amadey | 51e983b09268e8c718494fb153a2d3361303309bea6ab6a0c70e349c0f75a256

Analysis

max time kernel
147s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2023 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51e983b09268e8c718494fb153a2d3361303309bea6ab6a0c70e349c0f75a256.exe
Size

1.0MB
MD5

94fcc5f307e1f3996e195e7c683e88a5
SHA1

a68328c715d315b20f9f9955137466f29327b1b4
SHA256

51e983b09268e8c718494fb153a2d3361303309bea6ab6a0c70e349c0f75a256
SHA512

a6cddefa71851a734b4dd76938d945cd6d1aadc33a267184aff547f05f03800683dfeb02f88fe3eace8233d452eedcdc7ae3530a2a04dd34ff67e4eadc108b14
SSDEEP

24576:NyAI1yUElf250yfsVksLL4M4rO3y9T7+qzc8BIqyc:oAmFEhlH74FC3yVSqzc86qy

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

it062465.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it062465.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it062465.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it062465.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it062465.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it062465.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it062465.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jr386108.exelr724730.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	jr386108.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	lr724730.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

Processes:

ziXY1224.exezieE2565.exeit062465.exejr386108.exe1.exekp088784.exelr724730.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
1932	ziXY1224.exe
4228	zieE2565.exe
4516	it062465.exe
264	jr386108.exe
4792	1.exe
980	kp088784.exe
1480	lr724730.exe
4468	oneetx.exe
560	oneetx.exe
2680	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3452 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

it062465.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it062465.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3452	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it062465.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zieE2565.exe51e983b09268e8c718494fb153a2d3361303309bea6ab6a0c70e349c0f75a256.exeziXY1224.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zieE2565.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zieE2565.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	51e983b09268e8c718494fb153a2d3361303309bea6ab6a0c70e349c0f75a256.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	51e983b09268e8c718494fb153a2d3361303309bea6ab6a0c70e349c0f75a256.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziXY1224.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziXY1224.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 32 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2536	264	WerFault.exe	jr386108.exe
1696	1480	WerFault.exe	lr724730.exe
1512	1480	WerFault.exe	lr724730.exe
4608	1480	WerFault.exe	lr724730.exe
848	1480	WerFault.exe	lr724730.exe
948	1480	WerFault.exe	lr724730.exe
764	1480	WerFault.exe	lr724730.exe
5064	1480	WerFault.exe	lr724730.exe
4188	1480	WerFault.exe	lr724730.exe
3204	1480	WerFault.exe	lr724730.exe
3848	1480	WerFault.exe	lr724730.exe
4336	4468	WerFault.exe	oneetx.exe
4532	4468	WerFault.exe	oneetx.exe
1908	4468	WerFault.exe	oneetx.exe
4140	4468	WerFault.exe	oneetx.exe
2992	4468	WerFault.exe	oneetx.exe
4296	4468	WerFault.exe	oneetx.exe
3224	4468	WerFault.exe	oneetx.exe
5004	4468	WerFault.exe	oneetx.exe
4876	4468	WerFault.exe	oneetx.exe
3864	4468	WerFault.exe	oneetx.exe
4276	4468	WerFault.exe	oneetx.exe
1900	4468	WerFault.exe	oneetx.exe
4444	560	WerFault.exe	oneetx.exe
4936	560	WerFault.exe	oneetx.exe
4700	560	WerFault.exe	oneetx.exe
952	4468	WerFault.exe	oneetx.exe
764	4468	WerFault.exe	oneetx.exe
8	4468	WerFault.exe	oneetx.exe
3716	2680	WerFault.exe	oneetx.exe
2140	2680	WerFault.exe	oneetx.exe
852	2680	WerFault.exe	oneetx.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5080 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

it062465.exe1.exekp088784.exe

pid process

4516 it062465.exe
4516 it062465.exe
4792 1.exe
980 kp088784.exe
4792 1.exe
980 kp088784.exe

pid	process
5080	schtasks.exe

pid	process
4516	it062465.exe
4516	it062465.exe
4792	1.exe
980	kp088784.exe
4792	1.exe
980	kp088784.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

it062465.exejr386108.exe1.exekp088784.exe

description	pid	process
Token: SeDebugPrivilege	4516	it062465.exe
Token: SeDebugPrivilege	264	jr386108.exe
Token: SeDebugPrivilege	4792	1.exe
Token: SeDebugPrivilege	980	kp088784.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

lr724730.exe

pid process

1480 lr724730.exe

pid	process
1480	lr724730.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

51e983b09268e8c718494fb153a2d3361303309bea6ab6a0c70e349c0f75a256.exeziXY1224.exezieE2565.exejr386108.exelr724730.exeoneetx.exe

