amadey | a11117c07956feba2fce23af4b95766d556fba617f4d3ccf88931862bb870228

Analysis

max time kernel
144s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2023 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a11117c07956feba2fce23af4b95766d556fba617f4d3ccf88931862bb870228.exe
Size

1.2MB
MD5

c63290b9319d9759eaa5ff76f09c54d9
SHA1

8db200682f6f67526124c742fd17e5fed6e4dc12
SHA256

a11117c07956feba2fce23af4b95766d556fba617f4d3ccf88931862bb870228
SHA512

6a3bb4c5e88298f34c4be2dd7ca6c1e7029ea7a5e85d947cff2791c39e20d8f64a9347ff13b11a9f306e20df7755fb36df74a3ac72cbff337090a3a9b6cf0eb5
SSDEEP

24576:6yYLHHuKLjWF7gcn6gV/vYLa84m8iGr/Pt97vvouFQKKy8vcl:ByHHbLjm/nLuahwG/DvvoDl

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr135864.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr135864.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr135864.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr135864.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr135864.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr135864.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr135864.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

qu404843.exesi966398.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	qu404843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	si966398.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

Processes:

un874281.exeun125873.exepr135864.exequ404843.exe1.exerk147042.exesi966398.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
5080	un874281.exe
1252	un125873.exe
2400	pr135864.exe
3488	qu404843.exe
4536	1.exe
2948	rk147042.exe
4496	si966398.exe
1776	oneetx.exe
4660	oneetx.exe
5008	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4844 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4844	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr135864.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr135864.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr135864.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

un874281.exeun125873.exea11117c07956feba2fce23af4b95766d556fba617f4d3ccf88931862bb870228.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un874281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un874281.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un125873.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un125873.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a11117c07956feba2fce23af4b95766d556fba617f4d3ccf88931862bb870228.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a11117c07956feba2fce23af4b95766d556fba617f4d3ccf88931862bb870228.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 34 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1168	2400	WerFault.exe	pr135864.exe
748	3488	WerFault.exe	qu404843.exe
1708	4496	WerFault.exe	si966398.exe
3852	4496	WerFault.exe	si966398.exe
2068	4496	WerFault.exe	si966398.exe
4336	4496	WerFault.exe	si966398.exe
4720	4496	WerFault.exe	si966398.exe
1808	4496	WerFault.exe	si966398.exe
5040	4496	WerFault.exe	si966398.exe
1764	4496	WerFault.exe	si966398.exe
3816	4496	WerFault.exe	si966398.exe
336	4496	WerFault.exe	si966398.exe
2740	4496	WerFault.exe	si966398.exe
5024	1776	WerFault.exe	oneetx.exe
3920	1776	WerFault.exe	oneetx.exe
4964	1776	WerFault.exe	oneetx.exe
4648	1776	WerFault.exe	oneetx.exe
3972	1776	WerFault.exe	oneetx.exe
900	1776	WerFault.exe	oneetx.exe
2372	1776	WerFault.exe	oneetx.exe
4524	1776	WerFault.exe	oneetx.exe
5068	1776	WerFault.exe	oneetx.exe
4172	1776	WerFault.exe	oneetx.exe
3420	1776	WerFault.exe	oneetx.exe
3740	1776	WerFault.exe	oneetx.exe
3956	4660	WerFault.exe	oneetx.exe
3852	4660	WerFault.exe	oneetx.exe
4796	4660	WerFault.exe	oneetx.exe
1820	1776	WerFault.exe	oneetx.exe
1736	1776	WerFault.exe	oneetx.exe
264	1776	WerFault.exe	oneetx.exe
2388	5008	WerFault.exe	oneetx.exe
4896	5008	WerFault.exe	oneetx.exe
4832	5008	WerFault.exe	oneetx.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1068 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr135864.exe1.exerk147042.exe

pid process

2400 pr135864.exe
2400 pr135864.exe
4536 1.exe
2948 rk147042.exe
2948 rk147042.exe
4536 1.exe

pid	process
1068	schtasks.exe

pid	process
2400	pr135864.exe
2400	pr135864.exe
4536	1.exe
2948	rk147042.exe
2948	rk147042.exe
4536	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

