amadey | 6de3d37bfbf0f7b89021823abb408b8177620579fb754650ba3d0c0b5d5e11d9

Analysis

max time kernel
147s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2023 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6de3d37bfbf0f7b89021823abb408b8177620579fb754650ba3d0c0b5d5e11d9.exe
Size

801KB
MD5

eefccbae49fb377c85fca0bea374877e
SHA1

644ad8a0bad82ab7e8b4ad693537774d85bc0cdd
SHA256

6de3d37bfbf0f7b89021823abb408b8177620579fb754650ba3d0c0b5d5e11d9
SHA512

ec016b6e53258c8c543f54b13776293b4746bf39542155359bfb6d7b99fd655be47797c0cccdf3d2ef42c4c4542e91843f894134c3b8b6616125b35da6fe3b76
SSDEEP

12288:EMrgy90Vtv5akuR40b6I2UdG3S7xK7CJ2gWiISEbKmtzf+1/5z5s69bUmoq+:syIakFkdG3CxffW5MHNsld

Score

10^/10

amadey redline rosn zima discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

176.113.115.145:4125

Attributes

auth_value
2ef701d510c0d27e8a8e3270281678b1

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

it918698.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it918698.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it918698.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it918698.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it918698.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it918698.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it918698.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 33 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1028-165-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-166-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-168-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-170-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-172-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-174-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-176-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-178-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-180-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-182-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-184-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-186-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-188-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-190-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-192-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-194-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-196-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-198-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-200-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-202-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-204-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-206-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-208-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-210-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-212-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-214-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-216-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-218-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-220-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-222-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-224-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-226-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline
behavioral1/memory/1028-228-0x0000000002490000-0x00000000024CF000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lr985389.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	lr985389.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

Processes:

ziXe6588.exeziTJ8466.exeit918698.exejr513550.exekp742503.exelr985389.exeoneetx.exeoneetx.exeoneetx.exe

pid process

4116 ziXe6588.exe
1264 ziTJ8466.exe
4488 it918698.exe
1028 jr513550.exe
932 kp742503.exe
896 lr985389.exe
2536 oneetx.exe
2724 oneetx.exe
2488 oneetx.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3732 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

it918698.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it918698.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4116	ziXe6588.exe
1264	ziTJ8466.exe
4488	it918698.exe
1028	jr513550.exe
932	kp742503.exe
896	lr985389.exe
2536	oneetx.exe
2724	oneetx.exe
2488	oneetx.exe

pid	process
3732	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it918698.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ziXe6588.exeziTJ8466.exe6de3d37bfbf0f7b89021823abb408b8177620579fb754650ba3d0c0b5d5e11d9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziXe6588.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziTJ8466.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziTJ8466.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6de3d37bfbf0f7b89021823abb408b8177620579fb754650ba3d0c0b5d5e11d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6de3d37bfbf0f7b89021823abb408b8177620579fb754650ba3d0c0b5d5e11d9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziXe6588.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 29 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2220	1028	WerFault.exe	jr513550.exe
3732	896	WerFault.exe	lr985389.exe
4084	896	WerFault.exe	lr985389.exe
1676	896	WerFault.exe	lr985389.exe
4688	896	WerFault.exe	lr985389.exe
5068	896	WerFault.exe	lr985389.exe
3316	896	WerFault.exe	lr985389.exe
616	896	WerFault.exe	lr985389.exe
3952	896	WerFault.exe	lr985389.exe
4000	896	WerFault.exe	lr985389.exe
3460	896	WerFault.exe	lr985389.exe
4456	2536	WerFault.exe	oneetx.exe
536	2536	WerFault.exe	oneetx.exe
3744	2536	WerFault.exe	oneetx.exe
4260	2536	WerFault.exe	oneetx.exe
320	2536	WerFault.exe	oneetx.exe
4816	2536	WerFault.exe	oneetx.exe
1808	2536	WerFault.exe	oneetx.exe
4808	2536	WerFault.exe	oneetx.exe
660	2536	WerFault.exe	oneetx.exe
1152	2536	WerFault.exe	oneetx.exe
3748	2536	WerFault.exe	oneetx.exe
1948	2536	WerFault.exe	oneetx.exe
4896	2724	WerFault.exe	oneetx.exe
3076	2536	WerFault.exe	oneetx.exe
1604	2536	WerFault.exe	oneetx.exe
4612	2536	WerFault.exe	oneetx.exe
2268	2488	WerFault.exe	oneetx.exe
2796	2536	WerFault.exe	oneetx.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1660 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

