18284f7970dc613747e00ea11e25a82018d377876b229f5d6fa12d684ab6725d

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18284f7970dc613747e00ea11e25a82018d377876b229f5d6fa12d684ab6725d.exe
Size

963KB
MD5

ae5dbd571305705f188651fa4ddb34d4
SHA1

5bdbac43adb109972f3b0003808f5ab273543382
SHA256

18284f7970dc613747e00ea11e25a82018d377876b229f5d6fa12d684ab6725d
SHA512

b322ec798d9b66e40acc681fb1c31ff634dda4ca04fe20ad1a2c6e78229e32b4b5fa6eafbf22b08c7987615999f98a436a0637bb476bf47e89ebd03d908a77c0
SSDEEP

24576:9ydU7/bgmRU5MK346l57fgqUw3mdKl0sQh7+4qqp:Y2zbpHK39/4qUw3m4esQh+4

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr639985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr639985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr639985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr639985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr639985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr639985.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	si863396.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
2244	un329976.exe
4040	un278914.exe
688	pr639985.exe
1044	qu341273.exe
3636	rk947786.exe
1480	si863396.exe
1844	oneetx.exe
4636	oneetx.exe
2456	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
4112	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr639985.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr639985.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un278914.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un278914.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	18284f7970dc613747e00ea11e25a82018d377876b229f5d6fa12d684ab6725d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	18284f7970dc613747e00ea11e25a82018d377876b229f5d6fa12d684ab6725d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un329976.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un329976.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 32 IoCs

pid	pid_target	Process	procid_target
4944	688	WerFault.exe	78
2604	1044	WerFault.exe	87
2820	1480	WerFault.exe	92
4720	1480	WerFault.exe	92
5056	1480	WerFault.exe	92
5028	1480	WerFault.exe	92
696	1480	WerFault.exe	92
988	1480	WerFault.exe	92
4596	1480	WerFault.exe	92
3968	1480	WerFault.exe	92
1080	1480	WerFault.exe	92
776	1480	WerFault.exe	92
4488	1844	WerFault.exe	112
2160	1844	WerFault.exe	112
2200	1844	WerFault.exe	112
3928	1844	WerFault.exe	112
1124	1844	WerFault.exe	112
1340	1844	WerFault.exe	112
4604	1844	WerFault.exe	112
4280	1844	WerFault.exe	112
2580	1844	WerFault.exe	112
2916	1844	WerFault.exe	112
4532	1844	WerFault.exe	112
4312	1844	WerFault.exe	112
1028	1844	WerFault.exe	112
1136	1844	WerFault.exe	112
808	4636	WerFault.exe	156
1436	1844	WerFault.exe	112
484	1844	WerFault.exe	112
64	1844	WerFault.exe	112
696	1844	WerFault.exe	112
2696	2456	WerFault.exe	168

