amadey | 73a586bfcda64bc269043dac835c167030ee8e122cc248956ba8eeac83cd41ac

Analysis

max time kernel
142s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2023, 01:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

73a586bfcda64bc269043dac835c167030ee8e122cc248956ba8eeac83cd41ac.exe
Size

1.2MB
MD5

29c546bc235957b141c49d1667390221
SHA1

211d8e351865241588bad7c48a746aa9d57e1d5e
SHA256

73a586bfcda64bc269043dac835c167030ee8e122cc248956ba8eeac83cd41ac
SHA512

6708426a995cad8ba27d39359daa091f1cae89f60e3632de970a6d3c627b304da35ba7c0b8235d2b238fd0f8d33532d3950c77df003577fc768896bbd525f5e8
SSDEEP

24576:Tyu4ZSa+8MF7WkgDz8SW7Y0TUJq50KrLGqujOWB742U/HHpw1x8d+Yr:mxI8+gX67Y0YcSxqujOgsZ/HJw1x

Score

10^/10

amadey redline dirx soft discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

soft

77.91.124.146:4121

Attributes

auth_value
e65663e455bca3c5699650b66e76ceaa

Extracted

Family

redline

Botnet

dirx

77.91.124.146:4121

Attributes

auth_value
522d988f763be056e53e089f74d464cc

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr437925.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr437925.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr437925.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr437925.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr437925.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr437925.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	qu371839.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	si866900.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

pid	Process
4724	un907731.exe
4740	un436452.exe
4608	pr437925.exe
3276	qu371839.exe
456	1.exe
2432	rk110609.exe
2124	si866900.exe
4240	oneetx.exe
4904	oneetx.exe
736	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
4956	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr437925.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr437925.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	73a586bfcda64bc269043dac835c167030ee8e122cc248956ba8eeac83cd41ac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un907731.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un907731.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un436452.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un436452.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	73a586bfcda64bc269043dac835c167030ee8e122cc248956ba8eeac83cd41ac.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 34 IoCs

pid	pid_target	Process	procid_target
2612	4608	WerFault.exe	85
1064	3276	WerFault.exe	91
4976	2124	WerFault.exe	99
4512	2124	WerFault.exe	99
3908	2124	WerFault.exe	99
2848	2124	WerFault.exe	99
1728	2124	WerFault.exe	99
3968	2124	WerFault.exe	99
2556	2124	WerFault.exe	99
4656	2124	WerFault.exe	99
5100	2124	WerFault.exe	99
4032	2124	WerFault.exe	99
4736	4240	WerFault.exe	121
4516	4240	WerFault.exe	121
4660	4240	WerFault.exe	121
4208	4240	WerFault.exe	121
3080	4240	WerFault.exe	121
3260	4240	WerFault.exe	121
372	4240	WerFault.exe	121
3276	4240	WerFault.exe	121
4684	4240	WerFault.exe	121
4940	4240	WerFault.exe	121
2520	4240	WerFault.exe	121
1400	4240	WerFault.exe	121
2344	4904	WerFault.exe	150
4688	4904	WerFault.exe	150
2608	4904	WerFault.exe	150
3088	4240	WerFault.exe	121
4428	4240	WerFault.exe	121
4088	4240	WerFault.exe	121
4128	736	WerFault.exe	164
4608	736	WerFault.exe	164
2620	736	WerFault.exe	164
4480	4240	WerFault.exe	121

