amadey | 3dad71371867f73f4a6e0d4fdd354c130a28101858676462ff38ccf661b6e68b

Analysis

max time kernel
142s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2023 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dad71371867f73f4a6e0d4fdd354c130a28101858676462ff38ccf661b6e68b.exe
Size

801KB
MD5

66c4a14bec64fd56ff99b13bf3afc182
SHA1

a392724c3da0a787040bf3d33a65abc8b3af0d8e
SHA256

3dad71371867f73f4a6e0d4fdd354c130a28101858676462ff38ccf661b6e68b
SHA512

16196b4734e5f64f3f4cab4784a1648bb2d65aac590194f381323d947855399e0959b7c36960db8d34a2c782ef067b5a748f5056fe78cef07efb354df30525c2
SSDEEP

12288:pMrcy90itF1Lf9iSaEhldpEzCDjxe7bMbxK7C1Qmc14YrVPMwYwN/9PB4DP5Zp9J:Jy3iS2zOxOkxf84YrGXC5B4tZ/z6/o

Score

10^/10

amadey redline rosn zima discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

176.113.115.145:4125

Attributes

auth_value
2ef701d510c0d27e8a8e3270281678b1

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

it417591.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it417591.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it417591.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it417591.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it417591.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it417591.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it417591.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 33 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4084-165-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-168-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-170-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-166-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-172-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-174-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-176-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-178-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-180-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-182-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-184-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-186-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-188-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-190-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-192-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-194-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-196-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-198-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-200-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-202-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-204-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-206-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-208-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-210-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-212-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-214-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-216-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-218-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-220-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-222-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-224-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-226-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline
behavioral1/memory/4084-228-0x0000000005020000-0x000000000505F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lr725781.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	lr725781.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 8 IoCs

Processes:

ziog9912.exeziWh8092.exeit417591.exejr698204.exekp307076.exelr725781.exeoneetx.exeoneetx.exe

pid process

320 ziog9912.exe
4000 ziWh8092.exe
3656 it417591.exe
4084 jr698204.exe
3340 kp307076.exe
3448 lr725781.exe
4292 oneetx.exe
1272 oneetx.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3768 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

it417591.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it417591.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
320	ziog9912.exe
4000	ziWh8092.exe
3656	it417591.exe
4084	jr698204.exe
3340	kp307076.exe
3448	lr725781.exe
4292	oneetx.exe
1272	oneetx.exe

pid	process
3768	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it417591.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ziWh8092.exe3dad71371867f73f4a6e0d4fdd354c130a28101858676462ff38ccf661b6e68b.exeziog9912.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziWh8092.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3dad71371867f73f4a6e0d4fdd354c130a28101858676462ff38ccf661b6e68b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3dad71371867f73f4a6e0d4fdd354c130a28101858676462ff38ccf661b6e68b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziog9912.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziog9912.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziWh8092.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 28 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4976	4084	WerFault.exe	jr698204.exe
2772	3448	WerFault.exe	lr725781.exe
960	3448	WerFault.exe	lr725781.exe
2732	3448	WerFault.exe	lr725781.exe
1540	3448	WerFault.exe	lr725781.exe
1968	3448	WerFault.exe	lr725781.exe
1104	3448	WerFault.exe	lr725781.exe
2024	3448	WerFault.exe	lr725781.exe
1464	3448	WerFault.exe	lr725781.exe
3748	3448	WerFault.exe	lr725781.exe
1544	3448	WerFault.exe	lr725781.exe
4608	4292	WerFault.exe	oneetx.exe
3484	4292	WerFault.exe	oneetx.exe
1584	4292	WerFault.exe	oneetx.exe
3216	4292	WerFault.exe	oneetx.exe
2724	4292	WerFault.exe	oneetx.exe
3100	4292	WerFault.exe	oneetx.exe
4944	4292	WerFault.exe	oneetx.exe
4048	4292	WerFault.exe	oneetx.exe
4688	4292	WerFault.exe	oneetx.exe
4376	4292	WerFault.exe	oneetx.exe
5012	4292	WerFault.exe	oneetx.exe
1148	4292	WerFault.exe	oneetx.exe
8	4292	WerFault.exe	oneetx.exe
2712	4292	WerFault.exe	oneetx.exe
4588	4292	WerFault.exe	oneetx.exe
2044	1272	WerFault.exe	oneetx.exe
320	4292	WerFault.exe	oneetx.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

