amadey | f55f9f96391ad7fbd403e500433c57a1d675b997920e9bde3e4edb7364a6ec52

Analysis

max time kernel
143s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2023, 13:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f55f9f96391ad7fbd403e500433c57a1d675b997920e9bde3e4edb7364a6ec52.exe
Size

1.2MB
MD5

e2ffca51ced789267b3bdd4f6560da7c
SHA1

ff983f970a742c28de17e8441b5f4b3b1546ea62
SHA256

f55f9f96391ad7fbd403e500433c57a1d675b997920e9bde3e4edb7364a6ec52
SHA512

4039c47b9f9941b00781f83cdaf193b2db8d2537721019d7655ed874e7cdbc4597386bf0312a4d6cbb2e34e06465c860e08d3e79ab8c6bbe4c6ee95e68809835
SSDEEP

12288:6Mrky90uvP+REAh/EOc1sxmCFSp1Ty5HdWlcgrsdNty412am1t/SHrLb2TWXFRa/:SyHBAmhgBgqNtytKmMxVwh/fHOI582

Score

10^/10

amadey redline dirx soft discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

soft

77.91.124.146:4121

Attributes

auth_value
e65663e455bca3c5699650b66e76ceaa

Extracted

Family

redline

Botnet

dirx

77.91.124.146:4121

Attributes

auth_value
522d988f763be056e53e089f74d464cc

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr658909.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr658909.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr658909.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr658909.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr658909.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr658909.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	si676838.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	qu870353.exe

Executes dropped EXE 10 IoCs

pid	Process
4500	un454441.exe
4300	un080007.exe
1792	pr658909.exe
4664	qu870353.exe
1520	1.exe
1436	rk154531.exe
3988	si676838.exe
5052	oneetx.exe
3128	oneetx.exe
3940	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
2820	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr658909.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr658909.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un454441.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un454441.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un080007.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un080007.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f55f9f96391ad7fbd403e500433c57a1d675b997920e9bde3e4edb7364a6ec52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f55f9f96391ad7fbd403e500433c57a1d675b997920e9bde3e4edb7364a6ec52.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
4892	1792	WerFault.exe	86
4128	4664	WerFault.exe	92
2596	3988	WerFault.exe	99
848	3988	WerFault.exe	99
3356	3988	WerFault.exe	99
2916	3988	WerFault.exe	99
2272	3988	WerFault.exe	99
2024	3988	WerFault.exe	99
3280	3988	WerFault.exe	99
2184	3988	WerFault.exe	99
3812	3988	WerFault.exe	99
4928	3988	WerFault.exe	99
5004	5052	WerFault.exe	121
628	5052	WerFault.exe	121
2120	5052	WerFault.exe	121
2772	5052	WerFault.exe	121
2164	5052	WerFault.exe	121
4040	5052	WerFault.exe	121
4852	5052	WerFault.exe	121
764	5052	WerFault.exe	121
5036	5052	WerFault.exe	121
2608	5052	WerFault.exe	121
4400	5052	WerFault.exe	121
1412	5052	WerFault.exe	121
3148	5052	WerFault.exe	121
2632	3128	WerFault.exe	153
3948	5052	WerFault.exe	121
4268	5052	WerFault.exe	121
1432	5052	WerFault.exe	121
4948	3940	WerFault.exe	163

