amadey | ab859bbe22723c474ed3c4d566f0a0ee70aa1118ffd9af37289864215f9f0b31

Analysis

max time kernel
150s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2023, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab859bbe22723c474ed3c4d566f0a0ee70aa1118ffd9af37289864215f9f0b31.exe
Size

1.2MB
MD5

c48172d489bf8d6f69b4f4d9ac5a89ec
SHA1

9e84c892f6f84489e4356db4a9160aff7e4606f6
SHA256

ab859bbe22723c474ed3c4d566f0a0ee70aa1118ffd9af37289864215f9f0b31
SHA512

a11831927c2ea54c352908c19e81cf4dfbc7f4419547599f7fb68ba3f1949e690717d0afafb4e817b111b917674fa59fd4ada5cca2aca4322999b340ccaf0f04
SSDEEP

24576:byJQ6xQRLa97Pw3PwSeydpbUJqzQKrL9kHvtmRYf/wHphT:OJQ6mZaYIYpgQEyVRUwHb

Score

10^/10

amadey redline dirx soft discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

soft

77.91.124.146:4121

Attributes

auth_value
e65663e455bca3c5699650b66e76ceaa

Extracted

Family

redline

Botnet

dirx

77.91.124.146:4121

Attributes

auth_value
522d988f763be056e53e089f74d464cc

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr926385.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr926385.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr926385.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr926385.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr926385.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr926385.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	qu178644.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	si886789.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

pid	Process
232	un263347.exe
5036	un151478.exe
1856	pr926385.exe
2952	qu178644.exe
4968	1.exe
4028	rk979149.exe
4784	si886789.exe
2088	oneetx.exe
2272	oneetx.exe
4832	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
4196	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr926385.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr926385.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ab859bbe22723c474ed3c4d566f0a0ee70aa1118ffd9af37289864215f9f0b31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ab859bbe22723c474ed3c4d566f0a0ee70aa1118ffd9af37289864215f9f0b31.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un263347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un263347.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un151478.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un151478.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 34 IoCs

pid	pid_target	Process	procid_target
1724	1856	WerFault.exe	85
2584	2952	WerFault.exe	91
4940	4784	WerFault.exe	98
2236	4784	WerFault.exe	98
392	4784	WerFault.exe	98
1268	4784	WerFault.exe	98
3536	4784	WerFault.exe	98
4476	4784	WerFault.exe	98
1524	4784	WerFault.exe	98
1048	4784	WerFault.exe	98
540	4784	WerFault.exe	98
2948	4784	WerFault.exe	98
3356	2088	WerFault.exe	120
2992	2088	WerFault.exe	120
1276	2088	WerFault.exe	120
1492	2088	WerFault.exe	120
4140	2088	WerFault.exe	120
4592	2088	WerFault.exe	120
4144	2088	WerFault.exe	120
2996	2088	WerFault.exe	120
4028	2088	WerFault.exe	120
3680	2088	WerFault.exe	120
2752	2088	WerFault.exe	120
3992	2088	WerFault.exe	120
3712	2272	WerFault.exe	150
1288	2272	WerFault.exe	150
1608	2272	WerFault.exe	150
4712	2088	WerFault.exe	120
3476	2088	WerFault.exe	120
4448	2088	WerFault.exe	120
2772	4832	WerFault.exe	164
3184	4832	WerFault.exe	164
1140	4832	WerFault.exe	164
1052	2088	WerFault.exe	120

