87fc2b0f52eba88c61c2195fcf22dd642ccb70194d72a763938401678b55c1c0

Analysis

max time kernel
148s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87fc2b0f52eba88c61c2195fcf22dd642ccb70194d72a763938401678b55c1c0.exe
Size

965KB
MD5

f75e2973024a0dabe303e618de06783c
SHA1

357271bb3b868cc99379beb1aa05f9548246f897
SHA256

87fc2b0f52eba88c61c2195fcf22dd642ccb70194d72a763938401678b55c1c0
SHA512

9ec10b93ed36e28dba02ef7fa508b7f30efc4003d2656535d3b1fbeaf5e98142b9cbf70e673ca974359c298bb892d518ee43a1603414d57efd3e04305eea6317
SSDEEP

24576:sy1CtVq1eTMGV0uJLApyP4AuH6WKLOmLLH:botVdMOApyP4Nh6n3

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr913929.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr913929.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr913929.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr913929.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr913929.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr913929.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	si788354.exe

Executes dropped EXE 9 IoCs

pid	Process
1396	un668438.exe
2512	un545837.exe
4568	pr913929.exe
660	qu404143.exe
3756	rk215697.exe
4976	si788354.exe
3284	oneetx.exe
3244	oneetx.exe
3164	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
2832	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr913929.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr913929.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	87fc2b0f52eba88c61c2195fcf22dd642ccb70194d72a763938401678b55c1c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	87fc2b0f52eba88c61c2195fcf22dd642ccb70194d72a763938401678b55c1c0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un668438.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un668438.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un545837.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un545837.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 32 IoCs

pid	pid_target	Process	procid_target
2204	4568	WerFault.exe	87
4332	660	WerFault.exe	94
4044	4976	WerFault.exe	99
5040	4976	WerFault.exe	99
2432	4976	WerFault.exe	99
4876	4976	WerFault.exe	99
1324	4976	WerFault.exe	99
3244	4976	WerFault.exe	99
1972	4976	WerFault.exe	99
1760	4976	WerFault.exe	99
388	4976	WerFault.exe	99
4476	4976	WerFault.exe	99
392	3284	WerFault.exe	120
1052	3284	WerFault.exe	120
4224	3284	WerFault.exe	120
5096	3284	WerFault.exe	120
4444	3284	WerFault.exe	120
2248	3284	WerFault.exe	120
1876	3284	WerFault.exe	120
4368	3284	WerFault.exe	120
224	3284	WerFault.exe	120
216	3284	WerFault.exe	120
3564	3284	WerFault.exe	120
1560	3284	WerFault.exe	120
3828	3284	WerFault.exe	120
3012	3284	WerFault.exe	120
604	3244	WerFault.exe	164
1640	3284	WerFault.exe	120
4560	3284	WerFault.exe	120
1172	3284	WerFault.exe	120
4864	3284	WerFault.exe	120
2488	3164	WerFault.exe	176