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4232	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1792	pr658909.exe
1792	pr658909.exe
1520	1.exe
1520	1.exe
1436	rk154531.exe
1436	rk154531.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	pr658909.exe
Token: SeDebugPrivilege	4664	qu870353.exe
Token: SeDebugPrivilege	1520	1.exe
Token: SeDebugPrivilege	1436	rk154531.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3988	si676838.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 4500	2724	f55f9f96391ad7fbd403e500433c57a1d675b997920e9bde3e4edb7364a6ec52.exe	84
PID 2724 wrote to memory of 4500	2724	f55f9f96391ad7fbd403e500433c57a1d675b997920e9bde3e4edb7364a6ec52.exe	84
PID 2724 wrote to memory of 4500	2724	f55f9f96391ad7fbd403e500433c57a1d675b997920e9bde3e4edb7364a6ec52.exe	84
PID 4500 wrote to memory of 4300	4500	un454441.exe	85
PID 4500 wrote to memory of 4300	4500	un454441.exe	85
PID 4500 wrote to memory of 4300	4500	un454441.exe	85
PID 4300 wrote to memory of 1792	4300	un080007.exe	86
PID 4300 wrote to memory of 1792	4300	un080007.exe	86
PID 4300 wrote to memory of 1792	4300	un080007.exe	86
PID 4300 wrote to memory of 4664	4300	un080007.exe	92
PID 4300 wrote to memory of 4664	4300	un080007.exe	92
PID 4300 wrote to memory of 4664	4300	un080007.exe	92
PID 4664 wrote to memory of 1520	4664	qu870353.exe	94
PID 4664 wrote to memory of 1520	4664	qu870353.exe	94
PID 4664 wrote to memory of 1520	4664	qu870353.exe	94
PID 4500 wrote to memory of 1436	4500	un454441.exe	97
PID 4500 wrote to memory of 1436	4500	un454441.exe	97
PID 4500 wrote to memory of 1436	4500	un454441.exe	97
PID 2724 wrote to memory of 3988	2724	f55f9f96391ad7fbd403e500433c57a1d675b997920e9bde3e4edb7364a6ec52.exe	99
PID 2724 wrote to memory of 3988	2724	f55f9f96391ad7fbd403e500433c57a1d675b997920e9bde3e4edb7364a6ec52.exe	99
PID 2724 wrote to memory of 3988	2724	f55f9f96391ad7fbd403e500433c57a1d675b997920e9bde3e4edb7364a6ec52.exe	99
PID 3988 wrote to memory of 5052	3988	si676838.exe	121
PID 3988 wrote to memory of 5052	3988	si676838.exe	121
PID 3988 wrote to memory of 5052	3988	si676838.exe	121
PID 5052 wrote to memory of 4232	5052	oneetx.exe	139
PID 5052 wrote to memory of 4232	5052	oneetx.exe	139
PID 5052 wrote to memory of 4232	5052	oneetx.exe	139
PID 5052 wrote to memory of 2820	5052	oneetx.exe	158
PID 5052 wrote to memory of 2820	5052	oneetx.exe	158
PID 5052 wrote to memory of 2820	5052	oneetx.exe	158

C:\Users\Admin\AppData\Local\Temp\f55f9f96391ad7fbd403e500433c57a1d675b997920e9bde3e4edb7364a6ec52.exe
"C:\Users\Admin\AppData\Local\Temp\f55f9f96391ad7fbd403e500433c57a1d675b997920e9bde3e4edb7364a6ec52.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un454441.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un454441.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un080007.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un080007.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr658909.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr658909.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1792
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 1088
        5⤵
        Program crash
        
        PID:4892
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu870353.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu870353.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4664
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1408
        5⤵
        Program crash
        
        PID:4128
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk154531.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk154531.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si676838.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si676838.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 700
    3⤵
    - Program crash
    PID:2596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 776
    3⤵
    - Program crash
    PID:848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 800
    3⤵
    - Program crash
    PID:3356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 984
    3⤵
    - Program crash
    PID:2916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 988
    3⤵
    - Program crash
    PID:2272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 988
    3⤵
    - Program crash
    PID:2024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 1228
    3⤵
    - Program crash
    PID:3280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 1216
    3⤵
    - Program crash
    PID:2184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 1324
    3⤵
    - Program crash
    PID:3812
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 696
      4⤵
      Program crash
      PID:5004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 864
      4⤵
      Program crash
      PID:628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 900
      4⤵
      Program crash
      PID:2120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1064
      4⤵
      Program crash
      PID:2772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1056
      4⤵
      Program crash
      PID:2164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1136
      4⤵
      Program crash
      PID:4040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1156
      4⤵
      Program crash
      PID:4852
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 996
      4⤵
      Program crash
      PID:764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 760
      4⤵
      Program crash
      PID:5036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 696
      4⤵
      Program crash
      PID:2608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 680
      4⤵
      Program crash
      PID:4400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1472
      4⤵
      Program crash
      PID:1412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1172
      4⤵
      Program crash
      PID:3148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1472
      4⤵
      Program crash
      PID:3948
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2820
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1064
      4⤵
      Program crash
      PID:4268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1372
      4⤵
      Program crash
      PID:1432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 1400
    3⤵
    - Program crash
    PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1792 -ip 1792
1⤵
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4664 -ip 4664
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3988 -ip 3988
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3988 -ip 3988
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3988 -ip 3988
1⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3988 -ip 3988
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3988 -ip 3988
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3988 -ip 3988
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3988 -ip 3988
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3988 -ip 3988
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3988 -ip 3988
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3988 -ip 3988
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5052 -ip 5052
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5052 -ip 5052
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5052 -ip 5052
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 5052 -ip 5052
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5052 -ip 5052
1⤵
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 5052 -ip 5052
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5052 -ip 5052
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5052 -ip 5052
1⤵
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 5052 -ip 5052
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 5052 -ip 5052
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5052 -ip 5052
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5052 -ip 5052
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5052 -ip 5052
1⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:3128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 320
  2⤵
  - Program crash
  PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3128 -ip 3128
1⤵
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5052 -ip 5052
1⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5052 -ip 5052
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5052 -ip 5052
1⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:3940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 324
  2⤵
  - Program crash
  PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3940 -ip 3940
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si676838.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si676838.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un454441.exe

