amadey | 01e6aca43ee7344ae2ded0aaf139977364e2c154b8f84b2be88d46ca2982f9cd

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2023 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01e6aca43ee7344ae2ded0aaf139977364e2c154b8f84b2be88d46ca2982f9cd.exe
Size

1.2MB
MD5

1206dc2a278aca8135c93c9344059298
SHA1

b1938e3ca5ebfa1adbc5f157f99ffc8d907a388f
SHA256

01e6aca43ee7344ae2ded0aaf139977364e2c154b8f84b2be88d46ca2982f9cd
SHA512

c41d11f4a15d00276405ed3f0b6b577488e299df4687d50a451484488b12a3962dfa0daa2fc45f88ab954ef7b19eaf3d4840fe642d92f1d75300bda137715276
SSDEEP

24576:byfI4WGcKXvjzN7XuVBn81u9Nd+CUBZltAED:OSOfjzhgn81CH/UblWE

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr895410.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr895410.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr895410.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr895410.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr895410.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr895410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr895410.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

si113865.exeoneetx.exequ891523.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	si113865.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	qu891523.exe

Executes dropped EXE 10 IoCs

Processes:

un716010.exeun248508.exepr895410.exequ891523.exe1.exerk299014.exesi113865.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
4236	un716010.exe
4120	un248508.exe
1800	pr895410.exe
3916	qu891523.exe
3356	1.exe
1564	rk299014.exe
1800	si113865.exe
2168	oneetx.exe
2432	oneetx.exe
1100	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2704 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2704	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr895410.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr895410.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr895410.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

01e6aca43ee7344ae2ded0aaf139977364e2c154b8f84b2be88d46ca2982f9cd.exeun716010.exeun248508.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	01e6aca43ee7344ae2ded0aaf139977364e2c154b8f84b2be88d46ca2982f9cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	01e6aca43ee7344ae2ded0aaf139977364e2c154b8f84b2be88d46ca2982f9cd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un716010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un716010.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un248508.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un248508.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 27 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2428	1800	WerFault.exe	si113865.exe
4528	1800	WerFault.exe	si113865.exe
4616	1800	WerFault.exe	si113865.exe
1632	1800	WerFault.exe	si113865.exe
2212	1800	WerFault.exe	si113865.exe
4944	1800	WerFault.exe	si113865.exe
3688	1800	WerFault.exe	si113865.exe
4140	1800	WerFault.exe	si113865.exe
4432	1800	WerFault.exe	si113865.exe
4228	1800	WerFault.exe	si113865.exe
1424	2168	WerFault.exe	oneetx.exe
3612	2168	WerFault.exe	oneetx.exe
792	2168	WerFault.exe	oneetx.exe
3792	2168	WerFault.exe	oneetx.exe
2976	2168	WerFault.exe	oneetx.exe
2848	2168	WerFault.exe	oneetx.exe
4120	2168	WerFault.exe	oneetx.exe
4100	2168	WerFault.exe	oneetx.exe
4072	2168	WerFault.exe	oneetx.exe
4708	2168	WerFault.exe	oneetx.exe
3808	2168	WerFault.exe	oneetx.exe
2916	2432	WerFault.exe	oneetx.exe
2420	2168	WerFault.exe	oneetx.exe
4520	2168	WerFault.exe	oneetx.exe
2684	2168	WerFault.exe	oneetx.exe
1492	2168	WerFault.exe	oneetx.exe
1460	1100	WerFault.exe	oneetx.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4760 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr895410.exe1.exerk299014.exe

pid process

1800 pr895410.exe
1800 pr895410.exe
3356 1.exe
3356 1.exe
1564 rk299014.exe
1564 rk299014.exe

pid	process
4760	schtasks.exe

pid	process
1800	pr895410.exe
1800	pr895410.exe
3356	1.exe
3356	1.exe
1564	rk299014.exe
1564	rk299014.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

pr895410.exequ891523.exe1.exerk299014.exe

description	pid	process
Token: SeDebugPrivilege	1800	pr895410.exe
Token: SeDebugPrivilege	3916	qu891523.exe
Token: SeDebugPrivilege	3356	1.exe
Token: SeDebugPrivilege	1564	rk299014.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

si113865.exe

pid process

1800 si113865.exe

pid	process
1800	si113865.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

01e6aca43ee7344ae2ded0aaf139977364e2c154b8f84b2be88d46ca2982f9cd.exeun716010.exeun248508.exequ891523.exesi113865.exeoneetx.exe

