amadey | 8402542d89ae9070226f3a9a86a6afa63d4f9d52fdc94bf8f785705f99bab44d

Analysis

max time kernel
144s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2023, 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8402542d89ae9070226f3a9a86a6afa63d4f9d52fdc94bf8f785705f99bab44d.exe
Size

1.0MB
MD5

ff4b424f7fb776d88f6f3d83aec2a0ef
SHA1

dbb4be7f4bd80028f7b3b1c5ee36341365f9eb44
SHA256

8402542d89ae9070226f3a9a86a6afa63d4f9d52fdc94bf8f785705f99bab44d
SHA512

15988ba052f16779a4bab59676be23c88e10888b175302503f70ec876f5a14d06594317269af8c63e92cf69650a47350f35dac4d9836f3abf1f08b1c9c52d0bd
SSDEEP

24576:ey3v5DLF/O6gCwUuMQJsdJ8XWKrFyqY3QJ66roQ4L4Fm9m:t3xl/OwJmJA6mzqSQ3l4N

Score

10^/10

amadey redline dirx soft discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

soft

77.91.124.146:4121

Attributes

auth_value
e65663e455bca3c5699650b66e76ceaa

Extracted

Family

redline

Botnet

dirx

77.91.124.146:4121

Attributes

auth_value
522d988f763be056e53e089f74d464cc

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it418105.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it418105.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it418105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it418105.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it418105.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it418105.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	jr504423.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	lr241230.exe

Executes dropped EXE 10 IoCs

pid	Process
1484	ziBS6580.exe
4168	zilb2596.exe
3552	it418105.exe
4660	jr504423.exe
4392	1.exe
2488	kp006254.exe
4552	lr241230.exe
4680	oneetx.exe
2020	oneetx.exe
4040	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
3340	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it418105.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8402542d89ae9070226f3a9a86a6afa63d4f9d52fdc94bf8f785705f99bab44d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziBS6580.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziBS6580.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zilb2596.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zilb2596.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8402542d89ae9070226f3a9a86a6afa63d4f9d52fdc94bf8f785705f99bab44d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2756	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 33 IoCs

pid	pid_target	Process	procid_target
2788	4660	WerFault.exe	87
3964	4552	WerFault.exe	96
2576	4552	WerFault.exe	96
2260	4552	WerFault.exe	96
1752	4552	WerFault.exe	96
4616	4552	WerFault.exe	96
4684	4552	WerFault.exe	96
2124	4552	WerFault.exe	96
3792	4552	WerFault.exe	96
3908	4552	WerFault.exe	96
3972	4552	WerFault.exe	96
3196	4680	WerFault.exe	118
1440	4680	WerFault.exe	118
1908	4680	WerFault.exe	118
3452	4680	WerFault.exe	118
4600	4680	WerFault.exe	118
2896	4680	WerFault.exe	118
4528	4680	WerFault.exe	118
3192	4680	WerFault.exe	118
4752	4680	WerFault.exe	118
4628	4680	WerFault.exe	118
4776	4680	WerFault.exe	118
2696	4680	WerFault.exe	118
3620	2020	WerFault.exe	147
4392	2020	WerFault.exe	147
1260	2020	WerFault.exe	147
5024	4680	WerFault.exe	118
1752	4680	WerFault.exe	118
3560	4680	WerFault.exe	118
3060	4040	WerFault.exe	161
2996	4040	WerFault.exe	161
1116	4040	WerFault.exe	161
1276	4680	WerFault.exe	118

