amadey | 8c9b35a9e488358eb87e36f17c2eed2707c501708ede5c46034d56819a94b45d

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2023 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c9b35a9e488358eb87e36f17c2eed2707c501708ede5c46034d56819a94b45d.exe
Size

939KB
MD5

7d16f68f4c11df702ee313df9d56f10a
SHA1

42698674aae50c34819f6b67501c389ac8448d86
SHA256

8c9b35a9e488358eb87e36f17c2eed2707c501708ede5c46034d56819a94b45d
SHA512

a7200f0eaf1cbc72fb1cf0defd93f0f26345a5332a40e4be1788879108f0efde5895087aefe522ffadeaf093628c2461767d8c655c4bb820692d026592cea5bd
SSDEEP

24576:syxt6hI4zXffcokvwvU/Uy3cI3E+BIv3XGQE:bxtT0nCvws/UnL+2v3XGQ

Score

10^/10

amadey redline rosn zima discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

176.113.115.145:4125

Attributes

auth_value
2ef701d510c0d27e8a8e3270281678b1

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr624438.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr624438.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr624438.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr624438.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr624438.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr624438.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr624438.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1892-202-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/1892-203-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/1892-205-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/1892-207-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/1892-209-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/1892-213-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/1892-211-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/1892-215-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/1892-217-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/1892-219-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/1892-221-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/1892-225-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/1892-223-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/1892-227-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/1892-229-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/1892-231-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/1892-233-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/1892-235-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

si615275.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	si615275.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

Processes:

un485548.exeun191801.exepr624438.exequ963978.exerk001838.exesi615275.exeoneetx.exeoneetx.exeoneetx.exe

pid process

1012 un485548.exe
4728 un191801.exe
1440 pr624438.exe
1892 qu963978.exe
2084 rk001838.exe
1216 si615275.exe
4056 oneetx.exe
1868 oneetx.exe
1208 oneetx.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1624 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1012	un485548.exe
4728	un191801.exe
1440	pr624438.exe
1892	qu963978.exe
2084	rk001838.exe
1216	si615275.exe
4056	oneetx.exe
1868	oneetx.exe
1208	oneetx.exe

pid	process
1624	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr624438.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr624438.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr624438.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8c9b35a9e488358eb87e36f17c2eed2707c501708ede5c46034d56819a94b45d.exeun485548.exeun191801.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8c9b35a9e488358eb87e36f17c2eed2707c501708ede5c46034d56819a94b45d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8c9b35a9e488358eb87e36f17c2eed2707c501708ede5c46034d56819a94b45d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un485548.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un485548.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un191801.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un191801.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 29 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1056	1440	WerFault.exe	pr624438.exe
736	1892	WerFault.exe	qu963978.exe
1004	1216	WerFault.exe	si615275.exe
2080	1216	WerFault.exe	si615275.exe
1856	1216	WerFault.exe	si615275.exe
748	1216	WerFault.exe	si615275.exe
4176	1216	WerFault.exe	si615275.exe
2248	1216	WerFault.exe	si615275.exe
4124	1216	WerFault.exe	si615275.exe
1592	1216	WerFault.exe	si615275.exe
4472	1216	WerFault.exe	si615275.exe
224	1216	WerFault.exe	si615275.exe
3688	4056	WerFault.exe	oneetx.exe
4160	4056	WerFault.exe	oneetx.exe
4732	4056	WerFault.exe	oneetx.exe
3272	4056	WerFault.exe	oneetx.exe
4960	4056	WerFault.exe	oneetx.exe
4288	4056	WerFault.exe	oneetx.exe
5040	4056	WerFault.exe	oneetx.exe
2344	4056	WerFault.exe	oneetx.exe
2592	4056	WerFault.exe	oneetx.exe
432	4056	WerFault.exe	oneetx.exe
3332	4056	WerFault.exe	oneetx.exe
2256	1868	WerFault.exe	oneetx.exe
4272	4056	WerFault.exe	oneetx.exe
4920	4056	WerFault.exe	oneetx.exe
2004	4056	WerFault.exe	oneetx.exe
3364	4056	WerFault.exe	oneetx.exe
4588	1208	WerFault.exe	oneetx.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3136 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr624438.exequ963978.exerk001838.exe

pid process

1440 pr624438.exe
1440 pr624438.exe
1892 qu963978.exe
1892 qu963978.exe
2084 rk001838.exe
2084 rk001838.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pr624438.exequ963978.exerk001838.exe

description pid process

Token: SeDebugPrivilege 1440 pr624438.exe
Token: SeDebugPrivilege 1892 qu963978.exe
Token: SeDebugPrivilege 2084 rk001838.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

