amadey | c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1

Resubmissions

24-10-2024 12:35

241024-pssa5swdma 10

14-04-2023 13:17

230414-qjqavsbd9s 10

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2023 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1.exe
Size

1.2MB
MD5

f50317c48f53767776f84e6b1d1f965e
SHA1

8b3eddf9d8ef16d946f3d44dbcc6f26f8d81db39
SHA256

c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1
SHA512

3a57a654d7c5fe7bf61ade9622ec1a5f5e86b93f842a9194128d5d886a0c1a2612b5911fb17141cb013ed20fc0435c590b2cc53e7a67dd0cfc8f49ee31b381d7
SSDEEP

24576:BywKU/yOHbtGNBHRtH+yfB8ziKQlAscXCZUh+:0wKU/H7yRRtHdGzAK

Score

10^/10

amadey redline dirx soft discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

soft

77.91.124.146:4121

Attributes

auth_value
e65663e455bca3c5699650b66e76ceaa

Extracted

Family

redline

Botnet

dirx

77.91.124.146:4121

Attributes

auth_value
522d988f763be056e53e089f74d464cc

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr050884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr050884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr050884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr050884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr050884.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr050884.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	qu117750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	si493299.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

pid	Process
3724	un084722.exe
5064	un073498.exe
3632	pr050884.exe
3420	qu117750.exe
3212	1.exe
1568	rk301836.exe
4832	si493299.exe
4716	oneetx.exe
1900	oneetx.exe
2696	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
3004	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr050884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr050884.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un084722.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un084722.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un073498.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un073498.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
4080	3632	WerFault.exe	88
4368	3420	WerFault.exe	94
1348	4832	WerFault.exe	102
2064	4832	WerFault.exe	102
5048	4832	WerFault.exe	102
1880	4832	WerFault.exe	102
4888	4832	WerFault.exe	102
2340	4832	WerFault.exe	102
2564	4832	WerFault.exe	102
1336	4832	WerFault.exe	102
4464	4832	WerFault.exe	102
2296	4832	WerFault.exe	102
4504	4716	WerFault.exe	123
3076	4716	WerFault.exe	123
2364	4716	WerFault.exe	123
1548	4716	WerFault.exe	123
2352	4716	WerFault.exe	123
3956	4716	WerFault.exe	123
968	4716	WerFault.exe	123
2796	4716	WerFault.exe	123
4440	4716	WerFault.exe	123
2632	4716	WerFault.exe	123
3768	4716	WerFault.exe	123
4060	1900	WerFault.exe	151
1800	4716	WerFault.exe	123
4988	4716	WerFault.exe	123
4420	4716	WerFault.exe	123
2024	4716	WerFault.exe	123
1904	2696	WerFault.exe	163

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3632	pr050884.exe
3632	pr050884.exe
3212	1.exe
1568	rk301836.exe
1568	rk301836.exe
3212	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3632	pr050884.exe
Token: SeDebugPrivilege	3420	qu117750.exe
Token: SeDebugPrivilege	3212	1.exe
Token: SeDebugPrivilege	1568	rk301836.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4832	si493299.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 3724	2896	c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1.exe	86
PID 2896 wrote to memory of 3724	2896	c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1.exe	86
PID 2896 wrote to memory of 3724	2896	c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1.exe	86
PID 3724 wrote to memory of 5064	3724	un084722.exe	87
PID 3724 wrote to memory of 5064	3724	un084722.exe	87
PID 3724 wrote to memory of 5064	3724	un084722.exe	87
PID 5064 wrote to memory of 3632	5064	un073498.exe	88
PID 5064 wrote to memory of 3632	5064	un073498.exe	88
PID 5064 wrote to memory of 3632	5064	un073498.exe	88
PID 5064 wrote to memory of 3420	5064	un073498.exe	94
PID 5064 wrote to memory of 3420	5064	un073498.exe	94
PID 5064 wrote to memory of 3420	5064	un073498.exe	94
PID 3420 wrote to memory of 3212	3420	qu117750.exe	96
PID 3420 wrote to memory of 3212	3420	qu117750.exe	96
PID 3420 wrote to memory of 3212	3420	qu117750.exe	96
PID 3724 wrote to memory of 1568	3724	un084722.exe	99
PID 3724 wrote to memory of 1568	3724	un084722.exe	99
PID 3724 wrote to memory of 1568	3724	un084722.exe	99
PID 2896 wrote to memory of 4832	2896	c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1.exe	102
PID 2896 wrote to memory of 4832	2896	c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1.exe	102
PID 2896 wrote to memory of 4832	2896	c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1.exe	102
PID 4832 wrote to memory of 4716	4832	si493299.exe	123
PID 4832 wrote to memory of 4716	4832	si493299.exe	123
PID 4832 wrote to memory of 4716	4832	si493299.exe	123
PID 4716 wrote to memory of 2216	4716	oneetx.exe	141
PID 4716 wrote to memory of 2216	4716	oneetx.exe	141
PID 4716 wrote to memory of 2216	4716	oneetx.exe	141
PID 4716 wrote to memory of 3004	4716	oneetx.exe	158
PID 4716 wrote to memory of 3004	4716	oneetx.exe	158
PID 4716 wrote to memory of 3004	4716	oneetx.exe	158