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5116	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3552	it418105.exe
3552	it418105.exe
4392	1.exe
2488	kp006254.exe
2488	kp006254.exe
4392	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3552	it418105.exe
Token: SeDebugPrivilege	4660	jr504423.exe
Token: SeDebugPrivilege	4392	1.exe
Token: SeDebugPrivilege	2488	kp006254.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4552	lr241230.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 1484	3848	8402542d89ae9070226f3a9a86a6afa63d4f9d52fdc94bf8f785705f99bab44d.exe	79
PID 3848 wrote to memory of 1484	3848	8402542d89ae9070226f3a9a86a6afa63d4f9d52fdc94bf8f785705f99bab44d.exe	79
PID 3848 wrote to memory of 1484	3848	8402542d89ae9070226f3a9a86a6afa63d4f9d52fdc94bf8f785705f99bab44d.exe	79
PID 1484 wrote to memory of 4168	1484	ziBS6580.exe	80
PID 1484 wrote to memory of 4168	1484	ziBS6580.exe	80
PID 1484 wrote to memory of 4168	1484	ziBS6580.exe	80
PID 4168 wrote to memory of 3552	4168	zilb2596.exe	81
PID 4168 wrote to memory of 3552	4168	zilb2596.exe	81
PID 4168 wrote to memory of 4660	4168	zilb2596.exe	87
PID 4168 wrote to memory of 4660	4168	zilb2596.exe	87
PID 4168 wrote to memory of 4660	4168	zilb2596.exe	87
PID 4660 wrote to memory of 4392	4660	jr504423.exe	89
PID 4660 wrote to memory of 4392	4660	jr504423.exe	89
PID 4660 wrote to memory of 4392	4660	jr504423.exe	89
PID 1484 wrote to memory of 2488	1484	ziBS6580.exe	93
PID 1484 wrote to memory of 2488	1484	ziBS6580.exe	93
PID 1484 wrote to memory of 2488	1484	ziBS6580.exe	93
PID 3848 wrote to memory of 4552	3848	8402542d89ae9070226f3a9a86a6afa63d4f9d52fdc94bf8f785705f99bab44d.exe	96
PID 3848 wrote to memory of 4552	3848	8402542d89ae9070226f3a9a86a6afa63d4f9d52fdc94bf8f785705f99bab44d.exe	96
PID 3848 wrote to memory of 4552	3848	8402542d89ae9070226f3a9a86a6afa63d4f9d52fdc94bf8f785705f99bab44d.exe	96
PID 4552 wrote to memory of 4680	4552	lr241230.exe	118
PID 4552 wrote to memory of 4680	4552	lr241230.exe	118
PID 4552 wrote to memory of 4680	4552	lr241230.exe	118
PID 4680 wrote to memory of 5116	4680	oneetx.exe	135
PID 4680 wrote to memory of 5116	4680	oneetx.exe	135
PID 4680 wrote to memory of 5116	4680	oneetx.exe	135
PID 4680 wrote to memory of 3340	4680	oneetx.exe	158
PID 4680 wrote to memory of 3340	4680	oneetx.exe	158
PID 4680 wrote to memory of 3340	4680	oneetx.exe	158

C:\Users\Admin\AppData\Local\Temp\8402542d89ae9070226f3a9a86a6afa63d4f9d52fdc94bf8f785705f99bab44d.exe
"C:\Users\Admin\AppData\Local\Temp\8402542d89ae9070226f3a9a86a6afa63d4f9d52fdc94bf8f785705f99bab44d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBS6580.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBS6580.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zilb2596.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zilb2596.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it418105.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it418105.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3552
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr504423.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr504423.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 1396
        5⤵
        Program crash
        
        PID:2788
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp006254.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp006254.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr241230.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr241230.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 700
    3⤵
    - Program crash
    PID:3964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 700
    3⤵
    - Program crash
    PID:2576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 800
    3⤵
    - Program crash
    PID:2260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 976
    3⤵
    - Program crash
    PID:1752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 804
    3⤵
    - Program crash
    PID:4616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 996
    3⤵
    - Program crash
    PID:4684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1212
    3⤵
    - Program crash
    PID:2124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1236
    3⤵
    - Program crash
    PID:3792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1288
    3⤵
    - Program crash
    PID:3908
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 696
      4⤵
      Program crash
      PID:3196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 796
      4⤵
      Program crash
      PID:1440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 904
      4⤵
      Program crash
      PID:1908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1056
      4⤵
      Program crash
      PID:3452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1076
      4⤵
      Program crash
      PID:4600
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1056
      4⤵
      Program crash
      PID:2896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1076
      4⤵
      Program crash
      PID:4528
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:5116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 996
      4⤵
      Program crash
      PID:3192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1300
      4⤵
      Program crash
      PID:4752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1308
      4⤵
      Program crash
      PID:4628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1348
      4⤵
      Program crash
      PID:4776
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1532
      4⤵
      Program crash
      PID:2696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1116
      4⤵
      Program crash
      PID:5024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1628
      4⤵
      Program crash
      PID:1752
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1592
      4⤵
      Program crash
      PID:3560
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1644
      4⤵
      Program crash
      PID:1276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1368
    3⤵
    - Program crash
    PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4660 -ip 4660
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4552 -ip 4552
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4552 -ip 4552
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4552 -ip 4552
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4552 -ip 4552
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4552 -ip 4552
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4552 -ip 4552
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4552 -ip 4552
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4552 -ip 4552
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4552 -ip 4552
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4552 -ip 4552
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4680 -ip 4680
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4680 -ip 4680
1⤵
PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4680 -ip 4680
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4680 -ip 4680
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4680 -ip 4680
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4680 -ip 4680
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4680 -ip 4680
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4680 -ip 4680
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4680 -ip 4680
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4680 -ip 4680
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4680 -ip 4680
1⤵
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 4680 -ip 4680
1⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:2020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 396
  2⤵
  - Program crash
  PID:3620
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 440
  2⤵
  - Program crash
  PID:4392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 440
  2⤵
  - Program crash
  PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 2020 -ip 2020
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2020 -ip 2020
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2020 -ip 2020
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4680 -ip 4680
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4680 -ip 4680
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4680 -ip 4680
1⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 408
  2⤵
  - Program crash
  PID:3060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 444
  2⤵
  - Program crash
  PID:2996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 460
  2⤵
  - Program crash
  PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4040 -ip 4040
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4040 -ip 4040
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4040 -ip 4040
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4680 -ip 4680
1⤵
PID:4736