pr135864.exequ404843.exe1.exerk147042.exe

description	pid	process
Token: SeDebugPrivilege	2400	pr135864.exe
Token: SeDebugPrivilege	3488	qu404843.exe
Token: SeDebugPrivilege	4536	1.exe
Token: SeDebugPrivilege	2948	rk147042.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

si966398.exe

pid process

4496 si966398.exe

pid	process
4496	si966398.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

a11117c07956feba2fce23af4b95766d556fba617f4d3ccf88931862bb870228.exeun874281.exeun125873.exequ404843.exesi966398.exeoneetx.exe

description	pid	process	target process
PID 3904 wrote to memory of 5080	3904	a11117c07956feba2fce23af4b95766d556fba617f4d3ccf88931862bb870228.exe	un874281.exe
PID 3904 wrote to memory of 5080	3904	a11117c07956feba2fce23af4b95766d556fba617f4d3ccf88931862bb870228.exe	un874281.exe
PID 3904 wrote to memory of 5080	3904	a11117c07956feba2fce23af4b95766d556fba617f4d3ccf88931862bb870228.exe	un874281.exe
PID 5080 wrote to memory of 1252	5080	un874281.exe	un125873.exe
PID 5080 wrote to memory of 1252	5080	un874281.exe	un125873.exe
PID 5080 wrote to memory of 1252	5080	un874281.exe	un125873.exe
PID 1252 wrote to memory of 2400	1252	un125873.exe	pr135864.exe
PID 1252 wrote to memory of 2400	1252	un125873.exe	pr135864.exe
PID 1252 wrote to memory of 2400	1252	un125873.exe	pr135864.exe
PID 1252 wrote to memory of 3488	1252	un125873.exe	qu404843.exe
PID 1252 wrote to memory of 3488	1252	un125873.exe	qu404843.exe
PID 1252 wrote to memory of 3488	1252	un125873.exe	qu404843.exe
PID 3488 wrote to memory of 4536	3488	qu404843.exe	1.exe
PID 3488 wrote to memory of 4536	3488	qu404843.exe	1.exe
PID 3488 wrote to memory of 4536	3488	qu404843.exe	1.exe
PID 5080 wrote to memory of 2948	5080	un874281.exe	rk147042.exe
PID 5080 wrote to memory of 2948	5080	un874281.exe	rk147042.exe
PID 5080 wrote to memory of 2948	5080	un874281.exe	rk147042.exe
PID 3904 wrote to memory of 4496	3904	a11117c07956feba2fce23af4b95766d556fba617f4d3ccf88931862bb870228.exe	si966398.exe
PID 3904 wrote to memory of 4496	3904	a11117c07956feba2fce23af4b95766d556fba617f4d3ccf88931862bb870228.exe	si966398.exe
PID 3904 wrote to memory of 4496	3904	a11117c07956feba2fce23af4b95766d556fba617f4d3ccf88931862bb870228.exe	si966398.exe
PID 4496 wrote to memory of 1776	4496	si966398.exe	oneetx.exe
PID 4496 wrote to memory of 1776	4496	si966398.exe	oneetx.exe
PID 4496 wrote to memory of 1776	4496	si966398.exe	oneetx.exe
PID 1776 wrote to memory of 1068	1776	oneetx.exe	schtasks.exe
PID 1776 wrote to memory of 1068	1776	oneetx.exe	schtasks.exe
PID 1776 wrote to memory of 1068	1776	oneetx.exe	schtasks.exe
PID 1776 wrote to memory of 4844	1776	oneetx.exe	rundll32.exe
PID 1776 wrote to memory of 4844	1776	oneetx.exe	rundll32.exe
PID 1776 wrote to memory of 4844	1776	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a11117c07956feba2fce23af4b95766d556fba617f4d3ccf88931862bb870228.exe
"C:\Users\Admin\AppData\Local\Temp\a11117c07956feba2fce23af4b95766d556fba617f4d3ccf88931862bb870228.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un874281.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un874281.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un125873.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un125873.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr135864.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr135864.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2400
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 1084
        5⤵
        Program crash
        
        PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu404843.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu404843.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3488
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1384
        5⤵
        Program crash
        