description	pid	process	target process
PID 4900 wrote to memory of 4236	4900	01e6aca43ee7344ae2ded0aaf139977364e2c154b8f84b2be88d46ca2982f9cd.exe	un716010.exe
PID 4900 wrote to memory of 4236	4900	01e6aca43ee7344ae2ded0aaf139977364e2c154b8f84b2be88d46ca2982f9cd.exe	un716010.exe
PID 4900 wrote to memory of 4236	4900	01e6aca43ee7344ae2ded0aaf139977364e2c154b8f84b2be88d46ca2982f9cd.exe	un716010.exe
PID 4236 wrote to memory of 4120	4236	un716010.exe	un248508.exe
PID 4236 wrote to memory of 4120	4236	un716010.exe	un248508.exe
PID 4236 wrote to memory of 4120	4236	un716010.exe	un248508.exe
PID 4120 wrote to memory of 1800	4120	un248508.exe	pr895410.exe
PID 4120 wrote to memory of 1800	4120	un248508.exe	pr895410.exe
PID 4120 wrote to memory of 1800	4120	un248508.exe	pr895410.exe
PID 4120 wrote to memory of 3916	4120	un248508.exe	qu891523.exe
PID 4120 wrote to memory of 3916	4120	un248508.exe	qu891523.exe
PID 4120 wrote to memory of 3916	4120	un248508.exe	qu891523.exe
PID 3916 wrote to memory of 3356	3916	qu891523.exe	1.exe
PID 3916 wrote to memory of 3356	3916	qu891523.exe	1.exe
PID 3916 wrote to memory of 3356	3916	qu891523.exe	1.exe
PID 4236 wrote to memory of 1564	4236	un716010.exe	rk299014.exe
PID 4236 wrote to memory of 1564	4236	un716010.exe	rk299014.exe
PID 4236 wrote to memory of 1564	4236	un716010.exe	rk299014.exe
PID 4900 wrote to memory of 1800	4900	01e6aca43ee7344ae2ded0aaf139977364e2c154b8f84b2be88d46ca2982f9cd.exe	si113865.exe
PID 4900 wrote to memory of 1800	4900	01e6aca43ee7344ae2ded0aaf139977364e2c154b8f84b2be88d46ca2982f9cd.exe	si113865.exe
PID 4900 wrote to memory of 1800	4900	01e6aca43ee7344ae2ded0aaf139977364e2c154b8f84b2be88d46ca2982f9cd.exe	si113865.exe
PID 1800 wrote to memory of 2168	1800	si113865.exe	oneetx.exe
PID 1800 wrote to memory of 2168	1800	si113865.exe	oneetx.exe
PID 1800 wrote to memory of 2168	1800	si113865.exe	oneetx.exe
PID 2168 wrote to memory of 4760	2168	oneetx.exe	schtasks.exe
PID 2168 wrote to memory of 4760	2168	oneetx.exe	schtasks.exe
PID 2168 wrote to memory of 4760	2168	oneetx.exe	schtasks.exe
PID 2168 wrote to memory of 2704	2168	oneetx.exe	rundll32.exe
PID 2168 wrote to memory of 2704	2168	oneetx.exe	rundll32.exe
PID 2168 wrote to memory of 2704	2168	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\01e6aca43ee7344ae2ded0aaf139977364e2c154b8f84b2be88d46ca2982f9cd.exe
"C:\Users\Admin\AppData\Local\Temp\01e6aca43ee7344ae2ded0aaf139977364e2c154b8f84b2be88d46ca2982f9cd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un716010.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un716010.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un248508.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un248508.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr895410.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr895410.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1800
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu891523.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu891523.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3916
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3356
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk299014.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk299014.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si113865.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si113865.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 700
    3⤵
    - Program crash
    PID:2428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 784
    3⤵
    - Program crash
    PID:4528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 784
    3⤵
    - Program crash
    PID:4616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 972
    3⤵
    - Program crash
    PID:1632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 980
    3⤵
    - Program crash
    PID:2212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 984
    3⤵
    - Program crash
    PID:4944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1220
    3⤵
    - Program crash
    PID:3688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1240
    3⤵
    - Program crash
    PID:4140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1316
    3⤵
    - Program crash
    PID:4432
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 696
      4⤵
      Program crash
      PID:1424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 860
      4⤵
      Program crash
      PID:3612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 936
      4⤵
      Program crash
      PID:792
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1056
      4⤵
      Program crash
      PID:3792
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1064
      4⤵
      Program crash
      PID:2976
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1064
      4⤵
      Program crash
      PID:2848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1140
      4⤵
      Program crash
      PID:4120
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 680
      4⤵
      Program crash
      PID:4100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 772
      4⤵
      Program crash
      PID:4072
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 896
      4⤵
      Program crash
      PID:4708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1308
      4⤵
      Program crash
      PID:3808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1164
      4⤵
      Program crash
      PID:2420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1612
      4⤵
      Program crash
      PID:4520
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1576
      4⤵
      Program crash
      PID:2684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1604
      4⤵
      Program crash
      PID:1492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1360
    3⤵
    - Program crash
    PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1800 -ip 1800
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1800 -ip 1800
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1800 -ip 1800
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1800 -ip 1800
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1800 -ip 1800
1⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1800 -ip 1800
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1800 -ip 1800
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1800 -ip 1800
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1800 -ip 1800
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1800 -ip 1800
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2168 -ip 2168
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2168 -ip 2168
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2168 -ip 2168
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2168 -ip 2168
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2168 -ip 2168
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2168 -ip 2168
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2168 -ip 2168
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2168 -ip 2168
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2168 -ip 2168
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2168 -ip 2168
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2168 -ip 2168
1⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:2432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 320
  2⤵
  - Program crash
  PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2432 -ip 2432
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2168 -ip 2168
1⤵
PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2168 -ip 2168
1⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2168 -ip 2168
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2168 -ip 2168
1⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:1100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 320
  2⤵
  - Program crash
  PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1100 -ip 1100
1⤵
PID:4788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
397KB