it918698.exejr513550.exekp742503.exe

pid process

4488 it918698.exe
4488 it918698.exe
1028 jr513550.exe
1028 jr513550.exe
932 kp742503.exe
932 kp742503.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

it918698.exejr513550.exekp742503.exe

description pid process

Token: SeDebugPrivilege 4488 it918698.exe
Token: SeDebugPrivilege 1028 jr513550.exe
Token: SeDebugPrivilege 932 kp742503.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

lr985389.exe

pid process

896 lr985389.exe

pid	process
1660	schtasks.exe

pid	process
4488	it918698.exe
4488	it918698.exe
1028	jr513550.exe
1028	jr513550.exe
932	kp742503.exe
932	kp742503.exe

description	pid	process
Token: SeDebugPrivilege	4488	it918698.exe
Token: SeDebugPrivilege	1028	jr513550.exe
Token: SeDebugPrivilege	932	kp742503.exe

pid	process
896	lr985389.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

6de3d37bfbf0f7b89021823abb408b8177620579fb754650ba3d0c0b5d5e11d9.exeziXe6588.exeziTJ8466.exelr985389.exeoneetx.exe

description	pid	process	target process
PID 2424 wrote to memory of 4116	2424	6de3d37bfbf0f7b89021823abb408b8177620579fb754650ba3d0c0b5d5e11d9.exe	ziXe6588.exe
PID 2424 wrote to memory of 4116	2424	6de3d37bfbf0f7b89021823abb408b8177620579fb754650ba3d0c0b5d5e11d9.exe	ziXe6588.exe
PID 2424 wrote to memory of 4116	2424	6de3d37bfbf0f7b89021823abb408b8177620579fb754650ba3d0c0b5d5e11d9.exe	ziXe6588.exe
PID 4116 wrote to memory of 1264	4116	ziXe6588.exe	ziTJ8466.exe
PID 4116 wrote to memory of 1264	4116	ziXe6588.exe	ziTJ8466.exe
PID 4116 wrote to memory of 1264	4116	ziXe6588.exe	ziTJ8466.exe
PID 1264 wrote to memory of 4488	1264	ziTJ8466.exe	it918698.exe
PID 1264 wrote to memory of 4488	1264	ziTJ8466.exe	it918698.exe
PID 1264 wrote to memory of 1028	1264	ziTJ8466.exe	jr513550.exe
PID 1264 wrote to memory of 1028	1264	ziTJ8466.exe	jr513550.exe
PID 1264 wrote to memory of 1028	1264	ziTJ8466.exe	jr513550.exe
PID 4116 wrote to memory of 932	4116	ziXe6588.exe	kp742503.exe
PID 4116 wrote to memory of 932	4116	ziXe6588.exe	kp742503.exe
PID 4116 wrote to memory of 932	4116	ziXe6588.exe	kp742503.exe
PID 2424 wrote to memory of 896	2424	6de3d37bfbf0f7b89021823abb408b8177620579fb754650ba3d0c0b5d5e11d9.exe	lr985389.exe
PID 2424 wrote to memory of 896	2424	6de3d37bfbf0f7b89021823abb408b8177620579fb754650ba3d0c0b5d5e11d9.exe	lr985389.exe
PID 2424 wrote to memory of 896	2424	6de3d37bfbf0f7b89021823abb408b8177620579fb754650ba3d0c0b5d5e11d9.exe	lr985389.exe
PID 896 wrote to memory of 2536	896	lr985389.exe	oneetx.exe
PID 896 wrote to memory of 2536	896	lr985389.exe	oneetx.exe
PID 896 wrote to memory of 2536	896	lr985389.exe	oneetx.exe
PID 2536 wrote to memory of 1660	2536	oneetx.exe	schtasks.exe
PID 2536 wrote to memory of 1660	2536	oneetx.exe	schtasks.exe
PID 2536 wrote to memory of 1660	2536	oneetx.exe	schtasks.exe
PID 2536 wrote to memory of 3732	2536	oneetx.exe	rundll32.exe
PID 2536 wrote to memory of 3732	2536	oneetx.exe	rundll32.exe
PID 2536 wrote to memory of 3732	2536	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\6de3d37bfbf0f7b89021823abb408b8177620579fb754650ba3d0c0b5d5e11d9.exe
"C:\Users\Admin\AppData\Local\Temp\6de3d37bfbf0f7b89021823abb408b8177620579fb754650ba3d0c0b5d5e11d9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2424

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXe6588.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXe6588.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4116

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziTJ8466.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziTJ8466.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it918698.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it918698.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr513550.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr513550.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1352
5⤵
- Program crash
PID:2220

