amadey | 5a341d18d79f62e3916471a5077693d555b7a35c10e9d64addf72f04d5616ea7

Analysis

max time kernel
151s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2023 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a341d18d79f62e3916471a5077693d555b7a35c10e9d64addf72f04d5616ea7.exe
Size

1.0MB
MD5

5ec483049c1197d58bb69cc654e49c9c
SHA1

21a59ac3209b9c2f78c15d250309ba1e4630a1c3
SHA256

5a341d18d79f62e3916471a5077693d555b7a35c10e9d64addf72f04d5616ea7
SHA512

990b02a7e92c57ccb1d715f059bbf7242451a0bd1d6ec2f93a84c147c0e2009e19f0daed99c7e9bc2ae99e69561e7fe585aa59e03c2587e45a332073a1f6a1da
SSDEEP

12288:+Mriy90qGdCmRl6C2+GoSFm6Pe7rUJCBp7RJ8giJ3Krh6u6DsoGTKQil1X8egK0S:wyGVxTUA7RJ8gMKrh948lVjR5SJYiWY

Score

10^/10

amadey redline dirx soft discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

soft

77.91.124.146:4121

Attributes

auth_value
e65663e455bca3c5699650b66e76ceaa

Extracted

Family

redline

Botnet

dirx

77.91.124.146:4121

Attributes

auth_value
522d988f763be056e53e089f74d464cc

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it991621.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it991621.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it991621.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it991621.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it991621.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it991621.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	jr387583.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	lr445080.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

pid	Process
220	zicE0643.exe
2988	ziyI8668.exe
2700	it991621.exe
4368	jr387583.exe
1360	1.exe
4216	kp453493.exe
4212	lr445080.exe
3748	oneetx.exe
3332	oneetx.exe
4392	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
2480	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it991621.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zicE0643.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zicE0643.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziyI8668.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziyI8668.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5a341d18d79f62e3916471a5077693d555b7a35c10e9d64addf72f04d5616ea7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5a341d18d79f62e3916471a5077693d555b7a35c10e9d64addf72f04d5616ea7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 33 IoCs

pid	pid_target	Process	procid_target
4968	4368	WerFault.exe	91
1940	4212	WerFault.exe	101
3980	4212	WerFault.exe	101
1548	4212	WerFault.exe	101
1476	4212	WerFault.exe	101
3228	4212	WerFault.exe	101
2188	4212	WerFault.exe	101
4768	4212	WerFault.exe	101
4620	4212	WerFault.exe	101
2148	4212	WerFault.exe	101
3780	4212	WerFault.exe	101
3860	4212	WerFault.exe	101
1180	3748	WerFault.exe	122
748	3748	WerFault.exe	122
5004	3748	WerFault.exe	122
3596	3748	WerFault.exe	122
3868	3748	WerFault.exe	122
3052	3748	WerFault.exe	122
5020	3748	WerFault.exe	122
2016	3748	WerFault.exe	122
2240	3748	WerFault.exe	122
1360	3748	WerFault.exe	122
4180	3748	WerFault.exe	122
3000	3332	WerFault.exe	149
4092	3332	WerFault.exe	149
1512	3332	WerFault.exe	149
3416	3748	WerFault.exe	122
2628	3748	WerFault.exe	122
1640	3748	WerFault.exe	122
3924	4392	WerFault.exe	163
2632	4392	WerFault.exe	163
2584	4392	WerFault.exe	163
2352	3748	WerFault.exe	122

