amadey | eea96aa3cdf2c451e3ecf9efd9714ef91e56b62cb4c17abc34db7eed1a35492d

Analysis

max time kernel
141s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2023 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eea96aa3cdf2c451e3ecf9efd9714ef91e56b62cb4c17abc34db7eed1a35492d.exe
Size

1.0MB
MD5

5554c4e6358de8a2739332161703a87f
SHA1

0db572da8a119c22db6fee296947b3295f029b37
SHA256

eea96aa3cdf2c451e3ecf9efd9714ef91e56b62cb4c17abc34db7eed1a35492d
SHA512

d87f76c23df53d1d5b25d37443984ab4b41e2f60c53a57e851374b12f3c3d85bd9c8a97e96f414f92dbea4fc8e57d622c2b3b429c86db0dfb97b3955f8ebf57b
SSDEEP

24576:yyYS0gjDNhs7eGHlDGukv7VBlqLP7u01LbV3o0OkiwRUjh765/VvneB3dfPog:ZY/gnNhsfN8YPSkbV3JOpjUGBtX

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

it545773.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it545773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it545773.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it545773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it545773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it545773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it545773.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jr759587.exelr700191.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	jr759587.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	lr700191.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

Processes:

zipb1372.exeziUx2302.exeit545773.exejr759587.exe1.exekp126788.exelr700191.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
4728	zipb1372.exe
2576	ziUx2302.exe
2636	it545773.exe
4448	jr759587.exe
3148	1.exe
3996	kp126788.exe
3332	lr700191.exe
3936	oneetx.exe
2832	oneetx.exe
2324	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4736 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

it545773.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it545773.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4736	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it545773.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zipb1372.exeziUx2302.exeeea96aa3cdf2c451e3ecf9efd9714ef91e56b62cb4c17abc34db7eed1a35492d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zipb1372.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zipb1372.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziUx2302.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziUx2302.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	eea96aa3cdf2c451e3ecf9efd9714ef91e56b62cb4c17abc34db7eed1a35492d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eea96aa3cdf2c451e3ecf9efd9714ef91e56b62cb4c17abc34db7eed1a35492d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 33 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1536	4448	WerFault.exe	jr759587.exe
4220	3332	WerFault.exe	lr700191.exe
228	3332	WerFault.exe	lr700191.exe
2256	3332	WerFault.exe	lr700191.exe
2912	3332	WerFault.exe	lr700191.exe
1960	3332	WerFault.exe	lr700191.exe
2152	3332	WerFault.exe	lr700191.exe
728	3332	WerFault.exe	lr700191.exe
4552	3332	WerFault.exe	lr700191.exe
4840	3332	WerFault.exe	lr700191.exe
3144	3332	WerFault.exe	lr700191.exe
5108	3936	WerFault.exe	oneetx.exe
3816	3936	WerFault.exe	oneetx.exe
3632	3936	WerFault.exe	oneetx.exe
4224	3936	WerFault.exe	oneetx.exe
2416	3936	WerFault.exe	oneetx.exe
1656	3936	WerFault.exe	oneetx.exe
3380	3936	WerFault.exe	oneetx.exe
1628	3936	WerFault.exe	oneetx.exe
904	3936	WerFault.exe	oneetx.exe
1424	3936	WerFault.exe	oneetx.exe
3800	3936	WerFault.exe	oneetx.exe
3148	3936	WerFault.exe	oneetx.exe
1900	2832	WerFault.exe	oneetx.exe
408	2832	WerFault.exe	oneetx.exe
4696	2832	WerFault.exe	oneetx.exe
2696	3936	WerFault.exe	oneetx.exe
996	3936	WerFault.exe	oneetx.exe
4812	3936	WerFault.exe	oneetx.exe
4004	2324	WerFault.exe	oneetx.exe
3172	2324	WerFault.exe	oneetx.exe
3336	2324	WerFault.exe	oneetx.exe
5112	3936	WerFault.exe	oneetx.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2192 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

it545773.exe1.exekp126788.exe

pid process

2636 it545773.exe
2636 it545773.exe
3148 1.exe
3996 kp126788.exe
3996 kp126788.exe
3148 1.exe

pid	process
2192	schtasks.exe

pid	process
2636	it545773.exe
2636	it545773.exe
3148	1.exe
3996	kp126788.exe
3996	kp126788.exe
3148	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

it545773.exejr759587.exe1.exekp126788.exe

description	pid	process
Token: SeDebugPrivilege	2636	it545773.exe
Token: SeDebugPrivilege	4448	jr759587.exe
Token: SeDebugPrivilege	3148	1.exe
Token: SeDebugPrivilege	3996	kp126788.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

