Analysis
max time kernel: 149s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-04-2023 20:50
Static task
static1
General
Target: 536d4bc8f0926b9c711b2653b98dcd79a723c23cf958e6bb8e2d63f86940e3f5.exe
Size: 1.0MB
MD5: a6d5ceccebe3529bd8d83bbf5602e33c
SHA1: 367dda1a9b4b80796641444c4658767d7f6f193f
SHA256: 536d4bc8f0926b9c711b2653b98dcd79a723c23cf958e6bb8e2d63f86940e3f5
SHA512: a78202863fa35fc9e3091530a262c96412a43f4ba3b1a9992087936a4d8d6ab1e9788b732804ace96086efa2c55e70ee0c3bafb3e442151a2f29ca69b5ae0108
SSDEEP: 24576:7yGBo1b0rBa+wMemKtDv0Lgw4RoxfrgH:uv1eJbwr0LfuoxTg
Malware Config
Extracted
amadey
3.70
77.91.124.207/plays/chapter/index.php
Extracted
redline
rosn
176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
brat
176.113.115.145:4125
auth_value: 1f9c658aed2f70f42f99a57a005561cf
Signatures
-
Processes: cor5413.exe, az570791.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | cor5413.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | cor5413.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | cor5413.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | az570791.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | az570791.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | az570791.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | az570791.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | cor5413.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | cor5413.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | cor5413.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | az570791.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | az570791.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: bu058545.exe, oneetx.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | bu058545.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | oneetx.exe
Executes dropped EXE 11 IoCs
Processes: kina9524.exe, kina5336.exe, kina9760.exe, az570791.exe, bu058545.exe, oneetx.exe, cor5413.exe, dbC76s36.exe, en182444.exe, oneetx.exe, oneetx.exe
pid | process
5068 | kina9524.exe
4676 | kina5336.exe
1704 | kina9760.exe
2240 | az570791.exe
1128 | bu058545.exe
4564 | oneetx.exe
4848 | cor5413.exe
2824 | dbC76s36.exe
2116 | en182444.exe
1528 | oneetx.exe
3996 | oneetx.exe
Loads dropped DLL 1 IoCs
Processes: rundll32.exe
pid | process
2216 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes: az570791.exe, cor5413.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | az570791.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | cor5413.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | cor5413.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes: kina9524.exe, kina5336.exe, kina9760.exe, 536d4bc8f0926b9c711b2653b98dcd79a723c23cf958e6bb8e2d63f86940e3f5.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | kina9524.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | kina9524.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | kina5336.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | kina5336.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | kina9760.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | kina9760.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 536d4bc8f0926b9c711b2653b98dcd79a723c23cf958e6bb8e2d63f86940e3f5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 536d4bc8f0926b9c711b2653b98dcd79a723c23cf958e6bb8e2d63f86940e3f5.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 30 IoCs
Processes: WerFault.exe (30 instances)
pid | pid_target | process | target process
5016 | 1128 | WerFault.exe | bu058545.exe
2096 | 1128 | WerFault.exe | bu058545.exe
4652 | 1128 | WerFault.exe | bu058545.exe
3948 | 1128 | WerFault.exe | bu058545.exe
1184 | 1128 | WerFault.exe | bu058545.exe
2744 | 1128 | WerFault.exe | bu058545.exe
3088 | 1128 | WerFault.exe | bu058545.exe
4520 | 1128 | WerFault.exe | bu058545.exe
228 | 1128 | WerFault.exe | bu058545.exe
3588 | 1128 | WerFault.exe | bu058545.exe
1336 | 4564 | WerFault.exe | oneetx.exe
5024 | 4564 | WerFault.exe | oneetx.exe
1768 | 4564 | WerFault.exe | oneetx.exe
3136 | 4564 | WerFault.exe | oneetx.exe
3936 | 4564 | WerFault.exe | oneetx.exe
2232 | 4564 | WerFault.exe | oneetx.exe
3296 | 4564 | WerFault.exe | oneetx.exe
3564 | 4564 | WerFault.exe | oneetx.exe
3888 | 4564 | WerFault.exe | oneetx.exe
960 | 4564 | WerFault.exe | oneetx.exe
1736 | 4564 | WerFault.exe | oneetx.exe
4988 | 4564 | WerFault.exe | oneetx.exe
1976 | 4848 | WerFault.exe | cor5413.exe
1352 | 2824 | WerFault.exe | dbC76s36.exe
4568 | 4564 | WerFault.exe | oneetx.exe
1300 | 1528 | WerFault.exe | oneetx.exe
