amadey | 32468e8c49dbc74c1b19de54eeefb5c4a04e8d0f8d21b6180d97ff2a5bf1fd50

Analysis

max time kernel
147s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2023 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32468e8c49dbc74c1b19de54eeefb5c4a04e8d0f8d21b6180d97ff2a5bf1fd50.exe
Size

1.0MB
MD5

bef1e04f9a46d531a84c90a0c4089c23
SHA1

5a0f2030ef1569c478963c6373528b5f64d4b6c2
SHA256

32468e8c49dbc74c1b19de54eeefb5c4a04e8d0f8d21b6180d97ff2a5bf1fd50
SHA512

01401739351c258d758be744dd7be9c0261282700de408dbfcecb97989ef8d9c649c9512bd4998e19c09b8e839b1cf4cfba62dd5a68eaffe0d4afe516e83656f
SSDEEP

24576:ZyXL7k6kRCrl0Xh4ukFwPSXQu3QD9/ShJjRwtnTb72IvUlSeWD4I:MXLo6Dl9Py9/SXdwlv72yNeW0

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

it368672.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it368672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it368672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it368672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it368672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it368672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it368672.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jr329234.exelr414244.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	jr329234.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	lr414244.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

Processes:

ziHR9065.exezirG8038.exeit368672.exejr329234.exe1.exekp963675.exelr414244.exeoneetx.exeoneetx.exe

pid process

2148 ziHR9065.exe
1188 zirG8038.exe
4564 it368672.exe
2500 jr329234.exe
4424 1.exe
2396 kp963675.exe
2312 lr414244.exe
1836 oneetx.exe
1920 oneetx.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2604 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

it368672.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it368672.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2148	ziHR9065.exe
1188	zirG8038.exe
4564	it368672.exe
2500	jr329234.exe
4424	1.exe
2396	kp963675.exe
2312	lr414244.exe
1836	oneetx.exe
1920	oneetx.exe

pid	process
2604	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it368672.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zirG8038.exe32468e8c49dbc74c1b19de54eeefb5c4a04e8d0f8d21b6180d97ff2a5bf1fd50.exeziHR9065.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zirG8038.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zirG8038.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	32468e8c49dbc74c1b19de54eeefb5c4a04e8d0f8d21b6180d97ff2a5bf1fd50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	32468e8c49dbc74c1b19de54eeefb5c4a04e8d0f8d21b6180d97ff2a5bf1fd50.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziHR9065.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziHR9065.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
684	2500	WerFault.exe	jr329234.exe
1536	2312	WerFault.exe	lr414244.exe
2036	2312	WerFault.exe	lr414244.exe
3780	2312	WerFault.exe	lr414244.exe
3996	2312	WerFault.exe	lr414244.exe
2220	2312	WerFault.exe	lr414244.exe
2724	2312	WerFault.exe	lr414244.exe
1124	2312	WerFault.exe	lr414244.exe
4228	2312	WerFault.exe	lr414244.exe
1280	2312	WerFault.exe	lr414244.exe
2712	2312	WerFault.exe	lr414244.exe
2708	2312	WerFault.exe	lr414244.exe
3552	1836	WerFault.exe	oneetx.exe
380	1836	WerFault.exe	oneetx.exe
3220	1836	WerFault.exe	oneetx.exe
4540	1836	WerFault.exe	oneetx.exe
1472	1836	WerFault.exe	oneetx.exe
1548	1836	WerFault.exe	oneetx.exe
632	1836	WerFault.exe	oneetx.exe
1432	1836	WerFault.exe	oneetx.exe
3200	1836	WerFault.exe	oneetx.exe
1112	1836	WerFault.exe	oneetx.exe
1912	1836	WerFault.exe	oneetx.exe
1752	1836	WerFault.exe	oneetx.exe
2516	1920	WerFault.exe	oneetx.exe
4416	1920	WerFault.exe	oneetx.exe
4956	1920	WerFault.exe	oneetx.exe
2368	1836	WerFault.exe	oneetx.exe
1512	1836	WerFault.exe	oneetx.exe
2096	1836	WerFault.exe	oneetx.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4844 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

it368672.exe1.exekp963675.exe

pid process

4564 it368672.exe
4564 it368672.exe
4424 1.exe
2396 kp963675.exe
2396 kp963675.exe
4424 1.exe

pid	process
4844	schtasks.exe

pid	process
4564	it368672.exe
4564	it368672.exe
4424	1.exe
2396	kp963675.exe
2396	kp963675.exe
4424	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

