amadey | 86ccce71d1b4a78603a6d9f95db9a7ce85efb757309db3bbe8519391dd0bf57b

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2023 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86ccce71d1b4a78603a6d9f95db9a7ce85efb757309db3bbe8519391dd0bf57b.exe
Size

936KB
MD5

6cd802ee715041d2eb0449c7556dae12
SHA1

90d0e32a252a2839f47cf9d404b978de078dfc43
SHA256

86ccce71d1b4a78603a6d9f95db9a7ce85efb757309db3bbe8519391dd0bf57b
SHA512

0461c7e564a5dd948e43b99695c37506ec77e40bdc06e26c25c0e6d96612961577d7101ec1a66e2a836d5e9bf452eb1e007232154f9663fc244b5a2d1c260afc
SSDEEP

12288:RMrBy90sfxCCv9hHUgMJAZhAWucX3RaEzOidQIuu8u6xbsJp2vygxa5Fgv2HfK8R:wyxfv9hUAXucnRaEzOilgD1+DDNPz

Score

10^/10

amadey redline rosn zima discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

176.113.115.145:4125

Attributes

auth_value
2ef701d510c0d27e8a8e3270281678b1

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr677426.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr677426.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr677426.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr677426.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr677426.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr677426.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr677426.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3640-200-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3640-201-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3640-203-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3640-205-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3640-207-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3640-209-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3640-211-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3640-213-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3640-215-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3640-217-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3640-219-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3640-221-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3640-223-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3640-225-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3640-227-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3640-229-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3640-231-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/3640-233-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

si097934.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	si097934.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 8 IoCs

Processes:

un585051.exeun452815.exepr677426.exequ014660.exerk583239.exesi097934.exeoneetx.exeoneetx.exe

pid process

3232 un585051.exe
100 un452815.exe
4916 pr677426.exe
3640 qu014660.exe
1788 rk583239.exe
4912 si097934.exe
2844 oneetx.exe
1836 oneetx.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2204 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3232	un585051.exe
100	un452815.exe
4916	pr677426.exe
3640	qu014660.exe
1788	rk583239.exe
4912	si097934.exe
2844	oneetx.exe
1836	oneetx.exe

pid	process
2204	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr677426.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr677426.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr677426.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

un585051.exeun452815.exe86ccce71d1b4a78603a6d9f95db9a7ce85efb757309db3bbe8519391dd0bf57b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un585051.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un452815.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un452815.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	86ccce71d1b4a78603a6d9f95db9a7ce85efb757309db3bbe8519391dd0bf57b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	86ccce71d1b4a78603a6d9f95db9a7ce85efb757309db3bbe8519391dd0bf57b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un585051.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

384 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
384	sc.exe

Program crash 31 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2488	4916	WerFault.exe	pr677426.exe
1344	3640	WerFault.exe	qu014660.exe
5016	4912	WerFault.exe	si097934.exe
2360	4912	WerFault.exe	si097934.exe
3368	4912	WerFault.exe	si097934.exe
3332	4912	WerFault.exe	si097934.exe
4452	4912	WerFault.exe	si097934.exe
4144	4912	WerFault.exe	si097934.exe
2276	4912	WerFault.exe	si097934.exe
1824	4912	WerFault.exe	si097934.exe
4816	4912	WerFault.exe	si097934.exe
464	4912	WerFault.exe	si097934.exe
4420	2844	WerFault.exe	oneetx.exe
320	2844	WerFault.exe	oneetx.exe
4924	2844	WerFault.exe	oneetx.exe
3656	2844	WerFault.exe	oneetx.exe
756	2844	WerFault.exe	oneetx.exe
2216	2844	WerFault.exe	oneetx.exe
2116	2844	WerFault.exe	oneetx.exe
4900	2844	WerFault.exe	oneetx.exe
3672	2844	WerFault.exe	oneetx.exe
2964	2844	WerFault.exe	oneetx.exe
1052	2844	WerFault.exe	oneetx.exe
4916	2844	WerFault.exe	oneetx.exe
2984	2844	WerFault.exe	oneetx.exe
3368	2844	WerFault.exe	oneetx.exe
3744	1836	WerFault.exe	oneetx.exe
4148	1836	WerFault.exe	oneetx.exe
4720	1836	WerFault.exe	oneetx.exe
2780	1836	WerFault.exe	oneetx.exe
3624	2844	WerFault.exe	oneetx.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3012 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr677426.exequ014660.exerk583239.exe