si615275.exe

pid process

1216 si615275.exe

pid	process
3136	schtasks.exe

pid	process
1440	pr624438.exe
1440	pr624438.exe
1892	qu963978.exe
1892	qu963978.exe
2084	rk001838.exe
2084	rk001838.exe

description	pid	process
Token: SeDebugPrivilege	1440	pr624438.exe
Token: SeDebugPrivilege	1892	qu963978.exe
Token: SeDebugPrivilege	2084	rk001838.exe

pid	process
1216	si615275.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

8c9b35a9e488358eb87e36f17c2eed2707c501708ede5c46034d56819a94b45d.exeun485548.exeun191801.exesi615275.exeoneetx.exe

description	pid	process	target process
PID 1228 wrote to memory of 1012	1228	8c9b35a9e488358eb87e36f17c2eed2707c501708ede5c46034d56819a94b45d.exe	un485548.exe
PID 1228 wrote to memory of 1012	1228	8c9b35a9e488358eb87e36f17c2eed2707c501708ede5c46034d56819a94b45d.exe	un485548.exe
PID 1228 wrote to memory of 1012	1228	8c9b35a9e488358eb87e36f17c2eed2707c501708ede5c46034d56819a94b45d.exe	un485548.exe
PID 1012 wrote to memory of 4728	1012	un485548.exe	un191801.exe
PID 1012 wrote to memory of 4728	1012	un485548.exe	un191801.exe
PID 1012 wrote to memory of 4728	1012	un485548.exe	un191801.exe
PID 4728 wrote to memory of 1440	4728	un191801.exe	pr624438.exe
PID 4728 wrote to memory of 1440	4728	un191801.exe	pr624438.exe
PID 4728 wrote to memory of 1440	4728	un191801.exe	pr624438.exe
PID 4728 wrote to memory of 1892	4728	un191801.exe	qu963978.exe
PID 4728 wrote to memory of 1892	4728	un191801.exe	qu963978.exe
PID 4728 wrote to memory of 1892	4728	un191801.exe	qu963978.exe
PID 1012 wrote to memory of 2084	1012	un485548.exe	rk001838.exe
PID 1012 wrote to memory of 2084	1012	un485548.exe	rk001838.exe
PID 1012 wrote to memory of 2084	1012	un485548.exe	rk001838.exe
PID 1228 wrote to memory of 1216	1228	8c9b35a9e488358eb87e36f17c2eed2707c501708ede5c46034d56819a94b45d.exe	si615275.exe
PID 1228 wrote to memory of 1216	1228	8c9b35a9e488358eb87e36f17c2eed2707c501708ede5c46034d56819a94b45d.exe	si615275.exe
PID 1228 wrote to memory of 1216	1228	8c9b35a9e488358eb87e36f17c2eed2707c501708ede5c46034d56819a94b45d.exe	si615275.exe
PID 1216 wrote to memory of 4056	1216	si615275.exe	oneetx.exe
PID 1216 wrote to memory of 4056	1216	si615275.exe	oneetx.exe
PID 1216 wrote to memory of 4056	1216	si615275.exe	oneetx.exe
PID 4056 wrote to memory of 3136	4056	oneetx.exe	schtasks.exe
PID 4056 wrote to memory of 3136	4056	oneetx.exe	schtasks.exe
PID 4056 wrote to memory of 3136	4056	oneetx.exe	schtasks.exe
PID 4056 wrote to memory of 1624	4056	oneetx.exe	rundll32.exe
PID 4056 wrote to memory of 1624	4056	oneetx.exe	rundll32.exe
PID 4056 wrote to memory of 1624	4056	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8c9b35a9e488358eb87e36f17c2eed2707c501708ede5c46034d56819a94b45d.exe
"C:\Users\Admin\AppData\Local\Temp\8c9b35a9e488358eb87e36f17c2eed2707c501708ede5c46034d56819a94b45d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un485548.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un485548.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un191801.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un191801.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4728

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr624438.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr624438.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1092
5⤵
- Program crash
PID:1056

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu963978.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu963978.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 1356
5⤵
- Program crash
PID:736

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk001838.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk001838.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si615275.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si615275.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 696
3⤵
- Program crash
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 780
3⤵
- Program crash
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 796
3⤵
- Program crash
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 976
3⤵
- Program crash
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 956
3⤵
- Program crash
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 964
3⤵
- Program crash
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1224
3⤵
- Program crash
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1248
3⤵
- Program crash
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1320
3⤵
- Program crash
PID:4472