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:2756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr241230.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr241230.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBS6580.exe

Filesize
723KB

MD5
914ec5d6eb7297a1f2af66502d1ac411

SHA1
cc6b82b9bf011f199cbf56903902c01fecb80190

SHA256
7d6afb5e395958e36a106c14596f7a079cff3ddbe7e509197d4138caf9ffb87f

SHA512
6d8a486e3c46549c8f68eca794da5e902618944886a20d4cb98d1ecd8f53199a3edb948b7ff9ac4b23ba4cfcc6519716e6d499854934cc9d712488803d5d3cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBS6580.exe

Filesize
723KB

MD5
914ec5d6eb7297a1f2af66502d1ac411

SHA1
cc6b82b9bf011f199cbf56903902c01fecb80190

SHA256
7d6afb5e395958e36a106c14596f7a079cff3ddbe7e509197d4138caf9ffb87f

SHA512
6d8a486e3c46549c8f68eca794da5e902618944886a20d4cb98d1ecd8f53199a3edb948b7ff9ac4b23ba4cfcc6519716e6d499854934cc9d712488803d5d3cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp006254.exe

Filesize
169KB

MD5
6461ea6501f436ed63004afb3e5a02d0

SHA1
3b25e7f963e825d421ceedc2c62cc3777ef7aafc

SHA256
5f82314291db1dce5bc51865f81c96b763be8a8be7fcb86012261e1bb5e15ed8

SHA512
118905bd2a3cf5f352dd5251900a2fc6737c1fd8255fb1dc319aa648ac8bc7336953270dd93612ac9269949ffdf18a33e9e410d5709d3f9cc3b45c1628e354e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp006254.exe

Filesize
169KB

MD5
6461ea6501f436ed63004afb3e5a02d0

SHA1
3b25e7f963e825d421ceedc2c62cc3777ef7aafc

SHA256
5f82314291db1dce5bc51865f81c96b763be8a8be7fcb86012261e1bb5e15ed8

SHA512
118905bd2a3cf5f352dd5251900a2fc6737c1fd8255fb1dc319aa648ac8bc7336953270dd93612ac9269949ffdf18a33e9e410d5709d3f9cc3b45c1628e354e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zilb2596.exe

Filesize
569KB

MD5
0c2e47330d374c982cd0842589627555

SHA1
85db0d4c97a2517d3ee1ae1a57c2e49fc39ac3b1

SHA256
7fc0df576a197f3521986cbd9067717c69dc217f2084a91a834fa674084fce94

SHA512
bdd231922ac025532ed0f5c9c41b04c63e4e8c0d905db2b082b1bb2c2d653681020c85e7dba5e9788c6d8e1baab252e5a413a13d7bb2072d54dee607c21501e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zilb2596.exe

Filesize
569KB

MD5
0c2e47330d374c982cd0842589627555

SHA1
85db0d4c97a2517d3ee1ae1a57c2e49fc39ac3b1

SHA256
7fc0df576a197f3521986cbd9067717c69dc217f2084a91a834fa674084fce94

SHA512
bdd231922ac025532ed0f5c9c41b04c63e4e8c0d905db2b082b1bb2c2d653681020c85e7dba5e9788c6d8e1baab252e5a413a13d7bb2072d54dee607c21501e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it418105.exe

