3024 wrote to memory of 1372	3024	oneetx.exe	159
PID 3024 wrote to memory of 1372	3024	oneetx.exe	159

C:\Users\Admin\AppData\Local\Temp\56eee095cdd406fe92747f5264c67c6a9f1ec584e74adaec2ad179375dc173c9.exe
"C:\Users\Admin\AppData\Local\Temp\56eee095cdd406fe92747f5264c67c6a9f1ec584e74adaec2ad179375dc173c9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un869500.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un869500.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un392265.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un392265.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr718561.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr718561.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3064
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1084
        5⤵
        Program crash
        
        PID:4376
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu807606.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu807606.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1384
        5⤵
        Program crash
        
        PID:3664
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk010234.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk010234.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3252
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si892163.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si892163.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 712
    3⤵
    - Program crash
    PID:3208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 796
    3⤵
    - Program crash
    PID:640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 860
    3⤵
    - Program crash
    PID:3580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 980
    3⤵
    - Program crash
    PID:2620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 988
    3⤵
    - Program crash
    PID:2912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 996
    3⤵
    - Program crash
    PID:2196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1224
    3⤵
    - Program crash
    PID:1792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1248
    3⤵
    - Program crash
    PID:4656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1320
    3⤵
    - Program crash
    PID:1848
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 708
      4⤵
      Program crash
      PID:5112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 796
      4⤵
      Program crash
      PID:1196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 880
      4⤵
      Program crash
      PID:1520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1056
      4⤵
      Program crash
      PID:1580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1064
      4⤵
      Program crash
      PID:3092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1064
      4⤵
      Program crash
      PID:1796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1124
      4⤵
      Program crash
      PID:4688
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1012
      4⤵
      Program crash
      PID:1612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 904
      4⤵
      Program crash
      PID:3704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1264
      4⤵
      Program crash
      PID:2740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1284
      4⤵
      Program crash
      PID:1100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1436
      4⤵
      Program crash
      PID:1868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1100
      4⤵
      Program crash
      PID:3416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1656
      4⤵
      Program crash
      PID:3652
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:1372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1104
      4⤵
      Program crash
      PID:2904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1664
      4⤵
      Program crash
      PID:3340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1344
    3⤵
    - Program crash
    PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3064 -ip 3064
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4444 -ip 4444
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3372 -ip 3372
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3372 -ip 3372
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3372 -ip 3372
1⤵
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3372 -ip 3372
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3372 -ip 3372
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3372 -ip 3372
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3372 -ip 3372
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3372 -ip 3372
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3372 -ip 3372
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3372 -ip 3372
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3024 -ip 3024
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3024 -ip 3024
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3024 -ip 3024
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3024 -ip 3024
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3024 -ip 3024
1⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3024 -ip 3024
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3024 -ip 3024
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3024 -ip 3024
1⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3024 -ip 3024
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3024 -ip 3024
1⤵
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3024 -ip 3024
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3024 -ip 3024
1⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 424
  2⤵
  - Program crash
  PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 408 -ip 408
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3024 -ip 3024
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3024 -ip 3024
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3024 -ip 3024
1⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 432
  2⤵
  - Program crash
  PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4196 -ip 4196
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3024 -ip 3024
1⤵
PID:5100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si892163.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si892163.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un869500.exe

Filesize
819KB

MD5
80b5e4dba5105997f4d9c49e8b5ac5d0

SHA1
bb669bc3ec0b6c912c303ce30b5d9e26448b1284

SHA256
04358e64eb6b95d89cb3bfdbb29fb13e14d86e0313379c0188448a437921953a

SHA512
582377676f05aa0aaef1f4be2087bfb68f909c64d7f58a46c37f22e9d65bde8bb668f4361b1eb7ea68f9cd8b69c95597feb002d539533d2c6e4037ad236c8284

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un869500.exe

Filesize
819KB

MD5
80b5e4dba5105997f4d9c49e8b5ac5d0

SHA1
bb669bc3ec0b6c912c303ce30b5d9e26448b1284

SHA256
04358e64eb6b95d89cb3bfdbb29fb13e14d86e0313379c0188448a437921953a

SHA512
582377676f05aa0aaef1f4be2087bfb68f909c64d7f58a46c37f22e9d65bde8bb668f4361b1eb7ea68f9cd8b69c95597feb002d539533d2c6e4037ad236c8284