it368672.exejr329234.exe1.exekp963675.exe

description	pid	process
Token: SeDebugPrivilege	4564	it368672.exe
Token: SeDebugPrivilege	2500	jr329234.exe
Token: SeDebugPrivilege	4424	1.exe
Token: SeDebugPrivilege	2396	kp963675.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

lr414244.exe

pid process

2312 lr414244.exe

pid	process
2312	lr414244.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

32468e8c49dbc74c1b19de54eeefb5c4a04e8d0f8d21b6180d97ff2a5bf1fd50.exeziHR9065.exezirG8038.exejr329234.exelr414244.exeoneetx.exe

description	pid	process	target process
PID 1028 wrote to memory of 2148	1028	32468e8c49dbc74c1b19de54eeefb5c4a04e8d0f8d21b6180d97ff2a5bf1fd50.exe	ziHR9065.exe
PID 1028 wrote to memory of 2148	1028	32468e8c49dbc74c1b19de54eeefb5c4a04e8d0f8d21b6180d97ff2a5bf1fd50.exe	ziHR9065.exe
PID 1028 wrote to memory of 2148	1028	32468e8c49dbc74c1b19de54eeefb5c4a04e8d0f8d21b6180d97ff2a5bf1fd50.exe	ziHR9065.exe
PID 2148 wrote to memory of 1188	2148	ziHR9065.exe	zirG8038.exe
PID 2148 wrote to memory of 1188	2148	ziHR9065.exe	zirG8038.exe
PID 2148 wrote to memory of 1188	2148	ziHR9065.exe	zirG8038.exe
PID 1188 wrote to memory of 4564	1188	zirG8038.exe	it368672.exe
PID 1188 wrote to memory of 4564	1188	zirG8038.exe	it368672.exe
PID 1188 wrote to memory of 2500	1188	zirG8038.exe	jr329234.exe
PID 1188 wrote to memory of 2500	1188	zirG8038.exe	jr329234.exe
PID 1188 wrote to memory of 2500	1188	zirG8038.exe	jr329234.exe
PID 2500 wrote to memory of 4424	2500	jr329234.exe	1.exe
PID 2500 wrote to memory of 4424	2500	jr329234.exe	1.exe
PID 2500 wrote to memory of 4424	2500	jr329234.exe	1.exe
PID 2148 wrote to memory of 2396	2148	ziHR9065.exe	kp963675.exe
PID 2148 wrote to memory of 2396	2148	ziHR9065.exe	kp963675.exe
PID 2148 wrote to memory of 2396	2148	ziHR9065.exe	kp963675.exe
PID 1028 wrote to memory of 2312	1028	32468e8c49dbc74c1b19de54eeefb5c4a04e8d0f8d21b6180d97ff2a5bf1fd50.exe	lr414244.exe
PID 1028 wrote to memory of 2312	1028	32468e8c49dbc74c1b19de54eeefb5c4a04e8d0f8d21b6180d97ff2a5bf1fd50.exe	lr414244.exe
PID 1028 wrote to memory of 2312	1028	32468e8c49dbc74c1b19de54eeefb5c4a04e8d0f8d21b6180d97ff2a5bf1fd50.exe	lr414244.exe
PID 2312 wrote to memory of 1836	2312	lr414244.exe	oneetx.exe
PID 2312 wrote to memory of 1836	2312	lr414244.exe	oneetx.exe
PID 2312 wrote to memory of 1836	2312	lr414244.exe	oneetx.exe
PID 1836 wrote to memory of 4844	1836	oneetx.exe	schtasks.exe
PID 1836 wrote to memory of 4844	1836	oneetx.exe	schtasks.exe
PID 1836 wrote to memory of 4844	1836	oneetx.exe	schtasks.exe
PID 1836 wrote to memory of 2604	1836	oneetx.exe	rundll32.exe
PID 1836 wrote to memory of 2604	1836	oneetx.exe	rundll32.exe
PID 1836 wrote to memory of 2604	1836	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\32468e8c49dbc74c1b19de54eeefb5c4a04e8d0f8d21b6180d97ff2a5bf1fd50.exe
"C:\Users\Admin\AppData\Local\Temp\32468e8c49dbc74c1b19de54eeefb5c4a04e8d0f8d21b6180d97ff2a5bf1fd50.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHR9065.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHR9065.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zirG8038.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zirG8038.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it368672.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it368672.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr329234.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr329234.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 1380
        5⤵
        Program crash
        