C:\Users\Admin\AppData\Local\Temp\c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1.exe
"C:\Users\Admin\AppData\Local\Temp\c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084722.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084722.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un073498.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un073498.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr050884.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr050884.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3632
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1008
        5⤵
        Program crash
        
        PID:4080
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu117750.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu117750.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3420
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3212
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 1512
        5⤵
        Program crash
        
        PID:4368
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk301836.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk301836.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1568
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si493299.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si493299.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 700
    3⤵
    - Program crash
    PID:1348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 784
    3⤵
    - Program crash
    PID:2064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 796
    3⤵
    - Program crash
    PID:5048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 868
    3⤵
    - Program crash
    PID:1880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 980
    3⤵
    - Program crash
    PID:4888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 980
    3⤵
    - Program crash
    PID:2340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1220
    3⤵
    - Program crash
    PID:2564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1272
    3⤵
    - Program crash
    PID:1336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1316
    3⤵
    - Program crash
    PID:4464
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 696
      4⤵
      Program crash
      PID:4504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 848
      4⤵
      Program crash
      PID:3076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 932
      4⤵
      Program crash
      PID:2364
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1056
      4⤵
      Program crash
      PID:1548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1076
      4⤵
      Program crash
      PID:2352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1096
      4⤵
      Program crash
      PID:3956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1120
      4⤵
      Program crash
      PID:968
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 996
      4⤵
      Program crash
      PID:2796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 756
      4⤵
      Program crash
      PID:4440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 696
      4⤵
      Program crash
      PID:2632
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1292
      4⤵
      Program crash
      PID:3768
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1140
      4⤵
      Program crash
      PID:1800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1644
      4⤵
      Program crash
      PID:4988
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1580
      4⤵
      Program crash
      PID:4420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1140
      4⤵
      Program crash
      PID:2024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 752
    3⤵
    - Program crash
    PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3632 -ip 3632
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3420 -ip 3420
1⤵
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4832 -ip 4832
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4832 -ip 4832
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4832 -ip 4832
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4832 -ip 4832
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4832 -ip 4832
1⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4832 -ip 4832
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4832 -ip 4832
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4832 -ip 4832
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4832 -ip 4832
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4832 -ip 4832
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4716 -ip 4716
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4716 -ip 4716
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4716 -ip 4716
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4716 -ip 4716
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4716 -ip 4716
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4716 -ip 4716
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4716 -ip 4716
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4716 -ip 4716
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4716 -ip 4716
1⤵
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4716 -ip 4716
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4716 -ip 4716
1⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:1900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 320
  2⤵
  - Program crash
  PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1900 -ip 1900
1⤵
PID:696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4716 -ip 4716
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4716 -ip 4716
1⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4716 -ip 4716
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4716 -ip 4716
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:2696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 316
  2⤵
  - Program crash
  PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2696 -ip 2696
1⤵
PID:400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si493299.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si493299.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084722.exe

Filesize
863KB

MD5
579fd4538fc766d796f6be0fbb9f211d

SHA1
d8b9c5192310e8f9f8cec6f2119130a3ea4cbc23

SHA256
c7797acc248faa03db95bf14c315969a0f2f4a18a63f67071303319cf7660888

SHA512
d7ba0728f9656f55bdfb27e16e3aaefc97fea662e75b61ea6bdf6883b5d553254c745e0b31e4b7848b1b7bf9964ff7e5f6a67bc7d9341aad641c2c650c5cae9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084722.exe

Filesize
863KB

MD5
579fd4538fc766d796f6be0fbb9f211d

SHA1
d8b9c5192310e8f9f8cec6f2119130a3ea4cbc23

SHA256
c7797acc248faa03db95bf14c315969a0f2f4a18a63f67071303319cf7660888

SHA512
d7ba0728f9656f55bdfb27e16e3aaefc97fea662e75b61ea6bdf6883b5d553254c745e0b31e4b7848b1b7bf9964ff7e5f6a67bc7d9341aad641c2c650c5cae9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk301836.exe