684 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

it417591.exejr698204.exekp307076.exe

pid process

3656 it417591.exe
3656 it417591.exe
4084 jr698204.exe
4084 jr698204.exe
3340 kp307076.exe
3340 kp307076.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

it417591.exejr698204.exekp307076.exe

description pid process

Token: SeDebugPrivilege 3656 it417591.exe
Token: SeDebugPrivilege 4084 jr698204.exe
Token: SeDebugPrivilege 3340 kp307076.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

lr725781.exe

pid process

3448 lr725781.exe

pid	process
684	schtasks.exe

pid	process
3656	it417591.exe
3656	it417591.exe
4084	jr698204.exe
4084	jr698204.exe
3340	kp307076.exe
3340	kp307076.exe

description	pid	process
Token: SeDebugPrivilege	3656	it417591.exe
Token: SeDebugPrivilege	4084	jr698204.exe
Token: SeDebugPrivilege	3340	kp307076.exe

pid	process
3448	lr725781.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

3dad71371867f73f4a6e0d4fdd354c130a28101858676462ff38ccf661b6e68b.exeziog9912.exeziWh8092.exelr725781.exeoneetx.exe

description	pid	process	target process
PID 828 wrote to memory of 320	828	3dad71371867f73f4a6e0d4fdd354c130a28101858676462ff38ccf661b6e68b.exe	ziog9912.exe
PID 828 wrote to memory of 320	828	3dad71371867f73f4a6e0d4fdd354c130a28101858676462ff38ccf661b6e68b.exe	ziog9912.exe
PID 828 wrote to memory of 320	828	3dad71371867f73f4a6e0d4fdd354c130a28101858676462ff38ccf661b6e68b.exe	ziog9912.exe
PID 320 wrote to memory of 4000	320	ziog9912.exe	ziWh8092.exe
PID 320 wrote to memory of 4000	320	ziog9912.exe	ziWh8092.exe
PID 320 wrote to memory of 4000	320	ziog9912.exe	ziWh8092.exe
PID 4000 wrote to memory of 3656	4000	ziWh8092.exe	it417591.exe
PID 4000 wrote to memory of 3656	4000	ziWh8092.exe	it417591.exe
PID 4000 wrote to memory of 4084	4000	ziWh8092.exe	jr698204.exe
PID 4000 wrote to memory of 4084	4000	ziWh8092.exe	jr698204.exe
PID 4000 wrote to memory of 4084	4000	ziWh8092.exe	jr698204.exe
PID 320 wrote to memory of 3340	320	ziog9912.exe	kp307076.exe
PID 320 wrote to memory of 3340	320	ziog9912.exe	kp307076.exe
PID 320 wrote to memory of 3340	320	ziog9912.exe	kp307076.exe
PID 828 wrote to memory of 3448	828	3dad71371867f73f4a6e0d4fdd354c130a28101858676462ff38ccf661b6e68b.exe	lr725781.exe
PID 828 wrote to memory of 3448	828	3dad71371867f73f4a6e0d4fdd354c130a28101858676462ff38ccf661b6e68b.exe	lr725781.exe
PID 828 wrote to memory of 3448	828	3dad71371867f73f4a6e0d4fdd354c130a28101858676462ff38ccf661b6e68b.exe	lr725781.exe
PID 3448 wrote to memory of 4292	3448	lr725781.exe	oneetx.exe
PID 3448 wrote to memory of 4292	3448	lr725781.exe	oneetx.exe
PID 3448 wrote to memory of 4292	3448	lr725781.exe	oneetx.exe
PID 4292 wrote to memory of 684	4292	oneetx.exe	schtasks.exe
PID 4292 wrote to memory of 684	4292	oneetx.exe	schtasks.exe
PID 4292 wrote to memory of 684	4292	oneetx.exe	schtasks.exe
PID 4292 wrote to memory of 3768	4292	oneetx.exe	rundll32.exe
PID 4292 wrote to memory of 3768	4292	oneetx.exe	rundll32.exe
PID 4292 wrote to memory of 3768	4292	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\3dad71371867f73f4a6e0d4fdd354c130a28101858676462ff38ccf661b6e68b.exe
"C:\Users\Admin\AppData\Local\Temp\3dad71371867f73f4a6e0d4fdd354c130a28101858676462ff38ccf661b6e68b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:828

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziog9912.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziog9912.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziWh8092.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziWh8092.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4000

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it417591.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it417591.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr698204.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr698204.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 2024
5⤵
- Program crash
PID:4976

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp307076.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp307076.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr725781.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr725781.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 696
3⤵
- Program crash
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 716
3⤵
- Program crash
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 800
3⤵
- Program crash
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 960
3⤵
- Program crash
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 964
3⤵
- Program crash
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 980
3⤵
- Program crash
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 1216
3⤵
- Program crash
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 1232
3⤵
- Program crash
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 1316
3⤵
- Program crash
PID:3748