lr700191.exe

pid process

3332 lr700191.exe

pid	process
3332	lr700191.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

eea96aa3cdf2c451e3ecf9efd9714ef91e56b62cb4c17abc34db7eed1a35492d.exezipb1372.exeziUx2302.exejr759587.exelr700191.exeoneetx.exe

description	pid	process	target process
PID 3340 wrote to memory of 4728	3340	eea96aa3cdf2c451e3ecf9efd9714ef91e56b62cb4c17abc34db7eed1a35492d.exe	zipb1372.exe
PID 3340 wrote to memory of 4728	3340	eea96aa3cdf2c451e3ecf9efd9714ef91e56b62cb4c17abc34db7eed1a35492d.exe	zipb1372.exe
PID 3340 wrote to memory of 4728	3340	eea96aa3cdf2c451e3ecf9efd9714ef91e56b62cb4c17abc34db7eed1a35492d.exe	zipb1372.exe
PID 4728 wrote to memory of 2576	4728	zipb1372.exe	ziUx2302.exe
PID 4728 wrote to memory of 2576	4728	zipb1372.exe	ziUx2302.exe
PID 4728 wrote to memory of 2576	4728	zipb1372.exe	ziUx2302.exe
PID 2576 wrote to memory of 2636	2576	ziUx2302.exe	it545773.exe
PID 2576 wrote to memory of 2636	2576	ziUx2302.exe	it545773.exe
PID 2576 wrote to memory of 4448	2576	ziUx2302.exe	jr759587.exe
PID 2576 wrote to memory of 4448	2576	ziUx2302.exe	jr759587.exe
PID 2576 wrote to memory of 4448	2576	ziUx2302.exe	jr759587.exe
PID 4448 wrote to memory of 3148	4448	jr759587.exe	1.exe
PID 4448 wrote to memory of 3148	4448	jr759587.exe	1.exe
PID 4448 wrote to memory of 3148	4448	jr759587.exe	1.exe
PID 4728 wrote to memory of 3996	4728	zipb1372.exe	kp126788.exe
PID 4728 wrote to memory of 3996	4728	zipb1372.exe	kp126788.exe
PID 4728 wrote to memory of 3996	4728	zipb1372.exe	kp126788.exe
PID 3340 wrote to memory of 3332	3340	eea96aa3cdf2c451e3ecf9efd9714ef91e56b62cb4c17abc34db7eed1a35492d.exe	lr700191.exe
PID 3340 wrote to memory of 3332	3340	eea96aa3cdf2c451e3ecf9efd9714ef91e56b62cb4c17abc34db7eed1a35492d.exe	lr700191.exe
PID 3340 wrote to memory of 3332	3340	eea96aa3cdf2c451e3ecf9efd9714ef91e56b62cb4c17abc34db7eed1a35492d.exe	lr700191.exe
PID 3332 wrote to memory of 3936	3332	lr700191.exe	oneetx.exe
PID 3332 wrote to memory of 3936	3332	lr700191.exe	oneetx.exe
PID 3332 wrote to memory of 3936	3332	lr700191.exe	oneetx.exe
PID 3936 wrote to memory of 2192	3936	oneetx.exe	schtasks.exe
PID 3936 wrote to memory of 2192	3936	oneetx.exe	schtasks.exe
PID 3936 wrote to memory of 2192	3936	oneetx.exe	schtasks.exe
PID 3936 wrote to memory of 4736	3936	oneetx.exe	rundll32.exe
PID 3936 wrote to memory of 4736	3936	oneetx.exe	rundll32.exe
PID 3936 wrote to memory of 4736	3936	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\eea96aa3cdf2c451e3ecf9efd9714ef91e56b62cb4c17abc34db7eed1a35492d.exe
"C:\Users\Admin\AppData\Local\Temp\eea96aa3cdf2c451e3ecf9efd9714ef91e56b62cb4c17abc34db7eed1a35492d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipb1372.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipb1372.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziUx2302.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziUx2302.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it545773.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it545773.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr759587.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr759587.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4448
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3148
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1380
        5⤵
        Program crash
        