Filesize
168KB

MD5
ba8c17a6a3824c09180ea2fd84bbc365

SHA1
186d9bf51d66bb02e9edf30c345e5a0a793668a5

SHA256
818f4d1b9229ea05c481a7492240a72a248cfc631d5dfaad9aba8952c1885651

SHA512
9ddc4c37d2a4e10efdf68a7f47343e3fdca3c34d3587c7e14c2383744d1912382115f8b80e1b6c1ae7f76e6b4040667bff264736413e92bbe973dcec7651606f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk301836.exe

Filesize
168KB

MD5
ba8c17a6a3824c09180ea2fd84bbc365

SHA1
186d9bf51d66bb02e9edf30c345e5a0a793668a5

SHA256
818f4d1b9229ea05c481a7492240a72a248cfc631d5dfaad9aba8952c1885651

SHA512
9ddc4c37d2a4e10efdf68a7f47343e3fdca3c34d3587c7e14c2383744d1912382115f8b80e1b6c1ae7f76e6b4040667bff264736413e92bbe973dcec7651606f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un073498.exe

Filesize
710KB

MD5
51c31284296e7c02517f8a1cba189339

SHA1
18103ef35d0315e0f4400421a6bd0b8764a96982

SHA256
d9205e56d7c5a53d4736874876b32fd6d456a75975956d8b7822ae5673bc25ac

SHA512
69981adc7157820660be84bd43b0c51e8c0fc3d74d7648e5e3b12c60d5e271d56a897cfadf9a5807a8eb017d28b2105e7fc33e8cda3c2a5ba1aec289729fb41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un073498.exe

Filesize
710KB

MD5
51c31284296e7c02517f8a1cba189339

SHA1
18103ef35d0315e0f4400421a6bd0b8764a96982

SHA256
d9205e56d7c5a53d4736874876b32fd6d456a75975956d8b7822ae5673bc25ac

SHA512
69981adc7157820660be84bd43b0c51e8c0fc3d74d7648e5e3b12c60d5e271d56a897cfadf9a5807a8eb017d28b2105e7fc33e8cda3c2a5ba1aec289729fb41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr050884.exe

Filesize
403KB

MD5
b9c4a44e1a8586648f08620be266a8ae

SHA1
7bd3f41279d131b38ccb6cd9503e8c7663ee1265

SHA256
c6ee8b9c4e3a590596803001338e738da884532e6e19a216a3dec4c2d9bcfe93

SHA512
525c1a91dde78bd6c127265d7647a40df1b8d4a83387dc880a2acf967e4753b4e4946bac545197943147bbfec3a8416e511ffa712074d1c64360e3ef523e2314

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr050884.exe

Filesize
403KB

MD5
b9c4a44e1a8586648f08620be266a8ae

SHA1
7bd3f41279d131b38ccb6cd9503e8c7663ee1265

SHA256
c6ee8b9c4e3a590596803001338e738da884532e6e19a216a3dec4c2d9bcfe93

SHA512
525c1a91dde78bd6c127265d7647a40df1b8d4a83387dc880a2acf967e4753b4e4946bac545197943147bbfec3a8416e511ffa712074d1c64360e3ef523e2314

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu117750.exe

Filesize
588KB

MD5
10a407a5fe393739001dcf7e4f24a5b1

SHA1
a6d2a4c6aa55cfddbeeb605550a7f1fe5937746e

SHA256
97bace2fbafe4af536fa145e1dfc17cb109504eee17bf4ca99a4ec1e903963ad

SHA512
7bd95a691d0f43cadbfbbdfc07608bf03a500f0b6413507f27f9dd9ef8dbd09324af7b72b01f1333c87bb694bda738bd38665f9863ffbf83d0562b56d4a7bc9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu117750.exe

Filesize
588KB

MD5
10a407a5fe393739001dcf7e4f24a5b1

SHA1
a6d2a4c6aa55cfddbeeb605550a7f1fe5937746e

SHA256
97bace2fbafe4af536fa145e1dfc17cb109504eee17bf4ca99a4ec1e903963ad

SHA512
7bd95a691d0f43cadbfbbdfc07608bf03a500f0b6413507f27f9dd9ef8dbd09324af7b72b01f1333c87bb694bda738bd38665f9863ffbf83d0562b56d4a7bc9d

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
memory/1568-2359-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/1568-2351-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/1568-2350-0x0000000000780000-0x00000000007B0000-memory.dmp