pid process

4916 pr677426.exe
4916 pr677426.exe
3640 qu014660.exe
3640 qu014660.exe
1788 rk583239.exe
1788 rk583239.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pr677426.exequ014660.exerk583239.exe

description pid process

Token: SeDebugPrivilege 4916 pr677426.exe
Token: SeDebugPrivilege 3640 qu014660.exe
Token: SeDebugPrivilege 1788 rk583239.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

si097934.exe

pid process

4912 si097934.exe

pid	process
3012	schtasks.exe

pid	process
4916	pr677426.exe
4916	pr677426.exe
3640	qu014660.exe
3640	qu014660.exe
1788	rk583239.exe
1788	rk583239.exe

description	pid	process
Token: SeDebugPrivilege	4916	pr677426.exe
Token: SeDebugPrivilege	3640	qu014660.exe
Token: SeDebugPrivilege	1788	rk583239.exe

pid	process
4912	si097934.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

86ccce71d1b4a78603a6d9f95db9a7ce85efb757309db3bbe8519391dd0bf57b.exeun585051.exeun452815.exesi097934.exeoneetx.exe

description	pid	process	target process
PID 1916 wrote to memory of 3232	1916	86ccce71d1b4a78603a6d9f95db9a7ce85efb757309db3bbe8519391dd0bf57b.exe	un585051.exe
PID 1916 wrote to memory of 3232	1916	86ccce71d1b4a78603a6d9f95db9a7ce85efb757309db3bbe8519391dd0bf57b.exe	un585051.exe
PID 1916 wrote to memory of 3232	1916	86ccce71d1b4a78603a6d9f95db9a7ce85efb757309db3bbe8519391dd0bf57b.exe	un585051.exe
PID 3232 wrote to memory of 100	3232	un585051.exe	un452815.exe
PID 3232 wrote to memory of 100	3232	un585051.exe	un452815.exe
PID 3232 wrote to memory of 100	3232	un585051.exe	un452815.exe
PID 100 wrote to memory of 4916	100	un452815.exe	pr677426.exe
PID 100 wrote to memory of 4916	100	un452815.exe	pr677426.exe
PID 100 wrote to memory of 4916	100	un452815.exe	pr677426.exe
PID 100 wrote to memory of 3640	100	un452815.exe	qu014660.exe
PID 100 wrote to memory of 3640	100	un452815.exe	qu014660.exe
PID 100 wrote to memory of 3640	100	un452815.exe	qu014660.exe
PID 3232 wrote to memory of 1788	3232	un585051.exe	rk583239.exe
PID 3232 wrote to memory of 1788	3232	un585051.exe	rk583239.exe
PID 3232 wrote to memory of 1788	3232	un585051.exe	rk583239.exe
PID 1916 wrote to memory of 4912	1916	86ccce71d1b4a78603a6d9f95db9a7ce85efb757309db3bbe8519391dd0bf57b.exe	si097934.exe
PID 1916 wrote to memory of 4912	1916	86ccce71d1b4a78603a6d9f95db9a7ce85efb757309db3bbe8519391dd0bf57b.exe	si097934.exe
PID 1916 wrote to memory of 4912	1916	86ccce71d1b4a78603a6d9f95db9a7ce85efb757309db3bbe8519391dd0bf57b.exe	si097934.exe
PID 4912 wrote to memory of 2844	4912	si097934.exe	oneetx.exe
PID 4912 wrote to memory of 2844	4912	si097934.exe	oneetx.exe
PID 4912 wrote to memory of 2844	4912	si097934.exe	oneetx.exe
PID 2844 wrote to memory of 3012	2844	oneetx.exe	schtasks.exe
PID 2844 wrote to memory of 3012	2844	oneetx.exe	schtasks.exe
PID 2844 wrote to memory of 3012	2844	oneetx.exe	schtasks.exe
PID 2844 wrote to memory of 2204	2844	oneetx.exe	rundll32.exe
PID 2844 wrote to memory of 2204	2844	oneetx.exe	rundll32.exe
PID 2844 wrote to memory of 2204	2844	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\86ccce71d1b4a78603a6d9f95db9a7ce85efb757309db3bbe8519391dd0bf57b.exe
"C:\Users\Admin\AppData\Local\Temp\86ccce71d1b4a78603a6d9f95db9a7ce85efb757309db3bbe8519391dd0bf57b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un585051.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un585051.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un452815.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un452815.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:100
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr677426.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr677426.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1084
        5⤵
        Program crash
        
        PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu014660.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu014660.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3640
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1764
        5⤵
        Program crash
        
        PID:1344
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk583239.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk583239.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si097934.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si097934.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 696
    3⤵
    - Program crash
    PID:5016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 780
    3⤵
    - Program crash
    PID:2360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 812
    3⤵
    - Program crash
    PID:3368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 860
    3⤵
    - Program crash
    PID:3332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 976
    3⤵
    - Program crash
    PID:4452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 976
    3⤵
    - Program crash
    PID:4144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1208
    3⤵
    - Program crash
    PID:2276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1240
    3⤵
    - Program crash
    PID:1824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1316
    3⤵
    - Program crash
    PID:4816
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 692
      4⤵
      Program crash
      PID:4420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 728
      4⤵
      Program crash
      PID:320
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 876
      4⤵
      Program crash
      PID:4924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1060
      4⤵
      Program crash
      PID:3656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1092
      4⤵
      Program crash
      PID:756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1092
      4⤵
      Program crash
      PID:2216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1072
      4⤵
      Program crash
      PID:2116
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 992
      4⤵
      Program crash
      PID:4900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1296
      4⤵
      Program crash
      PID:3672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 716
      4⤵
      Program crash
      PID:2964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 696
      4⤵
      Program crash
      PID:1052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1080
      4⤵
      Program crash
      PID:4916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1612
      4⤵
      Program crash
      PID:2984
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1560
      4⤵
      Program crash
      PID:3368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1628
      4⤵
      Program crash
      PID:3624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1584
    3⤵
    - Program crash
    PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4916 -ip 4916
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3640 -ip 3640
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4912 -ip 4912
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4912 -ip 4912
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4912 -ip 4912
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4912 -ip 4912
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4912 -ip 4912
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4912 -ip 4912
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4912 -ip 4912
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4912 -ip 4912
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4912 -ip 4912
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4912 -ip 4912
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2844 -ip 2844
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2844 -ip 2844
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2844 -ip 2844
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2844 -ip 2844
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2844 -ip 2844
1⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2844 -ip 2844
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2844 -ip 2844
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2844 -ip 2844
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2844 -ip 2844
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2844 -ip 2844
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2844 -ip 2844
1⤵
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2844 -ip 2844
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2844 -ip 2844
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2844 -ip 2844
1⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:1836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 392
  2⤵
  - Program crash
  PID:3744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 548
  2⤵
  - Program crash
  PID:4148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 608
  2⤵
  - Program crash
  PID:4720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 652
  2⤵
  - Program crash
  PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1836 -ip 1836
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1836 -ip 1836
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1836 -ip 1836
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1836 -ip 1836
1⤵
PID:3076

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2844 -ip 2844
1⤵
PID:4656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
230KB

MD5
7d4cd4a44c1a62d13f282a450b4340aa

SHA1
02e032f246424d04d853fac9064b6958f94730f5

SHA256
96ef83cedeb8ba8eea7d700ac91410298f28cb3aa022a48d189f677981c59448

SHA512
f70e40e9a90912013f6ef36afe343c536d4918f718fa33decd12e03ed1abfcaf149c26b0b0b84964bd01939505ab1cb87d8121c340b2afd583a0d56855eba288

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
230KB

MD5
7d4cd4a44c1a62d13f282a450b4340aa

SHA1
02e032f246424d04d853fac9064b6958f94730f5

SHA256
96ef83cedeb8ba8eea7d700ac91410298f28cb3aa022a48d189f677981c59448

SHA512
f70e40e9a90912013f6ef36afe343c536d4918f718fa33decd12e03ed1abfcaf149c26b0b0b84964bd01939505ab1cb87d8121c340b2afd583a0d56855eba288

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
230KB

MD5
7d4cd4a44c1a62d13f282a450b4340aa

SHA1
02e032f246424d04d853fac9064b6958f94730f5

SHA256
96ef83cedeb8ba8eea7d700ac91410298f28cb3aa022a48d189f677981c59448

SHA512
f70e40e9a90912013f6ef36afe343c536d4918f718fa33decd12e03ed1abfcaf149c26b0b0b84964bd01939505ab1cb87d8121c340b2afd583a0d56855eba288