MD5
dadc0d126524e7b28aab58226127e8a6

SHA1
a383b6f22bbb8056ad743543ad54ef1707b1493a

SHA256
af557e2b8545e0ae5ffb362c04a48e338b99c5e0d6227a35054581fe2075f5d8

SHA512
dbafe7ad76989eb410064ac380ee2fb8494421cbd0e780663cab9eaed3f758325ce224dfd9bf16561081705c41bf903fd3d84db56148d6a5451c5a850ca59117

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
397KB

MD5
dadc0d126524e7b28aab58226127e8a6

SHA1
a383b6f22bbb8056ad743543ad54ef1707b1493a

SHA256
af557e2b8545e0ae5ffb362c04a48e338b99c5e0d6227a35054581fe2075f5d8

SHA512
dbafe7ad76989eb410064ac380ee2fb8494421cbd0e780663cab9eaed3f758325ce224dfd9bf16561081705c41bf903fd3d84db56148d6a5451c5a850ca59117

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
397KB

MD5
dadc0d126524e7b28aab58226127e8a6

SHA1
a383b6f22bbb8056ad743543ad54ef1707b1493a

SHA256
af557e2b8545e0ae5ffb362c04a48e338b99c5e0d6227a35054581fe2075f5d8

SHA512
dbafe7ad76989eb410064ac380ee2fb8494421cbd0e780663cab9eaed3f758325ce224dfd9bf16561081705c41bf903fd3d84db56148d6a5451c5a850ca59117

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
397KB

MD5
dadc0d126524e7b28aab58226127e8a6

SHA1
a383b6f22bbb8056ad743543ad54ef1707b1493a

SHA256
af557e2b8545e0ae5ffb362c04a48e338b99c5e0d6227a35054581fe2075f5d8

SHA512
dbafe7ad76989eb410064ac380ee2fb8494421cbd0e780663cab9eaed3f758325ce224dfd9bf16561081705c41bf903fd3d84db56148d6a5451c5a850ca59117

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
397KB

MD5
dadc0d126524e7b28aab58226127e8a6

SHA1
a383b6f22bbb8056ad743543ad54ef1707b1493a

SHA256
af557e2b8545e0ae5ffb362c04a48e338b99c5e0d6227a35054581fe2075f5d8

SHA512
dbafe7ad76989eb410064ac380ee2fb8494421cbd0e780663cab9eaed3f758325ce224dfd9bf16561081705c41bf903fd3d84db56148d6a5451c5a850ca59117