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4568	pr913929.exe
4568	pr913929.exe
660	qu404143.exe
660	qu404143.exe
3756	rk215697.exe
3756	rk215697.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4568	pr913929.exe
Token: SeDebugPrivilege	660	qu404143.exe
Token: SeDebugPrivilege	3756	rk215697.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4976	si788354.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 1396	5056	87fc2b0f52eba88c61c2195fcf22dd642ccb70194d72a763938401678b55c1c0.exe	85
PID 5056 wrote to memory of 1396	5056	87fc2b0f52eba88c61c2195fcf22dd642ccb70194d72a763938401678b55c1c0.exe	85
PID 5056 wrote to memory of 1396	5056	87fc2b0f52eba88c61c2195fcf22dd642ccb70194d72a763938401678b55c1c0.exe	85
PID 1396 wrote to memory of 2512	1396	un668438.exe	86
PID 1396 wrote to memory of 2512	1396	un668438.exe	86
PID 1396 wrote to memory of 2512	1396	un668438.exe	86
PID 2512 wrote to memory of 4568	2512	un545837.exe	87
PID 2512 wrote to memory of 4568	2512	un545837.exe	87
PID 2512 wrote to memory of 4568	2512	un545837.exe	87
PID 2512 wrote to memory of 660	2512	un545837.exe	94
PID 2512 wrote to memory of 660	2512	un545837.exe	94
PID 2512 wrote to memory of 660	2512	un545837.exe	94
PID 1396 wrote to memory of 3756	1396	un668438.exe	97
PID 1396 wrote to memory of 3756	1396	un668438.exe	97
PID 1396 wrote to memory of 3756	1396	un668438.exe	97
PID 5056 wrote to memory of 4976	5056	87fc2b0f52eba88c61c2195fcf22dd642ccb70194d72a763938401678b55c1c0.exe	99
PID 5056 wrote to memory of 4976	5056	87fc2b0f52eba88c61c2195fcf22dd642ccb70194d72a763938401678b55c1c0.exe	99
PID 5056 wrote to memory of 4976	5056	87fc2b0f52eba88c61c2195fcf22dd642ccb70194d72a763938401678b55c1c0.exe	99
PID 4976 wrote to memory of 3284	4976	si788354.exe	120
PID 4976 wrote to memory of 3284	4976	si788354.exe	120
PID 4976 wrote to memory of 3284	4976	si788354.exe	120
PID 3284 wrote to memory of 4836	3284	oneetx.exe	141
PID 3284 wrote to memory of 4836	3284	oneetx.exe	141
PID 3284 wrote to memory of 4836	3284	oneetx.exe	141
PID 3284 wrote to memory of 4176	3284	oneetx.exe	147
PID 3284 wrote to memory of 4176	3284	oneetx.exe	147
PID 3284 wrote to memory of 4176	3284	oneetx.exe	147
PID 4176 wrote to memory of 2156	4176	cmd.exe	151
PID 4176 wrote to memory of 2156	4176	cmd.exe	151
PID 4176 wrote to memory of 2156	4176	cmd.exe	151
PID 4176 wrote to memory of 3360	4176	cmd.exe	152
PID 4176 wrote to memory of 3360	4176	cmd.exe	152
PID 4176 wrote to memory of 3360	4176	cmd.exe	152
PID 4176 wrote to memory of 3272	4176	cmd.exe	153
PID 4176 wrote to memory of 3272	4176	cmd.exe	153
PID 4176 wrote to memory of 3272	4176	cmd.exe	153
PID 4176 wrote to memory of 4992	4176	cmd.exe	154
PID 4176 wrote to memory of 4992	4176	cmd.exe	154
PID 4176 wrote to memory of 4992	4176	cmd.exe	154
PID 4176 wrote to memory of 680	4176	cmd.exe	155
PID 4176 wrote to memory of 680	4176	cmd.exe	155
PID 4176 wrote to memory of 680	4176	cmd.exe	155
PID 4176 wrote to memory of 5044	4176	cmd.exe	156
PID 4176 wrote to memory of 5044	4176	cmd.exe	156
PID 4176 wrote to memory of 5044	4176	cmd.exe	156
PID 3284 wrote to memory of 2832	3284	oneetx.exe	171
PID 3284 wrote to memory of 2832	3284	oneetx.exe	171
PID 3284 wrote to memory of 2832	3284	oneetx.exe	171

C:\Users\Admin\AppData\Local\Temp\87fc2b0f52eba88c61c2195fcf22dd642ccb70194d72a763938401678b55c1c0.exe
"C:\Users\Admin\AppData\Local\Temp\87fc2b0f52eba88c61c2195fcf22dd642ccb70194d72a763938401678b55c1c0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un668438.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un668438.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un545837.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un545837.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr913929.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr913929.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4568
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1080
        5⤵
        Program crash
        
        PID:2204
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu404143.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu404143.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:660
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 1332
        5⤵
        Program crash
        
