amadey | 0b44d2ae9a48bb7a7f3c83a11b1f7abf2586b173d4248df246e510c2dbd775b4

Analysis

max time kernel
144s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2023 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b44d2ae9a48bb7a7f3c83a11b1f7abf2586b173d4248df246e510c2dbd775b4.exe
Size

800KB
MD5

5987f595ef3deb56b08de4939c448061
SHA1

60f23879d1aefade3d77eda2d9be611a1853093d
SHA256

0b44d2ae9a48bb7a7f3c83a11b1f7abf2586b173d4248df246e510c2dbd775b4
SHA512

4f35864785fd502e39b39c6052843b9598a7117631badce67a0e1ede3b86fcc93083ee822c2d252e44b883a983e669984669f223828bc1cb6de139bed030d4a3
SSDEEP

12288:pMrGy90e5/DQl9hdMFPIjSZVZvSxK7CFmkMoIF+0b/5IctEjcb8bWsT:TyV4/OaOZfqxfFF0F7IcabasT

Score

10^/10

amadey redline rosn zima discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

176.113.115.145:4125

Attributes

auth_value
2ef701d510c0d27e8a8e3270281678b1

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

it603959.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it603959.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it603959.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it603959.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it603959.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it603959.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it603959.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4684-162-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-165-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-163-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-167-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-169-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-171-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-175-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-177-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-179-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-181-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-183-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-185-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-187-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-189-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-191-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-195-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-193-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-197-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-199-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-201-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-203-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-205-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-207-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-209-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-211-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-213-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-217-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-219-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-215-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-221-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-223-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-225-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-227-0x0000000005090000-0x00000000050CF000-memory.dmp	family_redline
behavioral1/memory/4684-1080-0x0000000002420000-0x0000000002430000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lr725993.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	lr725993.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

Processes:

ziaU8994.exeziCr2753.exeit603959.exejr224085.exekp300903.exelr725993.exeoneetx.exeoneetx.exeoneetx.exe

pid process

1328 ziaU8994.exe
4816 ziCr2753.exe
1280 it603959.exe
4684 jr224085.exe
2064 kp300903.exe
3248 lr725993.exe
1652 oneetx.exe
5100 oneetx.exe
2988 oneetx.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3388 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

it603959.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it603959.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1328	ziaU8994.exe
4816	ziCr2753.exe
1280	it603959.exe
4684	jr224085.exe
2064	kp300903.exe
3248	lr725993.exe
1652	oneetx.exe
5100	oneetx.exe
2988	oneetx.exe

pid	process
3388	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it603959.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0b44d2ae9a48bb7a7f3c83a11b1f7abf2586b173d4248df246e510c2dbd775b4.exeziaU8994.exeziCr2753.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0b44d2ae9a48bb7a7f3c83a11b1f7abf2586b173d4248df246e510c2dbd775b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0b44d2ae9a48bb7a7f3c83a11b1f7abf2586b173d4248df246e510c2dbd775b4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziaU8994.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziaU8994.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziCr2753.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziCr2753.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 29 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1764	4684	WerFault.exe	jr224085.exe
4272	3248	WerFault.exe	lr725993.exe
4688	3248	WerFault.exe	lr725993.exe
1520	3248	WerFault.exe	lr725993.exe
3640	3248	WerFault.exe	lr725993.exe
1772	3248	WerFault.exe	lr725993.exe
1008	3248	WerFault.exe	lr725993.exe
1152	3248	WerFault.exe	lr725993.exe
2660	3248	WerFault.exe	lr725993.exe
4772	3248	WerFault.exe	lr725993.exe
3468	3248	WerFault.exe	lr725993.exe
4980	1652	WerFault.exe	oneetx.exe
3536	1652	WerFault.exe	oneetx.exe
3132	1652	WerFault.exe	oneetx.exe
3208	1652	WerFault.exe	oneetx.exe
944	1652	WerFault.exe	oneetx.exe
428	1652	WerFault.exe	oneetx.exe
1460	1652	WerFault.exe	oneetx.exe
2156	1652	WerFault.exe	oneetx.exe
4648	1652	WerFault.exe	oneetx.exe
1068	1652	WerFault.exe	oneetx.exe
1820	1652	WerFault.exe	oneetx.exe
3880	1652	WerFault.exe	oneetx.exe
1168	5100	WerFault.exe	oneetx.exe
1972	1652	WerFault.exe	oneetx.exe
3636	1652	WerFault.exe	oneetx.exe
4672	1652	WerFault.exe	oneetx.exe
652	1652	WerFault.exe	oneetx.exe
1016	2988	WerFault.exe	oneetx.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4944 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