4460 | 4564 | WerFault.exe | oneetx.exe
4816 | 4564 | WerFault.exe | oneetx.exe
1768 | 4564 | WerFault.exe | oneetx.exe
3224 | 3996 | WerFault.exe | oneetx.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: az570791.exe, cor5413.exe, dbC76s36.exe, en182444.exe
pid | process
2240 | az570791.exe
2240 | az570791.exe
4848 | cor5413.exe
4848 | cor5413.exe
2824 | dbC76s36.exe
2824 | dbC76s36.exe
2116 | en182444.exe
2116 | en182444.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: az570791.exe, cor5413.exe, dbC76s36.exe, en182444.exe
description | pid | process
Token: SeDebugPrivilege | 2240 | az570791.exe
Token: SeDebugPrivilege | 4848 | cor5413.exe
Token: SeDebugPrivilege | 2824 | dbC76s36.exe
Token: SeDebugPrivilege | 2116 | en182444.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: bu058545.exe
pid | process
1128 | bu058545.exe
Suspicious use of WriteProcessMemory 32 IoCs
Processes: 536d4bc8f0926b9c711b2653b98dcd79a723c23cf958e6bb8e2d63f86940e3f5.exe, kina9524.exe, kina5336.exe, kina9760.exe, bu058545.exe, oneetx.exe
description | pid | process | target process
PID 2692 wrote to memory of 5068 | 2692 | 536d4bc8f0926b9c711b2653b98dcd79a723c23cf958e6bb8e2d63f86940e3f5.exe | kina9524.exe
PID 2692 wrote to memory of 5068 | 2692 | 536d4bc8f0926b9c711b2653b98dcd79a723c23cf958e6bb8e2d63f86940e3f5.exe | kina9524.exe
PID 2692 wrote to memory of 5068 | 2692 | 536d4bc8f0926b9c711b2653b98dcd79a723c23cf958e6bb8e2d63f86940e3f5.exe | kina9524.exe
PID 5068 wrote to memory of 4676 | 5068 | kina9524.exe | kina5336.exe
PID 5068 wrote to memory of 4676 | 5068 | kina9524.exe | kina5336.exe
PID 5068 wrote to memory of 4676 | 5068 | kina9524.exe | kina5336.exe
PID 4676 wrote to memory of 1704 | 4676 | kina5336.exe | kina9760.exe
PID 4676 wrote to memory of 1704 | 4676 | kina5336.exe | kina9760.exe
PID 4676 wrote to memory of 1704 | 4676 | kina5336.exe | kina9760.exe
PID 1704 wrote to memory of 2240 | 1704 | kina9760.exe | az570791.exe
PID 1704 wrote to memory of 2240 | 1704 | kina9760.exe | az570791.exe
PID 1704 wrote to memory of 1128 | 1704 | kina9760.exe | bu058545.exe
PID 1704 wrote to memory of 1128 | 1704 | kina9760.exe | bu058545.exe
PID 1704 wrote to memory of 1128 | 1704 | kina9760.exe | bu058545.exe
PID 1128 wrote to memory of 4564 | 1128 | bu058545.exe | oneetx.exe
PID 1128 wrote to memory of 4564 | 1128 | bu058545.exe | oneetx.exe
PID 1128 wrote to memory of 4564 | 1128 | bu058545.exe | oneetx.exe
PID 4676 wrote to memory of 4848 | 4676 | kina5336.exe | cor5413.exe
PID 4676 wrote to memory of 4848 | 4676 | kina5336.exe | cor5413.exe
PID 4676 wrote to memory of 4848 | 4676 | kina5336.exe | cor5413.exe
PID 4564 wrote to memory of 5048 | 4564 | oneetx.exe | schtasks.exe
PID 4564 wrote to memory of 5048 | 4564 | oneetx.exe | schtasks.exe
PID 4564 wrote to memory of 5048 | 4564 | oneetx.exe | schtasks.exe
PID 5068 wrote to memory of 2824 | 5068 | kina9524.exe | dbC76s36.exe
PID 5068 wrote to memory of 2824 | 5068 | kina9524.exe | dbC76s36.exe
PID 5068 wrote to memory of 2824 | 5068 | kina9524.exe | dbC76s36.exe
PID 2692 wrote to memory of 2116 | 2692 | 536d4bc8f0926b9c711b2653b98dcd79a723c23cf958e6bb8e2d63f86940e3f5.exe | en182444.exe
PID 2692 wrote to memory of 2116 | 2692 | 536d4bc8f0926b9c711b2653b98dcd79a723c23cf958e6bb8e2d63f86940e3f5.exe | en182444.exe
PID 2692 wrote to memory of 2116 | 2692 | 536d4bc8f0926b9c711b2653b98dcd79a723c23cf958e6bb8e2d63f86940e3f5.exe | en182444.exe
PID 4564 wrote to memory of 2216 | 4564 | oneetx.exe | rundll32.exe
PID 4564 wrote to memory of 2216 | 4564 | oneetx.exe | rundll32.exe
PID 4564 wrote to memory of 2216 | 4564 | oneetx.exe | rundll32.exe
Processes
1⤵ "C:\Users\Admin\AppData\Local\Temp\536d4bc8f0926b9c711b2653b98dcd79a723c23cf958e6bb8e2d63f86940e3f5.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  2⤵ C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina9524.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    3⤵ C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5336.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      4⤵ C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9760.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        5⤵ C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az570791.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        5⤵ C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu058545.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          6⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 696
            - Program crash