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4608	pr437925.exe
4608	pr437925.exe
456	1.exe
2432	rk110609.exe
2432	rk110609.exe
456	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	pr437925.exe
Token: SeDebugPrivilege	3276	qu371839.exe
Token: SeDebugPrivilege	456	1.exe
Token: SeDebugPrivilege	2432	rk110609.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2124	si866900.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 4724	2028	73a586bfcda64bc269043dac835c167030ee8e122cc248956ba8eeac83cd41ac.exe	83
PID 2028 wrote to memory of 4724	2028	73a586bfcda64bc269043dac835c167030ee8e122cc248956ba8eeac83cd41ac.exe	83
PID 2028 wrote to memory of 4724	2028	73a586bfcda64bc269043dac835c167030ee8e122cc248956ba8eeac83cd41ac.exe	83
PID 4724 wrote to memory of 4740	4724	un907731.exe	84
PID 4724 wrote to memory of 4740	4724	un907731.exe	84
PID 4724 wrote to memory of 4740	4724	un907731.exe	84
PID 4740 wrote to memory of 4608	4740	un436452.exe	85
PID 4740 wrote to memory of 4608	4740	un436452.exe	85
PID 4740 wrote to memory of 4608	4740	un436452.exe	85
PID 4740 wrote to memory of 3276	4740	un436452.exe	91
PID 4740 wrote to memory of 3276	4740	un436452.exe	91
PID 4740 wrote to memory of 3276	4740	un436452.exe	91
PID 3276 wrote to memory of 456	3276	qu371839.exe	93
PID 3276 wrote to memory of 456	3276	qu371839.exe	93
PID 3276 wrote to memory of 456	3276	qu371839.exe	93
PID 4724 wrote to memory of 2432	4724	un907731.exe	96
PID 4724 wrote to memory of 2432	4724	un907731.exe	96
PID 4724 wrote to memory of 2432	4724	un907731.exe	96
PID 2028 wrote to memory of 2124	2028	73a586bfcda64bc269043dac835c167030ee8e122cc248956ba8eeac83cd41ac.exe	99
PID 2028 wrote to memory of 2124	2028	73a586bfcda64bc269043dac835c167030ee8e122cc248956ba8eeac83cd41ac.exe	99
PID 2028 wrote to memory of 2124	2028	73a586bfcda64bc269043dac835c167030ee8e122cc248956ba8eeac83cd41ac.exe	99
PID 2124 wrote to memory of 4240	2124	si866900.exe	121
PID 2124 wrote to memory of 4240	2124	si866900.exe	121
PID 2124 wrote to memory of 4240	2124	si866900.exe	121
PID 4240 wrote to memory of 2880	4240	oneetx.exe	138
PID 4240 wrote to memory of 2880	4240	oneetx.exe	138
PID 4240 wrote to memory of 2880	4240	oneetx.exe	138
PID 4240 wrote to memory of 4956	4240	oneetx.exe	161
PID 4240 wrote to memory of 4956	4240	oneetx.exe	161
PID 4240 wrote to memory of 4956	4240	oneetx.exe	161

C:\Users\Admin\AppData\Local\Temp\73a586bfcda64bc269043dac835c167030ee8e122cc248956ba8eeac83cd41ac.exe
"C:\Users\Admin\AppData\Local\Temp\73a586bfcda64bc269043dac835c167030ee8e122cc248956ba8eeac83cd41ac.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un907731.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un907731.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un436452.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un436452.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr437925.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr437925.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1088
        5⤵
        Program crash
        
        PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu371839.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu371839.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3276
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1400
        5⤵
        Program crash
        
