amadey | 06d33f42d15c031e08a4ffaf5e2d3d3da025a907a6e504b58f51138d99c8846f

Analysis

max time kernel
140s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2023 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06d33f42d15c031e08a4ffaf5e2d3d3da025a907a6e504b58f51138d99c8846f.exe
Size

1.2MB
MD5

26a92993c40326058970ebc4b336c07d
SHA1

dd18b9d1e4cb351c32aa415373bb845dda2d36ae
SHA256

06d33f42d15c031e08a4ffaf5e2d3d3da025a907a6e504b58f51138d99c8846f
SHA512

65a4cf2e2b6f572a76038fe05e11de31e02ffe1482212053bac20d3d92007914b17f12c086f39d307bb6815d3c7f4623978276ab502df96744c589295815a224
SSDEEP

24576:CyeoIncXpWLDpCMEA/yUJfmeKrL0qdrod9hDrxWaFz7q:peooGWPhz/lNP/q8NrxFFz

Score

10^/10

amadey redline dirx soft discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

soft

77.91.124.146:4121

Attributes

auth_value
e65663e455bca3c5699650b66e76ceaa

Extracted

Family

redline

Botnet

dirx

77.91.124.146:4121

Attributes

auth_value
522d988f763be056e53e089f74d464cc

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr114517.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr114517.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr114517.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr114517.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr114517.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr114517.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	qu185689.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	si400715.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

pid	Process
4140	un716746.exe
4736	un857917.exe
4852	pr114517.exe
2684	qu185689.exe
2852	1.exe
3572	rk756025.exe
4876	si400715.exe
2992	oneetx.exe
4120	oneetx.exe
4368	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
2336	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr114517.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr114517.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un716746.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un857917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un857917.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	06d33f42d15c031e08a4ffaf5e2d3d3da025a907a6e504b58f51138d99c8846f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	06d33f42d15c031e08a4ffaf5e2d3d3da025a907a6e504b58f51138d99c8846f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un716746.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 33 IoCs

pid	pid_target	Process	procid_target
5044	4852	WerFault.exe	84
4816	2684	WerFault.exe	89
3336	4876	WerFault.exe	95
4448	4876	WerFault.exe	95
3240	4876	WerFault.exe	95
4408	4876	WerFault.exe	95
8	4876	WerFault.exe	95
1240	4876	WerFault.exe	95
452	4876	WerFault.exe	95
2192	4876	WerFault.exe	95
3536	4876	WerFault.exe	95
4048	4876	WerFault.exe	95
4452	2992	WerFault.exe	114
5064	2992	WerFault.exe	114
1096	2992	WerFault.exe	114
4440	2992	WerFault.exe	114
4180	2992	WerFault.exe	114
2796	2992	WerFault.exe	114
2676	2992	WerFault.exe	114
404	2992	WerFault.exe	114
2824	2992	WerFault.exe	114
4776	2992	WerFault.exe	114
4696	2992	WerFault.exe	114
4056	4120	WerFault.exe	141
908	4120	WerFault.exe	141
4628	4120	WerFault.exe	141
4916	2992	WerFault.exe	114
4308	2992	WerFault.exe	114
1320	2992	WerFault.exe	114
5016	2992	WerFault.exe	114
1596	4368	WerFault.exe	155
4128	4368	WerFault.exe	155
452	4368	WerFault.exe	155