          6⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 728
            - Program crash
          6⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 796
            - Program crash
          6⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 972
            - Program crash
          6⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1016
            - Program crash
          6⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 988
            - Program crash
          6⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1204
            - Program crash
          6⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1240
            - Program crash
          6⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1312
            - Program crash
          6⤵ "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            7⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 692
              - Program crash
            7⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1004
              - Program crash
            7⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1012
              - Program crash
            7⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1092
              - Program crash
            7⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1116
              - Program crash
            7⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1144
              - Program crash
            7⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1104
              - Program crash
            7⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1180
              - Program crash
            7⤵ "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F (image: C:\Windows\SysWOW64\schtasks.exe)
              - Creates scheduled task(s)
            7⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 992
              - Program crash
            7⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 696
              - Program crash
            7⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 756
              - Program crash
            7⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 884
              - Program crash
            7⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1144
              - Program crash
            7⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1612
              - Program crash
            7⤵ "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main (image: C:\Windows\SysWOW64\rundll32.exe)
              - Loads dropped DLL
            7⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1144
              - Program crash
            7⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1628
              - Program crash
          6⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1356
            - Program crash
      4⤵ C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor5413.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        5⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1088
          - Program crash
    3⤵ C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dbC76s36.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      4⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1488
        - Program crash
  2⤵ C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\en182444.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1128 -ip 1128
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1128 -ip 1128
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1128 -ip 1128
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1128 -ip 1128
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1128 -ip 1128
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1128 -ip 1128
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1128 -ip 1128
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1128 -ip 1128
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1128 -ip 1128
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1128 -ip 1128
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4564 -ip 4564
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4564 -ip 4564
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4564 -ip 4564
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4564 -ip 4564
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4564 -ip 4564
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4564 -ip 4564
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4564 -ip 4564
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4564 -ip 4564