Filesize
192KB

Download
memory/1568-2356-0x0000000006650000-0x0000000006812000-memory.dmp

Filesize
1.8MB

Download
memory/1568-2357-0x0000000007A00000-0x0000000007F2C000-memory.dmp

Filesize
5.2MB

Download
memory/1568-2355-0x00000000060B0000-0x0000000006100000-memory.dmp

Filesize
320KB

Download
memory/3212-2358-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/3212-2345-0x0000000004EC0000-0x0000000004EFC000-memory.dmp

Filesize
240KB

Download
memory/3212-2344-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/3212-2343-0x0000000004E60000-0x0000000004E72000-memory.dmp

Filesize
72KB

Download
memory/3212-2342-0x0000000004F30000-0x000000000503A000-memory.dmp

Filesize
1.0MB

Download
memory/3212-2341-0x0000000005440000-0x0000000005A58000-memory.dmp

Filesize
6.1MB

Download
memory/3212-2340-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/3212-2352-0x00000000051D0000-0x0000000005246000-memory.dmp

Filesize
472KB

Download
memory/3212-2353-0x00000000052F0000-0x0000000005382000-memory.dmp

Filesize
584KB

Download
memory/3212-2354-0x0000000005390000-0x00000000053F6000-memory.dmp

Filesize
408KB

Download
memory/3420-217-0x00000000009D0000-0x0000000000A2B000-memory.dmp

Filesize
364KB

Download
memory/3420-214-0x0000000005570000-0x00000000055D0000-memory.dmp

Filesize
384KB

Download
memory/3420-216-0x0000000005570000-0x00000000055D0000-memory.dmp

Filesize
384KB

Download
memory/3420-220-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3420-222-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3420-223-0x0000000005570000-0x00000000055D0000-memory.dmp

Filesize
384KB

Download
memory/3420-224-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3420-226-0x0000000005570000-0x00000000055D0000-memory.dmp

Filesize
384KB

Download
memory/3420-219-0x0000000005570000-0x00000000055D0000-memory.dmp

Filesize
384KB

Download
memory/3420-228-0x0000000005570000-0x00000000055D0000-memory.dmp

Filesize
384KB

Download
memory/3420-230-0x0000000005570000-0x00000000055D0000-memory.dmp

Filesize
384KB

Download
memory/3420-232-0x0000000005570000-0x00000000055D0000-memory.dmp

Filesize
384KB

Download
memory/3420-2328-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3420-212-0x0000000005570000-0x00000000055D0000-memory.dmp

Filesize
384KB

Download
memory/3420-210-0x0000000005570000-0x00000000055D0000-memory.dmp

Filesize
384KB

Download
memory/3420-208-0x0000000005570000-0x00000000055D0000-memory.dmp

Filesize
384KB

Download
memory/3420-206-0x0000000005570000-0x00000000055D0000-memory.dmp

Filesize
384KB

Download
memory/3420-204-0x0000000005570000-0x00000000055D0000-memory.dmp

Filesize
384KB

Download
memory/3420-202-0x0000000005570000-0x00000000055D0000-memory.dmp

Filesize
384KB

Download
memory/3420-200-0x0000000005570000-0x00000000055D0000-memory.dmp

Filesize
384KB

Download
memory/3420-198-0x0000000005570000-0x00000000055D0000-memory.dmp

Filesize
384KB

Download
memory/3420-196-0x0000000005570000-0x00000000055D0000-memory.dmp

Filesize
384KB

Download
memory/3420-195-0x0000000005570000-0x00000000055D0000-memory.dmp

Filesize
384KB

Download
memory/3632-190-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/3632-171-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/3632-187-0x0000000002960000-0x0000000002970000-memory.dmp

Filesize
64KB

Download
memory/3632-186-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/3632-185-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/3632-183-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/3632-181-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/3632-179-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/3632-177-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/3632-175-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/3632-173-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/3632-188-0x0000000002960000-0x0000000002970000-memory.dmp

Filesize
64KB

Download
memory/3632-169-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/3632-155-0x0000000004F10000-0x00000000054B4000-memory.dmp

Filesize
5.6MB

Download
memory/3632-167-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/3632-165-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/3632-163-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/3632-161-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/3632-159-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/3632-158-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/3632-157-0x0000000002960000-0x0000000002970000-memory.dmp

Filesize
64KB

Download
memory/3632-156-0x0000000002450000-0x000000000247D000-memory.dmp

Filesize
180KB

Download
memory/4832-2366-0x0000000002440000-0x000000000247B000-memory.dmp

Filesize
236KB

Download