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si113865.exe

Filesize
397KB

MD5
dadc0d126524e7b28aab58226127e8a6

SHA1
a383b6f22bbb8056ad743543ad54ef1707b1493a

SHA256
af557e2b8545e0ae5ffb362c04a48e338b99c5e0d6227a35054581fe2075f5d8

SHA512
dbafe7ad76989eb410064ac380ee2fb8494421cbd0e780663cab9eaed3f758325ce224dfd9bf16561081705c41bf903fd3d84db56148d6a5451c5a850ca59117

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si113865.exe

Filesize
397KB

MD5
dadc0d126524e7b28aab58226127e8a6

SHA1
a383b6f22bbb8056ad743543ad54ef1707b1493a

SHA256
af557e2b8545e0ae5ffb362c04a48e338b99c5e0d6227a35054581fe2075f5d8

SHA512
dbafe7ad76989eb410064ac380ee2fb8494421cbd0e780663cab9eaed3f758325ce224dfd9bf16561081705c41bf903fd3d84db56148d6a5451c5a850ca59117

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un716010.exe

Filesize
862KB

MD5
b7730f3c14f405a18fa765f44157bfb2

SHA1
072f9493a1516934fba0da65c66406a4ec582837

SHA256
bd0738c4f3b81436406489f5871d48161eb2cbd21a1831d15a21320d3a9a8d95

SHA512
8f5765f749253b1358d72e0ab5a5118b12b5df29e1b760ea3485549fab51ddf03b85c60bfa996257566227541edd4d7ab02e6eb94b2cb4302189ba8d0da8e601

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un716010.exe

Filesize
862KB

MD5
b7730f3c14f405a18fa765f44157bfb2

SHA1
072f9493a1516934fba0da65c66406a4ec582837

SHA256
bd0738c4f3b81436406489f5871d48161eb2cbd21a1831d15a21320d3a9a8d95

SHA512
8f5765f749253b1358d72e0ab5a5118b12b5df29e1b760ea3485549fab51ddf03b85c60bfa996257566227541edd4d7ab02e6eb94b2cb4302189ba8d0da8e601

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk299014.exe

Filesize
169KB

MD5
f2efe76c4fb4099460439e2c5809b59b

SHA1
df031b6e5c099049794233568a45fcdcb9582185

SHA256
13bf7704bd355d49b96ac644547c188712c3df9a9344f83e8ca7cfe9ce2675e4

SHA512
24d90cd8d01afee9c930b94b15bb569d1180efe292f522cc569378c41eec71965ce1b28e4ce496269e93facc1ea881ff8d7530d9e16f56916c133140f9548309

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk299014.exe

Filesize
169KB

MD5
f2efe76c4fb4099460439e2c5809b59b

SHA1
df031b6e5c099049794233568a45fcdcb9582185

SHA256
13bf7704bd355d49b96ac644547c188712c3df9a9344f83e8ca7cfe9ce2675e4

SHA512
24d90cd8d01afee9c930b94b15bb569d1180efe292f522cc569378c41eec71965ce1b28e4ce496269e93facc1ea881ff8d7530d9e16f56916c133140f9548309

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un248508.exe

Filesize
709KB

MD5
9d28c055f37c01aa8bd63c863e47bb7a

SHA1
71c977ee0375c9203f9fc421bc6c7b1ecd7c6c7c

SHA256
aa0af7acccd3bc70ba09f81229a7831d6a3ebf5ff71378fdadde36cc114f0707

SHA512
a645c45ba5ed624497984f0527a00277c8793c4b6a08a086ac36b551f70e3d1ad4068945cf55cd93aa8ca9c253a356cfa46c6da986376f2f2df99f2252adff74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un248508.exe

Filesize
709KB

MD5
9d28c055f37c01aa8bd63c863e47bb7a

SHA1
71c977ee0375c9203f9fc421bc6c7b1ecd7c6c7c

SHA256
aa0af7acccd3bc70ba09f81229a7831d6a3ebf5ff71378fdadde36cc114f0707

SHA512
a645c45ba5ed624497984f0527a00277c8793c4b6a08a086ac36b551f70e3d1ad4068945cf55cd93aa8ca9c253a356cfa46c6da986376f2f2df99f2252adff74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr895410.exe

Filesize
404KB

MD5
3782bd3981e186e5bb677c56343d147c

SHA1
029ac3ca3a83d6259839a9f60313dfe4e91aecf2

SHA256
4daac26a7a69c955cad1373ce227b30d4d2af8e0e47ba85287915a2a992aa802

SHA512
6e21b68f53b85f261374aa4d8730ad40fc96ed54bf4e22990a413bfb6c3f9d7b429f04edf12bcf9a299915b144419f1154af1d277be3aeb44185e5f445f67f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr895410.exe