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1856	pr926385.exe
1856	pr926385.exe
4028	rk979149.exe
4968	1.exe
4968	1.exe
4028	rk979149.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	pr926385.exe
Token: SeDebugPrivilege	2952	qu178644.exe
Token: SeDebugPrivilege	4028	rk979149.exe
Token: SeDebugPrivilege	4968	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4784	si886789.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 232	1840	ab859bbe22723c474ed3c4d566f0a0ee70aa1118ffd9af37289864215f9f0b31.exe	83
PID 1840 wrote to memory of 232	1840	ab859bbe22723c474ed3c4d566f0a0ee70aa1118ffd9af37289864215f9f0b31.exe	83
PID 1840 wrote to memory of 232	1840	ab859bbe22723c474ed3c4d566f0a0ee70aa1118ffd9af37289864215f9f0b31.exe	83
PID 232 wrote to memory of 5036	232	un263347.exe	84
PID 232 wrote to memory of 5036	232	un263347.exe	84
PID 232 wrote to memory of 5036	232	un263347.exe	84
PID 5036 wrote to memory of 1856	5036	un151478.exe	85
PID 5036 wrote to memory of 1856	5036	un151478.exe	85
PID 5036 wrote to memory of 1856	5036	un151478.exe	85
PID 5036 wrote to memory of 2952	5036	un151478.exe	91
PID 5036 wrote to memory of 2952	5036	un151478.exe	91
PID 5036 wrote to memory of 2952	5036	un151478.exe	91
PID 2952 wrote to memory of 4968	2952	qu178644.exe	93
PID 2952 wrote to memory of 4968	2952	qu178644.exe	93
PID 2952 wrote to memory of 4968	2952	qu178644.exe	93
PID 232 wrote to memory of 4028	232	un263347.exe	96
PID 232 wrote to memory of 4028	232	un263347.exe	96
PID 232 wrote to memory of 4028	232	un263347.exe	96
PID 1840 wrote to memory of 4784	1840	ab859bbe22723c474ed3c4d566f0a0ee70aa1118ffd9af37289864215f9f0b31.exe	98
PID 1840 wrote to memory of 4784	1840	ab859bbe22723c474ed3c4d566f0a0ee70aa1118ffd9af37289864215f9f0b31.exe	98
PID 1840 wrote to memory of 4784	1840	ab859bbe22723c474ed3c4d566f0a0ee70aa1118ffd9af37289864215f9f0b31.exe	98
PID 4784 wrote to memory of 2088	4784	si886789.exe	120
PID 4784 wrote to memory of 2088	4784	si886789.exe	120
PID 4784 wrote to memory of 2088	4784	si886789.exe	120
PID 2088 wrote to memory of 5016	2088	oneetx.exe	138
PID 2088 wrote to memory of 5016	2088	oneetx.exe	138
PID 2088 wrote to memory of 5016	2088	oneetx.exe	138
PID 2088 wrote to memory of 4196	2088	oneetx.exe	161
PID 2088 wrote to memory of 4196	2088	oneetx.exe	161
PID 2088 wrote to memory of 4196	2088	oneetx.exe	161

C:\Users\Admin\AppData\Local\Temp\ab859bbe22723c474ed3c4d566f0a0ee70aa1118ffd9af37289864215f9f0b31.exe
"C:\Users\Admin\AppData\Local\Temp\ab859bbe22723c474ed3c4d566f0a0ee70aa1118ffd9af37289864215f9f0b31.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un263347.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un263347.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un151478.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un151478.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr926385.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr926385.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1856
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1084
        5⤵
        Program crash
        
        PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu178644.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu178644.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 1392
        5⤵
        Program crash
        
        PID:2584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk979149.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk979149.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4028
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si886789.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si886789.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 700
    3⤵
    - Program crash
    PID:4940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 784
    3⤵
    - Program crash
    PID:2236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 796
    3⤵
    - Program crash
    PID:392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 956
    3⤵
    - Program crash
    PID:1268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 872
    3⤵
    - Program crash
    PID:3536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 988
    3⤵
    - Program crash
    PID:4476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 1220
    3⤵
    - Program crash
    PID:1524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 1268
    3⤵
    - Program crash
    PID:1048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 1320
    3⤵
    - Program crash
    PID:540
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 696
      4⤵
      Program crash
      PID:3356
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 884
      4⤵
      Program crash
      PID:2992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1016
      4⤵
      Program crash
      PID:1276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1104
      4⤵
      Program crash
      PID:1492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1112
      4⤵
      Program crash
      PID:4140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1112
      4⤵
      Program crash
      PID:4592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1012
      4⤵
      Program crash
      PID:4144
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:5016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1004
      4⤵
      Program crash
      PID:2996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1292
      4⤵
      Program crash
      PID:4028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1300
      4⤵
      Program crash
      PID:3680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 780
      4⤵
      Program crash
      PID:2752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1528
      4⤵
      Program crash
      PID:3992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1168
      4⤵
      Program crash
      PID:4712
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1628
      4⤵
      Program crash
      PID:3476
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1132
      4⤵
      Program crash
      PID:4448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1644
      4⤵
      Program crash
      PID:1052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 1744
    3⤵
    - Program crash
    PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1856 -ip 1856
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2952 -ip 2952
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4784 -ip 4784
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4784 -ip 4784
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4784 -ip 4784
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4784 -ip 4784
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4784 -ip 4784
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4784 -ip 4784
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4784 -ip 4784
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4784 -ip 4784
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4784 -ip 4784
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4784 -ip 4784
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2088 -ip 2088
1⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2088 -ip 2088
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2088 -ip 2088
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2088 -ip 2088
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2088 -ip 2088
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2088 -ip 2088
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2088 -ip 2088
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2088 -ip 2088
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2088 -ip 2088
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2088 -ip 2088
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2088 -ip 2088
1⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2088 -ip 2088
1⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:2272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 396
  2⤵
  - Program crash
  PID:3712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 440
  2⤵
  - Program crash
  PID:1288
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 440
  2⤵
  - Program crash
  PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2272 -ip 2272
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2272 -ip 2272
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2272 -ip 2272
1⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2088 -ip 2088
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2088 -ip 2088
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2088 -ip 2088
1⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 396
  2⤵
  - Program crash
  PID:2772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 440
  2⤵
  - Program crash
  PID:3184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 460
  2⤵
  - Program crash
  PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4832 -ip 4832
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4832 -ip 4832
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4832 -ip 4832
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2088 -ip 2088
1⤵
PID:3396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si886789.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si886789.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un263347.exe