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
230KB

MD5
7d4cd4a44c1a62d13f282a450b4340aa

SHA1
02e032f246424d04d853fac9064b6958f94730f5

SHA256
96ef83cedeb8ba8eea7d700ac91410298f28cb3aa022a48d189f677981c59448

SHA512
f70e40e9a90912013f6ef36afe343c536d4918f718fa33decd12e03ed1abfcaf149c26b0b0b84964bd01939505ab1cb87d8121c340b2afd583a0d56855eba288

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si097934.exe

Filesize
230KB

MD5
7d4cd4a44c1a62d13f282a450b4340aa

SHA1
02e032f246424d04d853fac9064b6958f94730f5

SHA256
96ef83cedeb8ba8eea7d700ac91410298f28cb3aa022a48d189f677981c59448

SHA512
f70e40e9a90912013f6ef36afe343c536d4918f718fa33decd12e03ed1abfcaf149c26b0b0b84964bd01939505ab1cb87d8121c340b2afd583a0d56855eba288

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si097934.exe

Filesize
230KB

MD5
7d4cd4a44c1a62d13f282a450b4340aa

SHA1
02e032f246424d04d853fac9064b6958f94730f5

SHA256
96ef83cedeb8ba8eea7d700ac91410298f28cb3aa022a48d189f677981c59448

SHA512
f70e40e9a90912013f6ef36afe343c536d4918f718fa33decd12e03ed1abfcaf149c26b0b0b84964bd01939505ab1cb87d8121c340b2afd583a0d56855eba288

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un585051.exe

Filesize
671KB

MD5
185ddb861689d9decf62c5053de90c87

SHA1
2a4ceeb05d3616393f20369efcf2cecfaf87ac74

SHA256
090d155373eff95f6134f1ac79e1d2fb5d20e713e34ebee71326937538e2ad83

SHA512
c9d181f62136dfb13f9b7887024606cec190a6e16dcaa5c296920421948b3bf9286a690d33a65584f68c801707f122ad763401aae207187ac0c8180f230ba134

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un585051.exe

Filesize
671KB

MD5
185ddb861689d9decf62c5053de90c87

SHA1
2a4ceeb05d3616393f20369efcf2cecfaf87ac74

SHA256
090d155373eff95f6134f1ac79e1d2fb5d20e713e34ebee71326937538e2ad83

SHA512
c9d181f62136dfb13f9b7887024606cec190a6e16dcaa5c296920421948b3bf9286a690d33a65584f68c801707f122ad763401aae207187ac0c8180f230ba134

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk583239.exe

Filesize
168KB

MD5
eaad2ca0080468ac683e0679890a082f

SHA1
3f972a8f00f8603552c8f9ac0238dd641de35b8d

SHA256
18d74c7bbf4dda5eed5b0017f9e1f412ee165acc9c9434c7a17e4d4dc0d864af

SHA512
45ef43ddd1861525ccb73bdbdb206a0f7228f45ad2ddfe553c57452c304e859b637413c0ac07db60cf372bc9c5a40002698e256ad5a3c1f8c50d93a089003883

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk583239.exe

Filesize
168KB

MD5
eaad2ca0080468ac683e0679890a082f

SHA1
3f972a8f00f8603552c8f9ac0238dd641de35b8d

SHA256
18d74c7bbf4dda5eed5b0017f9e1f412ee165acc9c9434c7a17e4d4dc0d864af

SHA512
45ef43ddd1861525ccb73bdbdb206a0f7228f45ad2ddfe553c57452c304e859b637413c0ac07db60cf372bc9c5a40002698e256ad5a3c1f8c50d93a089003883

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un452815.exe

Filesize
518KB

MD5
6712474001a6a29d9e68c18818869e26

SHA1
68657baf6f257a9e1489c7742309a6fc3eda6ab6

SHA256
bb6ac073762d7390bd0844392255e3b8d3b5a0c259c9b0bbc55bca707de753bb

SHA512
bea43f05a8b5d0a3c1da77e689fa41d4c59ed5803c81cadcb97c341e5d147ddbb0c432aa711909516be350b8a277c593b8fde8359b7dca31fadf7d575ab316de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un452815.exe

Filesize
518KB

MD5
6712474001a6a29d9e68c18818869e26

SHA1
68657baf6f257a9e1489c7742309a6fc3eda6ab6

SHA256
bb6ac073762d7390bd0844392255e3b8d3b5a0c259c9b0bbc55bca707de753bb

SHA512
bea43f05a8b5d0a3c1da77e689fa41d4c59ed5803c81cadcb97c341e5d147ddbb0c432aa711909516be350b8a277c593b8fde8359b7dca31fadf7d575ab316de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr677426.exe