        PID:4332
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk215697.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk215697.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3756
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si788354.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si788354.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 696
    3⤵
    - Program crash
    PID:4044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 780
    3⤵
    - Program crash
    PID:5040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 856
    3⤵
    - Program crash
    PID:2432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 952
    3⤵
    - Program crash
    PID:4876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 976
    3⤵
    - Program crash
    PID:1324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 976
    3⤵
    - Program crash
    PID:3244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1216
    3⤵
    - Program crash
    PID:1972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1212
    3⤵
    - Program crash
    PID:1760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1316
    3⤵
    - Program crash
    PID:388
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 692
      4⤵
      Program crash
      PID:392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 948
      4⤵
      Program crash
      PID:1052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 1072
      4⤵
      Program crash
      PID:4224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 972
      4⤵
      Program crash
      PID:5096
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 972
      4⤵
      Program crash
      PID:4444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 1088
      4⤵
      Program crash
      PID:2248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 1132
      4⤵
      Program crash
      PID:1876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 972
      4⤵
      Program crash
      PID:4368
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 1012
      4⤵
      Program crash
      PID:224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 728
      4⤵
      Program crash
      PID:216
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4176
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2156
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:3360
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:3272
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4992
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:680
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:5044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 1292
      4⤵
      Program crash
      PID:3564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 132
      4⤵
      Program crash
      PID:1560
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 888
      4⤵
      Program crash
      PID:3828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 892
      4⤵
      Program crash
      PID:3012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 1116
      4⤵
      Program crash
      PID:1640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 1636
      4⤵
      Program crash
      PID:4560
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 1668
      4⤵
      Program crash
      PID:1172
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 1644
      4⤵
      Program crash
      PID:4864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1352
    3⤵
    - Program crash
    PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4568 -ip 4568
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 660 -ip 660
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4976 -ip 4976
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4976 -ip 4976
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4976 -ip 4976
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4976 -ip 4976
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4976 -ip 4976
1⤵
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4976 -ip 4976
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4976 -ip 4976
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4976 -ip 4976
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4976 -ip 4976
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4976 -ip 4976
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3284 -ip 3284
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3284 -ip 3284
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3284 -ip 3284
1⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3284 -ip 3284
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3284 -ip 3284
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3284 -ip 3284
1⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3284 -ip 3284
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3284 -ip 3284
1⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3284 -ip 3284
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3284 -ip 3284
1⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3284 -ip 3284
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3284 -ip 3284
1⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3284 -ip 3284
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3284 -ip 3284
1⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 320
  2⤵
  - Program crash
  PID:604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3244 -ip 3244
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3284 -ip 3284
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3284 -ip 3284
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3284 -ip 3284
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3284 -ip 3284
1⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 312
  2⤵
  - Program crash
  PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3164 -ip 3164
1⤵
PID:4488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si788354.exe

Filesize
256KB

MD5
db15d151e83476c0d22ceacc780d4d8b

SHA1
192f1f54eb30ca50dcb4d3e193064c2a3237132a

SHA256
df519b2e423fdb0f59e4fc12747f8f97130985da16f74e9cfd5fc618248aee98

SHA512
b3a97fe9bcbffcec09bff19865827de911e2663aecfdc367b3aa23ccecac7e45dd9078c55faa37bda089ba2696eed53786dedb9ac6ac8879dd53b6bc62b77c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si788354.exe

Filesize
256KB

MD5
db15d151e83476c0d22ceacc780d4d8b

SHA1
192f1f54eb30ca50dcb4d3e193064c2a3237132a

SHA256
df519b2e423fdb0f59e4fc12747f8f97130985da16f74e9cfd5fc618248aee98

SHA512
b3a97fe9bcbffcec09bff19865827de911e2663aecfdc367b3aa23ccecac7e45dd9078c55faa37bda089ba2696eed53786dedb9ac6ac8879dd53b6bc62b77c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un668438.exe

Filesize
707KB

MD5
df1eb1c2cc1037a17991707dc2b1b893

SHA1
2cc77175d8565a637dafff12272512902e669eee

SHA256
acdfa39fbf2843fba537655e8944d31e07d78ef0553a76e568a7fc58a4b4cf8c

SHA512
431a083dfe3bc70dc267ecb7d2162aae88e9484d7bb7ced22b22d7d15aed54a81dc24bf79485fcc53349068d27e48d791c87bc3f9fd916054aa5a5530122dc46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un668438.exe

Filesize
707KB

MD5
df1eb1c2cc1037a17991707dc2b1b893

SHA1
2cc77175d8565a637dafff12272512902e669eee

SHA256
acdfa39fbf2843fba537655e8944d31e07d78ef0553a76e568a7fc58a4b4cf8c

SHA512
431a083dfe3bc70dc267ecb7d2162aae88e9484d7bb7ced22b22d7d15aed54a81dc24bf79485fcc53349068d27e48d791c87bc3f9fd916054aa5a5530122dc46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk215697.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk215697.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un545837.exe

