amadey | 354355749a3c9fcba197441acb93614020bbad4ac3132166ad842ab18d9aca79

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2023 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

354355749a3c9fcba197441acb93614020bbad4ac3132166ad842ab18d9aca79.exe
Size

1.2MB
MD5

2253da8d3cb6d5845b8f5f61cb391c95
SHA1

6797675726e128c370860c21caa58543828cfc6c
SHA256

354355749a3c9fcba197441acb93614020bbad4ac3132166ad842ab18d9aca79
SHA512

ffb2ca00a0eef81615d82b512b2cae8d7ba1a868286c19fdeb30da41532ac3ecaea6292b59d0827095cc54afa7706abf43cd5cd275c9a543f2a27bea2a3f779e
SSDEEP

24576:GyV5i5YXyKuC84YUSCV0nKLWCSIHzBCNIpKRo0qVY7Zl:V/i546Cl+CXWDGpqo0r

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr903737.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr903737.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr903737.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr903737.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr903737.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr903737.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr903737.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

qu721565.exesi834051.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	qu721565.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	si834051.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

Processes:

un211704.exeun416441.exepr903737.exequ721565.exe1.exerk628559.exesi834051.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
2808	un211704.exe
4716	un416441.exe
2000	pr903737.exe
4908	qu721565.exe
3096	1.exe
1656	rk628559.exe
1016	si834051.exe
2380	oneetx.exe
4792	oneetx.exe
4804	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2744 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2744	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr903737.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr903737.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr903737.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

un416441.exe354355749a3c9fcba197441acb93614020bbad4ac3132166ad842ab18d9aca79.exeun211704.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un416441.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	354355749a3c9fcba197441acb93614020bbad4ac3132166ad842ab18d9aca79.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	354355749a3c9fcba197441acb93614020bbad4ac3132166ad842ab18d9aca79.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un211704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un211704.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un416441.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 33 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3132	2000	WerFault.exe	pr903737.exe
4012	4908	WerFault.exe	qu721565.exe
4688	1016	WerFault.exe	si834051.exe
5100	1016	WerFault.exe	si834051.exe
1612	1016	WerFault.exe	si834051.exe
4756	1016	WerFault.exe	si834051.exe
1712	1016	WerFault.exe	si834051.exe
2848	1016	WerFault.exe	si834051.exe
2016	1016	WerFault.exe	si834051.exe
816	1016	WerFault.exe	si834051.exe
932	1016	WerFault.exe	si834051.exe
3112	1016	WerFault.exe	si834051.exe
4616	2380	WerFault.exe	oneetx.exe
1800	2380	WerFault.exe	oneetx.exe
4188	2380	WerFault.exe	oneetx.exe
4180	2380	WerFault.exe	oneetx.exe
1696	2380	WerFault.exe	oneetx.exe
3088	2380	WerFault.exe	oneetx.exe
2576	2380	WerFault.exe	oneetx.exe
424	2380	WerFault.exe	oneetx.exe
4496	2380	WerFault.exe	oneetx.exe
5096	2380	WerFault.exe	oneetx.exe
3748	2380	WerFault.exe	oneetx.exe
1656	2380	WerFault.exe	oneetx.exe
4248	4792	WerFault.exe	oneetx.exe
5020	4792	WerFault.exe	oneetx.exe
5080	4792	WerFault.exe	oneetx.exe
1204	2380	WerFault.exe	oneetx.exe
3120	2380	WerFault.exe	oneetx.exe
4108	2380	WerFault.exe	oneetx.exe
1060	4804	WerFault.exe	oneetx.exe
2588	4804	WerFault.exe	oneetx.exe
1376	4804	WerFault.exe	oneetx.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1896 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr903737.exe1.exerk628559.exe

pid process

2000 pr903737.exe
2000 pr903737.exe
3096 1.exe
1656 rk628559.exe
1656 rk628559.exe
3096 1.exe

pid	process
1896	schtasks.exe

pid	process
2000	pr903737.exe
2000	pr903737.exe
3096	1.exe
1656	rk628559.exe
1656	rk628559.exe
3096	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

pr903737.exequ721565.exe1.exerk628559.exe

description	pid	process
Token: SeDebugPrivilege	2000	pr903737.exe
Token: SeDebugPrivilege	4908	qu721565.exe
Token: SeDebugPrivilege	3096	1.exe
Token: SeDebugPrivilege	1656	rk628559.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

si834051.exe

pid process

1016 si834051.exe

pid	process
1016	si834051.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

354355749a3c9fcba197441acb93614020bbad4ac3132166ad842ab18d9aca79.exeun211704.exeun416441.exequ721565.exesi834051.exeoneetx.exe