Filesize
239KB

MD5
c95c803947ba082b4b119a0183dfd504

SHA1
7b382c9deb94f5c084b245f5e8d18e3bb094f74c

SHA256
a3d7c8d0365d9656d53f7d4fe1e71dd2471e59237b3500d6cef07d9d4eb04aba

SHA512
906bc5c6c53d841bc6538fdcb2ec98730a20422f576a3a0d78fad441de90bc39ab3636f61312cf9deb7204f1d54d2ee33e372fa148655b4b0372d0588a70ac12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr677426.exe

Filesize
239KB

MD5
c95c803947ba082b4b119a0183dfd504

SHA1
7b382c9deb94f5c084b245f5e8d18e3bb094f74c

SHA256
a3d7c8d0365d9656d53f7d4fe1e71dd2471e59237b3500d6cef07d9d4eb04aba

SHA512
906bc5c6c53d841bc6538fdcb2ec98730a20422f576a3a0d78fad441de90bc39ab3636f61312cf9deb7204f1d54d2ee33e372fa148655b4b0372d0588a70ac12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu014660.exe

Filesize
298KB

MD5
03cbb12996eefa2e64e56359662ecf0c

SHA1
afdd5e73c8b0deef39b974c475ef2cf2efec836b

SHA256
0554b18409e90e52ef8d11c50540fbbe6640a4f0d04511b3a79700ce673fc5e4

SHA512
f68b66d456b40508396334af387ce45dc408ee0b86da450c74a4e6c771387b4b8d4a33ab17243d0d9b694317bab80a62388640623c8e63f8128664bdd5d5d8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu014660.exe

Filesize
298KB

MD5
03cbb12996eefa2e64e56359662ecf0c

SHA1
afdd5e73c8b0deef39b974c475ef2cf2efec836b

SHA256
0554b18409e90e52ef8d11c50540fbbe6640a4f0d04511b3a79700ce673fc5e4

SHA512
f68b66d456b40508396334af387ce45dc408ee0b86da450c74a4e6c771387b4b8d4a33ab17243d0d9b694317bab80a62388640623c8e63f8128664bdd5d5d8c4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1788-1128-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/1788-1127-0x0000000000D00000-0x0000000000D30000-memory.dmp

Filesize
192KB

Download
memory/3640-1114-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3640-1106-0x00000000052E0000-0x00000000058F8000-memory.dmp

Filesize
6.1MB

Download
memory/3640-1121-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3640-1120-0x0000000006770000-0x0000000006C9C000-memory.dmp

Filesize
5.2MB

Download
memory/3640-1119-0x00000000065A0000-0x0000000006762000-memory.dmp

Filesize
1.8MB

Download
memory/3640-1118-0x0000000006540000-0x0000000006590000-memory.dmp

Filesize
320KB

Download
memory/3640-1117-0x00000000064B0000-0x0000000006526000-memory.dmp

Filesize
472KB

Download
memory/3640-1116-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3640-1115-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3640-196-0x0000000000590000-0x00000000005DB000-memory.dmp

Filesize
300KB

Download
memory/3640-198-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3640-197-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3640-199-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3640-200-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3640-201-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3640-203-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3640-205-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3640-207-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3640-209-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3640-211-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3640-213-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3640-215-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3640-217-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3640-219-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3640-221-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3640-223-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3640-225-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3640-227-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3640-229-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3640-231-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3640-233-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/3640-1112-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/3640-1107-0x0000000005900000-0x0000000005A0A000-memory.dmp

Filesize
1.0MB

Download
memory/3640-1108-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/3640-1109-0x0000000005A50000-0x0000000005A8C000-memory.dmp

Filesize
240KB

Download
memory/3640-1110-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3640-1111-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/4912-1134-0x0000000000580000-0x00000000005BB000-memory.dmp

Filesize
236KB

Download
memory/4916-169-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4916-155-0x0000000004B00000-0x00000000050A4000-memory.dmp

Filesize
5.6MB

Download
memory/4916-171-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4916-191-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4916-189-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/4916-188-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4916-187-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4916-185-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4916-175-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4916-167-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4916-181-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4916-179-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4916-173-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4916-165-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4916-177-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4916-163-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4916-161-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4916-160-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4916-159-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/4916-157-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/4916-158-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/4916-156-0x0000000000580000-0x00000000005AD000-memory.dmp

Filesize
180KB

Download
memory/4916-183-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download