        PID:1064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk110609.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk110609.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si866900.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si866900.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 700
    3⤵
    - Program crash
    PID:4976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 784
    3⤵
    - Program crash
    PID:4512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 860
    3⤵
    - Program crash
    PID:3908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 956
    3⤵
    - Program crash
    PID:2848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1004
    3⤵
    - Program crash
    PID:1728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1004
    3⤵
    - Program crash
    PID:3968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1224
    3⤵
    - Program crash
    PID:2556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1272
    3⤵
    - Program crash
    PID:4656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1348
    3⤵
    - Program crash
    PID:5100
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 696
      4⤵
      Program crash
      PID:4736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 700
      4⤵
      Program crash
      PID:4516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 908
      4⤵
      Program crash
      PID:4660
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1056
      4⤵
      Program crash
      PID:4208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1064
      4⤵
      Program crash
      PID:3080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1076
      4⤵
      Program crash
      PID:3260
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1112
      4⤵
      Program crash
      PID:372
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 996
      4⤵
      Program crash
      PID:3276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 800
      4⤵
      Program crash
      PID:4684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 992
      4⤵
      Program crash
      PID:4940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 796
      4⤵
      Program crash
      PID:2520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1476
      4⤵
      Program crash
      PID:1400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1080
      4⤵
      Program crash
      PID:3088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1632
      4⤵
      Program crash
      PID:4428
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1472
      4⤵
      Program crash
      PID:4088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1648
      4⤵
      Program crash
      PID:4480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 728
    3⤵
    - Program crash
    PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4608 -ip 4608
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3276 -ip 3276
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2124 -ip 2124
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2124 -ip 2124
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2124 -ip 2124
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2124 -ip 2124
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2124 -ip 2124
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2124 -ip 2124
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2124 -ip 2124
1⤵
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2124 -ip 2124
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2124 -ip 2124
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 2124 -ip 2124
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4240 -ip 4240
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4240 -ip 4240
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4240 -ip 4240
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4240 -ip 4240
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4240 -ip 4240
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4240 -ip 4240
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4240 -ip 4240
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4240 -ip 4240
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4240 -ip 4240
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4240 -ip 4240
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4240 -ip 4240
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4240 -ip 4240
1⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 396
  2⤵
  - Program crash
  PID:2344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 440
  2⤵
  - Program crash
  PID:4688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 440
  2⤵
  - Program crash
  PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4904 -ip 4904
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4904 -ip 4904
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4904 -ip 4904
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4240 -ip 4240
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4240 -ip 4240
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4240 -ip 4240
1⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 396
  2⤵
  - Program crash
  PID:4128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 440
  2⤵
  - Program crash
  PID:4608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 440
  2⤵
  - Program crash
  PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 736 -ip 736
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 736 -ip 736
1⤵
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 736 -ip 736
1⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4240 -ip 4240
1⤵
PID:4276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si866900.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si866900.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un907731.exe

Filesize
862KB

MD5
1ce0d864bf7be69853c60b5c44a81c47

SHA1
80c6bf69ad4256cd60acdc3f9a73d19458b85414

SHA256
695aa97dfff403f29033a8459b1dab6ce0910dffa7fd727af2ad8eefa18dcd2d

SHA512
31f157e2ccbf080d8cb796e3749390758e282c90ee63520174313c39bef4e4f749358abb4fa9b8070d12679fac6618facddeca65a352a6a456cf5a00658d2256

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un907731.exe

Filesize
862KB

MD5
1ce0d864bf7be69853c60b5c44a81c47

SHA1
80c6bf69ad4256cd60acdc3f9a73d19458b85414

SHA256
695aa97dfff403f29033a8459b1dab6ce0910dffa7fd727af2ad8eefa18dcd2d

SHA512
31f157e2ccbf080d8cb796e3749390758e282c90ee63520174313c39bef4e4f749358abb4fa9b8070d12679fac6618facddeca65a352a6a456cf5a00658d2256

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk110609.exe

Filesize
168KB

MD5
5e60bdef5814b2498876d9c3655fd148

SHA1
3b45c977579de3d48d881eb2daa0c32d233b4153

SHA256
3b1737247ae87ad53d4bd306135472ed3f1965a1b644e430aef9e4003f5be761

SHA512
659d4c5108692a22de18d666862f99c38afd3b97c281cd9b36b73154bec0167a8b7ab0c0bd862fbfeec9e5192ddeecef68db185347d807a80db7b2ae8c42f7b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk110609.exe

Filesize
168KB

MD5
5e60bdef5814b2498876d9c3655fd148

SHA1
3b45c977579de3d48d881eb2daa0c32d233b4153

SHA256
3b1737247ae87ad53d4bd306135472ed3f1965a1b644e430aef9e4003f5be761

SHA512
659d4c5108692a22de18d666862f99c38afd3b97c281cd9b36b73154bec0167a8b7ab0c0bd862fbfeec9e5192ddeecef68db185347d807a80db7b2ae8c42f7b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un436452.exe