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4564 -ip 4564
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4564 -ip 4564
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4564 -ip 4564
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4564 -ip 4564
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4848 -ip 4848
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2824 -ip 2824
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4564 -ip 4564
1⤵ C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
  - Executes dropped EXE
  2⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 216
    - Program crash
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1528 -ip 1528
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4564 -ip 4564
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4564 -ip 4564
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4564 -ip 4564
1⤵ C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
  - Executes dropped EXE
  2⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 312
    - Program crash
1⤵ C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3996 -ip 3996
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe, Filesize 231KB
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\en182444.exe, Filesize 168KB
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina9524.exe, Filesize 921KB
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dbC76s36.exe, Filesize 297KB
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5336.exe, Filesize 589KB
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor5413.exe, Filesize 239KB
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9760.exe, Filesize 316KB
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az570791.exe, Filesize 11KB
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu058545.exe, Filesize 231KB
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Filesize 89KB
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Filesize 162B
252KB
-
memory/2824-254-0x0000000002640000-0x000000000267F000-memory.dmpFilesize
252KB
-
memory/2824-266-0x0000000002640000-0x000000000267F000-memory.dmpFilesize
252KB
-
memory/2824-258-0x0000000002640000-0x000000000267F000-memory.dmpFilesize
252KB
-
memory/2824-260-0x0000000002640000-0x000000000267F000-memory.dmpFilesize
252KB
-
memory/2824-262-0x0000000002640000-0x000000000267F000-memory.dmpFilesize
252KB
-
memory/2824-264-0x0000000002640000-0x000000000267F000-memory.dmpFilesize
252KB
-
memory/4564-220-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/4848-217-0x0000000004CC0000-0x0000000004CD0000-memory.dmpFilesize
64KB
-
memory/4848-224-0x0000000004CC0000-0x0000000004CD0000-memory.dmpFilesize
64KB
-
memory/4848-216-0x00000000026C0000-0x00000000026D2000-memory.dmpFilesize
72KB
-
memory/4848-226-0x0000000000400000-0x00000000004AA000-memory.dmpFilesize
680KB
-
memory/4848-214-0x00000000026C0000-0x00000000026D2000-memory.dmpFilesize
72KB
-
memory/4848-225-0x0000000004CC0000-0x0000000004CD0000-memory.dmpFilesize
64KB
-
memory/4848-223-0x0000000004CC0000-0x0000000004CD0000-memory.dmpFilesize
64KB
-
memory/4848-212-0x00000000026C0000-0x00000000026D2000-memory.dmpFilesize
72KB
-
memory/4848-206-0x00000000026C0000-0x00000000026D2000-memory.dmpFilesize
72KB
-
memory/4848-219-0x0000000004CC0000-0x0000000004CD0000-memory.dmpFilesize
64KB
-
memory/4848-218-0x0000000004CC0000-0x0000000004CD0000-memory.dmpFilesize
64KB
-
memory/4848-210-0x00000000026C0000-0x00000000026D2000-memory.dmpFilesize
72KB
-
memory/4848-204-0x00000000026C0000-0x00000000026D2000-memory.dmpFilesize
72KB
-
memory/4848-208-0x00000000026C0000-0x00000000026D2000-memory.dmpFilesize
72KB
-
memory/4848-221-0x0000000000400000-0x00000000004AA000-memory.dmpFilesize
680KB
-
memory/4848-202-0x00000000026C0000-0x00000000026D2000-memory.dmpFilesize
72KB
-
memory/4848-200-0x00000000026C0000-0x00000000026D2000-memory.dmpFilesize
72KB
-
memory/4848-198-0x00000000026C0000-0x00000000026D2000-memory.dmpFilesize
72KB
-
memory/4848-196-0x00000000026C0000-0x00000000026D2000-memory.dmpFilesize
72KB
-
memory/4848-194-0x00000000026C0000-0x00000000026D2000-memory.dmpFilesize
72KB
-
memory/4848-192-0x00000000026C0000-0x00000000026D2000-memory.dmpFilesize
72KB
-
memory/4848-190-0x00000000026C0000-0x00000000026D2000-memory.dmpFilesize
72KB
-
memory/4848-189-0x00000000026C0000-0x00000000026D2000-memory.dmpFilesize
72KB
-
memory/4848-188-0x0000000004CD0000-0x0000000005274000-memory.dmpFilesize
5.6MB
-
memory/4848-187-0x0000000000580000-0x00000000005AD000-memory.dmpFilesize
180KB