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk010234.exe

Filesize
168KB

MD5
9ae9a41c3cc4a0a3a52f5ca2742542ad

SHA1
7594f31023d48c5942d884f3f03337465bce4167

SHA256
f59f1aa1e26312ff4b9cd7bb2dd4e2d49af1b8d34a67852d743ecb7cf1139ef2

SHA512
30f7565096a64b1d8c71185246eb7b2729fb32729ddabdb8f6f86a5fd69c0679c270f327a607fd553f4cdae94330146b8ec982de71d0337516152ab3afed9fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk010234.exe

Filesize
168KB

MD5
9ae9a41c3cc4a0a3a52f5ca2742542ad

SHA1
7594f31023d48c5942d884f3f03337465bce4167

SHA256
f59f1aa1e26312ff4b9cd7bb2dd4e2d49af1b8d34a67852d743ecb7cf1139ef2

SHA512
30f7565096a64b1d8c71185246eb7b2729fb32729ddabdb8f6f86a5fd69c0679c270f327a607fd553f4cdae94330146b8ec982de71d0337516152ab3afed9fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un392265.exe

Filesize
666KB

MD5
feddb854cccc3dd04b37b7199dd4b6e1

SHA1
90248161f83c8d97cdf71414816633716146ba57

SHA256
878398ea0e4b4111a284b669ecf0a9d4821b183cb94b987e0040f3888cf16139

SHA512
37d430b7ca74e0ba556aacfe02bd3247f74124141d63059092930a7248fa2ee72136edcb7118d306dad49eb6c1c2a27dbbada57e52053a6be113223cf972e644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un392265.exe

Filesize
666KB

MD5
feddb854cccc3dd04b37b7199dd4b6e1

SHA1
90248161f83c8d97cdf71414816633716146ba57

SHA256
878398ea0e4b4111a284b669ecf0a9d4821b183cb94b987e0040f3888cf16139

SHA512
37d430b7ca74e0ba556aacfe02bd3247f74124141d63059092930a7248fa2ee72136edcb7118d306dad49eb6c1c2a27dbbada57e52053a6be113223cf972e644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr718561.exe

Filesize
318KB

MD5
d6583b4e04f6a249b5ccacd939637642

SHA1
ef4c14c66b23f39874397e3adeb58baa0a94de64

SHA256
2a630ab8aebbce7877933155bd5ce5ec5dc880a335d924c863780c3bf66dc179

SHA512
9bb13d588f8f53f8aa0600dbe6c3270d8a8f25f0c692e91261cf2d42635f2db200fcd00041821073be0f951f00500320391d4d510a0b07f941979e80d3d1e7f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr718561.exe

Filesize
318KB

MD5
d6583b4e04f6a249b5ccacd939637642

SHA1
ef4c14c66b23f39874397e3adeb58baa0a94de64

SHA256
2a630ab8aebbce7877933155bd5ce5ec5dc880a335d924c863780c3bf66dc179

SHA512
9bb13d588f8f53f8aa0600dbe6c3270d8a8f25f0c692e91261cf2d42635f2db200fcd00041821073be0f951f00500320391d4d510a0b07f941979e80d3d1e7f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu807606.exe

Filesize
502KB

MD5
f4bd5d622f616872b0c2c90fcd32d7db

SHA1
e7f1e10003fd314cdea583a187987bdbe397e359

SHA256
cf5ebf69d90a70ec0e2b84f0dc2492007ceca49632679bfa0ff5d98d088f501b

SHA512
f0dadcc0dcb8a661a6345abbc2c20e795cbff9d0dc3137bc69fd2d58800e74a433148766488c3caf8cca1583968d7054f59e6ca5ab41b011ba8123b7670cbee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu807606.exe

Filesize
502KB

MD5
f4bd5d622f616872b0c2c90fcd32d7db

SHA1
e7f1e10003fd314cdea583a187987bdbe397e359

SHA256
cf5ebf69d90a70ec0e2b84f0dc2492007ceca49632679bfa0ff5d98d088f501b

SHA512
f0dadcc0dcb8a661a6345abbc2c20e795cbff9d0dc3137bc69fd2d58800e74a433148766488c3caf8cca1583968d7054f59e6ca5ab41b011ba8123b7670cbee2

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/1924-2362-0x0000000005A90000-0x00000000060A8000-memory.dmp