Filesize
553KB

MD5
e12e022a3ae0b7ef6e7c570e4e2a3650

SHA1
f423829c39981e7365cfdb0fc6a54b9dbbeec7d1

SHA256
9594f893e542ffe370f71d9799cedf91a6dd592c5708eda7382dfb8c902b7a1e

SHA512
37efa02e66a9a198365767302dd7ea78024d12a1dd6ae583ef02a49e93b64be411d712e99b9f5f79e2aa9e7b2a55bc2f7cf1f95bef2810bb882f84400ff5333c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un545837.exe

Filesize
553KB

MD5
e12e022a3ae0b7ef6e7c570e4e2a3650

SHA1
f423829c39981e7365cfdb0fc6a54b9dbbeec7d1

SHA256
9594f893e542ffe370f71d9799cedf91a6dd592c5708eda7382dfb8c902b7a1e

SHA512
37efa02e66a9a198365767302dd7ea78024d12a1dd6ae583ef02a49e93b64be411d712e99b9f5f79e2aa9e7b2a55bc2f7cf1f95bef2810bb882f84400ff5333c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr913929.exe

Filesize
278KB

MD5
c5c050f8be54fcbdbb9e68944d3370d6

SHA1
c69bbf764d45ce11b3b5fe7c4b6684bbf14517c9

SHA256
4530f496ecb2b19ef78b6bebe73236423eef0f2a0ae9e6aa9600a2263595c066

SHA512
7823df94cfcab0fc45b125c507972a6cd95db656dd5138196c4eabbdc5a708f03f513303c4f177e18e128db043898647a3dd8112017d1651ba97c408aec76eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr913929.exe

Filesize
278KB

MD5
c5c050f8be54fcbdbb9e68944d3370d6

SHA1
c69bbf764d45ce11b3b5fe7c4b6684bbf14517c9

SHA256
4530f496ecb2b19ef78b6bebe73236423eef0f2a0ae9e6aa9600a2263595c066

SHA512
7823df94cfcab0fc45b125c507972a6cd95db656dd5138196c4eabbdc5a708f03f513303c4f177e18e128db043898647a3dd8112017d1651ba97c408aec76eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu404143.exe

Filesize
360KB

MD5
7928799502ab7031868eb5e0b6d906ea

SHA1
76d96f6b75de883f4b0095839ebfcac687796cad

SHA256
d62f84c9d1230e456b966198bcbd89af4ba9663c687dde9b0f818d0c2bd037ce

SHA512
115cbac581fb716269a73994f0971c41846261d387adb3daac3820a066a05f4c6b04f157bc0814d42bf0cb296c96a5baa1e95d54521ea3c93615f221675aabac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu404143.exe

Filesize
360KB

MD5
7928799502ab7031868eb5e0b6d906ea

SHA1
76d96f6b75de883f4b0095839ebfcac687796cad

SHA256
d62f84c9d1230e456b966198bcbd89af4ba9663c687dde9b0f818d0c2bd037ce

SHA512
115cbac581fb716269a73994f0971c41846261d387adb3daac3820a066a05f4c6b04f157bc0814d42bf0cb296c96a5baa1e95d54521ea3c93615f221675aabac

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
db15d151e83476c0d22ceacc780d4d8b

SHA1
192f1f54eb30ca50dcb4d3e193064c2a3237132a

SHA256
df519b2e423fdb0f59e4fc12747f8f97130985da16f74e9cfd5fc618248aee98

SHA512
b3a97fe9bcbffcec09bff19865827de911e2663aecfdc367b3aa23ccecac7e45dd9078c55faa37bda089ba2696eed53786dedb9ac6ac8879dd53b6bc62b77c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
db15d151e83476c0d22ceacc780d4d8b

SHA1
192f1f54eb30ca50dcb4d3e193064c2a3237132a

SHA256
df519b2e423fdb0f59e4fc12747f8f97130985da16f74e9cfd5fc618248aee98

SHA512
b3a97fe9bcbffcec09bff19865827de911e2663aecfdc367b3aa23ccecac7e45dd9078c55faa37bda089ba2696eed53786dedb9ac6ac8879dd53b6bc62b77c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
db15d151e83476c0d22ceacc780d4d8b

