amadey | 615e18b8ca5f2250ba91bc5bd97732031b0970c21a08cae5078570f9305f189c

Analysis

max time kernel
147s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2023, 13:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

615e18b8ca5f2250ba91bc5bd97732031b0970c21a08cae5078570f9305f189c.exe
Size

1.2MB
MD5

d8f06c74f0af9ce2cddc623984e597e4
SHA1

de0fd81835ebbbf718bc7590d2e608eb4e168fd9
SHA256

615e18b8ca5f2250ba91bc5bd97732031b0970c21a08cae5078570f9305f189c
SHA512

f62fd9bbf8a3b4532a0c810cd42b2a3c6989f7d2e24b2f34048fb2b14ed2f0673e82751422334389867333757b3d3abcc70b64c7944170a60d8e0e8e438a49fb
SSDEEP

24576:lygWr9NS28XHsz/KjCYV3pIieqtricgEa+RNyN3jCVopG+rDBj1:Ap9Nx71YV3pIjqtrRTNW2VopfXB

Score

10^/10

amadey redline dirx soft discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

soft

77.91.124.146:4121

Attributes

auth_value
e65663e455bca3c5699650b66e76ceaa

Extracted

Family

redline

Botnet

dirx

77.91.124.146:4121

Attributes

auth_value
522d988f763be056e53e089f74d464cc

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr316792.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr316792.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr316792.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr316792.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr316792.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr316792.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	qu376084.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	si234518.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

pid	Process
2332	un066415.exe
2356	un410626.exe
4288	pr316792.exe
3908	qu376084.exe
4852	1.exe
1844	rk859537.exe
2712	si234518.exe
1848	oneetx.exe
4380	oneetx.exe
2700	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
2880	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr316792.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr316792.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un410626.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	615e18b8ca5f2250ba91bc5bd97732031b0970c21a08cae5078570f9305f189c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	615e18b8ca5f2250ba91bc5bd97732031b0970c21a08cae5078570f9305f189c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un066415.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un066415.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un410626.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
608	4288	WerFault.exe	85
4516	3908	WerFault.exe	91
1956	2712	WerFault.exe	99
1076	2712	WerFault.exe	99
1028	2712	WerFault.exe	99
2140	2712	WerFault.exe	99
4884	2712	WerFault.exe	99
2384	2712	WerFault.exe	99
3396	2712	WerFault.exe	99
3488	2712	WerFault.exe	99
928	2712	WerFault.exe	99
1104	2712	WerFault.exe	99
4940	1848	WerFault.exe	121
408	1848	WerFault.exe	121
3636	1848	WerFault.exe	121
112	1848	WerFault.exe	121
5052	1848	WerFault.exe	121
2372	1848	WerFault.exe	121
608	1848	WerFault.exe	121
4516	1848	WerFault.exe	121
4184	1848	WerFault.exe	121
1496	1848	WerFault.exe	121
1924	1848	WerFault.exe	121
2112	1848	WerFault.exe	121
3308	4380	WerFault.exe	150
692	1848	WerFault.exe	121
1644	1848	WerFault.exe	121
1652	1848	WerFault.exe	121
4876	1848	WerFault.exe	121
1316	2700	WerFault.exe	162

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4288	pr316792.exe
4288	pr316792.exe
1844	rk859537.exe
4852	1.exe
1844	rk859537.exe
4852	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4288	pr316792.exe
Token: SeDebugPrivilege	3908	qu376084.exe
Token: SeDebugPrivilege	1844	rk859537.exe
Token: SeDebugPrivilege	4852	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2712	si234518.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2332	2604	615e18b8ca5f2250ba91bc5bd97732031b0970c21a08cae5078570f9305f189c.exe	83
PID 2604 wrote to memory of 2332	2604	615e18b8ca5f2250ba91bc5bd97732031b0970c21a08cae5078570f9305f189c.exe	83
PID 2604 wrote to memory of 2332	2604	615e18b8ca5f2250ba91bc5bd97732031b0970c21a08cae5078570f9305f189c.exe	83
PID 2332 wrote to memory of 2356	2332	un066415.exe	84
PID 2332 wrote to memory of 2356	2332	un066415.exe	84
PID 2332 wrote to memory of 2356	2332	un066415.exe	84
PID 2356 wrote to memory of 4288	2356	un410626.exe	85
PID 2356 wrote to memory of 4288	2356	un410626.exe	85
PID 2356 wrote to memory of 4288	2356	un410626.exe	85
PID 2356 wrote to memory of 3908	2356	un410626.exe	91
PID 2356 wrote to memory of 3908	2356	un410626.exe	91
PID 2356 wrote to memory of 3908	2356	un410626.exe	91
PID 3908 wrote to memory of 4852	3908	qu376084.exe	93
PID 3908 wrote to memory of 4852	3908	qu376084.exe	93
PID 3908 wrote to memory of 4852	3908	qu376084.exe	93
PID 2332 wrote to memory of 1844	2332	un066415.exe	96
PID 2332 wrote to memory of 1844	2332	un066415.exe	96
PID 2332 wrote to memory of 1844	2332	un066415.exe	96
PID 2604 wrote to memory of 2712	2604	615e18b8ca5f2250ba91bc5bd97732031b0970c21a08cae5078570f9305f189c.exe	99
PID 2604 wrote to memory of 2712	2604	615e18b8ca5f2250ba91bc5bd97732031b0970c21a08cae5078570f9305f189c.exe	99
PID 2604 wrote to memory of 2712	2604	615e18b8ca5f2250ba91bc5bd97732031b0970c21a08cae5078570f9305f189c.exe	99
PID 2712 wrote to memory of 1848	2712	si234518.exe	121
PID 2712 wrote to memory of 1848	2712	si234518.exe	121
PID 2712 wrote to memory of 1848	2712	si234518.exe	121
PID 1848 wrote to memory of 3064	1848	oneetx.exe	138
PID 1848 wrote to memory of 3064	1848	oneetx.exe	138
PID 1848 wrote to memory of 3064	1848	oneetx.exe	138
PID 1848 wrote to memory of 2880	1848	oneetx.exe	157
PID 1848 wrote to memory of 2880	1848	oneetx.exe	157
PID 1848 wrote to memory of 2880	1848	oneetx.exe	157