        PID:1536
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp126788.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp126788.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr700191.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr700191.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 700
    3⤵
    - Program crash
    PID:4220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 784
    3⤵
    - Program crash
    PID:228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 800
    3⤵
    - Program crash
    PID:2256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 972
    3⤵
    - Program crash
    PID:2912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 988
    3⤵
    - Program crash
    PID:1960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 1016
    3⤵
    - Program crash
    PID:2152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 1220
    3⤵
    - Program crash
    PID:728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 1212
    3⤵
    - Program crash
    PID:4552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 1316
    3⤵
    - Program crash
    PID:4840
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 696
      4⤵
      Program crash
      PID:5108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 936
      4⤵
      Program crash
      PID:3816
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1076
      4⤵
      Program crash
      PID:3632
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1100
      4⤵
      Program crash
      PID:4224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 948
      4⤵
      Program crash
      PID:2416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1128
      4⤵
      Program crash
      PID:1656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1156
      4⤵
      Program crash
      PID:3380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1164
      4⤵
      Program crash
      PID:1628
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1016
      4⤵
      Program crash
      PID:904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 780
      4⤵
      Program crash
      PID:1424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 888
      4⤵
      Program crash
      PID:3800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1284
      4⤵
      Program crash
      PID:3148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1188
      4⤵
      Program crash
      PID:2696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1580
      4⤵
      Program crash
      PID:996
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1596
      4⤵
      Program crash
      PID:4812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1588
      4⤵
      Program crash
      PID:5112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 1328
    3⤵
    - Program crash
    PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4448 -ip 4448
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3332 -ip 3332
1⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3332 -ip 3332
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3332 -ip 3332
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3332 -ip 3332
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3332 -ip 3332
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3332 -ip 3332
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3332 -ip 3332
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3332 -ip 3332
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3332 -ip 3332
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3332 -ip 3332
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3936 -ip 3936
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3936 -ip 3936
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3936 -ip 3936
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3936 -ip 3936
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3936 -ip 3936
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3936 -ip 3936
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3936 -ip 3936
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3936 -ip 3936
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3936 -ip 3936
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3936 -ip 3936
1⤵
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3936 -ip 3936
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3936 -ip 3936
1⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:2832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 396
  2⤵
  - Program crash
  PID:1900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 440
  2⤵
  - Program crash
  PID:408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 440
  2⤵
  - Program crash
  PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2832 -ip 2832
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2832 -ip 2832
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2832 -ip 2832
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3936 -ip 3936
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3936 -ip 3936
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3936 -ip 3936
1⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:2324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 396
  2⤵
  - Program crash
  PID:4004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 464
  2⤵
  - Program crash
  PID:3172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 416
  2⤵
  - Program crash
  PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2324 -ip 2324
1⤵
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2324 -ip 2324
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 2324 -ip 2324
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 3936 -ip 3936
1⤵
PID:2396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr700191.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr700191.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipb1372.exe

Filesize
723KB

MD5
32241d08cf35577c81fcc3b53a1f4cfc

SHA1
1e30849d84a2ba8c720454513e61c32cd1f10ef6

SHA256
d9e528c48e8b2293550842b73679ff189805a5522089df2ac1f17bb193cb8a94

SHA512
f7d804991a732dd7250c42f4ff88caade3669039f1a5c47067e0360b99d3785f32013a46c233da3d801de3ba2594d89eb55b86237aec79a0a1989b37adbad349

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipb1372.exe

Filesize
723KB

MD5
32241d08cf35577c81fcc3b53a1f4cfc

SHA1
1e30849d84a2ba8c720454513e61c32cd1f10ef6

SHA256
d9e528c48e8b2293550842b73679ff189805a5522089df2ac1f17bb193cb8a94

SHA512
f7d804991a732dd7250c42f4ff88caade3669039f1a5c47067e0360b99d3785f32013a46c233da3d801de3ba2594d89eb55b86237aec79a0a1989b37adbad349

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp126788.exe

Filesize
169KB

MD5
83519d76eca35c875f21aedf071b79f8

SHA1
0990a9376a3c49df2af85e8261fabd8fee17348e

SHA256
20dd8c0cb3a37c336836a4cd9c1395af83132919d8e188fff385eadf6778c489

SHA512
387efdf66fccb38f6b6dfbbc97e2259dcb6108480ac00c6118ba51729d6ecf86b30ecea9b9910ce9a9497c687faac9fed00bd56eeaa78e2b9c113a90b2689ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp126788.exe

Filesize
169KB

MD5
83519d76eca35c875f21aedf071b79f8

SHA1
0990a9376a3c49df2af85e8261fabd8fee17348e

SHA256
20dd8c0cb3a37c336836a4cd9c1395af83132919d8e188fff385eadf6778c489

SHA512
387efdf66fccb38f6b6dfbbc97e2259dcb6108480ac00c6118ba51729d6ecf86b30ecea9b9910ce9a9497c687faac9fed00bd56eeaa78e2b9c113a90b2689ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziUx2302.exe

Filesize
569KB

MD5
076fbf1baee40f5aaa8a14e5c7c2ef33

SHA1
9333059d8cfa8f5f8b0a4a1ed70feb22225aca72

SHA256
f1e2f1afab2808d9ca61d176004c7c29516be671b4e783775d0d0fc82def8b42

SHA512
8bbbcfd5b95fb7abb2e964283fbaf20e6f786a277ce2130c3153e0f7ae39e124f6b65ad1c0289ad46daa2e752b778b336957881ac74936a213477ff7d1162859