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2700	it991621.exe
2700	it991621.exe
1360	1.exe
4216	kp453493.exe
4216	kp453493.exe
1360	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	it991621.exe
Token: SeDebugPrivilege	4368	jr387583.exe
Token: SeDebugPrivilege	1360	1.exe
Token: SeDebugPrivilege	4216	kp453493.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4212	lr445080.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 220	2468	5a341d18d79f62e3916471a5077693d555b7a35c10e9d64addf72f04d5616ea7.exe	83
PID 2468 wrote to memory of 220	2468	5a341d18d79f62e3916471a5077693d555b7a35c10e9d64addf72f04d5616ea7.exe	83
PID 2468 wrote to memory of 220	2468	5a341d18d79f62e3916471a5077693d555b7a35c10e9d64addf72f04d5616ea7.exe	83
PID 220 wrote to memory of 2988	220	zicE0643.exe	84
PID 220 wrote to memory of 2988	220	zicE0643.exe	84
PID 220 wrote to memory of 2988	220	zicE0643.exe	84
PID 2988 wrote to memory of 2700	2988	ziyI8668.exe	85
PID 2988 wrote to memory of 2700	2988	ziyI8668.exe	85
PID 2988 wrote to memory of 4368	2988	ziyI8668.exe	91
PID 2988 wrote to memory of 4368	2988	ziyI8668.exe	91
PID 2988 wrote to memory of 4368	2988	ziyI8668.exe	91
PID 4368 wrote to memory of 1360	4368	jr387583.exe	95
PID 4368 wrote to memory of 1360	4368	jr387583.exe	95
PID 4368 wrote to memory of 1360	4368	jr387583.exe	95
PID 220 wrote to memory of 4216	220	zicE0643.exe	100
PID 220 wrote to memory of 4216	220	zicE0643.exe	100
PID 220 wrote to memory of 4216	220	zicE0643.exe	100
PID 2468 wrote to memory of 4212	2468	5a341d18d79f62e3916471a5077693d555b7a35c10e9d64addf72f04d5616ea7.exe	101
PID 2468 wrote to memory of 4212	2468	5a341d18d79f62e3916471a5077693d555b7a35c10e9d64addf72f04d5616ea7.exe	101
PID 2468 wrote to memory of 4212	2468	5a341d18d79f62e3916471a5077693d555b7a35c10e9d64addf72f04d5616ea7.exe	101
PID 4212 wrote to memory of 3748	4212	lr445080.exe	122
PID 4212 wrote to memory of 3748	4212	lr445080.exe	122
PID 4212 wrote to memory of 3748	4212	lr445080.exe	122
PID 3748 wrote to memory of 800	3748	oneetx.exe	139
PID 3748 wrote to memory of 800	3748	oneetx.exe	139
PID 3748 wrote to memory of 800	3748	oneetx.exe	139
PID 3748 wrote to memory of 2480	3748	oneetx.exe	160
PID 3748 wrote to memory of 2480	3748	oneetx.exe	160
PID 3748 wrote to memory of 2480	3748	oneetx.exe	160

C:\Users\Admin\AppData\Local\Temp\5a341d18d79f62e3916471a5077693d555b7a35c10e9d64addf72f04d5616ea7.exe
"C:\Users\Admin\AppData\Local\Temp\5a341d18d79f62e3916471a5077693d555b7a35c10e9d64addf72f04d5616ea7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zicE0643.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zicE0643.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziyI8668.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziyI8668.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it991621.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it991621.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr387583.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr387583.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4368
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1404
        5⤵
        Program crash
        
        PID:4968
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp453493.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp453493.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr445080.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr445080.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 700
    3⤵
    - Program crash
    PID:1940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 784
    3⤵
    - Program crash
    PID:3980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 860
    3⤵
    - Program crash
    PID:1548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 868
    3⤵
    - Program crash
    PID:1476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 972
    3⤵
    - Program crash
    PID:3228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1008
    3⤵
    - Program crash
    PID:2188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1328
    3⤵
    - Program crash
    PID:4768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1364
    3⤵
    - Program crash
    PID:4620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1328
    3⤵
    - Program crash
    PID:2148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1356
    3⤵
    - Program crash
    PID:3780
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 696
      4⤵
      Program crash
      PID:1180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 876
      4⤵
      Program crash
      PID:748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 928
      4⤵
      Program crash
      PID:5004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1056
      4⤵
      Program crash
      PID:3596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1076
      4⤵
      Program crash
      PID:3868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1112
      4⤵
      Program crash
      PID:3052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1120
      4⤵
      Program crash
      PID:5020
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1008
      4⤵
      Program crash
      PID:2016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 688
      4⤵
      Program crash
      PID:2240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 776
      4⤵
      Program crash
      PID:1360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 776
      4⤵
      Program crash
      PID:4180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1140
      4⤵
      Program crash
      PID:3416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1612
      4⤵
      Program crash
      PID:2628
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1496
      4⤵
      Program crash
      PID:1640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1628
      4⤵
      Program crash
      PID:2352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1416
    3⤵
    - Program crash
    PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4368 -ip 4368
1⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4212 -ip 4212
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4212 -ip 4212
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4212 -ip 4212
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4212 -ip 4212
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4212 -ip 4212
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4212 -ip 4212
1⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4212 -ip 4212
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4212 -ip 4212
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4212 -ip 4212
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4212 -ip 4212
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4212 -ip 4212
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3748 -ip 3748
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3748 -ip 3748
1⤵
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3748 -ip 3748
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3748 -ip 3748
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3748 -ip 3748
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3748 -ip 3748
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3748 -ip 3748
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3748 -ip 3748
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3748 -ip 3748
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3748 -ip 3748
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3748 -ip 3748
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:3332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 400
  2⤵
  - Program crash
  PID:3000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 440
  2⤵
  - Program crash
  PID:4092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 440
  2⤵
  - Program crash
  PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3332 -ip 3332
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3332 -ip 3332
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3332 -ip 3332
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3748 -ip 3748
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3748 -ip 3748
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3748 -ip 3748
1⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 396
  2⤵
  - Program crash
  PID:3924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 440
  2⤵
  - Program crash
  PID:2632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 508
  2⤵
  - Program crash
  PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4392 -ip 4392
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4392 -ip 4392
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4392 -ip 4392
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3748 -ip 3748
1⤵
PID:2656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr445080.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr445080.exe