Filesize
864KB

MD5
64529c97e25b74baa61a728101e11446

SHA1
178666acd5fad2db99e13a141f25873f528dd071

SHA256
b949ad31250ba41a149beb13e0db2eb0dd5f069cffe16121847c7b59a2b13d8e

SHA512
cab576c7b5b29dc5f1d6cccaf37b234dd77a0d55128957040dcca9af868d8203a49daad22b13f18029d41995e5ada1c32744cb46a12512e59a9a5c9fd3b78318

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un263347.exe

Filesize
864KB

MD5
64529c97e25b74baa61a728101e11446

SHA1
178666acd5fad2db99e13a141f25873f528dd071

SHA256
b949ad31250ba41a149beb13e0db2eb0dd5f069cffe16121847c7b59a2b13d8e

SHA512
cab576c7b5b29dc5f1d6cccaf37b234dd77a0d55128957040dcca9af868d8203a49daad22b13f18029d41995e5ada1c32744cb46a12512e59a9a5c9fd3b78318

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk979149.exe

Filesize
169KB

MD5
cca22c47dfbb5e002c07bbb6e358bddc

SHA1
0506430dcd360760773551decf59f3776fb9b8d5

SHA256
772fc3aab6314332a6e2300af103adf27b0ed2cf4ec9484c01d28dae6ad85c7d

SHA512
1347fd5c86436854c07aac73e3790aa4d95477bbb0b4157f038816aa6bb43e16e4a89ba53cfa342d2e012d3f6f9e5b258c5625ca3931b12fcd21044e368b3081

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk979149.exe

Filesize
169KB

MD5
cca22c47dfbb5e002c07bbb6e358bddc

SHA1
0506430dcd360760773551decf59f3776fb9b8d5

SHA256
772fc3aab6314332a6e2300af103adf27b0ed2cf4ec9484c01d28dae6ad85c7d

SHA512
1347fd5c86436854c07aac73e3790aa4d95477bbb0b4157f038816aa6bb43e16e4a89ba53cfa342d2e012d3f6f9e5b258c5625ca3931b12fcd21044e368b3081

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un151478.exe

Filesize
709KB

MD5
2af59f0502678618d896a1179248417e

SHA1
0e9287850798ef13096fce4a17c73eaf385f8504

SHA256
87300ac2a23c1254a43889ca360654fc4301751a12e66cbfb90b27ee361bb97c

SHA512
98a7aec46ee472059965f7a929d100e67870dfed4df9c20bd57ac2005ad0af50292d917221185bcb1ae47cb4508f534ed9704e86254966a3e1c26854755e2758

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un151478.exe

Filesize
709KB

MD5
2af59f0502678618d896a1179248417e

SHA1
0e9287850798ef13096fce4a17c73eaf385f8504

SHA256
87300ac2a23c1254a43889ca360654fc4301751a12e66cbfb90b27ee361bb97c

SHA512
98a7aec46ee472059965f7a929d100e67870dfed4df9c20bd57ac2005ad0af50292d917221185bcb1ae47cb4508f534ed9704e86254966a3e1c26854755e2758

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr926385.exe

Filesize
403KB

MD5
8d11412da6bb0f93b0a0265e6a648745

SHA1
d17e03b000ec9175fa955df8bf02de47bd4d22a1

SHA256
0808104b33defc659f4a760df174dfc1e391bdc6f286eaf9814f62a80219ac8e

SHA512
f39fbe3a1202c8929a29098f49aa1f65cb555e62fc63bac476f8fd2f1626d939f0f5f19daa99b7a0a5f6a289e44958b551515f143e0872593132a44dc4c450aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr926385.exe