Filesize
404KB

MD5
3782bd3981e186e5bb677c56343d147c

SHA1
029ac3ca3a83d6259839a9f60313dfe4e91aecf2

SHA256
4daac26a7a69c955cad1373ce227b30d4d2af8e0e47ba85287915a2a992aa802

SHA512
6e21b68f53b85f261374aa4d8730ad40fc96ed54bf4e22990a413bfb6c3f9d7b429f04edf12bcf9a299915b144419f1154af1d277be3aeb44185e5f445f67f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu891523.exe

Filesize
588KB

MD5
7b916f0b0bd2166485f7e0a8c12e0118

SHA1
f3054264070f6213afbac656fbef49ff03143010

SHA256
3b6ffcc2710cac34899799f0dafee980bab645060895d493793f7d197efb2947

SHA512
99395cc26dba5ec7d3e3d3bc650e386dad5317aca67d064d58d9c7cd5bafd0b5378c3ca49903c910cef4dd72296f584433108914e3016f3f41c019ce33abc730

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu891523.exe

Filesize
588KB

MD5
7b916f0b0bd2166485f7e0a8c12e0118

SHA1
f3054264070f6213afbac656fbef49ff03143010

SHA256
3b6ffcc2710cac34899799f0dafee980bab645060895d493793f7d197efb2947

SHA512
99395cc26dba5ec7d3e3d3bc650e386dad5317aca67d064d58d9c7cd5bafd0b5378c3ca49903c910cef4dd72296f584433108914e3016f3f41c019ce33abc730

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/1564-2361-0x0000000005D10000-0x0000000006328000-memory.dmp

Filesize
6.1MB

Download
memory/1564-2373-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/1564-2368-0x0000000006330000-0x00000000063C2000-memory.dmp

Filesize
584KB

Download
memory/1564-2367-0x0000000005BA0000-0x0000000005C16000-memory.dmp

Filesize
472KB

Download
memory/1564-2365-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/1564-2363-0x0000000005730000-0x0000000005742000-memory.dmp

Filesize
72KB

Download
memory/1564-2360-0x0000000000DE0000-0x0000000000E10000-memory.dmp

Filesize
192KB

Download
memory/1800-165-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/1800-192-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/1800-190-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/1800-189-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/1800-188-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/1800-187-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/1800-185-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/1800-183-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/1800-181-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/1800-179-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/1800-2381-0x0000000000B90000-0x0000000000BCB000-memory.dmp

Filesize
236KB

Download
memory/1800-177-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/1800-175-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/1800-173-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/1800-171-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/1800-169-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/1800-167-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/1800-163-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/1800-161-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/1800-160-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/1800-159-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/1800-157-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/1800-158-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/1800-156-0x00000000009A0000-0x00000000009CD000-memory.dmp

Filesize
180KB

Download
memory/1800-155-0x0000000004E60000-0x0000000005404000-memory.dmp

Filesize
5.6MB

Download
memory/3356-2362-0x0000000004BA0000-0x0000000004CAA000-memory.dmp

Filesize
1.0MB

Download
memory/3356-2371-0x0000000006090000-0x0000000006252000-memory.dmp

Filesize
1.8MB

Download
memory/3356-2374-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/3356-2372-0x0000000008340000-0x000000000886C000-memory.dmp

Filesize
5.2MB

Download
memory/3356-2356-0x0000000000150000-0x000000000017E000-memory.dmp

Filesize
184KB

Download
memory/3356-2370-0x0000000005CC0000-0x0000000005D10000-memory.dmp

Filesize
320KB

Download
memory/3356-2369-0x0000000004E90000-0x0000000004EF6000-memory.dmp

Filesize
408KB

Download
memory/3356-2366-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/3356-2364-0x0000000004B10000-0x0000000004B4C000-memory.dmp

Filesize
240KB

Download
memory/3916-226-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3916-228-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3916-224-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3916-222-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3916-230-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3916-234-0x00000000024A0000-0x00000000024FB000-memory.dmp

Filesize
364KB

Download
memory/3916-235-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3916-237-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3916-220-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3916-2350-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3916-218-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3916-216-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3916-214-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3916-212-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3916-210-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3916-208-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3916-206-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3916-204-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3916-202-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3916-200-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3916-198-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3916-197-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download