Filesize
395KB

MD5
d0f6446729649ac0ed8a001b2935db90

SHA1
acb4e10b42c73a85f16fc337305e40d3b1622b28

SHA256
74a7e002e7bc3aa7cf8bdf70189ee41215d85faa43070c837129dcb0e0d55ca9

SHA512
8e3de4ad2164f8eb3cc00007f7ff54f9fd8ff8ef2a42ba67b40eb0347747d11ddadb51e7530d637bc107c9513b1df65e895ef7eaf6622d09554b27d6c05d5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zicE0643.exe

Filesize
724KB

MD5
7f52cd7e54768ebbff01e7ae43a70ddd

SHA1
d8506003586abecc7081b909a565a2a0a976357a

SHA256
f4cbab859484d4f5432608e31ebe2cff13e20f8ac9f636c1780c872ad36248f6

SHA512
b658127f1155265a2895f4acc4f960c536a35809e799c51b129fb66344695e81fb78443e54e565a75d347a7a8be572ba45d53d7f9add9f3c6fcc42bbca1f40e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zicE0643.exe

Filesize
724KB

MD5
7f52cd7e54768ebbff01e7ae43a70ddd

SHA1
d8506003586abecc7081b909a565a2a0a976357a

SHA256
f4cbab859484d4f5432608e31ebe2cff13e20f8ac9f636c1780c872ad36248f6

SHA512
b658127f1155265a2895f4acc4f960c536a35809e799c51b129fb66344695e81fb78443e54e565a75d347a7a8be572ba45d53d7f9add9f3c6fcc42bbca1f40e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp453493.exe

Filesize
169KB

MD5
19fb99fb029623abd8f43cd58326e995

SHA1
d32d63617f7a0065dcd3a38a18ea500e282bc889

SHA256
0111ce05fde9cf4338ed192127a81185d0b15751de78cfcec64f8675e8e4d205

SHA512
c91ee1f534682b39953b25c01b409144606cfc8739b067a1ac4a1c09d2688296794f223994af4038f5840d2b12c1a1f7adc65f9a41adebbc0c17ec63a9738568

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp453493.exe

Filesize
169KB

MD5
19fb99fb029623abd8f43cd58326e995

SHA1
d32d63617f7a0065dcd3a38a18ea500e282bc889

SHA256
0111ce05fde9cf4338ed192127a81185d0b15751de78cfcec64f8675e8e4d205

SHA512
c91ee1f534682b39953b25c01b409144606cfc8739b067a1ac4a1c09d2688296794f223994af4038f5840d2b12c1a1f7adc65f9a41adebbc0c17ec63a9738568

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziyI8668.exe

Filesize
570KB

MD5
c5b7ce45f7c41f990761179a5cda7f10

SHA1
c16da2d9c07497f6301768acf4105987f381b29c

SHA256
8ecf810ba49a4574efa6983dfbd5248637778a8bf98868896f80c2a89d7c3fe3

SHA512
8b5a6147be9f829ea26c75b882bbc67f6e7df3cba75d0deeba917d639dda5792e2057d9ae8d103e43d8ac8f92a02a33803063487887d684029b94df8e3fca765

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziyI8668.exe

Filesize
570KB

MD5
c5b7ce45f7c41f990761179a5cda7f10

SHA1
c16da2d9c07497f6301768acf4105987f381b29c

SHA256
8ecf810ba49a4574efa6983dfbd5248637778a8bf98868896f80c2a89d7c3fe3

SHA512
8b5a6147be9f829ea26c75b882bbc67f6e7df3cba75d0deeba917d639dda5792e2057d9ae8d103e43d8ac8f92a02a33803063487887d684029b94df8e3fca765