description	pid	process	target process
PID 880 wrote to memory of 1932	880	51e983b09268e8c718494fb153a2d3361303309bea6ab6a0c70e349c0f75a256.exe	ziXY1224.exe
PID 880 wrote to memory of 1932	880	51e983b09268e8c718494fb153a2d3361303309bea6ab6a0c70e349c0f75a256.exe	ziXY1224.exe
PID 880 wrote to memory of 1932	880	51e983b09268e8c718494fb153a2d3361303309bea6ab6a0c70e349c0f75a256.exe	ziXY1224.exe
PID 1932 wrote to memory of 4228	1932	ziXY1224.exe	zieE2565.exe
PID 1932 wrote to memory of 4228	1932	ziXY1224.exe	zieE2565.exe
PID 1932 wrote to memory of 4228	1932	ziXY1224.exe	zieE2565.exe
PID 4228 wrote to memory of 4516	4228	zieE2565.exe	it062465.exe
PID 4228 wrote to memory of 4516	4228	zieE2565.exe	it062465.exe
PID 4228 wrote to memory of 264	4228	zieE2565.exe	jr386108.exe
PID 4228 wrote to memory of 264	4228	zieE2565.exe	jr386108.exe
PID 4228 wrote to memory of 264	4228	zieE2565.exe	jr386108.exe
PID 264 wrote to memory of 4792	264	jr386108.exe	1.exe
PID 264 wrote to memory of 4792	264	jr386108.exe	1.exe
PID 264 wrote to memory of 4792	264	jr386108.exe	1.exe
PID 1932 wrote to memory of 980	1932	ziXY1224.exe	kp088784.exe
PID 1932 wrote to memory of 980	1932	ziXY1224.exe	kp088784.exe
PID 1932 wrote to memory of 980	1932	ziXY1224.exe	kp088784.exe
PID 880 wrote to memory of 1480	880	51e983b09268e8c718494fb153a2d3361303309bea6ab6a0c70e349c0f75a256.exe	lr724730.exe
PID 880 wrote to memory of 1480	880	51e983b09268e8c718494fb153a2d3361303309bea6ab6a0c70e349c0f75a256.exe	lr724730.exe
PID 880 wrote to memory of 1480	880	51e983b09268e8c718494fb153a2d3361303309bea6ab6a0c70e349c0f75a256.exe	lr724730.exe
PID 1480 wrote to memory of 4468	1480	lr724730.exe	oneetx.exe
PID 1480 wrote to memory of 4468	1480	lr724730.exe	oneetx.exe
PID 1480 wrote to memory of 4468	1480	lr724730.exe	oneetx.exe
PID 4468 wrote to memory of 5080	4468	oneetx.exe	schtasks.exe
PID 4468 wrote to memory of 5080	4468	oneetx.exe	schtasks.exe
PID 4468 wrote to memory of 5080	4468	oneetx.exe	schtasks.exe
PID 4468 wrote to memory of 3452	4468	oneetx.exe	rundll32.exe
PID 4468 wrote to memory of 3452	4468	oneetx.exe	rundll32.exe
PID 4468 wrote to memory of 3452	4468	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\51e983b09268e8c718494fb153a2d3361303309bea6ab6a0c70e349c0f75a256.exe
"C:\Users\Admin\AppData\Local\Temp\51e983b09268e8c718494fb153a2d3361303309bea6ab6a0c70e349c0f75a256.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXY1224.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXY1224.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zieE2565.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zieE2565.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4228
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it062465.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it062465.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4516
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr386108.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr386108.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:264
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4792
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 1384
        5⤵
        Program crash
        