SHA1
192f1f54eb30ca50dcb4d3e193064c2a3237132a

SHA256
df519b2e423fdb0f59e4fc12747f8f97130985da16f74e9cfd5fc618248aee98

SHA512
b3a97fe9bcbffcec09bff19865827de911e2663aecfdc367b3aa23ccecac7e45dd9078c55faa37bda089ba2696eed53786dedb9ac6ac8879dd53b6bc62b77c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
db15d151e83476c0d22ceacc780d4d8b

SHA1
192f1f54eb30ca50dcb4d3e193064c2a3237132a

SHA256
df519b2e423fdb0f59e4fc12747f8f97130985da16f74e9cfd5fc618248aee98

SHA512
b3a97fe9bcbffcec09bff19865827de911e2663aecfdc367b3aa23ccecac7e45dd9078c55faa37bda089ba2696eed53786dedb9ac6ac8879dd53b6bc62b77c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
db15d151e83476c0d22ceacc780d4d8b

SHA1
192f1f54eb30ca50dcb4d3e193064c2a3237132a

SHA256
df519b2e423fdb0f59e4fc12747f8f97130985da16f74e9cfd5fc618248aee98

SHA512
b3a97fe9bcbffcec09bff19865827de911e2663aecfdc367b3aa23ccecac7e45dd9078c55faa37bda089ba2696eed53786dedb9ac6ac8879dd53b6bc62b77c4b

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/660-999-0x000000000A750000-0x000000000A7B6000-memory.dmp

Filesize
408KB

Download
memory/660-231-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/660-1005-0x0000000004960000-0x00000000049B0000-memory.dmp

Filesize
320KB

Download
memory/660-1004-0x000000000B7D0000-0x000000000B7EE000-memory.dmp

Filesize
120KB

Download
memory/660-1003-0x000000000B190000-0x000000000B6BC000-memory.dmp

Filesize
5.2MB

Download
memory/660-1002-0x000000000AFC0000-0x000000000B182000-memory.dmp

Filesize
1.8MB

Download
memory/660-1001-0x000000000AEE0000-0x000000000AF56000-memory.dmp

Filesize
472KB

Download
memory/660-1000-0x000000000AE20000-0x000000000AEB2000-memory.dmp

Filesize
584KB

Download
memory/660-998-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/660-997-0x000000000A450000-0x000000000A48C000-memory.dmp

Filesize
240KB

Download
memory/660-996-0x000000000A330000-0x000000000A43A000-memory.dmp

Filesize
1.0MB

Download
memory/660-995-0x000000000A310000-0x000000000A322000-memory.dmp

Filesize
72KB

Download
memory/660-198-0x0000000002D70000-0x0000000002DB6000-memory.dmp

Filesize
280KB

Download
memory/660-199-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/660-201-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/660-200-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/660-204-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/660-202-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/660-205-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/660-207-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/660-209-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/660-211-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/660-213-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/660-215-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/660-217-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/660-219-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/660-221-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/660-223-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/660-225-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/660-227-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/660-229-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/660-994-0x0000000009CA0000-0x000000000A2B8000-memory.dmp

Filesize
6.1MB

Download
memory/660-233-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/660-235-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3756-1012-0x00000000002C0000-0x00000000002E8000-memory.dmp

Filesize
160KB

Download
memory/3756-1013-0x0000000006FF0000-0x0000000007000000-memory.dmp

Filesize
64KB

Download
memory/4568-189-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/4568-158-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4568-191-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/4568-178-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4568-190-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/4568-184-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4568-188-0x0000000000400000-0x0000000002B9F000-memory.dmp

Filesize
39.6MB

Download
memory/4568-187-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/4568-186-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/4568-185-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/4568-176-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4568-174-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4568-193-0x0000000000400000-0x0000000002B9F000-memory.dmp

Filesize
39.6MB

Download
memory/4568-182-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4568-166-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4568-170-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4568-155-0x0000000002D20000-0x0000000002D4D000-memory.dmp

Filesize
180KB

Download
memory/4568-168-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4568-172-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4568-164-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4568-162-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4568-160-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4568-180-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4568-157-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4568-156-0x0000000007290000-0x0000000007834000-memory.dmp

Filesize
5.6MB

Download
memory/4976-1019-0x0000000004800000-0x0000000004835000-memory.dmp

Filesize
212KB

Download