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it991621.exe

Filesize
11KB

MD5
0de18ee87c87082c289684a12eaddca3

SHA1
7f3bbb0dd3dbc308d5bfac029b07b036d1323eea

SHA256
06066dce25f4229e5bbe144341e3630431fc00083ffe1b76360072777607a888

SHA512
d27b48e1561221aa55be4c03ca08bcb2ea8f8c7c1cc27d290cae76b5286d79d16808bbab288e5e113cd4a808f1cdf251a58d42245c20c90d4bc1cdf23ea27df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it991621.exe

Filesize
11KB

MD5
0de18ee87c87082c289684a12eaddca3

SHA1
7f3bbb0dd3dbc308d5bfac029b07b036d1323eea

SHA256
06066dce25f4229e5bbe144341e3630431fc00083ffe1b76360072777607a888

SHA512
d27b48e1561221aa55be4c03ca08bcb2ea8f8c7c1cc27d290cae76b5286d79d16808bbab288e5e113cd4a808f1cdf251a58d42245c20c90d4bc1cdf23ea27df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr387583.exe

Filesize
588KB

MD5
1ffc8425787aa8d877cd423cd8794082

SHA1
a331d7d69a4733bfcf31045c841352fa3a625441

SHA256
f7403bfb3380991132dac24b1ad347b61f8d03f66596fa2e06155257d10000e2

SHA512
77f51e78c2332681bb005001759fff0581113523f84c825bf20fef2311adca999fc42c4e08ea6294620526b0dbc1bfe0a449c04827a3d6532d863a44e679f332

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr387583.exe

Filesize
588KB

MD5
1ffc8425787aa8d877cd423cd8794082

SHA1
a331d7d69a4733bfcf31045c841352fa3a625441

SHA256
f7403bfb3380991132dac24b1ad347b61f8d03f66596fa2e06155257d10000e2

SHA512
77f51e78c2332681bb005001759fff0581113523f84c825bf20fef2311adca999fc42c4e08ea6294620526b0dbc1bfe0a449c04827a3d6532d863a44e679f332

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
memory/1360-2314-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/1360-2312-0x0000000004B90000-0x0000000004C9A000-memory.dmp

Filesize
1.0MB

Download
memory/1360-2325-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/1360-2324-0x0000000004FE0000-0x0000000005046000-memory.dmp

Filesize
408KB

Download
memory/1360-2323-0x0000000004F40000-0x0000000004FD2000-memory.dmp

Filesize
584KB

Download
memory/1360-2322-0x0000000004E20000-0x0000000004E96000-memory.dmp

Filesize
472KB

Download
memory/1360-2307-0x0000000000160000-0x000000000018E000-memory.dmp

Filesize
184KB

Download
memory/1360-2311-0x00000000050A0000-0x00000000056B8000-memory.dmp

Filesize
6.1MB

Download
memory/1360-2327-0x0000000008330000-0x000000000885C000-memory.dmp

Filesize
5.2MB

Download
memory/1360-2326-0x0000000005F80000-0x0000000006142000-memory.dmp

Filesize
1.8MB

Download
memory/1360-2315-0x0000000004B10000-0x0000000004B4C000-memory.dmp

Filesize
240KB

Download
memory/1360-2313-0x0000000004AB0000-0x0000000004AC2000-memory.dmp

Filesize
72KB

Download
memory/2700-154-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/4212-2336-0x0000000000960000-0x000000000099B000-memory.dmp

Filesize
236KB

Download
memory/4216-2320-0x0000000000E00000-0x0000000000E30000-memory.dmp

Filesize
192KB

Download
memory/4216-2321-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/4216-2328-0x0000000006A80000-0x0000000006AD0000-memory.dmp

Filesize
320KB

Download
memory/4216-2329-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/4368-178-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-222-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-224-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-226-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-228-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-2294-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/4368-220-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-218-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-2303-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/4368-216-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-214-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-2310-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/4368-2309-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/4368-212-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-210-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-208-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-206-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-204-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-202-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-200-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-198-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-196-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-194-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-192-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-190-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-188-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-186-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-184-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-182-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-180-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-176-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-175-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/4368-173-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/4368-172-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-170-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-168-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-166-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-164-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-163-0x0000000005580000-0x00000000055E0000-memory.dmp

Filesize
384KB

Download
memory/4368-162-0x0000000004FD0000-0x0000000005574000-memory.dmp

Filesize
5.6MB

Download
memory/4368-161-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/4368-160-0x0000000002540000-0x000000000259B000-memory.dmp

Filesize
364KB

Download