it603959.exejr224085.exekp300903.exe

pid process

1280 it603959.exe
1280 it603959.exe
4684 jr224085.exe
4684 jr224085.exe
2064 kp300903.exe
2064 kp300903.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

it603959.exejr224085.exekp300903.exe

description pid process

Token: SeDebugPrivilege 1280 it603959.exe
Token: SeDebugPrivilege 4684 jr224085.exe
Token: SeDebugPrivilege 2064 kp300903.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

lr725993.exe

pid process

3248 lr725993.exe

pid	process
4944	schtasks.exe

pid	process
1280	it603959.exe
1280	it603959.exe
4684	jr224085.exe
4684	jr224085.exe
2064	kp300903.exe
2064	kp300903.exe

description	pid	process
Token: SeDebugPrivilege	1280	it603959.exe
Token: SeDebugPrivilege	4684	jr224085.exe
Token: SeDebugPrivilege	2064	kp300903.exe

pid	process
3248	lr725993.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

0b44d2ae9a48bb7a7f3c83a11b1f7abf2586b173d4248df246e510c2dbd775b4.exeziaU8994.exeziCr2753.exelr725993.exeoneetx.exe

description	pid	process	target process
PID 1456 wrote to memory of 1328	1456	0b44d2ae9a48bb7a7f3c83a11b1f7abf2586b173d4248df246e510c2dbd775b4.exe	ziaU8994.exe
PID 1456 wrote to memory of 1328	1456	0b44d2ae9a48bb7a7f3c83a11b1f7abf2586b173d4248df246e510c2dbd775b4.exe	ziaU8994.exe
PID 1456 wrote to memory of 1328	1456	0b44d2ae9a48bb7a7f3c83a11b1f7abf2586b173d4248df246e510c2dbd775b4.exe	ziaU8994.exe
PID 1328 wrote to memory of 4816	1328	ziaU8994.exe	ziCr2753.exe
PID 1328 wrote to memory of 4816	1328	ziaU8994.exe	ziCr2753.exe
PID 1328 wrote to memory of 4816	1328	ziaU8994.exe	ziCr2753.exe
PID 4816 wrote to memory of 1280	4816	ziCr2753.exe	it603959.exe
PID 4816 wrote to memory of 1280	4816	ziCr2753.exe	it603959.exe
PID 4816 wrote to memory of 4684	4816	ziCr2753.exe	jr224085.exe
PID 4816 wrote to memory of 4684	4816	ziCr2753.exe	jr224085.exe
PID 4816 wrote to memory of 4684	4816	ziCr2753.exe	jr224085.exe
PID 1328 wrote to memory of 2064	1328	ziaU8994.exe	kp300903.exe
PID 1328 wrote to memory of 2064	1328	ziaU8994.exe	kp300903.exe
PID 1328 wrote to memory of 2064	1328	ziaU8994.exe	kp300903.exe
PID 1456 wrote to memory of 3248	1456	0b44d2ae9a48bb7a7f3c83a11b1f7abf2586b173d4248df246e510c2dbd775b4.exe	lr725993.exe
PID 1456 wrote to memory of 3248	1456	0b44d2ae9a48bb7a7f3c83a11b1f7abf2586b173d4248df246e510c2dbd775b4.exe	lr725993.exe
PID 1456 wrote to memory of 3248	1456	0b44d2ae9a48bb7a7f3c83a11b1f7abf2586b173d4248df246e510c2dbd775b4.exe	lr725993.exe
PID 3248 wrote to memory of 1652	3248	lr725993.exe	oneetx.exe
PID 3248 wrote to memory of 1652	3248	lr725993.exe	oneetx.exe
PID 3248 wrote to memory of 1652	3248	lr725993.exe	oneetx.exe
PID 1652 wrote to memory of 4944	1652	oneetx.exe	schtasks.exe
PID 1652 wrote to memory of 4944	1652	oneetx.exe	schtasks.exe
PID 1652 wrote to memory of 4944	1652	oneetx.exe	schtasks.exe
PID 1652 wrote to memory of 3388	1652	oneetx.exe	rundll32.exe
PID 1652 wrote to memory of 3388	1652	oneetx.exe	rundll32.exe
PID 1652 wrote to memory of 3388	1652	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\0b44d2ae9a48bb7a7f3c83a11b1f7abf2586b173d4248df246e510c2dbd775b4.exe
"C:\Users\Admin\AppData\Local\Temp\0b44d2ae9a48bb7a7f3c83a11b1f7abf2586b173d4248df246e510c2dbd775b4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziaU8994.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziaU8994.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCr2753.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCr2753.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4816

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it603959.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it603959.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr224085.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr224085.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1348
5⤵
- Program crash
PID:1764