        PID:2536
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp088784.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp088784.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr724730.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr724730.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 700
    3⤵
    - Program crash
    PID:1696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 784
    3⤵
    - Program crash
    PID:1512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 860
    3⤵
    - Program crash
    PID:4608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 980
    3⤵
    - Program crash
    PID:848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1020
    3⤵
    - Program crash
    PID:948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 960
    3⤵
    - Program crash
    PID:764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1224
    3⤵
    - Program crash
    PID:5064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1212
    3⤵
    - Program crash
    PID:4188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1320
    3⤵
    - Program crash
    PID:3204
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 696
      4⤵
      Program crash
      PID:4336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 820
      4⤵
      Program crash
      PID:4532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 896
      4⤵
      Program crash
      PID:1908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1056
      4⤵
      Program crash
      PID:4140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1076
      4⤵
      Program crash
      PID:2992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1056
      4⤵
      Program crash
      PID:4296
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1116
      4⤵
      Program crash
      PID:3224
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:5080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 996
      4⤵
      Program crash
      PID:5004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 680
      4⤵
      Program crash
      PID:4876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1264
      4⤵
      Program crash
      PID:3864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1276
      4⤵
      Program crash
      PID:4276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1140
      4⤵
      Program crash
      PID:1900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1628
      4⤵
      Program crash
      PID:952
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1100
      4⤵
      Program crash
      PID:764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1636
      4⤵
      Program crash
      PID:8
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1368
    3⤵
    - Program crash
    PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 264 -ip 264
1⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1480 -ip 1480
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1480 -ip 1480
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1480 -ip 1480
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1480 -ip 1480
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1480 -ip 1480
1⤵
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1480 -ip 1480
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1480 -ip 1480
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1480 -ip 1480
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1480 -ip 1480
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1480 -ip 1480
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4468 -ip 4468
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4468 -ip 4468
1⤵
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4468 -ip 4468
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4468 -ip 4468
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4468 -ip 4468
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4468 -ip 4468
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4468 -ip 4468
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4468 -ip 4468
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4468 -ip 4468
1⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4468 -ip 4468
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4468 -ip 4468
1⤵
PID:264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4468 -ip 4468
1⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 396
  2⤵
  - Program crash
  PID:4444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 452
  2⤵
  - Program crash
  PID:4936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 452
  2⤵
  - Program crash
  PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 560 -ip 560
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 560 -ip 560
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 560 -ip 560
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4468 -ip 4468
1⤵
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4468 -ip 4468
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4468 -ip 4468
1⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:2680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 396
  2⤵
  - Program crash
  PID:3716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 440
  2⤵
  - Program crash
  PID:2140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 440
  2⤵
  - Program crash
  PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2680 -ip 2680
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2680 -ip 2680
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2680 -ip 2680
1⤵
PID:2060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr724730.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr724730.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXY1224.exe

Filesize
723KB

MD5
f679c464e79ea9dcf9b29cb3f2a686e8

SHA1
c17142c965a9a5ce59f23fa9302390fd5bd7214e

SHA256
5d748a196aae414455e510d691d8e68c7665a5fc72eeb30ac108dff26a171c8b

SHA512
21be0ca9b8f3dcec2d11dc0b68e4fb70b1088f85a5690b1137d30a194a91e620f0dddc711b6fbc98a4232fc095e17292f90ea75b9e1a39b7d8a2e09798607f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXY1224.exe

Filesize
723KB

MD5
f679c464e79ea9dcf9b29cb3f2a686e8

SHA1
c17142c965a9a5ce59f23fa9302390fd5bd7214e

SHA256
5d748a196aae414455e510d691d8e68c7665a5fc72eeb30ac108dff26a171c8b

SHA512
21be0ca9b8f3dcec2d11dc0b68e4fb70b1088f85a5690b1137d30a194a91e620f0dddc711b6fbc98a4232fc095e17292f90ea75b9e1a39b7d8a2e09798607f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp088784.exe

Filesize
169KB

MD5
dda083c9b564b5928e6051b9c067b917

SHA1
40b8e1ac48213be0305c1a47aaf24fa40adaee3c

SHA256
a9f715b1290d972460d3d78e98f6dfba598cf80e7df9c6e4b24a167a368a72a6

SHA512
e8f31b441ac27d4be4b51bb0dac68f0daca39614ccb7386e0810c7ff381c94189af6b659e41066dbdffc7c17f2b55ecfa84060059dd281896e2c612b4943c870

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp088784.exe

Filesize
169KB

MD5
dda083c9b564b5928e6051b9c067b917

SHA1
40b8e1ac48213be0305c1a47aaf24fa40adaee3c

SHA256
a9f715b1290d972460d3d78e98f6dfba598cf80e7df9c6e4b24a167a368a72a6

SHA512
e8f31b441ac27d4be4b51bb0dac68f0daca39614ccb7386e0810c7ff381c94189af6b659e41066dbdffc7c17f2b55ecfa84060059dd281896e2c612b4943c870

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zieE2565.exe

Filesize
569KB

MD5
00fddf3ed0e96b59a6433f422ce3afd8

SHA1
3d818affd1bdc96a412ad171bea21fe73bedd246

SHA256
0786e559010e91d4cb1383b52d0ddaa91b45874b3ed1552234271763d07f96a4

SHA512
7ca79526ce227d1ef7d267379c598e797453d5d1cda90821108b7ba5811e8d458361584954550e8b242089dc3219f4351413c2e19ca9f2278e1d3f147fb4927d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zieE2565.exe

Filesize
569KB

MD5
00fddf3ed0e96b59a6433f422ce3afd8

SHA1
3d818affd1bdc96a412ad171bea21fe73bedd246

SHA256
0786e559010e91d4cb1383b52d0ddaa91b45874b3ed1552234271763d07f96a4

SHA512
7ca79526ce227d1ef7d267379c598e797453d5d1cda90821108b7ba5811e8d458361584954550e8b242089dc3219f4351413c2e19ca9f2278e1d3f147fb4927d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it062465.exe