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4852	pr114517.exe
4852	pr114517.exe
2852	1.exe
2852	1.exe
3572	rk756025.exe
3572	rk756025.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4852	pr114517.exe
Token: SeDebugPrivilege	2684	qu185689.exe
Token: SeDebugPrivilege	2852	1.exe
Token: SeDebugPrivilege	3572	rk756025.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4876	si400715.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 4140	4964	06d33f42d15c031e08a4ffaf5e2d3d3da025a907a6e504b58f51138d99c8846f.exe	82
PID 4964 wrote to memory of 4140	4964	06d33f42d15c031e08a4ffaf5e2d3d3da025a907a6e504b58f51138d99c8846f.exe	82
PID 4964 wrote to memory of 4140	4964	06d33f42d15c031e08a4ffaf5e2d3d3da025a907a6e504b58f51138d99c8846f.exe	82
PID 4140 wrote to memory of 4736	4140	un716746.exe	83
PID 4140 wrote to memory of 4736	4140	un716746.exe	83
PID 4140 wrote to memory of 4736	4140	un716746.exe	83
PID 4736 wrote to memory of 4852	4736	un857917.exe	84
PID 4736 wrote to memory of 4852	4736	un857917.exe	84
PID 4736 wrote to memory of 4852	4736	un857917.exe	84
PID 4736 wrote to memory of 2684	4736	un857917.exe	89
PID 4736 wrote to memory of 2684	4736	un857917.exe	89
PID 4736 wrote to memory of 2684	4736	un857917.exe	89
PID 2684 wrote to memory of 2852	2684	qu185689.exe	91
PID 2684 wrote to memory of 2852	2684	qu185689.exe	91
PID 2684 wrote to memory of 2852	2684	qu185689.exe	91
PID 4140 wrote to memory of 3572	4140	un716746.exe	94
PID 4140 wrote to memory of 3572	4140	un716746.exe	94
PID 4140 wrote to memory of 3572	4140	un716746.exe	94
PID 4964 wrote to memory of 4876	4964	06d33f42d15c031e08a4ffaf5e2d3d3da025a907a6e504b58f51138d99c8846f.exe	95
PID 4964 wrote to memory of 4876	4964	06d33f42d15c031e08a4ffaf5e2d3d3da025a907a6e504b58f51138d99c8846f.exe	95
PID 4964 wrote to memory of 4876	4964	06d33f42d15c031e08a4ffaf5e2d3d3da025a907a6e504b58f51138d99c8846f.exe	95
PID 4876 wrote to memory of 2992	4876	si400715.exe	114
PID 4876 wrote to memory of 2992	4876	si400715.exe	114
PID 4876 wrote to memory of 2992	4876	si400715.exe	114
PID 2992 wrote to memory of 1932	2992	oneetx.exe	131
PID 2992 wrote to memory of 1932	2992	oneetx.exe	131
PID 2992 wrote to memory of 1932	2992	oneetx.exe	131
PID 2992 wrote to memory of 2336	2992	oneetx.exe	152
PID 2992 wrote to memory of 2336	2992	oneetx.exe	152
PID 2992 wrote to memory of 2336	2992	oneetx.exe	152

C:\Users\Admin\AppData\Local\Temp\06d33f42d15c031e08a4ffaf5e2d3d3da025a907a6e504b58f51138d99c8846f.exe
"C:\Users\Admin\AppData\Local\Temp\06d33f42d15c031e08a4ffaf5e2d3d3da025a907a6e504b58f51138d99c8846f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un716746.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un716746.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un857917.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un857917.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr114517.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr114517.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4852
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1084
        5⤵
        Program crash
        
        PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu185689.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu185689.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 1360
        5⤵
        Program crash
        