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 692
4⤵
- Program crash
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 844
4⤵
- Program crash
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 900
4⤵
- Program crash
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1052
4⤵
- Program crash
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1072
4⤵
- Program crash
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1072
4⤵
- Program crash
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1128
4⤵
- Program crash
PID:4944

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 992
4⤵
- Program crash
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 744
4⤵
- Program crash
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 692
4⤵
- Program crash
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 904
4⤵
- Program crash
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1492
4⤵
- Program crash
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1088
4⤵
- Program crash
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1632
4⤵
- Program crash
PID:2712

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1592
4⤵
- Program crash
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1644
4⤵
- Program crash
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 768
3⤵
- Program crash
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4084 -ip 4084
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3448 -ip 3448
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3448 -ip 3448
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3448 -ip 3448
1⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3448 -ip 3448
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3448 -ip 3448
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3448 -ip 3448
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3448 -ip 3448
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3448 -ip 3448
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3448 -ip 3448
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3448 -ip 3448
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4292 -ip 4292
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4292 -ip 4292
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4292 -ip 4292
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4292 -ip 4292
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4292 -ip 4292
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4292 -ip 4292
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4292 -ip 4292
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4292 -ip 4292
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4292 -ip 4292
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4292 -ip 4292
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4292 -ip 4292
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4292 -ip 4292
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4292 -ip 4292
1⤵
PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4292 -ip 4292
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4292 -ip 4292
1⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 216
2⤵
- Program crash
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1272 -ip 1272
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4292 -ip 4292
1⤵
PID:984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr725781.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr725781.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziog9912.exe
Filesize
536KB

MD5
286f0b8e44728ab851cdfb13731cf4fc

SHA1
9e8dce45c34207ac9e85ba2e255f788039fdcaa0

SHA256
0eeb5ab56213a99232a80751578c5618bb0decd73f2fd0893c8629381b86a041

SHA512
308b3be73138bbc1d2e98726b8e97ad06d848a4db98884b17f0c58e7cecae9ed2c5fa4c526b460e8263575dabf21434462752a952b761857d889e15c8c866a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziog9912.exe
Filesize
536KB

MD5
286f0b8e44728ab851cdfb13731cf4fc

SHA1
9e8dce45c34207ac9e85ba2e255f788039fdcaa0

SHA256
0eeb5ab56213a99232a80751578c5618bb0decd73f2fd0893c8629381b86a041

SHA512
308b3be73138bbc1d2e98726b8e97ad06d848a4db98884b17f0c58e7cecae9ed2c5fa4c526b460e8263575dabf21434462752a952b761857d889e15c8c866a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp307076.exe
Filesize
169KB

MD5
b92f761f571ccbf647e19586b53766d4

SHA1
8f4e97acd19c8b724bb24bf9e41c5df7f6c471b2

SHA256
feea59f2fa1d56c58834c18cf11002f69272dccefeadc79a5e2b050ef2a28ba0

SHA512
a42918e6f41c007500175cb86cc5a1eb95defe00d230b40438bbbce6ebaffc37058512e5b191c0f1e7e4134bdb62ca937b4e5a52f1b29c80e5ffd05a552a739c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp307076.exe
Filesize
169KB

MD5
b92f761f571ccbf647e19586b53766d4

SHA1
8f4e97acd19c8b724bb24bf9e41c5df7f6c471b2

SHA256
feea59f2fa1d56c58834c18cf11002f69272dccefeadc79a5e2b050ef2a28ba0

SHA512
a42918e6f41c007500175cb86cc5a1eb95defe00d230b40438bbbce6ebaffc37058512e5b191c0f1e7e4134bdb62ca937b4e5a52f1b29c80e5ffd05a552a739c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziWh8092.exe
Filesize
382KB

MD5
d91f7dd7aafa7880ef1b805fe5c2d874

SHA1
39e753648888980ff2c76ba71e4a92ef39edcd88

SHA256
c3727fdae7910d2491b0e328b7756912fe43ad8e2cd9988b57b5e7e8b6cee4fb

SHA512
263391c184dbf2b4bda843ae801dd82a86defe8ce1f0e6a1d4b889d4ad7f8f3891fcee7cade4f677089fed3cea14c571a36768a9d80a47e205c0dbf4091b3c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziWh8092.exe
Filesize
382KB