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 692
4⤵
- Program crash
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 796
4⤵
- Program crash
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 892
4⤵
- Program crash
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1052
4⤵
- Program crash
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1096
4⤵
- Program crash
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1096
4⤵
- Program crash
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1112
4⤵
- Program crash
PID:5040

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 992
4⤵
- Program crash
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 776
4⤵
- Program crash
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 988
4⤵
- Program crash
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 772
4⤵
- Program crash
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1084
4⤵
- Program crash
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1612
4⤵
- Program crash
PID:4920

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1068
4⤵
- Program crash
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1628
4⤵
- Program crash
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1368
3⤵
- Program crash
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1440 -ip 1440
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1892 -ip 1892
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1216 -ip 1216
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1216 -ip 1216
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1216 -ip 1216
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1216 -ip 1216
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1216 -ip 1216
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1216 -ip 1216
1⤵
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1216 -ip 1216
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1216 -ip 1216
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1216 -ip 1216
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1216 -ip 1216
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4056 -ip 4056
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4056 -ip 4056
1⤵
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4056 -ip 4056
1⤵
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4056 -ip 4056
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4056 -ip 4056
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4056 -ip 4056
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4056 -ip 4056
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4056 -ip 4056
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4056 -ip 4056
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4056 -ip 4056
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4056 -ip 4056
1⤵
PID:488

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 312
2⤵
- Program crash
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1868 -ip 1868
1⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4056 -ip 4056
1⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4056 -ip 4056
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4056 -ip 4056
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4056 -ip 4056
1⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 320
2⤵
- Program crash
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1208 -ip 1208
1⤵
PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si615275.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si615275.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un485548.exe
Filesize
674KB

MD5
bb64759bc2a95b53579df8fc7d7291a9

SHA1
87105a240a21657baf05825b3ee682a7fa54bea1

SHA256
cb932fa3d9c6fe5a5896909cd143933e85bc9d5044a7da531d63c5fb6a821425

SHA512
e0415d1a5c9b299afc548d6c3bade07cf6b1c2b1fad54443e760ed36b00d83f7472aa8aa1a8d03cdbe662ae5bbefbf7a5ee26b0aaecf1c7182a2663513235897

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un485548.exe
Filesize
674KB

MD5
bb64759bc2a95b53579df8fc7d7291a9

SHA1
87105a240a21657baf05825b3ee682a7fa54bea1

SHA256
cb932fa3d9c6fe5a5896909cd143933e85bc9d5044a7da531d63c5fb6a821425

SHA512
e0415d1a5c9b299afc548d6c3bade07cf6b1c2b1fad54443e760ed36b00d83f7472aa8aa1a8d03cdbe662ae5bbefbf7a5ee26b0aaecf1c7182a2663513235897

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk001838.exe
Filesize
169KB

MD5
09d9a8db9a30d768c364521510fc6725

SHA1
e3cf04f5e01d1b774a9921e0f86ea4adefbb2b63

SHA256
d3f62ddb9501034f6bf7ddd950f6a9b1eb7a80db581448fa8dc104f29aa8b3a6

SHA512
2805378ab410ed2d47756436e7a27830cde695c62d670b5d04fecc5cad241945db2ee1f720b8fd5abfaa8a399b771b2ecbe0003722d415c88810c392fcbcb5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk001838.exe
Filesize
169KB

MD5
09d9a8db9a30d768c364521510fc6725

SHA1
e3cf04f5e01d1b774a9921e0f86ea4adefbb2b63

SHA256
d3f62ddb9501034f6bf7ddd950f6a9b1eb7a80db581448fa8dc104f29aa8b3a6

SHA512
2805378ab410ed2d47756436e7a27830cde695c62d670b5d04fecc5cad241945db2ee1f720b8fd5abfaa8a399b771b2ecbe0003722d415c88810c392fcbcb5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un191801.exe
Filesize
520KB

MD5
6d506e9149d0e782ad18bcf802d95fe1

SHA1
2b3d47a6c96c0f529d84e39fa8a29cbb4489f810

SHA256
d6af7b489ab149a90f2ee3164e738b46713bfa7b6f768eb754bd8c7171456b5e

SHA512
3cf47c3ea58df67dff3b0d815725608d5cf7f478f68ed6bf4b4dce7c5dcc27890a2f5be89d508af8f3e5323afee0affeb5684593e7b2c263f91c57e0a2eee80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un191801.exe
Filesize
520KB