        PID:748
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk147042.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk147042.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si966398.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si966398.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 700
    3⤵
    - Program crash
    PID:1708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 776
    3⤵
    - Program crash
    PID:3852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 860
    3⤵
    - Program crash
    PID:2068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 864
    3⤵
    - Program crash
    PID:4336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 972
    3⤵
    - Program crash
    PID:4720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 952
    3⤵
    - Program crash
    PID:1808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1236
    3⤵
    - Program crash
    PID:5040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1228
    3⤵
    - Program crash
    PID:1764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1248
    3⤵
    - Program crash
    PID:3816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1388
    3⤵
    - Program crash
    PID:336
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 632
      4⤵
      Program crash
      PID:5024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 840
      4⤵
      Program crash
      PID:3920
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 896
      4⤵
      Program crash
      PID:4964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1056
      4⤵
      Program crash
      PID:4648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1064
      4⤵
      Program crash
      PID:3972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1100
      4⤵
      Program crash
      PID:900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1108
      4⤵
      Program crash
      PID:2372
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 996
      4⤵
      Program crash
      PID:4524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 780
      4⤵
      Program crash
      PID:5068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 760
      4⤵
      Program crash
      PID:4172
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 916
      4⤵
      Program crash
      PID:3420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1068
      4⤵
      Program crash
      PID:3740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1612
      4⤵
      Program crash
      PID:1820
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1544
      4⤵
      Program crash
      PID:1736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1628
      4⤵
      Program crash
      PID:264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1236
    3⤵
    - Program crash
    PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2400 -ip 2400
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3488 -ip 3488
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4496 -ip 4496
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4496 -ip 4496
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4496 -ip 4496
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4496 -ip 4496
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4496 -ip 4496
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4496 -ip 4496
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4496 -ip 4496
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4496 -ip 4496
1⤵
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4496 -ip 4496
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4496 -ip 4496
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4496 -ip 4496
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1776 -ip 1776
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1776 -ip 1776
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 1776 -ip 1776
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1776 -ip 1776
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1776 -ip 1776
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 1776 -ip 1776
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1776 -ip 1776
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1776 -ip 1776
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1776 -ip 1776
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1776 -ip 1776
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1776 -ip 1776
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 1776 -ip 1776
1⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 396
  2⤵
  - Program crash
  PID:3956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 440
  2⤵
  - Program crash
  PID:3852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 440
  2⤵
  - Program crash
  PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4660 -ip 4660
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4660 -ip 4660
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4660 -ip 4660
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1776 -ip 1776
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 1776 -ip 1776
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1776 -ip 1776
1⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:5008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 396
  2⤵
  - Program crash
  PID:2388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 440
  2⤵
  - Program crash
  PID:4896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 440
  2⤵
  - Program crash
  PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5008 -ip 5008
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5008 -ip 5008
1⤵
PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5008 -ip 5008
1⤵
PID:3652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si966398.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si966398.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un874281.exe

Filesize
862KB

MD5
9383853066a85affdf3b12757962e903

SHA1
76594cb33d50b1cd8609206cdadb1b56bb90bcb1

SHA256
f3bcf9efe840b811f18e9eb2e7740e45bc07d4fb24a2ec960841c30e460b2709

SHA512
2f9d40ad7e04e0712d33c5792db3fe6c2276e478295957624810a2ba3876edcbfcf4877653cfa444985bdd493aea7a541933ae1f12d16e83681047efa989f8f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un874281.exe

Filesize
862KB

MD5
9383853066a85affdf3b12757962e903

SHA1
76594cb33d50b1cd8609206cdadb1b56bb90bcb1

SHA256
f3bcf9efe840b811f18e9eb2e7740e45bc07d4fb24a2ec960841c30e460b2709

SHA512
2f9d40ad7e04e0712d33c5792db3fe6c2276e478295957624810a2ba3876edcbfcf4877653cfa444985bdd493aea7a541933ae1f12d16e83681047efa989f8f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk147042.exe