Filesize
863KB

MD5
0ff1e2849326b6e76557b445dbbaf192

SHA1
a2a400db874fc7f9a4ad39aa891bc8b92548a13b

SHA256
17f5ed0c62d747399066c25c1012ac8b67203448635baa61a3fd26f1c79a852c

SHA512
e1890debfd8c5f66411492dffb8fa61ab8176830f58129b78b871c0ac5ee3ceb3607a791bf7f4ea72969ff9277bdf74af6f99e522f2a144b1842f5df0d7b43da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un454441.exe

Filesize
863KB

MD5
0ff1e2849326b6e76557b445dbbaf192

SHA1
a2a400db874fc7f9a4ad39aa891bc8b92548a13b

SHA256
17f5ed0c62d747399066c25c1012ac8b67203448635baa61a3fd26f1c79a852c

SHA512
e1890debfd8c5f66411492dffb8fa61ab8176830f58129b78b871c0ac5ee3ceb3607a791bf7f4ea72969ff9277bdf74af6f99e522f2a144b1842f5df0d7b43da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk154531.exe

Filesize
168KB

MD5
73b30408f01e26d6ea23e2c61c100dd2

SHA1
89cd2b9c43ca5827243c45db47f0666c79f23747

SHA256
e915619f70319baf48eaef692155be93714f24e1beef1dc819f9d0cb94f41ccf

SHA512
97807c4a238857551ad04fa1cee58f32ddfa33cebcf8958cd7e6300e2349f48ef565a1b674c42becc48e1cdfe8872b4b87ac4689004dbd2496da57c219f828e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk154531.exe

Filesize
168KB

MD5
73b30408f01e26d6ea23e2c61c100dd2

SHA1
89cd2b9c43ca5827243c45db47f0666c79f23747

SHA256
e915619f70319baf48eaef692155be93714f24e1beef1dc819f9d0cb94f41ccf

SHA512
97807c4a238857551ad04fa1cee58f32ddfa33cebcf8958cd7e6300e2349f48ef565a1b674c42becc48e1cdfe8872b4b87ac4689004dbd2496da57c219f828e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un080007.exe

Filesize
709KB

MD5
67449365f615e88149681cd7c284aa54

SHA1
9fcc602a244c260e90882fb489fcd66d612411cf

SHA256
c9ec7edfd4e3839e38ea5e3c39f3ac60aeb92cbd2df0d643f8d0a0c146223f04

SHA512
8e03609bd7bd288247377a6cb95c16b8139bdfe1e9ff4b7eb70b17340207e28bdd6b3e0b8c62ba1bdd6badaeeae5f4157b6d35be720459fd47a9e6757aad9315

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un080007.exe

Filesize
709KB

MD5
67449365f615e88149681cd7c284aa54

SHA1
9fcc602a244c260e90882fb489fcd66d612411cf

SHA256
c9ec7edfd4e3839e38ea5e3c39f3ac60aeb92cbd2df0d643f8d0a0c146223f04

SHA512
8e03609bd7bd288247377a6cb95c16b8139bdfe1e9ff4b7eb70b17340207e28bdd6b3e0b8c62ba1bdd6badaeeae5f4157b6d35be720459fd47a9e6757aad9315

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr658909.exe

Filesize
403KB

MD5
d29e9bdc8ec14576d7be527aed1aae1a

SHA1
0e498a60990ea2ed97431550ac204ce6f768a7df

SHA256
7d27fadd06e3fe72db53a427744fe5ae50ab9ed8de4f5c7f14d554da386aac9a

SHA512
be24447111b7d72debec13d14a1fb7f67a6fd255d6f9c8e72794305e151fa2833cc052b697ea9aa7a6848ecf9fcd900f2a089eb68bcef078a1d254b7f6911250