description	pid	process	target process
PID 1836 wrote to memory of 2808	1836	354355749a3c9fcba197441acb93614020bbad4ac3132166ad842ab18d9aca79.exe	un211704.exe
PID 1836 wrote to memory of 2808	1836	354355749a3c9fcba197441acb93614020bbad4ac3132166ad842ab18d9aca79.exe	un211704.exe
PID 1836 wrote to memory of 2808	1836	354355749a3c9fcba197441acb93614020bbad4ac3132166ad842ab18d9aca79.exe	un211704.exe
PID 2808 wrote to memory of 4716	2808	un211704.exe	un416441.exe
PID 2808 wrote to memory of 4716	2808	un211704.exe	un416441.exe
PID 2808 wrote to memory of 4716	2808	un211704.exe	un416441.exe
PID 4716 wrote to memory of 2000	4716	un416441.exe	pr903737.exe
PID 4716 wrote to memory of 2000	4716	un416441.exe	pr903737.exe
PID 4716 wrote to memory of 2000	4716	un416441.exe	pr903737.exe
PID 4716 wrote to memory of 4908	4716	un416441.exe	qu721565.exe
PID 4716 wrote to memory of 4908	4716	un416441.exe	qu721565.exe
PID 4716 wrote to memory of 4908	4716	un416441.exe	qu721565.exe
PID 4908 wrote to memory of 3096	4908	qu721565.exe	1.exe
PID 4908 wrote to memory of 3096	4908	qu721565.exe	1.exe
PID 4908 wrote to memory of 3096	4908	qu721565.exe	1.exe
PID 2808 wrote to memory of 1656	2808	un211704.exe	rk628559.exe
PID 2808 wrote to memory of 1656	2808	un211704.exe	rk628559.exe
PID 2808 wrote to memory of 1656	2808	un211704.exe	rk628559.exe
PID 1836 wrote to memory of 1016	1836	354355749a3c9fcba197441acb93614020bbad4ac3132166ad842ab18d9aca79.exe	si834051.exe
PID 1836 wrote to memory of 1016	1836	354355749a3c9fcba197441acb93614020bbad4ac3132166ad842ab18d9aca79.exe	si834051.exe
PID 1836 wrote to memory of 1016	1836	354355749a3c9fcba197441acb93614020bbad4ac3132166ad842ab18d9aca79.exe	si834051.exe
PID 1016 wrote to memory of 2380	1016	si834051.exe	oneetx.exe
PID 1016 wrote to memory of 2380	1016	si834051.exe	oneetx.exe
PID 1016 wrote to memory of 2380	1016	si834051.exe	oneetx.exe
PID 2380 wrote to memory of 1896	2380	oneetx.exe	schtasks.exe
PID 2380 wrote to memory of 1896	2380	oneetx.exe	schtasks.exe
PID 2380 wrote to memory of 1896	2380	oneetx.exe	schtasks.exe
PID 2380 wrote to memory of 2744	2380	oneetx.exe	rundll32.exe
PID 2380 wrote to memory of 2744	2380	oneetx.exe	rundll32.exe
PID 2380 wrote to memory of 2744	2380	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\354355749a3c9fcba197441acb93614020bbad4ac3132166ad842ab18d9aca79.exe
"C:\Users\Admin\AppData\Local\Temp\354355749a3c9fcba197441acb93614020bbad4ac3132166ad842ab18d9aca79.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un211704.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un211704.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un416441.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un416441.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr903737.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr903737.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2000
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1088
        5⤵
        Program crash
        
        PID:3132
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu721565.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu721565.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4908
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3096
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1376
        5⤵
        Program crash
        