Filesize
708KB

MD5
bd0b27b16d0f7d4496b4df13fc6522db

SHA1
725d2343c81c9d46132fe49486fc79ab17707f48

SHA256
03d10c5e9c7250fc49f01adb16b2342aaa3314d635729187a460a192300129d8

SHA512
1f61766ca7778714a6c9f40248560905be8432fe0eabb09a1837f710429699837e286c24a4ed9947e858ce3a180325cc448972f6432acfeff8d9dc96b5d9399b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un436452.exe

Filesize
708KB

MD5
bd0b27b16d0f7d4496b4df13fc6522db

SHA1
725d2343c81c9d46132fe49486fc79ab17707f48

SHA256
03d10c5e9c7250fc49f01adb16b2342aaa3314d635729187a460a192300129d8

SHA512
1f61766ca7778714a6c9f40248560905be8432fe0eabb09a1837f710429699837e286c24a4ed9947e858ce3a180325cc448972f6432acfeff8d9dc96b5d9399b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr437925.exe

Filesize
403KB

MD5
c3d5a748a6471eb2b19b6278c98e0c32

SHA1
7789db53bd43eed74be2a477bfd4d84a5699e75a

SHA256
c068ae8c7dc7c8f6941d0fd9aa98d433a91339c74983f9b730160dba68a53930

SHA512
0e43c387b0b582ee3faceb096e6af3de4aacde26e8e38f732e748ddb3dec4245ed6c44003a220e67c2461fda25116777f41219d739198556693b9e218542e684

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr437925.exe

Filesize
403KB

MD5
c3d5a748a6471eb2b19b6278c98e0c32

SHA1
7789db53bd43eed74be2a477bfd4d84a5699e75a

SHA256
c068ae8c7dc7c8f6941d0fd9aa98d433a91339c74983f9b730160dba68a53930

SHA512
0e43c387b0b582ee3faceb096e6af3de4aacde26e8e38f732e748ddb3dec4245ed6c44003a220e67c2461fda25116777f41219d739198556693b9e218542e684

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu371839.exe

Filesize
588KB

MD5
2dd9abdda7151e02885d510739d32be3

SHA1
ab3a05aa88b804d6dcf54539af8d8e4b16403fd6

SHA256
33fbab3a51969da7fb203a972f8bdfcb46f481764e11487b5b00b6c8ea477899

SHA512
8e77535c6c2ade0fd311ef69e28c4f336b2d4e75a5359d69927e7ac70ccc337e1ae0fb15587df0f7c4c52aa39f8d3e589c53dda2c179e44e505d8d5e6a44e7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu371839.exe

Filesize
588KB

MD5
2dd9abdda7151e02885d510739d32be3

SHA1
ab3a05aa88b804d6dcf54539af8d8e4b16403fd6

SHA256
33fbab3a51969da7fb203a972f8bdfcb46f481764e11487b5b00b6c8ea477899

SHA512
8e77535c6c2ade0fd311ef69e28c4f336b2d4e75a5359d69927e7ac70ccc337e1ae0fb15587df0f7c4c52aa39f8d3e589c53dda2c179e44e505d8d5e6a44e7cd

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
memory/456-2344-0x0000000005840000-0x0000000005E58000-memory.dmp

Filesize
6.1MB

Download
memory/456-2355-0x0000000005510000-0x0000000005586000-memory.dmp

Filesize
472KB

Download
memory/456-2354-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/456-2343-0x0000000000850000-0x000000000087E000-memory.dmp