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp300903.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp300903.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr725993.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr725993.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 696
3⤵
- Program crash
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 780
3⤵
- Program crash
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 796
3⤵
- Program crash
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 800
3⤵
- Program crash
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 968
3⤵
- Program crash
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 968
3⤵
- Program crash
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 1216
3⤵
- Program crash
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 1220
3⤵
- Program crash
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 1312
3⤵
- Program crash
PID:4772

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 692
4⤵
- Program crash
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 832
4⤵
- Program crash
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 888
4⤵
- Program crash
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1052
4⤵
- Program crash
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1092
4⤵
- Program crash
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1112
4⤵
- Program crash
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1068
4⤵
- Program crash
PID:1460

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 992
4⤵
- Program crash
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1288
4⤵
- Program crash
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1320
4⤵
- Program crash
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 752
4⤵
- Program crash
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1432
4⤵
- Program crash
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1116
4⤵
- Program crash
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1628
4⤵
- Program crash
PID:3636

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1136
4⤵
- Program crash
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1644
4⤵
- Program crash
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 1756
3⤵
- Program crash
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4684 -ip 4684
1⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3248 -ip 3248
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3248 -ip 3248
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3248 -ip 3248
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3248 -ip 3248
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3248 -ip 3248
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3248 -ip 3248
1⤵
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3248 -ip 3248
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3248 -ip 3248
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3248 -ip 3248
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3248 -ip 3248
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1652 -ip 1652
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1652 -ip 1652
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1652 -ip 1652
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1652 -ip 1652
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1652 -ip 1652
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1652 -ip 1652
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1652 -ip 1652
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1652 -ip 1652
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1652 -ip 1652
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1652 -ip 1652
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1652 -ip 1652
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1652 -ip 1652
1⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 312
2⤵
- Program crash
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5100 -ip 5100
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1652 -ip 1652
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1652 -ip 1652
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1652 -ip 1652
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1652 -ip 1652
1⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 320
2⤵
- Program crash
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2988 -ip 2988
1⤵
PID:3724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr725993.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr725993.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziaU8994.exe
Filesize
535KB

MD5
5e8799e543968d17032b256df186eeda

SHA1
25470815823d176566a6ebf047166ad448b87ad3

SHA256
760f67d8583bd4fded5fc8d9a18e949a7966aa2fe56bebed691937f6539e0708

SHA512
f174c5b6f38e8b46ce3733f16e6db59007cf4ecfcbd75e2de338debf600edcf9feebd9719f1d986faa70125eb3ddfa0f4f2d78cf04e660b8fdf83b83beeeac34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziaU8994.exe
Filesize
535KB

MD5
5e8799e543968d17032b256df186eeda

SHA1
25470815823d176566a6ebf047166ad448b87ad3

SHA256
760f67d8583bd4fded5fc8d9a18e949a7966aa2fe56bebed691937f6539e0708

SHA512
f174c5b6f38e8b46ce3733f16e6db59007cf4ecfcbd75e2de338debf600edcf9feebd9719f1d986faa70125eb3ddfa0f4f2d78cf04e660b8fdf83b83beeeac34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp300903.exe
Filesize
169KB

MD5
b90f7b0cd1e6b0f7fdb042d4bf84ce93

SHA1
9fdb16b546997c86a7f7f1d49af7b09aaa01c03f

SHA256
62899530a01ce3c79672bd9a1f28479c1a898ce3cf7469c62c91d2c47b865481

SHA512
d79bd777f17298111ef08c54e292bb3c3e7da81906d1d0911b55cc447571265793283978597a52da82ea811a029c57bb88e5bdd582e3f123fc2542f92aa3b358

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp300903.exe
Filesize
169KB

MD5
b90f7b0cd1e6b0f7fdb042d4bf84ce93

SHA1
9fdb16b546997c86a7f7f1d49af7b09aaa01c03f

SHA256
62899530a01ce3c79672bd9a1f28479c1a898ce3cf7469c62c91d2c47b865481

SHA512
d79bd777f17298111ef08c54e292bb3c3e7da81906d1d0911b55cc447571265793283978597a52da82ea811a029c57bb88e5bdd582e3f123fc2542f92aa3b358

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCr2753.exe
Filesize
382KB

MD5
a703d7f27d746141af47956572c0a63a

SHA1
4eeac064f4c73de54150a6d773e315c00db8903f

SHA256
3068d5b3c8b6effd705c528ef7e5745af7370c2672e452fbc5aebf2e0207e6f5

SHA512
ae43d553e570ae99c4b18e328620250ba6b75e34fb3466d5ab9ee6bc3a8676e3b81c720e48ae39fccdd5c68735b921ca6d413087c2133dd3b789c4714bf21e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCr2753.exe
Filesize
382KB