Filesize
6.1MB

Download
memory/1924-2368-0x0000000005730000-0x00000000057A6000-memory.dmp

Filesize
472KB

Download
memory/1924-2374-0x0000000006970000-0x0000000006B32000-memory.dmp

Filesize
1.8MB

Download
memory/1924-2363-0x0000000005580000-0x000000000568A000-memory.dmp

Filesize
1.0MB

Download
memory/1924-2356-0x0000000000A70000-0x0000000000A9E000-memory.dmp

Filesize
184KB

Download
memory/1924-2364-0x00000000052C0000-0x00000000052D2000-memory.dmp

Filesize
72KB

Download
memory/1924-2371-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/1924-2365-0x0000000005320000-0x000000000535C000-memory.dmp

Filesize
240KB

Download
memory/1924-2366-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/3064-185-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3064-191-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3064-155-0x0000000000720000-0x000000000074D000-memory.dmp

Filesize
180KB

Download
memory/3064-156-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3064-157-0x0000000004D70000-0x0000000005314000-memory.dmp

Filesize
5.6MB

Download
memory/3064-158-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3064-159-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3064-161-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3064-165-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3064-167-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3064-169-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3064-171-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3064-163-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3064-173-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3064-175-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3064-179-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3064-183-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3064-181-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3064-177-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3064-186-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3064-187-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3064-188-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3064-189-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3064-193-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3064-192-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3252-2372-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/3252-2367-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/3252-2361-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/3252-2375-0x000000000C480000-0x000000000C9AC000-memory.dmp

Filesize
5.2MB

Download
memory/3252-2373-0x000000000B4C0000-0x000000000B510000-memory.dmp

Filesize
320KB

Download
memory/3252-2370-0x000000000A860000-0x000000000A8C6000-memory.dmp

Filesize
408KB

Download
memory/3252-2369-0x000000000A7C0000-0x000000000A852000-memory.dmp

Filesize
584KB

Download
memory/3372-2382-0x0000000002000000-0x000000000203B000-memory.dmp

Filesize
236KB

Download
memory/4444-226-0x00000000025B0000-0x0000000002610000-memory.dmp

Filesize
384KB

Download
memory/4444-221-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4444-223-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4444-228-0x00000000025B0000-0x0000000002610000-memory.dmp

Filesize
384KB

Download
memory/4444-230-0x00000000025B0000-0x0000000002610000-memory.dmp

Filesize
384KB

Download
memory/4444-224-0x00000000025B0000-0x0000000002610000-memory.dmp

Filesize
384KB

Download
memory/4444-199-0x00000000025B0000-0x0000000002610000-memory.dmp

Filesize
384KB

Download
memory/4444-232-0x00000000025B0000-0x0000000002610000-memory.dmp

Filesize
384KB

Download
memory/4444-219-0x0000000002120000-0x000000000217B000-memory.dmp

Filesize
364KB

Download
memory/4444-234-0x00000000025B0000-0x0000000002610000-memory.dmp

Filesize
384KB

Download
memory/4444-220-0x00000000025B0000-0x0000000002610000-memory.dmp

Filesize
384KB

Download
memory/4444-198-0x00000000025B0000-0x0000000002610000-memory.dmp

Filesize
384KB

Download
memory/4444-2345-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4444-217-0x00000000025B0000-0x0000000002610000-memory.dmp

Filesize
384KB

Download
memory/4444-215-0x00000000025B0000-0x0000000002610000-memory.dmp

Filesize
384KB

Download
memory/4444-213-0x00000000025B0000-0x0000000002610000-memory.dmp

Filesize
384KB

Download
memory/4444-211-0x00000000025B0000-0x0000000002610000-memory.dmp

Filesize
384KB

Download
memory/4444-209-0x00000000025B0000-0x0000000002610000-memory.dmp

Filesize
384KB

Download
memory/4444-207-0x00000000025B0000-0x0000000002610000-memory.dmp

Filesize
384KB

Download
memory/4444-205-0x00000000025B0000-0x0000000002610000-memory.dmp

Filesize
384KB

Download
memory/4444-203-0x00000000025B0000-0x0000000002610000-memory.dmp

Filesize
384KB

Download
memory/4444-201-0x00000000025B0000-0x0000000002610000-memory.dmp

Filesize
384KB

Download