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp742503.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp742503.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr985389.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr985389.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 696
3⤵
- Program crash
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 780
3⤵
- Program crash
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 812
3⤵
- Program crash
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 980
3⤵
- Program crash
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1004
3⤵
- Program crash
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 956
3⤵
- Program crash
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1220
3⤵
- Program crash
PID:616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1208
3⤵
- Program crash
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1320
3⤵
- Program crash
PID:4000

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 692
4⤵
- Program crash
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 828
4⤵
- Program crash
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 904
4⤵
- Program crash
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1052
4⤵
- Program crash
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1088
4⤵
- Program crash
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1080
4⤵
- Program crash
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1076
4⤵
- Program crash
PID:1808

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 996
4⤵
- Program crash
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1264
4⤵
- Program crash
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 756
4⤵
- Program crash
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 780
4⤵
- Program crash
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1444
4⤵
- Program crash
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1108
4⤵
- Program crash
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1628
4⤵
- Program crash
PID:1604

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1448
4⤵
- Program crash
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1644
4⤵
- Program crash
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1312
3⤵
- Program crash
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1028 -ip 1028
1⤵
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 896 -ip 896
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 896 -ip 896
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 896 -ip 896
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 896 -ip 896
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 896 -ip 896
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 896 -ip 896
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 896 -ip 896
1⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 896 -ip 896
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 896 -ip 896
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 896 -ip 896
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2536 -ip 2536
1⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2536 -ip 2536
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2536 -ip 2536
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2536 -ip 2536
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2536 -ip 2536
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2536 -ip 2536
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2536 -ip 2536
1⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2536 -ip 2536
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2536 -ip 2536
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2536 -ip 2536
1⤵
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2536 -ip 2536
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2536 -ip 2536
1⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 316
2⤵
- Program crash
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2724 -ip 2724
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2536 -ip 2536
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2536 -ip 2536
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2536 -ip 2536
1⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 216
2⤵
- Program crash
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2488 -ip 2488
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2536 -ip 2536
1⤵
PID:4416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr985389.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr985389.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXe6588.exe
Filesize
536KB

MD5
4da985da51b3aafb45dca3864e2ccb65

SHA1
eaee1356cf08fe82b88bd5cb8b8c590a5d863793

SHA256
d316a42d5557017b16fd9185373c4ce36fd3b1b4b90492fee6af9ce5b0fb02e2

SHA512
87cd3572460cb6780d1bf5a7632d0fd1376c4924ad8259ce6fbaa66944a8d68245cef272e378f0927b667c9f4755b45fe80f8c3e20eadd1be3de1c9437b1a7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXe6588.exe
Filesize
536KB

MD5
4da985da51b3aafb45dca3864e2ccb65

SHA1
eaee1356cf08fe82b88bd5cb8b8c590a5d863793

SHA256
d316a42d5557017b16fd9185373c4ce36fd3b1b4b90492fee6af9ce5b0fb02e2

SHA512
87cd3572460cb6780d1bf5a7632d0fd1376c4924ad8259ce6fbaa66944a8d68245cef272e378f0927b667c9f4755b45fe80f8c3e20eadd1be3de1c9437b1a7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp742503.exe
Filesize
169KB

MD5
133ab8c96bae7b047868bbcf10094bfd

SHA1
e0279923006c86097620409782bb6dd5ac6a4f1a

SHA256
94258e542fba474a3ae9b8059d89d61d8a3ea7ec179474d77d4a2b0ee04259b4

SHA512
b78809c065c14b8e42e7eaaeac6dab5263c25a07e6dbe22a73c2472a48cb4e56cc896ec0710f3da83771570b7b5a327b3dd6732d6a6a6fbc1248860f78bdbf75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp742503.exe
Filesize
169KB

MD5
133ab8c96bae7b047868bbcf10094bfd

SHA1
e0279923006c86097620409782bb6dd5ac6a4f1a

SHA256
94258e542fba474a3ae9b8059d89d61d8a3ea7ec179474d77d4a2b0ee04259b4

SHA512
b78809c065c14b8e42e7eaaeac6dab5263c25a07e6dbe22a73c2472a48cb4e56cc896ec0710f3da83771570b7b5a327b3dd6732d6a6a6fbc1248860f78bdbf75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziTJ8466.exe
Filesize
382KB

MD5
fe5503a9239fb9a1d40634af24711948

SHA1
9d09b59e67e1fc6dedcad437795c736b44d85054

SHA256
42fa03e9d35065c7833244fbbd3f745d0859b01d1c3a30d44ce75415e8196eaa

SHA512
b408f08e78335ae65eb1ef99f7c992a0aaa0813f87094549736859c821e498e8c6679a5b339597941bac6057ac38d7d720ab3a26d0de27a6612e686f7882e891