        PID:4816
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk756025.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk756025.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3572
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si400715.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si400715.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 700
    3⤵
    - Program crash
    PID:3336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 784
    3⤵
    - Program crash
    PID:4448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 796
    3⤵
    - Program crash
    PID:3240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 976
    3⤵
    - Program crash
    PID:4408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 980
    3⤵
    - Program crash
    PID:8
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 956
    3⤵
    - Program crash
    PID:1240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1220
    3⤵
    - Program crash
    PID:452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1276
    3⤵
    - Program crash
    PID:2192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1328
    3⤵
    - Program crash
    PID:3536
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 696
      4⤵
      Program crash
      PID:4452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 840
      4⤵
      Program crash
      PID:5064
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 908
      4⤵
      Program crash
      PID:1096
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1056
      4⤵
      Program crash
      PID:4440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1056
      4⤵
      Program crash
      PID:4180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1088
      4⤵
      Program crash
      PID:2796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1112
      4⤵
      Program crash
      PID:2676
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1004
      4⤵
      Program crash
      PID:404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1276
      4⤵
      Program crash
      PID:2824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1256
      4⤵
      Program crash
      PID:4776
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 784
      4⤵
      Program crash
      PID:4696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1156
      4⤵
      Program crash
      PID:4916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1604
      4⤵
      Program crash
      PID:4308
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1156
      4⤵
      Program crash
      PID:1320
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1620
      4⤵
      Program crash
      PID:5016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1372
    3⤵
    - Program crash
    PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4852 -ip 4852
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2684 -ip 2684
1⤵
PID:708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4876 -ip 4876
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4876 -ip 4876
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4876 -ip 4876
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4876 -ip 4876
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4876 -ip 4876
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4876 -ip 4876
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4876 -ip 4876
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4876 -ip 4876
1⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4876 -ip 4876
1⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4876 -ip 4876
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2992 -ip 2992
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2992 -ip 2992
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2992 -ip 2992
1⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2992 -ip 2992
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2992 -ip 2992
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2992 -ip 2992
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2992 -ip 2992
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2992 -ip 2992
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2992 -ip 2992
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2992 -ip 2992
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2992 -ip 2992
1⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 396
  2⤵
  - Program crash
  PID:4056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 440
  2⤵
  - Program crash
  PID:908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 440
  2⤵
  - Program crash
  PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4120 -ip 4120
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4120 -ip 4120
1⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4120 -ip 4120
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2992 -ip 2992
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2992 -ip 2992
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2992 -ip 2992
1⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 396
  2⤵
  - Program crash
  PID:1596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 440
  2⤵
  - Program crash
  PID:4128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 440
  2⤵
  - Program crash
  PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2992 -ip 2992
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4368 -ip 4368
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4368 -ip 4368
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4368 -ip 4368
1⤵
PID:4660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si400715.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si400715.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un716746.exe

Filesize
862KB

MD5
53ad536f9b468b6315abb0ed1558dc5e

SHA1
4e23e2dd8e237a7cc7466c7216de3002183e5aa5

SHA256
1f5c64b6bfcf6a0fe589e40d7af479fb541134bcebb24556c82e23829c1d03de

SHA512
cad498b7dabf05a23efabbab14936d00d035143f0973d46a87ae6601a333e1765921a2b9f7b50e6e681c25896f3dc349616a64a1025a9162427885af9181c041

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un716746.exe

Filesize
862KB

MD5
53ad536f9b468b6315abb0ed1558dc5e

SHA1
4e23e2dd8e237a7cc7466c7216de3002183e5aa5

SHA256
1f5c64b6bfcf6a0fe589e40d7af479fb541134bcebb24556c82e23829c1d03de

SHA512
cad498b7dabf05a23efabbab14936d00d035143f0973d46a87ae6601a333e1765921a2b9f7b50e6e681c25896f3dc349616a64a1025a9162427885af9181c041

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk756025.exe

Filesize
168KB

MD5
668163cc8d445d12d60eb19cbdd786df

SHA1
01b27c4e317035e1adfa08a27a708a41624899ef

SHA256
777e1734cdaa73d215d733e57ad872382bd4757c9360c8a8c7836c299e2217a3

SHA512
b33ae3442816cb685cac3bd63936a6c5cdb8417e781352e338b60af94ba4377c7c571eec2b7d610e6dd0e45b763d627cc1c6b3cc0e466b82f76b6e8773ad7eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk756025.exe

Filesize
168KB

MD5
668163cc8d445d12d60eb19cbdd786df

SHA1
01b27c4e317035e1adfa08a27a708a41624899ef

SHA256
777e1734cdaa73d215d733e57ad872382bd4757c9360c8a8c7836c299e2217a3

SHA512
b33ae3442816cb685cac3bd63936a6c5cdb8417e781352e338b60af94ba4377c7c571eec2b7d610e6dd0e45b763d627cc1c6b3cc0e466b82f76b6e8773ad7eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un857917.exe