C:\Users\Admin\AppData\Local\Temp\615e18b8ca5f2250ba91bc5bd97732031b0970c21a08cae5078570f9305f189c.exe
"C:\Users\Admin\AppData\Local\Temp\615e18b8ca5f2250ba91bc5bd97732031b0970c21a08cae5078570f9305f189c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un066415.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un066415.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un410626.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un410626.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr316792.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr316792.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4288
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1084
        5⤵
        Program crash
        
        PID:608
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu376084.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu376084.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 1400
        5⤵
        Program crash
        
        PID:4516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk859537.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk859537.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si234518.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si234518.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 700
    3⤵
    - Program crash
    PID:1956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 784
    3⤵
    - Program crash
    PID:1076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 864
    3⤵
    - Program crash
    PID:1028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 956
    3⤵
    - Program crash
    PID:2140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 960
    3⤵
    - Program crash
    PID:4884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 976
    3⤵
    - Program crash
    PID:2384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1220
    3⤵
    - Program crash
    PID:3396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1232
    3⤵
    - Program crash
    PID:3488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1320
    3⤵
    - Program crash
    PID:928
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 696
      4⤵
      Program crash
      PID:4940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 888
      4⤵
      Program crash
      PID:408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 932
      4⤵
      Program crash
      PID:3636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1064
      4⤵
      Program crash
      PID:112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1076
      4⤵
      Program crash
      PID:5052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1076
      4⤵
      Program crash
      PID:2372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1084
      4⤵
      Program crash
      PID:608
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3064
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 884
      4⤵
      Program crash
      PID:4516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 688
      4⤵
      Program crash
      PID:4184
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 696
      4⤵
      Program crash
      PID:1496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1256
      4⤵
      Program crash
      PID:1924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1432
      4⤵
      Program crash
      PID:2112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1116
      4⤵
      Program crash
      PID:692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1368
      4⤵
      Program crash
      PID:1644
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1436
      4⤵
      Program crash
      PID:1652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1492
      4⤵
      Program crash
      PID:4876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1368
    3⤵
    - Program crash
    PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4288 -ip 4288
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3908 -ip 3908
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2712 -ip 2712
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2712 -ip 2712
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2712 -ip 2712
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2712 -ip 2712
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2712 -ip 2712
1⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2712 -ip 2712
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2712 -ip 2712
1⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2712 -ip 2712
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2712 -ip 2712
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2712 -ip 2712
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1848 -ip 1848
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1848 -ip 1848
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1848 -ip 1848
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1848 -ip 1848
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1848 -ip 1848
1⤵
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1848 -ip 1848
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1848 -ip 1848
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1848 -ip 1848
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1848 -ip 1848
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1848 -ip 1848
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1848 -ip 1848
1⤵
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1848 -ip 1848
1⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 316
  2⤵
  - Program crash
  PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4380 -ip 4380
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1848 -ip 1848
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1848 -ip 1848
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1848 -ip 1848
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1848 -ip 1848
1⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:2700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 316
  2⤵
  - Program crash
  PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2700 -ip 2700
1⤵
PID:3488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si234518.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si234518.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un066415.exe