Filesize
169KB

MD5
e86542ff84f74b5f4f76a24a634b334b

SHA1
490db5ed7d09918012240ce25dd5cb6e4cabbefd

SHA256
ef0b8980e7c0aab08692186b7cb581d9c05c354ea9d4e6b9020ba9b2e7bbb9ea

SHA512
db28dda3493099c0385bfe15bd9b972ed008ef82d0f0b66449014e6b80a3d217ce1d0b3a9d5ed5dea41bfbb074a241dd920e772094216545571e7921c2a9f1a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk147042.exe

Filesize
169KB

MD5
e86542ff84f74b5f4f76a24a634b334b

SHA1
490db5ed7d09918012240ce25dd5cb6e4cabbefd

SHA256
ef0b8980e7c0aab08692186b7cb581d9c05c354ea9d4e6b9020ba9b2e7bbb9ea

SHA512
db28dda3493099c0385bfe15bd9b972ed008ef82d0f0b66449014e6b80a3d217ce1d0b3a9d5ed5dea41bfbb074a241dd920e772094216545571e7921c2a9f1a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un125873.exe

Filesize
708KB

MD5
8c89b003c9f6c15364c44492bcf0a507

SHA1
cab9c855dc776dff532843f4b97bfe30ea66d89c

SHA256
d09134f065620fa555fab8f22c5e051b59bd957b1587f181252f74a16b93c291

SHA512
e56984633645a72b25f4e9a4f37e1f531e60dba436997c24610d4efe0943142870a794b9b2c201de20cb16119a5b74be95f2b6f4fb3c56b8cb86a1ee8ce9f56e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un125873.exe

Filesize
708KB

MD5
8c89b003c9f6c15364c44492bcf0a507

SHA1
cab9c855dc776dff532843f4b97bfe30ea66d89c

SHA256
d09134f065620fa555fab8f22c5e051b59bd957b1587f181252f74a16b93c291

SHA512
e56984633645a72b25f4e9a4f37e1f531e60dba436997c24610d4efe0943142870a794b9b2c201de20cb16119a5b74be95f2b6f4fb3c56b8cb86a1ee8ce9f56e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr135864.exe

Filesize
404KB

MD5
1760320511fbfb21b2f0df13e0bd17d8

SHA1
35048f0724e49c6a6e8e315c8a29d002cd716ecf

SHA256
e2490ed3c46b1731021b034c8ec161819ce63d605f485fb34469f54dfac4e66b

SHA512
fcf8d1faa91dcc44cd52ca9ed75b361b00a5f3d1a9aaad22d2cca64f94816fe35694d9ac9d5898c391a3416082b7b85107afc7e18ff3ab38ca8116b7ceb25e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr135864.exe

Filesize
404KB

MD5
1760320511fbfb21b2f0df13e0bd17d8

SHA1
35048f0724e49c6a6e8e315c8a29d002cd716ecf

SHA256
e2490ed3c46b1731021b034c8ec161819ce63d605f485fb34469f54dfac4e66b

SHA512
fcf8d1faa91dcc44cd52ca9ed75b361b00a5f3d1a9aaad22d2cca64f94816fe35694d9ac9d5898c391a3416082b7b85107afc7e18ff3ab38ca8116b7ceb25e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu404843.exe

Filesize
587KB

MD5
d22d9e7ed874488fad5cd26bae0c963f

SHA1
0d28ff9cf6104b20ca264d1db15c2ccc6d941fe1

SHA256
97ce03a779f1546a9f7d79203cc872492efa9dee1e40956b883ae8a8c0c08352

SHA512
d9f559f376a952935b2f750e97bf8919ad9c96eded2434b9d99f5ad5e038397280c753098ad339b4e2324973fc3e0c9fea7c33f0db982c7713f6e8554c126210

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu404843.exe

Filesize
587KB

MD5
d22d9e7ed874488fad5cd26bae0c963f

SHA1
0d28ff9cf6104b20ca264d1db15c2ccc6d941fe1

SHA256
97ce03a779f1546a9f7d79203cc872492efa9dee1e40956b883ae8a8c0c08352

SHA512
d9f559f376a952935b2f750e97bf8919ad9c96eded2434b9d99f5ad5e038397280c753098ad339b4e2324973fc3e0c9fea7c33f0db982c7713f6e8554c126210

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/2400-180-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2400-182-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2400-188-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/2400-189-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/2400-191-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/2400-186-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2400-184-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2400-155-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/2400-156-0x0000000005210000-0x00000000057B4000-memory.dmp