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziUx2302.exe

Filesize
569KB

MD5
076fbf1baee40f5aaa8a14e5c7c2ef33

SHA1
9333059d8cfa8f5f8b0a4a1ed70feb22225aca72

SHA256
f1e2f1afab2808d9ca61d176004c7c29516be671b4e783775d0d0fc82def8b42

SHA512
8bbbcfd5b95fb7abb2e964283fbaf20e6f786a277ce2130c3153e0f7ae39e124f6b65ad1c0289ad46daa2e752b778b336957881ac74936a213477ff7d1162859

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it545773.exe

Filesize
11KB

MD5
b4fad69b4c4ea06898ff4ebe62a47774

SHA1
1e9ff57670b3c273f4f9ea5724069f45d9076466

SHA256
79e1e0f95060ab0ee3afb8d7b3b52a2ec7d4852e19f24aa4b62f136a612e8a00

SHA512
5c20ad4f9ea3cea367f1028075f6479e048ea245e5641934187df9815b40dab677ed8d27d15d263aeb0cbd4350d9210f54857f7934fa504f312aef26ce671530

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it545773.exe

Filesize
11KB

MD5
b4fad69b4c4ea06898ff4ebe62a47774

SHA1
1e9ff57670b3c273f4f9ea5724069f45d9076466

SHA256
79e1e0f95060ab0ee3afb8d7b3b52a2ec7d4852e19f24aa4b62f136a612e8a00

SHA512
5c20ad4f9ea3cea367f1028075f6479e048ea245e5641934187df9815b40dab677ed8d27d15d263aeb0cbd4350d9210f54857f7934fa504f312aef26ce671530

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr759587.exe

Filesize
587KB

MD5
97e9a25d3b1f5919115e531c66cc0149

SHA1
74884bb88293e05436b426bbcbcd99a0284b4637

SHA256
140f63fd48649303d5bcb9ab374a465f9e7fd446eb9d96bc724cb8b75271ea56

SHA512
2705706b25036de6fbb513da4666aa6ae2b790a207f014920364747899f2637b84db0686a66c0ce5537404555d402439e812628069b38b58c623619ad6fb5a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr759587.exe

Filesize
587KB

MD5
97e9a25d3b1f5919115e531c66cc0149

SHA1
74884bb88293e05436b426bbcbcd99a0284b4637

SHA256
140f63fd48649303d5bcb9ab374a465f9e7fd446eb9d96bc724cb8b75271ea56

SHA512
2705706b25036de6fbb513da4666aa6ae2b790a207f014920364747899f2637b84db0686a66c0ce5537404555d402439e812628069b38b58c623619ad6fb5a37

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/2636-154-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/3148-2335-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/3148-2322-0x0000000004F50000-0x000000000505A000-memory.dmp

Filesize
1.0MB

Download
memory/3148-2334-0x0000000005240000-0x00000000052D2000-memory.dmp

Filesize
584KB

Download
memory/3148-2333-0x0000000005120000-0x0000000005196000-memory.dmp

Filesize
472KB

Download
memory/3148-2320-0x0000000000320000-0x000000000034E000-memory.dmp

Filesize
184KB

Download
memory/3148-2321-0x0000000005460000-0x0000000005A78000-memory.dmp

Filesize
6.1MB

Download
memory/3148-2339-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/3148-2326-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/3148-2324-0x0000000004E40000-0x0000000004E7C000-memory.dmp

Filesize
240KB

Download
memory/3148-2323-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/3332-2346-0x0000000000970000-0x00000000009AB000-memory.dmp

Filesize
236KB

Download
memory/3996-2337-0x0000000007C30000-0x000000000815C000-memory.dmp

Filesize
5.2MB

Download
memory/3996-2331-0x0000000000A30000-0x0000000000A60000-memory.dmp

Filesize
192KB

Download
memory/3996-2332-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/3996-2336-0x0000000006780000-0x0000000006942000-memory.dmp

Filesize
1.8MB

Download
memory/3996-2338-0x00000000069A0000-0x00000000069F0000-memory.dmp

Filesize
320KB

Download
memory/4448-176-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-220-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-222-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-224-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-226-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-228-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-2307-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/4448-218-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-216-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-214-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-212-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-210-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-208-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-206-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-204-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-202-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-200-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-198-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-196-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-194-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-192-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-190-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-188-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-186-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-184-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-182-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-180-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-178-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-174-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-172-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-170-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-168-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-166-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-165-0x0000000004FB0000-0x0000000005010000-memory.dmp

Filesize
384KB

Download
memory/4448-164-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/4448-163-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/4448-162-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/4448-161-0x00000000009E0000-0x0000000000A3B000-memory.dmp

Filesize
364KB

Download
memory/4448-160-0x0000000005090000-0x0000000005634000-memory.dmp

Filesize
5.6MB

Download