Filesize
709KB

MD5
44e52a8830db32b85ceb94b4b08a6736

SHA1
df5d2976737bf2bba3f23732014ad02b7ed5da36

SHA256
dd9f1e1fd36050bbc3db4683525426ac808a1f831346f30df4aca1a8719cfd2f

SHA512
bec713b5ddb69809e8ef5264301096017654143ff6b5bd95a83880303b0c12eb4445b96e57df84e5830dd19a549d6124d7709a09d6661cf163ba55031766c5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un857917.exe

Filesize
709KB

MD5
44e52a8830db32b85ceb94b4b08a6736

SHA1
df5d2976737bf2bba3f23732014ad02b7ed5da36

SHA256
dd9f1e1fd36050bbc3db4683525426ac808a1f831346f30df4aca1a8719cfd2f

SHA512
bec713b5ddb69809e8ef5264301096017654143ff6b5bd95a83880303b0c12eb4445b96e57df84e5830dd19a549d6124d7709a09d6661cf163ba55031766c5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr114517.exe

Filesize
403KB

MD5
b164bd1be3d3fbe03db614cec23a675b

SHA1
b32917d846c954fd4f6cf2decbf4bbefd1899193

SHA256
273b65efd6ebfcb27a86ef2c4b6ff0faf98defdc8c15e9dd5ab83fa25f922f88

SHA512
b3da683560e59d7b9bcad5f612214af157f6f4efba8106c66fad8c416f9c54dbe7f5885ce22e4e71b7de5ec826049cfdee7a070356e0779a1a5f140175be8420

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr114517.exe

Filesize
403KB

MD5
b164bd1be3d3fbe03db614cec23a675b

SHA1
b32917d846c954fd4f6cf2decbf4bbefd1899193

SHA256
273b65efd6ebfcb27a86ef2c4b6ff0faf98defdc8c15e9dd5ab83fa25f922f88

SHA512
b3da683560e59d7b9bcad5f612214af157f6f4efba8106c66fad8c416f9c54dbe7f5885ce22e4e71b7de5ec826049cfdee7a070356e0779a1a5f140175be8420

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu185689.exe

Filesize
588KB

MD5
9492bd79581cdfd981e30d7f82f285c9

SHA1
4d7882621b83af6bd3f0238ee7825da3478cceec

SHA256
c4e0e21d868874c4339b460363eef5a27205aa70ef0b40efe595ed8a0fb6b410

SHA512
c0d0783bacff9aba16c8f7714b12c9e150413e5a00e2ca93239a55f7a1268bcdccb48b20ad19e82b1e46716ad2c4a860deb954b7ffb1cffc36564401ecdcc4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu185689.exe

Filesize
588KB

MD5
9492bd79581cdfd981e30d7f82f285c9

SHA1
4d7882621b83af6bd3f0238ee7825da3478cceec

SHA256
c4e0e21d868874c4339b460363eef5a27205aa70ef0b40efe595ed8a0fb6b410

SHA512
c0d0783bacff9aba16c8f7714b12c9e150413e5a00e2ca93239a55f7a1268bcdccb48b20ad19e82b1e46716ad2c4a860deb954b7ffb1cffc36564401ecdcc4c5

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
memory/2684-215-0x00000000024D0000-0x000000000252B000-memory.dmp

Filesize
364KB

Download
memory/2684-213-0x00000000028A0000-0x0000000002900000-memory.dmp

Filesize
384KB

Download
memory/2684-2331-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/2684-235-0x00000000028A0000-0x0000000002900000-memory.dmp