        PID:4012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628559.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628559.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si834051.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si834051.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 700
    3⤵
    - Program crash
    PID:4688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 784
    3⤵
    - Program crash
    PID:5100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 860
    3⤵
    - Program crash
    PID:1612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 868
    3⤵
    - Program crash
    PID:4756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 996
    3⤵
    - Program crash
    PID:1712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 976
    3⤵
    - Program crash
    PID:2848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 1228
    3⤵
    - Program crash
    PID:2016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 1248
    3⤵
    - Program crash
    PID:816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 1324
    3⤵
    - Program crash
    PID:932
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 696
      4⤵
      Program crash
      PID:4616
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 820
      4⤵
      Program crash
      PID:1800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 896
      4⤵
      Program crash
      PID:4188
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1056
      4⤵
      Program crash
      PID:4180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1076
      4⤵
      Program crash
      PID:1696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1076
      4⤵
      Program crash
      PID:3088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1112
      4⤵
      Program crash
      PID:2576
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 996
      4⤵
      Program crash
      PID:424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 780
      4⤵
      Program crash
      PID:4496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 760
      4⤵
      Program crash
      PID:5096
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 820
      4⤵
      Program crash
      PID:3748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1140
      4⤵
      Program crash
      PID:1656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1644
      4⤵
      Program crash
      PID:1204
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1572
      4⤵
      Program crash
      PID:3120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1652
      4⤵
      Program crash
      PID:4108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 1340
    3⤵
    - Program crash
    PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2000 -ip 2000
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4908 -ip 4908
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1016 -ip 1016
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1016 -ip 1016
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1016 -ip 1016
1⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1016 -ip 1016
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1016 -ip 1016
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1016 -ip 1016
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1016 -ip 1016
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1016 -ip 1016
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1016 -ip 1016
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1016 -ip 1016
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2380 -ip 2380
1⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2380 -ip 2380
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2380 -ip 2380
1⤵
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2380 -ip 2380
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2380 -ip 2380
1⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2380 -ip 2380
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2380 -ip 2380
1⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2380 -ip 2380
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2380 -ip 2380
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2380 -ip 2380
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2380 -ip 2380
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2380 -ip 2380
1⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 396
  2⤵
  - Program crash
  PID:4248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 440
  2⤵
  - Program crash
  PID:5020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 440
  2⤵
  - Program crash
  PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4792 -ip 4792
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4792 -ip 4792
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4792 -ip 4792
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2380 -ip 2380
1⤵
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2380 -ip 2380
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2380 -ip 2380
1⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 396
  2⤵
  - Program crash
  PID:1060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 440
  2⤵
  - Program crash
  PID:2588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 440
  2⤵
  - Program crash
  PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4804 -ip 4804
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4804 -ip 4804
1⤵
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4804 -ip 4804
1⤵
PID:4676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si834051.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si834051.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un211704.exe

Filesize
861KB

MD5
41feec7161c9a282af644bdcdc71e3f7

SHA1
b897afab7dcf1196c553d5921162432f27edffbe

SHA256
ed2d3600aa758cbf67a7d9252e87d69f7463bbbb83b81c0cf32e8b891ded80ce

SHA512
7d377e77b194a6d13ccc8b1c39087d4f96af3b804029ea5ac9cd4a1d1e2b28db2061e3d556bd987119f4a994fc855b7bab9472efe8d878abd5de7abd2b274fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un211704.exe

Filesize
861KB

MD5
41feec7161c9a282af644bdcdc71e3f7

SHA1
b897afab7dcf1196c553d5921162432f27edffbe

SHA256
ed2d3600aa758cbf67a7d9252e87d69f7463bbbb83b81c0cf32e8b891ded80ce

SHA512
7d377e77b194a6d13ccc8b1c39087d4f96af3b804029ea5ac9cd4a1d1e2b28db2061e3d556bd987119f4a994fc855b7bab9472efe8d878abd5de7abd2b274fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628559.exe

Filesize
169KB

MD5
44ee7f1366d47836b91cd141afbf1a5b

SHA1
830830074de84f9093a51bf2e2825d6e44fc7e20

SHA256
a35ad01e99128daf02f194591c3ecc81472815a3231f7dac5ce045139d74dbc9

SHA512
99c8ab5434c8d27753b200c3ccf24d541a2a639e1c8d3b8f15a07762e6dd5ce44dcd51d2364bc5c3ecfdd54420f261b3a8456c777ee368942d30e2c54771655b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628559.exe

Filesize
169KB

MD5
44ee7f1366d47836b91cd141afbf1a5b

SHA1
830830074de84f9093a51bf2e2825d6e44fc7e20

SHA256
a35ad01e99128daf02f194591c3ecc81472815a3231f7dac5ce045139d74dbc9

SHA512
99c8ab5434c8d27753b200c3ccf24d541a2a639e1c8d3b8f15a07762e6dd5ce44dcd51d2364bc5c3ecfdd54420f261b3a8456c777ee368942d30e2c54771655b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un416441.exe

Filesize
707KB

MD5
2f6aaa1f54147bfd42905a7817784197

SHA1
e43afc06076c840fd7a02b9139e1ce59c7612c9d

SHA256
3d0ddc49542368c0a765a9965d577e9ddbcec8b4e828cce7387f03c69b05daad

SHA512
60959aa6786589ccd3a08169c9e164a767d0306ac066d772372be3e5b7761b3ab8a407e30fa9810e9d3a65cbe679ee8dff318abe899b7e8b19bbe19a6f325316

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un416441.exe

Filesize
707KB

MD5
2f6aaa1f54147bfd42905a7817784197

SHA1
e43afc06076c840fd7a02b9139e1ce59c7612c9d

SHA256
3d0ddc49542368c0a765a9965d577e9ddbcec8b4e828cce7387f03c69b05daad

SHA512
60959aa6786589ccd3a08169c9e164a767d0306ac066d772372be3e5b7761b3ab8a407e30fa9810e9d3a65cbe679ee8dff318abe899b7e8b19bbe19a6f325316