Filesize
11KB

MD5
56437247eac756c77d8358b886d51dd3

SHA1
697718c23e3e4725f7327d69128bd3fff4d6c2f6

SHA256
30f08dc44e1d8dfc1d1c568415abaa51805e07d8abe233fac97fe89724a4426e

SHA512
c7be7a9450262fa574941c2e212a6f69d7a9ed1b4faf04ef912313ca75e82e8bfc9932c569ce357f3c3c8dd2b95a57eb12aaaf49a0c378bf888986d262b5f594

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it418105.exe

Filesize
11KB

MD5
56437247eac756c77d8358b886d51dd3

SHA1
697718c23e3e4725f7327d69128bd3fff4d6c2f6

SHA256
30f08dc44e1d8dfc1d1c568415abaa51805e07d8abe233fac97fe89724a4426e

SHA512
c7be7a9450262fa574941c2e212a6f69d7a9ed1b4faf04ef912313ca75e82e8bfc9932c569ce357f3c3c8dd2b95a57eb12aaaf49a0c378bf888986d262b5f594

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr504423.exe

Filesize
588KB

MD5
d0943e7178cda82bbb2bc904590f9af1

SHA1
753ceeaf59d48b6eac101aebddff56cf8c9d6b1b

SHA256
8b9b074ef882f0f8d15291f6cfd876cec1c487700117124c0c70f2d94b6bb238

SHA512
b4d883fc7ba762956e7f9960087b586adc81b929ea2a6beb31a71170ac9977ba5e33a2d5c0dce6a7c40bc850dd658b40cab723d086e345d8180287c730a27bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr504423.exe

Filesize
588KB

MD5
d0943e7178cda82bbb2bc904590f9af1

SHA1
753ceeaf59d48b6eac101aebddff56cf8c9d6b1b

SHA256
8b9b074ef882f0f8d15291f6cfd876cec1c487700117124c0c70f2d94b6bb238

SHA512
b4d883fc7ba762956e7f9960087b586adc81b929ea2a6beb31a71170ac9977ba5e33a2d5c0dce6a7c40bc850dd658b40cab723d086e345d8180287c730a27bb0

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
memory/2488-2320-0x0000000000010000-0x0000000000040000-memory.dmp

Filesize
192KB

Download
memory/2488-2326-0x00000000081D0000-0x00000000086FC000-memory.dmp

Filesize
5.2MB

Download
memory/2488-2328-0x0000000005CB0000-0x0000000005D00000-memory.dmp

Filesize
320KB

Download
memory/2488-2325-0x0000000005D10000-0x0000000005ED2000-memory.dmp

Filesize
1.8MB

Download
memory/2488-2321-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/3552-154-0x0000000000B50000-0x0000000000B5A000-memory.dmp

Filesize
40KB

Download
memory/4392-2315-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4392-2322-0x0000000004F60000-0x0000000004FD6000-memory.dmp

Filesize
472KB

Download
memory/4392-2323-0x0000000005080000-0x0000000005112000-memory.dmp

Filesize
584KB

Download
memory/4392-2311-0x0000000004C50000-0x0000000004C8C000-memory.dmp

Filesize
240KB

Download
memory/4392-2310-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/4392-2309-0x0000000004D00000-0x0000000004E0A000-memory.dmp

Filesize
1.0MB

Download
memory/4392-2308-0x0000000005210000-0x0000000005828000-memory.dmp

Filesize
6.1MB

Download
memory/4392-2307-0x00000000002A0000-0x00000000002CE000-memory.dmp

Filesize
184KB

Download
memory/4392-2327-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4392-2324-0x0000000005120000-0x0000000005186000-memory.dmp

Filesize
408KB

Download
memory/4552-2335-0x0000000000960000-0x000000000099B000-memory.dmp

Filesize
236KB

Download
memory/4660-173-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-200-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-218-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-214-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-212-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-208-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-2295-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4660-224-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-226-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-228-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-220-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-216-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-210-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-206-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-204-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-2312-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4660-2313-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4660-2314-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4660-202-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-192-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-194-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-222-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-196-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-198-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-190-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-188-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-184-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-186-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-167-0x0000000000C70000-0x0000000000CCB000-memory.dmp

Filesize
364KB

Download
memory/4660-182-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-180-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-178-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-176-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-172-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4660-174-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4660-170-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4660-169-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-166-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-164-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-162-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-161-0x0000000005500000-0x0000000005560000-memory.dmp

Filesize
384KB

Download
memory/4660-160-0x0000000004F50000-0x00000000054F4000-memory.dmp

Filesize
5.6MB

Download