Filesize
863KB

MD5
66ed59d82950a0d287002b95d09b3d11

SHA1
d272146cfcb7316a63df20a327244c9bd56bce32

SHA256
63a821b9d1025558a39c334c0067f13319ea355f9f29fa03398bec45c1adbd96

SHA512
c42773d783f2c71665462a827422e9b014b064680555b6da66c58d5974aeb560d603aeba8635adf0a2ee7f0ba86622e3784e19f76da2b20450d91039120bd181

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un066415.exe

Filesize
863KB

MD5
66ed59d82950a0d287002b95d09b3d11

SHA1
d272146cfcb7316a63df20a327244c9bd56bce32

SHA256
63a821b9d1025558a39c334c0067f13319ea355f9f29fa03398bec45c1adbd96

SHA512
c42773d783f2c71665462a827422e9b014b064680555b6da66c58d5974aeb560d603aeba8635adf0a2ee7f0ba86622e3784e19f76da2b20450d91039120bd181

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk859537.exe

Filesize
168KB

MD5
15123c140ff2d766c8f175dbc02a0cc8

SHA1
3ebe73a02806916019d0ab106745158c11716e7d

SHA256
f82fefd7e9d2b6b3ddc7e64266064c1d650af1d50547f512785aae2674b7067d

SHA512
2e2c0ea4baaabe81c903519d4ef513f33d9005ba11d81b8a14dd2390831f577ebdc1604e8db236b3ce7947f55f353269cffc7b9e742049e249e6e06875d0c883

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk859537.exe

Filesize
168KB

MD5
15123c140ff2d766c8f175dbc02a0cc8

SHA1
3ebe73a02806916019d0ab106745158c11716e7d

SHA256
f82fefd7e9d2b6b3ddc7e64266064c1d650af1d50547f512785aae2674b7067d

SHA512
2e2c0ea4baaabe81c903519d4ef513f33d9005ba11d81b8a14dd2390831f577ebdc1604e8db236b3ce7947f55f353269cffc7b9e742049e249e6e06875d0c883

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un410626.exe

Filesize
710KB

MD5
64a65d139b3868ed730d8592b659082e

SHA1
e541a564df027a5eae202bb99e5151f94880c960

SHA256
e8450bfb1791fbb4919cd2ad410b84c31b4b8077379e95dc6d149b0617dd38b3

SHA512
a27840eeefa82a6981e778d1a71209698e5a410c13b55e150a0819b442ee57abe1eb24ce8d80a33c381d6159648cd0330248be7ac0e6377de64f3fcfe90ced9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un410626.exe

Filesize
710KB

MD5
64a65d139b3868ed730d8592b659082e

SHA1
e541a564df027a5eae202bb99e5151f94880c960

SHA256
e8450bfb1791fbb4919cd2ad410b84c31b4b8077379e95dc6d149b0617dd38b3

SHA512
a27840eeefa82a6981e778d1a71209698e5a410c13b55e150a0819b442ee57abe1eb24ce8d80a33c381d6159648cd0330248be7ac0e6377de64f3fcfe90ced9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr316792.exe

Filesize
403KB

MD5
0b2e32fac79a7ed04c7cba5d2913d694

SHA1
76ac4f10f3142af34a88039f88337febff5f110e

SHA256
7e5035f1d39d066a0f21bbeebad47d4ef36ce8e347052f8cd4bab8c3c389c4bc

SHA512
821ae1132d1741be748d29210c9345e5b532f867cd613ad91c3929ee574e40953873d4e380110bbd0513e90000f19100338c098664b7b7a55e10d8b5076d404b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr316792.exe

Filesize
403KB

MD5
0b2e32fac79a7ed04c7cba5d2913d694

SHA1
76ac4f10f3142af34a88039f88337febff5f110e

SHA256
7e5035f1d39d066a0f21bbeebad47d4ef36ce8e347052f8cd4bab8c3c389c4bc

SHA512
821ae1132d1741be748d29210c9345e5b532f867cd613ad91c3929ee574e40953873d4e380110bbd0513e90000f19100338c098664b7b7a55e10d8b5076d404b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu376084.exe

Filesize
588KB

MD5
e3ac70c3705e7dabe24bee4e36febf83

SHA1
ca47bf7f339ccf3e8a249015aaa91ef07f91355e

SHA256
9913c0bd07860596fc88620abda68974ca1c218b2848aa07f58d6e0c38540fc9

SHA512
7bc7d9d02822ab607a9795d3e4b912ca4a0d459d61d45a7653fa64ff5fce2e8f08215d04de05444e86f18ca3aebe0cf8b8d51521f96a71e0387dd2cc57c9ea54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu376084.exe

Filesize
588KB

MD5
e3ac70c3705e7dabe24bee4e36febf83

SHA1
ca47bf7f339ccf3e8a249015aaa91ef07f91355e

SHA256
9913c0bd07860596fc88620abda68974ca1c218b2848aa07f58d6e0c38540fc9

SHA512
7bc7d9d02822ab607a9795d3e4b912ca4a0d459d61d45a7653fa64ff5fce2e8f08215d04de05444e86f18ca3aebe0cf8b8d51521f96a71e0387dd2cc57c9ea54