Filesize
403KB

MD5
8d11412da6bb0f93b0a0265e6a648745

SHA1
d17e03b000ec9175fa955df8bf02de47bd4d22a1

SHA256
0808104b33defc659f4a760df174dfc1e391bdc6f286eaf9814f62a80219ac8e

SHA512
f39fbe3a1202c8929a29098f49aa1f65cb555e62fc63bac476f8fd2f1626d939f0f5f19daa99b7a0a5f6a289e44958b551515f143e0872593132a44dc4c450aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu178644.exe

Filesize
588KB

MD5
cb7466871b8c5556a35f88691a83c049

SHA1
0ecb8aa227945cfcf7dbc4ebbbdf009efb6cc6e0

SHA256
75b0d6a07ce4bfbd9a90a6976aa93f9ea6d19e285d71d73e46a16bf9d501ca6a

SHA512
71287a0c116f17e9bb52626846678e2d4bdf85469741bea11c4ea5576b1938e2b05a6759c7e8bc6bc1930f58db1b57b07e49c0da814a856a24084a96cc0c526b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu178644.exe

Filesize
588KB

MD5
cb7466871b8c5556a35f88691a83c049

SHA1
0ecb8aa227945cfcf7dbc4ebbbdf009efb6cc6e0

SHA256
75b0d6a07ce4bfbd9a90a6976aa93f9ea6d19e285d71d73e46a16bf9d501ca6a

SHA512
71287a0c116f17e9bb52626846678e2d4bdf85469741bea11c4ea5576b1938e2b05a6759c7e8bc6bc1930f58db1b57b07e49c0da814a856a24084a96cc0c526b

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
memory/1856-181-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/1856-187-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/1856-188-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/1856-189-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/1856-190-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/1856-191-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/1856-193-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/1856-185-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/1856-183-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/1856-155-0x0000000004E60000-0x0000000005404000-memory.dmp

Filesize
5.6MB

Download
memory/1856-156-0x0000000000A70000-0x0000000000A9D000-memory.dmp

Filesize
180KB

Download
memory/1856-157-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/1856-158-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/1856-159-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/1856-160-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/1856-161-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/1856-163-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/1856-165-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/1856-167-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/1856-169-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/1856-171-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/1856-173-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/1856-175-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/1856-177-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/1856-179-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/2952-234-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/2952-199-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/2952-231-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/2952-232-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/2952-235-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/2952-229-0x0000000002450000-0x00000000024AB000-memory.dmp

Filesize
364KB

Download
memory/2952-2332-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/2952-227-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/2952-225-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/2952-223-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/2952-198-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/2952-217-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/2952-201-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/2952-203-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/2952-209-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/2952-207-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/2952-221-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/2952-219-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/2952-205-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/2952-230-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/2952-211-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/2952-213-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/2952-215-0x0000000004E40000-0x0000000004EA0000-memory.dmp

Filesize
384KB

Download
memory/4028-2354-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/4028-2360-0x00000000082B0000-0x00000000087DC000-memory.dmp

Filesize
5.2MB

Download
memory/4028-2353-0x0000000000070000-0x00000000000A0000-memory.dmp

Filesize
192KB

Download
memory/4028-2359-0x0000000005E00000-0x0000000005FC2000-memory.dmp

Filesize
1.8MB

Download
memory/4028-2356-0x0000000004E50000-0x0000000004EE2000-memory.dmp

Filesize
584KB

Download
memory/4784-2368-0x0000000002360000-0x000000000239B000-memory.dmp

Filesize
236KB

Download
memory/4968-2358-0x0000000006550000-0x00000000065A0000-memory.dmp

Filesize
320KB

Download
memory/4968-2357-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/4968-2355-0x0000000005820000-0x0000000005896000-memory.dmp

Filesize
472KB

Download
memory/4968-2361-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/4968-2349-0x00000000053E0000-0x000000000541C000-memory.dmp

Filesize
240KB

Download
memory/4968-2348-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/4968-2347-0x00000000053C0000-0x00000000053D2000-memory.dmp

Filesize
72KB

Download
memory/4968-2346-0x00000000054D0000-0x00000000055DA000-memory.dmp

Filesize
1.0MB

Download
memory/4968-2344-0x00000000059E0000-0x0000000005FF8000-memory.dmp

Filesize
6.1MB

Download
memory/4968-2343-0x0000000000A60000-0x0000000000A8E000-memory.dmp

Filesize
184KB

Download