        PID:684
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp963675.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp963675.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2396
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr414244.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr414244.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 700
    3⤵
    - Program crash
    PID:1536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 720
    3⤵
    - Program crash
    PID:2036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 860
    3⤵
    - Program crash
    PID:3780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 976
    3⤵
    - Program crash
    PID:3996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 980
    3⤵
    - Program crash
    PID:2220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 980
    3⤵
    - Program crash
    PID:2724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1200
    3⤵
    - Program crash
    PID:1124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1240
    3⤵
    - Program crash
    PID:4228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1320
    3⤵
    - Program crash
    PID:1280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1316
    3⤵
    - Program crash
    PID:2712
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 696
      4⤵
      Program crash
      PID:3552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 840
      4⤵
      Program crash
      PID:380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 936
      4⤵
      Program crash
      PID:3220
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1056
      4⤵
      Program crash
      PID:4540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1076
      4⤵
      Program crash
      PID:1472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1076
      4⤵
      Program crash
      PID:1548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1092
      4⤵
      Program crash
      PID:632
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1004
      4⤵
      Program crash
      PID:1432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 732
      4⤵
      Program crash
      PID:3200
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1304
      4⤵
      Program crash
      PID:1112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1344
      4⤵
      Program crash
      PID:1912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1420
      4⤵
      Program crash
      PID:1752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1628
      4⤵
      Program crash
      PID:2368
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1580
      4⤵
      Program crash
      PID:1512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1636
      4⤵
      Program crash
      PID:2096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 772
    3⤵
    - Program crash
    PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2500 -ip 2500
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2312 -ip 2312
1⤵
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2312 -ip 2312
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2312 -ip 2312
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2312 -ip 2312
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2312 -ip 2312
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2312 -ip 2312
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2312 -ip 2312
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2312 -ip 2312
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2312 -ip 2312
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2312 -ip 2312
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2312 -ip 2312
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1836 -ip 1836
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1836 -ip 1836
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1836 -ip 1836
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1836 -ip 1836
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1836 -ip 1836
1⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1836 -ip 1836
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1836 -ip 1836
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1836 -ip 1836
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1836 -ip 1836
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1836 -ip 1836
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1836 -ip 1836
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1836 -ip 1836
1⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:1920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 396
  2⤵
  - Program crash
  PID:2516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 440
  2⤵
  - Program crash
  PID:4416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 440
  2⤵
  - Program crash
  PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1920 -ip 1920
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1920 -ip 1920
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1920 -ip 1920
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1836 -ip 1836
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1836 -ip 1836
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1836 -ip 1836
1⤵
PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
3b4f2a4d8dca852944a267ed2830e399

SHA1
fdb24f66cd6baf27e5f2631fd981afd71732a352

SHA256
ff3e602e3250c9fcbdb5c32d714676400356f27edf28b27315cf8f240f366f6e

SHA512
81fbda54e0d5e96ab119714d2aebd3089a6953c7e9f05dfe55191517ecbadc9c4e36c93b19ba73bbb7019a8408a879c01f78e97cea45ce5fee1780fc39626fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
3b4f2a4d8dca852944a267ed2830e399

SHA1
fdb24f66cd6baf27e5f2631fd981afd71732a352

SHA256
ff3e602e3250c9fcbdb5c32d714676400356f27edf28b27315cf8f240f366f6e

SHA512
81fbda54e0d5e96ab119714d2aebd3089a6953c7e9f05dfe55191517ecbadc9c4e36c93b19ba73bbb7019a8408a879c01f78e97cea45ce5fee1780fc39626fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
3b4f2a4d8dca852944a267ed2830e399

SHA1
fdb24f66cd6baf27e5f2631fd981afd71732a352

SHA256
ff3e602e3250c9fcbdb5c32d714676400356f27edf28b27315cf8f240f366f6e

SHA512
81fbda54e0d5e96ab119714d2aebd3089a6953c7e9f05dfe55191517ecbadc9c4e36c93b19ba73bbb7019a8408a879c01f78e97cea45ce5fee1780fc39626fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
3b4f2a4d8dca852944a267ed2830e399

SHA1
fdb24f66cd6baf27e5f2631fd981afd71732a352

SHA256
ff3e602e3250c9fcbdb5c32d714676400356f27edf28b27315cf8f240f366f6e

SHA512
81fbda54e0d5e96ab119714d2aebd3089a6953c7e9f05dfe55191517ecbadc9c4e36c93b19ba73bbb7019a8408a879c01f78e97cea45ce5fee1780fc39626fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr414244.exe