MD5
a703d7f27d746141af47956572c0a63a

SHA1
4eeac064f4c73de54150a6d773e315c00db8903f

SHA256
3068d5b3c8b6effd705c528ef7e5745af7370c2672e452fbc5aebf2e0207e6f5

SHA512
ae43d553e570ae99c4b18e328620250ba6b75e34fb3466d5ab9ee6bc3a8676e3b81c720e48ae39fccdd5c68735b921ca6d413087c2133dd3b789c4714bf21e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it603959.exe
Filesize
11KB

MD5
dce80cd173227baec918467eb5fc866a

SHA1
a152c2a8b6937591b17992d076b9bd87d80bd476

SHA256
811e7f0dc3fafe8c8a1995e710e74afa46725bcdfd4ed2d54c8398149f4ff4ba

SHA512
8e1508e54cc5e876fabeeffe7a0ed06f4d681567bd66f68c0604db2ba5b49d01a7147dcd7c9b374e386f7878dea35efac613f3f2a5a77db9f4960b4a66dead43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it603959.exe
Filesize
11KB

MD5
dce80cd173227baec918467eb5fc866a

SHA1
a152c2a8b6937591b17992d076b9bd87d80bd476

SHA256
811e7f0dc3fafe8c8a1995e710e74afa46725bcdfd4ed2d54c8398149f4ff4ba

SHA512
8e1508e54cc5e876fabeeffe7a0ed06f4d681567bd66f68c0604db2ba5b49d01a7147dcd7c9b374e386f7878dea35efac613f3f2a5a77db9f4960b4a66dead43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr224085.exe
Filesize
297KB

MD5
b9fa708384290697ce1fa5e4d45d23be

SHA1
c17431bc1d84c1269bcf0806e241b6103046b97c

SHA256
f2dff06aa9e37ac780e2553be7e2843ac63db12a832195a24ee13942d35e7198

SHA512
3655861126a35aeaec6b442082731ffd00130bb1b9ff8cf307962bfd07f240bb58169b5d01becf61f2d9197df478b665cb6f79916da8daf35f6805302bbb2bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr224085.exe
Filesize
297KB

MD5
b9fa708384290697ce1fa5e4d45d23be

SHA1
c17431bc1d84c1269bcf0806e241b6103046b97c

SHA256
f2dff06aa9e37ac780e2553be7e2843ac63db12a832195a24ee13942d35e7198

SHA512
3655861126a35aeaec6b442082731ffd00130bb1b9ff8cf307962bfd07f240bb58169b5d01becf61f2d9197df478b665cb6f79916da8daf35f6805302bbb2bf7

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1280-154-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/2064-1091-0x00000000004C0000-0x00000000004F0000-memory.dmp

Filesize
192KB

Download
memory/2064-1092-0x00000000027C0000-0x00000000027D0000-memory.dmp

Filesize
64KB

Download
memory/3248-1098-0x00000000005C0000-0x00000000005FB000-memory.dmp

Filesize
236KB

Download
memory/4684-207-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-1071-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/4684-185-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-187-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-189-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-191-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-195-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-193-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-197-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-199-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-201-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-203-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-205-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-181-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-209-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-211-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-213-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-217-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-219-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-215-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-221-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-223-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-225-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-227-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-1070-0x0000000005210000-0x0000000005828000-memory.dmp

Filesize
6.1MB

Download
memory/4684-183-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-1072-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/4684-1073-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/4684-1074-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/4684-1076-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/4684-1077-0x00000000063C0000-0x0000000006452000-memory.dmp

Filesize
584KB

Download
memory/4684-1078-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/4684-1079-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/4684-1080-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/4684-1081-0x00000000065C0000-0x0000000006782000-memory.dmp

Filesize
1.8MB

Download
memory/4684-1082-0x00000000067D0000-0x0000000006CFC000-memory.dmp

Filesize
5.2MB

Download
memory/4684-179-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-177-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-175-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-173-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/4684-171-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-172-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/4684-169-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-167-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-163-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-165-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-162-0x0000000005090000-0x00000000050CF000-memory.dmp

Filesize
252KB

Download
memory/4684-161-0x0000000004AA0000-0x0000000005044000-memory.dmp

Filesize
5.6MB

Download
memory/4684-160-0x0000000000590000-0x00000000005DB000-memory.dmp

Filesize
300KB

Download
memory/4684-1083-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/4684-1084-0x0000000006E00000-0x0000000006E76000-memory.dmp

Filesize
472KB

Download
memory/4684-1085-0x0000000006E90000-0x0000000006EE0000-memory.dmp

Filesize
320KB

Download