Filesize
384KB

Download
memory/2684-233-0x00000000028A0000-0x0000000002900000-memory.dmp

Filesize
384KB

Download
memory/2684-227-0x00000000028A0000-0x0000000002900000-memory.dmp

Filesize
384KB

Download
memory/2684-231-0x00000000028A0000-0x0000000002900000-memory.dmp

Filesize
384KB

Download
memory/2684-229-0x00000000028A0000-0x0000000002900000-memory.dmp

Filesize
384KB

Download
memory/2684-225-0x00000000028A0000-0x0000000002900000-memory.dmp

Filesize
384KB

Download
memory/2684-198-0x00000000028A0000-0x0000000002900000-memory.dmp

Filesize
384KB

Download
memory/2684-199-0x00000000028A0000-0x0000000002900000-memory.dmp

Filesize
384KB

Download
memory/2684-201-0x00000000028A0000-0x0000000002900000-memory.dmp

Filesize
384KB

Download
memory/2684-203-0x00000000028A0000-0x0000000002900000-memory.dmp

Filesize
384KB

Download
memory/2684-205-0x00000000028A0000-0x0000000002900000-memory.dmp

Filesize
384KB

Download
memory/2684-207-0x00000000028A0000-0x0000000002900000-memory.dmp

Filesize
384KB

Download
memory/2684-209-0x00000000028A0000-0x0000000002900000-memory.dmp

Filesize
384KB

Download
memory/2684-211-0x00000000028A0000-0x0000000002900000-memory.dmp

Filesize
384KB

Download
memory/2684-223-0x00000000028A0000-0x0000000002900000-memory.dmp

Filesize
384KB

Download
memory/2684-219-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/2684-217-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/2684-216-0x00000000028A0000-0x0000000002900000-memory.dmp

Filesize
384KB

Download
memory/2684-220-0x00000000028A0000-0x0000000002900000-memory.dmp

Filesize
384KB

Download
memory/2684-221-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/2852-2359-0x0000000007D10000-0x000000000823C000-memory.dmp

Filesize
5.2MB

Download
memory/2852-2348-0x0000000005460000-0x000000000549C000-memory.dmp

Filesize
240KB

Download
memory/2852-2357-0x0000000006710000-0x0000000006760000-memory.dmp

Filesize
320KB

Download
memory/2852-2356-0x00000000057F0000-0x0000000005856000-memory.dmp

Filesize
408KB

Download
memory/2852-2355-0x0000000005890000-0x0000000005922000-memory.dmp

Filesize
584KB

Download
memory/2852-2343-0x0000000000AB0000-0x0000000000ADE000-memory.dmp

Filesize
184KB

Download
memory/2852-2344-0x0000000005A80000-0x0000000006098000-memory.dmp

Filesize
6.1MB

Download
memory/2852-2345-0x0000000005570000-0x000000000567A000-memory.dmp

Filesize
1.0MB

Download
memory/2852-2347-0x00000000052F0000-0x0000000005302000-memory.dmp

Filesize
72KB

Download
memory/2852-2361-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/3572-2352-0x0000000000C40000-0x0000000000C70000-memory.dmp

Filesize
192KB

Download
memory/3572-2353-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/3572-2360-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/3572-2358-0x0000000007210000-0x00000000073D2000-memory.dmp

Filesize
1.8MB

Download
memory/3572-2354-0x0000000005900000-0x0000000005976000-memory.dmp

Filesize
472KB

Download
memory/4852-183-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4852-191-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/4852-185-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4852-193-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/4852-181-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4852-188-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/4852-189-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/4852-179-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4852-177-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4852-175-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4852-190-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/4852-173-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4852-171-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4852-187-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4852-169-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4852-167-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4852-155-0x0000000005100000-0x00000000056A4000-memory.dmp

Filesize
5.6MB

Download
memory/4852-165-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4852-163-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4852-161-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4852-160-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4852-159-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/4852-158-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/4852-157-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/4852-156-0x0000000000850000-0x000000000087D000-memory.dmp

Filesize
180KB

Download
memory/4876-2368-0x0000000000AB0000-0x0000000000AEB000-memory.dmp

Filesize
236KB

Download