Filesize
396KB

MD5
3b4f2a4d8dca852944a267ed2830e399

SHA1
fdb24f66cd6baf27e5f2631fd981afd71732a352

SHA256
ff3e602e3250c9fcbdb5c32d714676400356f27edf28b27315cf8f240f366f6e

SHA512
81fbda54e0d5e96ab119714d2aebd3089a6953c7e9f05dfe55191517ecbadc9c4e36c93b19ba73bbb7019a8408a879c01f78e97cea45ce5fee1780fc39626fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr414244.exe

Filesize
396KB

MD5
3b4f2a4d8dca852944a267ed2830e399

SHA1
fdb24f66cd6baf27e5f2631fd981afd71732a352

SHA256
ff3e602e3250c9fcbdb5c32d714676400356f27edf28b27315cf8f240f366f6e

SHA512
81fbda54e0d5e96ab119714d2aebd3089a6953c7e9f05dfe55191517ecbadc9c4e36c93b19ba73bbb7019a8408a879c01f78e97cea45ce5fee1780fc39626fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHR9065.exe

Filesize
724KB

MD5
335f59e618fbbbbe9985ae434842fb0b

SHA1
3a12379c32327cebaa69a02f9300402adfe785d6

SHA256
393799f9e0aa549db8a1dba5c45a08ee867735114f6a0666a1a25b19d23420c1

SHA512
4e47f36d6b2bc247452ff81be0bcdada1b0f812ae1571519472865ef454a05183b6d364bef3c8688c3b31f4b748076dbd93fdcf292cc647e5a9f5ddf46d8aea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHR9065.exe

Filesize
724KB

MD5
335f59e618fbbbbe9985ae434842fb0b

SHA1
3a12379c32327cebaa69a02f9300402adfe785d6

SHA256
393799f9e0aa549db8a1dba5c45a08ee867735114f6a0666a1a25b19d23420c1

SHA512
4e47f36d6b2bc247452ff81be0bcdada1b0f812ae1571519472865ef454a05183b6d364bef3c8688c3b31f4b748076dbd93fdcf292cc647e5a9f5ddf46d8aea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp963675.exe

Filesize
169KB

MD5
fd0599129ec47a933c16ac2045d0a907

SHA1
5fa889243cb9e9e8256fd6f9ad84e54d2d1c6c3a

SHA256
5e39b97a75a8c5c2e2368c201c21ce5264b730480753ea0a25e6906e3f9f83c3

SHA512
e91508e683d4cbd37538dd7270e1f282b35440cb49af1d21de8c56a6f3c6da50bef29471b6404c7ebee1d18696784b0764d6ebb1474a3d08012d054aa63797c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp963675.exe

Filesize
169KB

MD5
fd0599129ec47a933c16ac2045d0a907

SHA1
5fa889243cb9e9e8256fd6f9ad84e54d2d1c6c3a

SHA256
5e39b97a75a8c5c2e2368c201c21ce5264b730480753ea0a25e6906e3f9f83c3

SHA512
e91508e683d4cbd37538dd7270e1f282b35440cb49af1d21de8c56a6f3c6da50bef29471b6404c7ebee1d18696784b0764d6ebb1474a3d08012d054aa63797c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zirG8038.exe

Filesize
570KB

MD5
86fa176c25bf46f76460c3e2f5c6b4a7

SHA1
c5fbe1c0c65b45ed8df010eae7d703657fd980fe

SHA256
f5ca50a0f7afd227802d3a798502ca6848f6591b15cb56a335eb322155a24df2

SHA512
0bac90c342965603dfd0d57be1d2932057cd59c2bce3f14c8b9d67eb9d6a9d237d44bcde9fa9542483c4ab9e030e177e3c8f4e4b2b9c52e316a415e0ab0a65fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zirG8038.exe

Filesize
570KB

MD5
86fa176c25bf46f76460c3e2f5c6b4a7

SHA1
c5fbe1c0c65b45ed8df010eae7d703657fd980fe

SHA256
f5ca50a0f7afd227802d3a798502ca6848f6591b15cb56a335eb322155a24df2

SHA512
0bac90c342965603dfd0d57be1d2932057cd59c2bce3f14c8b9d67eb9d6a9d237d44bcde9fa9542483c4ab9e030e177e3c8f4e4b2b9c52e316a415e0ab0a65fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it368672.exe