Filesize
5.6MB

Download
memory/2400-157-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/2400-158-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/2400-159-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2400-160-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2400-162-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2400-164-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2400-166-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2400-168-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2400-170-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2400-187-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/2400-172-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2400-174-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2400-176-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2400-178-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2948-2370-0x0000000006B50000-0x0000000006BA0000-memory.dmp

Filesize
320KB

Download
memory/2948-2364-0x0000000000F40000-0x0000000000F70000-memory.dmp

Filesize
192KB

Download
memory/2948-2373-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/2948-2369-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/2948-2365-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/3488-224-0x0000000005640000-0x00000000056A0000-memory.dmp

Filesize
384KB

Download
memory/3488-219-0x0000000000910000-0x000000000096B000-memory.dmp

Filesize
364KB

Download
memory/3488-220-0x0000000005640000-0x00000000056A0000-memory.dmp

Filesize
384KB

Download
memory/3488-213-0x0000000005640000-0x00000000056A0000-memory.dmp

Filesize
384KB

Download
memory/3488-223-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/3488-226-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/3488-196-0x0000000005640000-0x00000000056A0000-memory.dmp

Filesize
384KB

Download
memory/3488-197-0x0000000005640000-0x00000000056A0000-memory.dmp

Filesize
384KB

Download
memory/3488-199-0x0000000005640000-0x00000000056A0000-memory.dmp

Filesize
384KB

Download
memory/3488-201-0x0000000005640000-0x00000000056A0000-memory.dmp

Filesize
384KB

Download
memory/3488-221-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/3488-2343-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/3488-233-0x0000000005640000-0x00000000056A0000-memory.dmp

Filesize
384KB

Download
memory/3488-231-0x0000000005640000-0x00000000056A0000-memory.dmp

Filesize
384KB

Download
memory/3488-203-0x0000000005640000-0x00000000056A0000-memory.dmp

Filesize
384KB

Download
memory/3488-205-0x0000000005640000-0x00000000056A0000-memory.dmp

Filesize
384KB

Download
memory/3488-207-0x0000000005640000-0x00000000056A0000-memory.dmp

Filesize
384KB

Download
memory/3488-229-0x0000000005640000-0x00000000056A0000-memory.dmp

Filesize
384KB

Download
memory/3488-217-0x0000000005640000-0x00000000056A0000-memory.dmp

Filesize
384KB

Download
memory/3488-209-0x0000000005640000-0x00000000056A0000-memory.dmp

Filesize
384KB

Download
memory/3488-211-0x0000000005640000-0x00000000056A0000-memory.dmp

Filesize
384KB

Download
memory/3488-227-0x0000000005640000-0x00000000056A0000-memory.dmp

Filesize
384KB

Download
memory/3488-215-0x0000000005640000-0x00000000056A0000-memory.dmp

Filesize
384KB

Download
memory/4496-2381-0x0000000002370000-0x00000000023AB000-memory.dmp

Filesize
236KB

Download
memory/4536-2355-0x00000000008A0000-0x00000000008CE000-memory.dmp

Filesize
184KB

Download
memory/4536-2374-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/4536-2372-0x0000000008A80000-0x0000000008FAC000-memory.dmp

Filesize
5.2MB

Download
memory/4536-2371-0x00000000066D0000-0x0000000006892000-memory.dmp

Filesize
1.8MB

Download
memory/4536-2368-0x0000000005680000-0x0000000005712000-memory.dmp

Filesize
584KB

Download
memory/4536-2367-0x0000000005560000-0x00000000055D6000-memory.dmp

Filesize
472KB

Download
memory/4536-2366-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/4536-2360-0x0000000005250000-0x000000000528C000-memory.dmp

Filesize
240KB

Download
memory/4536-2359-0x00000000051F0000-0x0000000005202000-memory.dmp

Filesize
72KB

Download
memory/4536-2357-0x00000000052E0000-0x00000000053EA000-memory.dmp

Filesize
1.0MB

Download
memory/4536-2356-0x00000000057F0000-0x0000000005E08000-memory.dmp

Filesize
6.1MB

Download