Filesize
184KB

Download
memory/456-2352-0x0000000005220000-0x000000000525C000-memory.dmp

Filesize
240KB

Download
memory/456-2359-0x0000000008AD0000-0x0000000008FFC000-memory.dmp

Filesize
5.2MB

Download
memory/456-2346-0x0000000005330000-0x000000000543A000-memory.dmp

Filesize
1.0MB

Download
memory/456-2347-0x0000000005090000-0x00000000050A2000-memory.dmp

Filesize
72KB

Download
memory/456-2362-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/2124-2369-0x0000000002430000-0x000000000246B000-memory.dmp

Filesize
236KB

Download
memory/2432-2361-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/2432-2360-0x00000000060C0000-0x0000000006110000-memory.dmp

Filesize
320KB

Download
memory/2432-2351-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/2432-2353-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/2432-2356-0x00000000059B0000-0x0000000005A42000-memory.dmp

Filesize
584KB

Download
memory/2432-2357-0x00000000052F0000-0x0000000005356000-memory.dmp

Filesize
408KB

Download
memory/2432-2358-0x0000000006170000-0x0000000006332000-memory.dmp

Filesize
1.8MB

Download
memory/3276-220-0x0000000004F90000-0x0000000004FF0000-memory.dmp

Filesize
384KB

Download
memory/3276-216-0x0000000004F90000-0x0000000004FF0000-memory.dmp

Filesize
384KB

Download
memory/3276-217-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3276-213-0x0000000004F90000-0x0000000004FF0000-memory.dmp

Filesize
384KB

Download
memory/3276-223-0x0000000004F90000-0x0000000004FF0000-memory.dmp

Filesize
384KB

Download
memory/3276-222-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3276-225-0x0000000004F90000-0x0000000004FF0000-memory.dmp

Filesize
384KB

Download
memory/3276-219-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3276-215-0x00000000009A0000-0x00000000009FB000-memory.dmp

Filesize
364KB

Download
memory/3276-227-0x0000000004F90000-0x0000000004FF0000-memory.dmp

Filesize
384KB

Download
memory/3276-229-0x0000000004F90000-0x0000000004FF0000-memory.dmp

Filesize
384KB

Download
memory/3276-231-0x0000000004F90000-0x0000000004FF0000-memory.dmp

Filesize
384KB

Download
memory/3276-233-0x0000000004F90000-0x0000000004FF0000-memory.dmp

Filesize
384KB

Download
memory/3276-235-0x0000000004F90000-0x0000000004FF0000-memory.dmp

Filesize
384KB

Download
memory/3276-2331-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3276-211-0x0000000004F90000-0x0000000004FF0000-memory.dmp

Filesize
384KB

Download
memory/3276-209-0x0000000004F90000-0x0000000004FF0000-memory.dmp

Filesize
384KB

Download
memory/3276-207-0x0000000004F90000-0x0000000004FF0000-memory.dmp

Filesize
384KB

Download
memory/3276-205-0x0000000004F90000-0x0000000004FF0000-memory.dmp

Filesize
384KB

Download
memory/3276-203-0x0000000004F90000-0x0000000004FF0000-memory.dmp

Filesize
384KB

Download
memory/3276-198-0x0000000004F90000-0x0000000004FF0000-memory.dmp

Filesize
384KB

Download
memory/3276-201-0x0000000004F90000-0x0000000004FF0000-memory.dmp

Filesize
384KB

Download
memory/3276-199-0x0000000004F90000-0x0000000004FF0000-memory.dmp

Filesize
384KB

Download
memory/4608-193-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/4608-192-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4608-190-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4608-189-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4608-188-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/4608-187-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4608-186-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/4608-184-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/4608-182-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/4608-180-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/4608-178-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/4608-176-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/4608-174-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/4608-172-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/4608-170-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/4608-168-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/4608-166-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/4608-164-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/4608-162-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/4608-160-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/4608-159-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/4608-158-0x0000000004EB0000-0x0000000005454000-memory.dmp

Filesize
5.6MB

Download
memory/4608-157-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4608-156-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4608-155-0x0000000000A90000-0x0000000000ABD000-memory.dmp

Filesize
180KB

Download