Filesize
11KB

MD5
e990d9289a11a53f8f3d4782ec48ace0

SHA1
da68207df1d2d60c65aa8026e0d15d0bfdcc9109

SHA256
7a87d2934f6764e8e9c3671a5f61a2e8c1315d61333d6780444b6c6b794684d0

SHA512
9926c7d4c4210bae835528b74ab1a7c504468faa674f7640f997e34c1d7b6ae9244268bb42005083f71666083e70dcda11f4212c28f054849fc17516f3ea6a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it368672.exe

Filesize
11KB

MD5
e990d9289a11a53f8f3d4782ec48ace0

SHA1
da68207df1d2d60c65aa8026e0d15d0bfdcc9109

SHA256
7a87d2934f6764e8e9c3671a5f61a2e8c1315d61333d6780444b6c6b794684d0

SHA512
9926c7d4c4210bae835528b74ab1a7c504468faa674f7640f997e34c1d7b6ae9244268bb42005083f71666083e70dcda11f4212c28f054849fc17516f3ea6a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr329234.exe

Filesize
588KB

MD5
ca49fa3fc2b5ae9bf8ba7b973255b953

SHA1
da3e557bc8efc2f53c858f94b5566420db6f596f

SHA256
a98fe41d8e1b1bec29e2ca1e6b8f875db704082866702a070b6c6995827d0108

SHA512
d089ae895597c6d47f44b0006787c040725f8f73df95d7c16cfe65e2772ff4e59321512922875d6ad31a4aa57f83c9b7fe73663d172d54adcae3b3b51045c73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr329234.exe

Filesize
588KB

MD5
ca49fa3fc2b5ae9bf8ba7b973255b953

SHA1
da3e557bc8efc2f53c858f94b5566420db6f596f

SHA256
a98fe41d8e1b1bec29e2ca1e6b8f875db704082866702a070b6c6995827d0108

SHA512
d089ae895597c6d47f44b0006787c040725f8f73df95d7c16cfe65e2772ff4e59321512922875d6ad31a4aa57f83c9b7fe73663d172d54adcae3b3b51045c73c

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/2312-2346-0x0000000000BA0000-0x0000000000BDB000-memory.dmp

Filesize
236KB

Download
memory/2396-2336-0x00000000065F0000-0x00000000067B2000-memory.dmp

Filesize
1.8MB

Download
memory/2396-2332-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/2396-2331-0x00000000008E0000-0x0000000000910000-memory.dmp

Filesize
192KB

Download
memory/2396-2337-0x0000000008AA0000-0x0000000008FCC000-memory.dmp

Filesize
5.2MB

Download
memory/2500-176-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-178-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-197-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-199-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-201-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-203-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-205-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-207-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-209-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-211-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-213-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-215-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-217-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-219-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-221-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-223-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-225-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-227-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-193-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-191-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-187-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/2500-2316-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/2500-160-0x0000000000990000-0x00000000009EB000-memory.dmp

Filesize
364KB

Download
memory/2500-161-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/2500-162-0x0000000005020000-0x00000000055C4000-memory.dmp

Filesize
5.6MB

Download
memory/2500-163-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-164-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-2325-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/2500-166-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-189-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-186-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-184-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-180-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-168-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-170-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-172-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-182-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-195-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/2500-174-0x0000000002A20000-0x0000000002A80000-memory.dmp

Filesize
384KB

Download
memory/4424-2339-0x00000000068B0000-0x0000000006900000-memory.dmp

Filesize
320KB

Download
memory/4424-2338-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

Filesize
64KB

Download
memory/4424-2335-0x0000000005820000-0x0000000005886000-memory.dmp

Filesize
408KB

Download
memory/4424-2334-0x00000000058C0000-0x0000000005952000-memory.dmp

Filesize
584KB

Download
memory/4424-2333-0x00000000057A0000-0x0000000005816000-memory.dmp

Filesize
472KB

Download
memory/4424-2326-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

Filesize
64KB

Download
memory/4424-2323-0x0000000005490000-0x00000000054CC000-memory.dmp

Filesize
240KB

Download
memory/4424-2322-0x0000000005430000-0x0000000005442000-memory.dmp

Filesize
72KB

Download
memory/4424-2321-0x0000000005510000-0x000000000561A000-memory.dmp

Filesize
1.0MB

Download
memory/4424-2320-0x0000000005A20000-0x0000000006038000-memory.dmp

Filesize
6.1MB

Download
memory/4424-2319-0x0000000000AE0000-0x0000000000B0E000-memory.dmp

Filesize
184KB

Download
memory/4564-154-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download