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr658909.exe

Filesize
403KB

MD5
d29e9bdc8ec14576d7be527aed1aae1a

SHA1
0e498a60990ea2ed97431550ac204ce6f768a7df

SHA256
7d27fadd06e3fe72db53a427744fe5ae50ab9ed8de4f5c7f14d554da386aac9a

SHA512
be24447111b7d72debec13d14a1fb7f67a6fd255d6f9c8e72794305e151fa2833cc052b697ea9aa7a6848ecf9fcd900f2a089eb68bcef078a1d254b7f6911250

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu870353.exe

Filesize
588KB

MD5
820b9458496ac3f9ffc5331b3f18c10a

SHA1
b63f75a6f77a057fa84175d5f0ad94fa11c45234

SHA256
ccd68c702948fb8bca180bad3f91c55a5b0eb2b5b62c75b36442093ef4e2ac06

SHA512
576909a3fa945cfd4542339f25aee80852dddb0d27278f0000574707f90b9c32a3249d3327d4405c9e1b329e7090828150782cd59b3e1e81018a9fbfc3e47154

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu870353.exe

Filesize
588KB

MD5
820b9458496ac3f9ffc5331b3f18c10a

SHA1
b63f75a6f77a057fa84175d5f0ad94fa11c45234

SHA256
ccd68c702948fb8bca180bad3f91c55a5b0eb2b5b62c75b36442093ef4e2ac06

SHA512
576909a3fa945cfd4542339f25aee80852dddb0d27278f0000574707f90b9c32a3249d3327d4405c9e1b329e7090828150782cd59b3e1e81018a9fbfc3e47154

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
memory/1436-2359-0x00000000060F0000-0x0000000006140000-memory.dmp

Filesize
320KB

Download
memory/1436-2360-0x0000000006310000-0x00000000064D2000-memory.dmp

Filesize
1.8MB

Download
memory/1436-2354-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1436-2362-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1436-2353-0x0000000000470000-0x00000000004A0000-memory.dmp

Filesize
192KB

Download
memory/1436-2361-0x00000000076B0000-0x0000000007BDC000-memory.dmp

Filesize
5.2MB

Download
memory/1520-2358-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/1520-2355-0x0000000005560000-0x00000000055D6000-memory.dmp

Filesize
472KB

Download
memory/1520-2349-0x0000000005250000-0x000000000528C000-memory.dmp

Filesize
240KB

Download
memory/1520-2347-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/1520-2346-0x00000000051F0000-0x0000000005202000-memory.dmp

Filesize
72KB

Download
memory/1520-2345-0x00000000052C0000-0x00000000053CA000-memory.dmp

Filesize
1.0MB

Download
memory/1520-2344-0x00000000057D0000-0x0000000005DE8000-memory.dmp

Filesize
6.1MB

Download
memory/1520-2343-0x00000000008B0000-0x00000000008DE000-memory.dmp

Filesize
184KB

Download
memory/1520-2357-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/1520-2356-0x0000000005680000-0x0000000005712000-memory.dmp

Filesize
584KB

Download
memory/1792-181-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1792-169-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1792-155-0x0000000004ED0000-0x0000000005474000-memory.dmp

Filesize
5.6MB

Download
memory/1792-156-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/1792-157-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/1792-158-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/1792-159-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/1792-160-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1792-161-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1792-163-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1792-165-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1792-167-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1792-171-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1792-173-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1792-175-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1792-177-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1792-179-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1792-183-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1792-185-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1792-187-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1792-188-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/1792-189-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/1792-190-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/1792-191-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/1792-193-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/3988-2369-0x0000000000AB0000-0x0000000000AEB000-memory.dmp

Filesize
236KB

Download
memory/4664-213-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/4664-235-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/4664-203-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/4664-205-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/4664-209-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/4664-207-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/4664-211-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/4664-229-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/4664-198-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/4664-231-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/4664-199-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/4664-233-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/4664-2332-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/4664-201-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/4664-227-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/4664-225-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/4664-217-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/4664-222-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/4664-223-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/4664-221-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/4664-220-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/4664-218-0x0000000000AB0000-0x0000000000B0B000-memory.dmp

Filesize
364KB

Download
memory/4664-215-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download