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziTJ8466.exe
Filesize
382KB

MD5
fe5503a9239fb9a1d40634af24711948

SHA1
9d09b59e67e1fc6dedcad437795c736b44d85054

SHA256
42fa03e9d35065c7833244fbbd3f745d0859b01d1c3a30d44ce75415e8196eaa

SHA512
b408f08e78335ae65eb1ef99f7c992a0aaa0813f87094549736859c821e498e8c6679a5b339597941bac6057ac38d7d720ab3a26d0de27a6612e686f7882e891

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it918698.exe
Filesize
11KB

MD5
c1ff8564f84dd52872f813fa244586ae

SHA1
3d63a44b92ce9c60259ec55470badeefef7655b2

SHA256
755b410e66e33f5c07de52150c0eb9bd0e165a5cc3830bc83945bcf00dbed91c

SHA512
ebbb1b3a67bb4efb2555cfaf19d46a4816bd7c326c2ad56c4f45921d234d483afc010cc26f54891732a5654e5a2587671317443baa565e276a4e34f830e0836f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it918698.exe
Filesize
11KB

MD5
c1ff8564f84dd52872f813fa244586ae

SHA1
3d63a44b92ce9c60259ec55470badeefef7655b2

SHA256
755b410e66e33f5c07de52150c0eb9bd0e165a5cc3830bc83945bcf00dbed91c

SHA512
ebbb1b3a67bb4efb2555cfaf19d46a4816bd7c326c2ad56c4f45921d234d483afc010cc26f54891732a5654e5a2587671317443baa565e276a4e34f830e0836f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr513550.exe
Filesize
297KB

MD5
d44cb0a7ea15e201eb7d211abe771669

SHA1
ae0ca3ae1e1af615a9cd1d0d237f1a80d7d975a8

SHA256
ab640023bb0ca3e3f4c92abcff9efb4e9acd227662ae0a7350240faee8ea4d1e

SHA512
9d386709e9330c6c5ca11a5612837d437835c1863e9b5bb9e60f947b734cfe78ee99f9b0cc9b697c96d79b788ebfaeefbd26f49b926b490c6103bbe3c7e19481

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr513550.exe
Filesize
297KB

MD5
d44cb0a7ea15e201eb7d211abe771669

SHA1
ae0ca3ae1e1af615a9cd1d0d237f1a80d7d975a8

SHA256
ab640023bb0ca3e3f4c92abcff9efb4e9acd227662ae0a7350240faee8ea4d1e

SHA512
9d386709e9330c6c5ca11a5612837d437835c1863e9b5bb9e60f947b734cfe78ee99f9b0cc9b697c96d79b788ebfaeefbd26f49b926b490c6103bbe3c7e19481

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/896-1097-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/932-1091-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/932-1090-0x0000000000A20000-0x0000000000A50000-memory.dmp

Filesize
192KB

Download
memory/1028-206-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-228-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-182-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-184-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-186-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-188-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-190-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-192-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-194-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-196-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-198-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-200-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-202-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-204-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-178-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-208-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-210-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-212-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-214-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-216-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-218-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-220-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-222-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-224-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-226-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-180-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-1071-0x0000000005210000-0x0000000005828000-memory.dmp

Filesize
6.1MB

Download
memory/1028-1072-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/1028-1073-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/1028-1074-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/1028-1075-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/1028-1077-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/1028-1078-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/1028-1079-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/1028-1080-0x0000000006830000-0x00000000069F2000-memory.dmp

Filesize
1.8MB

Download
memory/1028-176-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-174-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-172-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-170-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-168-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-166-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-165-0x0000000002490000-0x00000000024CF000-memory.dmp

Filesize
252KB

Download
memory/1028-164-0x0000000004B20000-0x00000000050C4000-memory.dmp

Filesize
5.6MB

Download
memory/1028-163-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/1028-162-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/1028-160-0x0000000000820000-0x000000000086B000-memory.dmp

Filesize
300KB

Download
memory/1028-161-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/1028-1081-0x0000000006A10000-0x0000000006F3C000-memory.dmp

Filesize
5.2MB

Download
memory/1028-1082-0x0000000007070000-0x00000000070E6000-memory.dmp

Filesize
472KB

Download
memory/1028-1083-0x0000000007100000-0x0000000007150000-memory.dmp

Filesize
320KB

Download
memory/1028-1084-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/4488-154-0x0000000000FA0000-0x0000000000FAA000-memory.dmp

Filesize
40KB

Download