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
memory/1844-2357-0x0000000006350000-0x00000000063B6000-memory.dmp

Filesize
408KB

Download
memory/1844-2362-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/1844-2353-0x0000000000D80000-0x0000000000DB0000-memory.dmp

Filesize
192KB

Download
memory/1844-2354-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/1844-2361-0x0000000006D30000-0x0000000006D80000-memory.dmp

Filesize
320KB

Download
memory/1844-2359-0x0000000006B60000-0x0000000006D22000-memory.dmp

Filesize
1.8MB

Download
memory/1844-2360-0x0000000007FC0000-0x00000000084EC000-memory.dmp

Filesize
5.2MB

Download
memory/2712-2369-0x0000000000AD0000-0x0000000000B0B000-memory.dmp

Filesize
236KB

Download
memory/3908-219-0x0000000005590000-0x00000000055F0000-memory.dmp

Filesize
384KB

Download
memory/3908-2343-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/3908-199-0x0000000005590000-0x00000000055F0000-memory.dmp

Filesize
384KB

Download
memory/3908-201-0x0000000005590000-0x00000000055F0000-memory.dmp

Filesize
384KB

Download
memory/3908-203-0x0000000005590000-0x00000000055F0000-memory.dmp

Filesize
384KB

Download
memory/3908-205-0x0000000005590000-0x00000000055F0000-memory.dmp

Filesize
384KB

Download
memory/3908-207-0x0000000005590000-0x00000000055F0000-memory.dmp

Filesize
384KB

Download
memory/3908-209-0x0000000005590000-0x00000000055F0000-memory.dmp

Filesize
384KB

Download
memory/3908-211-0x0000000005590000-0x00000000055F0000-memory.dmp

Filesize
384KB

Download
memory/3908-213-0x0000000005590000-0x00000000055F0000-memory.dmp

Filesize
384KB

Download
memory/3908-215-0x0000000005590000-0x00000000055F0000-memory.dmp

Filesize
384KB

Download
memory/3908-217-0x0000000005590000-0x00000000055F0000-memory.dmp

Filesize
384KB

Download
memory/3908-198-0x0000000005590000-0x00000000055F0000-memory.dmp

Filesize
384KB

Download
memory/3908-221-0x0000000005590000-0x00000000055F0000-memory.dmp

Filesize
384KB

Download
memory/3908-224-0x0000000000990000-0x00000000009EB000-memory.dmp

Filesize
364KB

Download
memory/3908-223-0x0000000005590000-0x00000000055F0000-memory.dmp

Filesize
384KB

Download
memory/3908-227-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/3908-228-0x0000000005590000-0x00000000055F0000-memory.dmp

Filesize
384KB

Download
memory/3908-226-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/3908-231-0x0000000005590000-0x00000000055F0000-memory.dmp

Filesize
384KB

Download
memory/3908-233-0x0000000005590000-0x00000000055F0000-memory.dmp

Filesize
384KB

Download
memory/3908-229-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/3908-235-0x0000000005590000-0x00000000055F0000-memory.dmp

Filesize
384KB

Download
memory/4288-178-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/4288-185-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/4288-190-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/4288-155-0x0000000000A70000-0x0000000000A9D000-memory.dmp

Filesize
180KB

Download
memory/4288-192-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/4288-156-0x0000000004D20000-0x00000000052C4000-memory.dmp

Filesize
5.6MB

Download
memory/4288-157-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/4288-158-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/4288-160-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/4288-191-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/4288-188-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/4288-187-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/4288-186-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/4288-168-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/4288-162-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/4288-164-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/4288-184-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/4288-166-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/4288-182-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/4288-180-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/4288-193-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/4288-176-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/4288-174-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/4288-172-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/4288-170-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/4852-2348-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4852-2358-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4852-2356-0x0000000005D10000-0x0000000005DA2000-memory.dmp

Filesize
584KB

Download
memory/4852-2355-0x0000000005BF0000-0x0000000005C66000-memory.dmp

Filesize
472KB

Download
memory/4852-2347-0x00000000058E0000-0x000000000591C000-memory.dmp

Filesize
240KB

Download
memory/4852-2346-0x0000000005880000-0x0000000005892000-memory.dmp

Filesize
72KB

Download
memory/4852-2345-0x0000000005990000-0x0000000005A9A000-memory.dmp

Filesize
1.0MB

Download
memory/4852-2344-0x0000000005EA0000-0x00000000064B8000-memory.dmp

Filesize
6.1MB

Download
memory/4852-2342-0x0000000000F30000-0x0000000000F5E000-memory.dmp

Filesize
184KB

Download