MD5
d91f7dd7aafa7880ef1b805fe5c2d874

SHA1
39e753648888980ff2c76ba71e4a92ef39edcd88

SHA256
c3727fdae7910d2491b0e328b7756912fe43ad8e2cd9988b57b5e7e8b6cee4fb

SHA512
263391c184dbf2b4bda843ae801dd82a86defe8ce1f0e6a1d4b889d4ad7f8f3891fcee7cade4f677089fed3cea14c571a36768a9d80a47e205c0dbf4091b3c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it417591.exe
Filesize
11KB

MD5
3e93298d9c8ec3e5bffeaecd73d304fb

SHA1
9a80854ab78b82d54911731b6f90b286cf143189

SHA256
b6f526e716440c0151c35004d3af2a05cf16cc35317382bc7539617cf52f4f7d

SHA512
cd37302c86e51476169f17b3f812e5d1300bd6b2bc7306f67478e40d3707eeb4df580fec2f0394deb7e9db5a18ae9d47ecd48359d11b9a826c9db35d35bb7f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it417591.exe
Filesize
11KB

MD5
3e93298d9c8ec3e5bffeaecd73d304fb

SHA1
9a80854ab78b82d54911731b6f90b286cf143189

SHA256
b6f526e716440c0151c35004d3af2a05cf16cc35317382bc7539617cf52f4f7d

SHA512
cd37302c86e51476169f17b3f812e5d1300bd6b2bc7306f67478e40d3707eeb4df580fec2f0394deb7e9db5a18ae9d47ecd48359d11b9a826c9db35d35bb7f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr698204.exe
Filesize
297KB

MD5
47f0be0c367501eaf3c985533c0f82ed

SHA1
ee8752d835022e95a1eb3a5c3ab8d8161dee9ba6

SHA256
d6067c08f81e1eee8200910a705630d9126c5bda814e178fe8094dce73b81988

SHA512
516726353a3116dd401529aa1f692bbc21daa563fc5aced991aa8b297c49a0099a3f93bd9b62d2a532c4882b8b0933460a32c4b8c0748b5ddaa4966cda2bbaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr698204.exe
Filesize
297KB

MD5
47f0be0c367501eaf3c985533c0f82ed

SHA1
ee8752d835022e95a1eb3a5c3ab8d8161dee9ba6

SHA256
d6067c08f81e1eee8200910a705630d9126c5bda814e178fe8094dce73b81988

SHA512
516726353a3116dd401529aa1f692bbc21daa563fc5aced991aa8b297c49a0099a3f93bd9b62d2a532c4882b8b0933460a32c4b8c0748b5ddaa4966cda2bbaca

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/3340-1093-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/3340-1092-0x0000000000A60000-0x0000000000A90000-memory.dmp

Filesize
192KB

Download
memory/3340-1094-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/3448-1100-0x0000000000740000-0x000000000077B000-memory.dmp

Filesize
236KB

Download
memory/3656-154-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/4084-204-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-1072-0x0000000005760000-0x000000000586A000-memory.dmp

Filesize
1.0MB

Download
memory/4084-182-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-184-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-186-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-188-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-190-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-192-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-194-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-196-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-198-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-200-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-202-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-178-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-206-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-208-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-210-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-212-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-214-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-216-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-218-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-220-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-222-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-224-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-226-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-228-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-1071-0x00000000050C0000-0x00000000056D8000-memory.dmp

Filesize
6.1MB

Download
memory/4084-180-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-1073-0x00000000058A0000-0x00000000058B2000-memory.dmp

Filesize
72KB

Download
memory/4084-1074-0x00000000059C0000-0x00000000059FC000-memory.dmp

Filesize
240KB

Download
memory/4084-1075-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/4084-1077-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/4084-1078-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/4084-1079-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/4084-1080-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/4084-1081-0x0000000006260000-0x00000000062F2000-memory.dmp

Filesize
584KB

Download
memory/4084-1082-0x0000000006350000-0x00000000063C6000-memory.dmp

Filesize
472KB

Download
memory/4084-176-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-174-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-172-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-166-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-170-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-168-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-165-0x0000000005020000-0x000000000505F000-memory.dmp

Filesize
252KB

Download
memory/4084-163-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/4084-164-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/4084-162-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/4084-161-0x00000000006A0000-0x00000000006EB000-memory.dmp

Filesize
300KB

Download
memory/4084-160-0x0000000004A50000-0x0000000004FF4000-memory.dmp

Filesize
5.6MB

Download
memory/4084-1083-0x00000000063E0000-0x0000000006430000-memory.dmp

Filesize
320KB

Download
memory/4084-1084-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/4084-1085-0x0000000006750000-0x0000000006912000-memory.dmp

Filesize
1.8MB

Download
memory/4084-1086-0x0000000006940000-0x0000000006E6C000-memory.dmp

Filesize
5.2MB

Download