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr903737.exe

Filesize
404KB

MD5
1d95b9e4ccbe1c9e48a9703153753eff

SHA1
8b8bcf98225fcebbad92e5ca79fc2dedeca79cf8

SHA256
35b224441491aa2dbc0795db44ded1f463ba92a444c4c570ca055d8d261f4214

SHA512
3ff6c1957757a1c5ab18febed6b6b36cd55aabad315d6a34a2febd0d64069643538662612c1412e71e9fff4bf65471e0302707fa7d7cc12a84a65d5719112c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr903737.exe

Filesize
404KB

MD5
1d95b9e4ccbe1c9e48a9703153753eff

SHA1
8b8bcf98225fcebbad92e5ca79fc2dedeca79cf8

SHA256
35b224441491aa2dbc0795db44ded1f463ba92a444c4c570ca055d8d261f4214

SHA512
3ff6c1957757a1c5ab18febed6b6b36cd55aabad315d6a34a2febd0d64069643538662612c1412e71e9fff4bf65471e0302707fa7d7cc12a84a65d5719112c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu721565.exe

Filesize
587KB

MD5
c7a29737264d25a45dd87e788a025a6e

SHA1
06f6b82cadc2493361748d93a34ba54c0e546a98

SHA256
5060c9cdb3460cf07b5f528ad40de0cbd03983ea349fdd276e61d52726c5c3d2

SHA512
c1273b1ff26d650a2874e280ffed8cdc6340a40c63d4a3db36493811fc03691f15425fa1f0c687be5074223454881e3387451b9548cb5c95597241f1ed87cd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu721565.exe

Filesize
587KB

MD5
c7a29737264d25a45dd87e788a025a6e

SHA1
06f6b82cadc2493361748d93a34ba54c0e546a98

SHA256
5060c9cdb3460cf07b5f528ad40de0cbd03983ea349fdd276e61d52726c5c3d2

SHA512
c1273b1ff26d650a2874e280ffed8cdc6340a40c63d4a3db36493811fc03691f15425fa1f0c687be5074223454881e3387451b9548cb5c95597241f1ed87cd89

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/1016-2382-0x0000000002490000-0x00000000024CB000-memory.dmp

Filesize
236KB

Download
memory/1656-2375-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/1656-2366-0x00000000006A0000-0x00000000006D0000-memory.dmp

Filesize
192KB

Download
memory/1656-2367-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/1656-2369-0x0000000005480000-0x0000000005512000-memory.dmp

Filesize
584KB

Download
memory/1656-2373-0x0000000007890000-0x0000000007DBC000-memory.dmp

Filesize
5.2MB

Download
memory/1656-2371-0x0000000005F90000-0x0000000005FE0000-memory.dmp

Filesize
320KB

Download
memory/1656-2372-0x00000000064E0000-0x00000000066A2000-memory.dmp

Filesize
1.8MB

Download
memory/2000-184-0x00000000009A0000-0x00000000009CD000-memory.dmp

Filesize
180KB

Download
memory/2000-191-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/2000-155-0x0000000004E10000-0x00000000053B4000-memory.dmp

Filesize
5.6MB

Download
memory/2000-156-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2000-157-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2000-159-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2000-161-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2000-163-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2000-165-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2000-167-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2000-169-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2000-171-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2000-173-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2000-175-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2000-177-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2000-179-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2000-181-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2000-183-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2000-185-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/2000-186-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/2000-187-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/2000-189-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/2000-190-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/2000-192-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/3096-2358-0x0000000005790000-0x000000000589A000-memory.dmp

Filesize
1.0MB

Download
memory/3096-2368-0x0000000005960000-0x00000000059D6000-memory.dmp

Filesize
472KB

Download
memory/3096-2374-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/3096-2357-0x0000000005CA0000-0x00000000062B8000-memory.dmp

Filesize
6.1MB

Download
memory/3096-2355-0x0000000000CA0000-0x0000000000CCE000-memory.dmp

Filesize
184KB

Download
memory/3096-2359-0x00000000054E0000-0x00000000054F2000-memory.dmp

Filesize
72KB

Download
memory/3096-2362-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/3096-2361-0x0000000005680000-0x00000000056BC000-memory.dmp

Filesize
240KB

Download
memory/3096-2370-0x00000000062C0000-0x0000000006326000-memory.dmp

Filesize
408KB

Download
memory/4908-226-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4908-222-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4908-230-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4908-234-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4908-228-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4908-197-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4908-198-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4908-225-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4908-223-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4908-2356-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4908-221-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4908-232-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4908-219-0x00000000024D0000-0x000000000252B000-memory.dmp

Filesize
364KB

Download
memory/4908-218-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4908-216-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4908-214-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4908-212-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4908-210-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4908-208-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4908-206-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4908-204-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4908-202-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4908-200-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download