Filesize
11KB

MD5
ec79ce9f927cf61d4610ae4cc520e578

SHA1
b5e068fa33f5a92038c1208f507ff7bba2bdd75c

SHA256
062961affa282282b0178a277342fb669c099e22e89f585c221e8cebfdc08df6

SHA512
54351113b29a706d7f6f80ffba43c93ea2bd2abfd2ef295f4d267101cce374b3090567780da856c5b46c66accf5dbadb937bece0866d335f1e3ec84e69b1d4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it062465.exe

Filesize
11KB

MD5
ec79ce9f927cf61d4610ae4cc520e578

SHA1
b5e068fa33f5a92038c1208f507ff7bba2bdd75c

SHA256
062961affa282282b0178a277342fb669c099e22e89f585c221e8cebfdc08df6

SHA512
54351113b29a706d7f6f80ffba43c93ea2bd2abfd2ef295f4d267101cce374b3090567780da856c5b46c66accf5dbadb937bece0866d335f1e3ec84e69b1d4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr386108.exe

Filesize
587KB

MD5
c7923944bb5e2c0c3fd770d90200101f

SHA1
3f1e53c52f34dc91673557b89e50be779300b613

SHA256
f018e2125c2f098d8b1b1ccf8caa7377a8192d4fa439647d14e2734353dd0ed4

SHA512
658113534164fb750c362c09d3d114dea27a59f27c4394c3f0a909fe09872ee3e2771120d42a8d04fd2d3fa61c514652e7344ffeb89132fef1d885db6c7cc949

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr386108.exe

Filesize
587KB

MD5
c7923944bb5e2c0c3fd770d90200101f

SHA1
3f1e53c52f34dc91673557b89e50be779300b613

SHA256
f018e2125c2f098d8b1b1ccf8caa7377a8192d4fa439647d14e2734353dd0ed4

SHA512
658113534164fb750c362c09d3d114dea27a59f27c4394c3f0a909fe09872ee3e2771120d42a8d04fd2d3fa61c514652e7344ffeb89132fef1d885db6c7cc949

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/264-216-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-176-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-186-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-188-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-190-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-192-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-194-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-196-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-198-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-200-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-202-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-204-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-206-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-208-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-210-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-212-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-182-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-214-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-218-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-220-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-222-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-224-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-226-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-228-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-2310-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/264-180-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-178-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-184-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-162-0x0000000004FA0000-0x0000000005544000-memory.dmp

Filesize
5.6MB

Download
memory/264-163-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-164-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-168-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/264-170-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/264-174-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-172-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/264-171-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-167-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/264-166-0x00000000024B0000-0x000000000250B000-memory.dmp

Filesize
364KB

Download
memory/980-2331-0x0000000000980000-0x00000000009B0000-memory.dmp

Filesize
192KB

Download
memory/980-2337-0x00000000064A0000-0x00000000064F0000-memory.dmp

Filesize
320KB

Download
memory/980-2333-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/1480-2346-0x00000000008A0000-0x00000000008DB000-memory.dmp

Filesize
236KB

Download
memory/4516-154-0x0000000000F50000-0x0000000000F5A000-memory.dmp

Filesize
40KB

Download
memory/4516-155-0x000000001BA30000-0x000000001BB7E000-memory.dmp

Filesize
1.3MB

Download
memory/4516-157-0x000000001BA30000-0x000000001BB7E000-memory.dmp

Filesize
1.3MB

Download
memory/4792-2338-0x0000000007220000-0x00000000073E2000-memory.dmp

Filesize
1.8MB

Download
memory/4792-2339-0x0000000008E40000-0x000000000936C000-memory.dmp

Filesize
5.2MB

Download
memory/4792-2332-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/4792-2326-0x0000000005540000-0x000000000557C000-memory.dmp

Filesize
240KB

Download
memory/4792-2325-0x0000000005520000-0x0000000005532000-memory.dmp

Filesize
72KB

Download
memory/4792-2324-0x00000000056A0000-0x00000000057AA000-memory.dmp

Filesize
1.0MB

Download
memory/4792-2323-0x0000000005BB0000-0x00000000061C8000-memory.dmp

Filesize
6.1MB

Download
memory/4792-2322-0x0000000000BD0000-0x0000000000BFE000-memory.dmp

Filesize
184KB

Download
memory/4792-2334-0x0000000005890000-0x0000000005906000-memory.dmp

Filesize
472KB

Download
memory/4792-2336-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/4792-2335-0x00000000059B0000-0x0000000005A42000-memory.dmp

Filesize
584KB

Download