MD5
6d506e9149d0e782ad18bcf802d95fe1

SHA1
2b3d47a6c96c0f529d84e39fa8a29cbb4489f810

SHA256
d6af7b489ab149a90f2ee3164e738b46713bfa7b6f768eb754bd8c7171456b5e

SHA512
3cf47c3ea58df67dff3b0d815725608d5cf7f478f68ed6bf4b4dce7c5dcc27890a2f5be89d508af8f3e5323afee0affeb5684593e7b2c263f91c57e0a2eee80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr624438.exe
Filesize
239KB

MD5
3dbc798779758a6129cae1e03d5a7313

SHA1
83dcbafb647b9665b6fc73f874958f62eb6a0bff

SHA256
8c61be740e416f1bbd5e38dae33a195378a170fa058a205fa082fec9edee497f

SHA512
b24af21e95c7783515a6c9ed5b343b092cb0304b1a0a0a58da770640cb75ae4561084a5b4aa9beb084461ed3ac40bf58ebce6dd7d6056f867cf8005ab3aa7092

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr624438.exe
Filesize
239KB

MD5
3dbc798779758a6129cae1e03d5a7313

SHA1
83dcbafb647b9665b6fc73f874958f62eb6a0bff

SHA256
8c61be740e416f1bbd5e38dae33a195378a170fa058a205fa082fec9edee497f

SHA512
b24af21e95c7783515a6c9ed5b343b092cb0304b1a0a0a58da770640cb75ae4561084a5b4aa9beb084461ed3ac40bf58ebce6dd7d6056f867cf8005ab3aa7092

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu963978.exe
Filesize
297KB

MD5
9fc534a97be88478996d9670c9564e0a

SHA1
49ff2f5b2893ada296cdf1e0fb5be526a1ea22c3

SHA256
90de710793cf0005d4319e4a82628852750dbf9347ee71bd70cd694ce6288f4e

SHA512
fb967bb986e05341e8fc9e9a5f582a9388808b00c24ac17d14b0ab0cdda61039311a3402322032ab9afcebe26f2c3d27585f1f97cc537ac1f21eeadd8973e536

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu963978.exe
Filesize
297KB

MD5
9fc534a97be88478996d9670c9564e0a

SHA1
49ff2f5b2893ada296cdf1e0fb5be526a1ea22c3

SHA256
90de710793cf0005d4319e4a82628852750dbf9347ee71bd70cd694ce6288f4e

SHA512
fb967bb986e05341e8fc9e9a5f582a9388808b00c24ac17d14b0ab0cdda61039311a3402322032ab9afcebe26f2c3d27585f1f97cc537ac1f21eeadd8973e536

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1216-1135-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1440-174-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/1440-193-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1440-178-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/1440-180-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/1440-182-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/1440-184-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/1440-185-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/1440-186-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/1440-187-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/1440-188-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1440-190-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/1440-191-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/1440-192-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/1440-176-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/1440-172-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/1440-170-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/1440-168-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/1440-164-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/1440-166-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/1440-162-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/1440-160-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/1440-158-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/1440-157-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/1440-156-0x0000000004A50000-0x0000000004FF4000-memory.dmp

Filesize
5.6MB

Download
memory/1440-155-0x0000000000580000-0x00000000005AD000-memory.dmp

Filesize
180KB

Download
memory/1892-205-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/1892-1116-0x0000000006520000-0x0000000006570000-memory.dmp

Filesize
320KB

Download
memory/1892-219-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/1892-221-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/1892-225-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/1892-223-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/1892-227-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/1892-229-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/1892-231-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/1892-233-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/1892-235-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/1892-1108-0x0000000005210000-0x0000000005828000-memory.dmp

Filesize
6.1MB

Download
memory/1892-1109-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/1892-1110-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/1892-1111-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/1892-1112-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1892-1113-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/1892-1114-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/1892-1115-0x0000000006490000-0x0000000006506000-memory.dmp

Filesize
472KB

Download
memory/1892-217-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/1892-1118-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1892-1119-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1892-1120-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1892-1121-0x0000000007AD0000-0x0000000007C92000-memory.dmp

Filesize
1.8MB

Download
memory/1892-1122-0x0000000007CA0000-0x00000000081CC000-memory.dmp

Filesize
5.2MB

Download
memory/1892-198-0x00000000004C0000-0x000000000050B000-memory.dmp

Filesize
300KB

Download
memory/1892-215-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/1892-211-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/1892-213-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/1892-209-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/1892-207-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/1892-203-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/1892-202-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/1892-201-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1892-200-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1892-199-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/2084-1128-0x0000000000C10000-0x0000000000C40000-memory.dmp

Filesize
192KB

Download
memory/2084-1129-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download