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
688	pr639985.exe
688	pr639985.exe
1044	qu341273.exe
1044	qu341273.exe
3636	rk947786.exe
3636	rk947786.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	688	pr639985.exe
Token: SeDebugPrivilege	1044	qu341273.exe
Token: SeDebugPrivilege	3636	rk947786.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1480	si863396.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 2244	5108	18284f7970dc613747e00ea11e25a82018d377876b229f5d6fa12d684ab6725d.exe	76
PID 5108 wrote to memory of 2244	5108	18284f7970dc613747e00ea11e25a82018d377876b229f5d6fa12d684ab6725d.exe	76
PID 5108 wrote to memory of 2244	5108	18284f7970dc613747e00ea11e25a82018d377876b229f5d6fa12d684ab6725d.exe	76
PID 2244 wrote to memory of 4040	2244	un329976.exe	77
PID 2244 wrote to memory of 4040	2244	un329976.exe	77
PID 2244 wrote to memory of 4040	2244	un329976.exe	77
PID 4040 wrote to memory of 688	4040	un278914.exe	78
PID 4040 wrote to memory of 688	4040	un278914.exe	78
PID 4040 wrote to memory of 688	4040	un278914.exe	78
PID 4040 wrote to memory of 1044	4040	un278914.exe	87
PID 4040 wrote to memory of 1044	4040	un278914.exe	87
PID 4040 wrote to memory of 1044	4040	un278914.exe	87
PID 2244 wrote to memory of 3636	2244	un329976.exe	90
PID 2244 wrote to memory of 3636	2244	un329976.exe	90
PID 2244 wrote to memory of 3636	2244	un329976.exe	90
PID 5108 wrote to memory of 1480	5108	18284f7970dc613747e00ea11e25a82018d377876b229f5d6fa12d684ab6725d.exe	92
PID 5108 wrote to memory of 1480	5108	18284f7970dc613747e00ea11e25a82018d377876b229f5d6fa12d684ab6725d.exe	92
PID 5108 wrote to memory of 1480	5108	18284f7970dc613747e00ea11e25a82018d377876b229f5d6fa12d684ab6725d.exe	92
PID 1480 wrote to memory of 1844	1480	si863396.exe	112
PID 1480 wrote to memory of 1844	1480	si863396.exe	112
PID 1480 wrote to memory of 1844	1480	si863396.exe	112
PID 1844 wrote to memory of 4584	1844	oneetx.exe	131
PID 1844 wrote to memory of 4584	1844	oneetx.exe	131
PID 1844 wrote to memory of 4584	1844	oneetx.exe	131
PID 1844 wrote to memory of 3828	1844	oneetx.exe	138
PID 1844 wrote to memory of 3828	1844	oneetx.exe	138
PID 1844 wrote to memory of 3828	1844	oneetx.exe	138
PID 3828 wrote to memory of 4348	3828	cmd.exe	142
PID 3828 wrote to memory of 4348	3828	cmd.exe	142
PID 3828 wrote to memory of 4348	3828	cmd.exe	142
PID 3828 wrote to memory of 2104	3828	cmd.exe	143
PID 3828 wrote to memory of 2104	3828	cmd.exe	143
PID 3828 wrote to memory of 2104	3828	cmd.exe	143
PID 3828 wrote to memory of 936	3828	cmd.exe	144
PID 3828 wrote to memory of 936	3828	cmd.exe	144
PID 3828 wrote to memory of 936	3828	cmd.exe	144
PID 3828 wrote to memory of 1932	3828	cmd.exe	145
PID 3828 wrote to memory of 1932	3828	cmd.exe	145
PID 3828 wrote to memory of 1932	3828	cmd.exe	145
PID 3828 wrote to memory of 3472	3828	cmd.exe	146
PID 3828 wrote to memory of 3472	3828	cmd.exe	146
PID 3828 wrote to memory of 3472	3828	cmd.exe	146
PID 3828 wrote to memory of 3684	3828	cmd.exe	147
PID 3828 wrote to memory of 3684	3828	cmd.exe	147
PID 3828 wrote to memory of 3684	3828	cmd.exe	147
PID 1844 wrote to memory of 4112	1844	oneetx.exe	163
PID 1844 wrote to memory of 4112	1844	oneetx.exe	163
PID 1844 wrote to memory of 4112	1844	oneetx.exe	163

C:\Users\Admin\AppData\Local\Temp\18284f7970dc613747e00ea11e25a82018d377876b229f5d6fa12d684ab6725d.exe
"C:\Users\Admin\AppData\Local\Temp\18284f7970dc613747e00ea11e25a82018d377876b229f5d6fa12d684ab6725d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un329976.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un329976.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un278914.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un278914.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr639985.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr639985.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 1108
        5⤵
        Program crash
        
        PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu341273.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu341273.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1028
        5⤵
        Program crash
        
        PID:2604
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk947786.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk947786.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3636
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si863396.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si863396.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 708
    3⤵
    - Program crash
    PID:2820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 784
    3⤵
    - Program crash
    PID:4720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 808
    3⤵
    - Program crash
    PID:5056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 960
    3⤵
    - Program crash
    PID:5028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 812
    3⤵
    - Program crash
    PID:696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 812
    3⤵
    - Program crash
    PID:988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1208
    3⤵
    - Program crash
    PID:4596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1240
    3⤵
    - Program crash
    PID:3968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1316
    3⤵
    - Program crash
    PID:1080
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 704
      4⤵
      Program crash
      PID:4488
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 908
      4⤵
      Program crash
      PID:2160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 948
      4⤵
      Program crash
      PID:2200
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1104
      4⤵
      Program crash
      PID:3928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1112
      4⤵
      Program crash
      PID:1124
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1132
      4⤵
      Program crash
      PID:1340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1168
      4⤵
      Program crash
      PID:4604
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1020
      4⤵
      Program crash
      PID:4280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 740
      4⤵
      Program crash
      PID:2580
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3828
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4348
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1932
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:3472
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:3684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1272
      4⤵
      Program crash
      PID:2916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 736
      4⤵
      Program crash
      PID:4532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 756
      4⤵
      Program crash
      PID:4312
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1324
      4⤵
      Program crash
      PID:1028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1492
      4⤵
      Program crash
      PID:1136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1136
      4⤵
      Program crash
      PID:1436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1604
      4⤵
      Program crash
      PID:484
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1644
      4⤵
      Program crash
      PID:64
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1620
      4⤵
      Program crash
      PID:696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1364
    3⤵
    - Program crash
    PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 688 -ip 688
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1044 -ip 1044
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1480 -ip 1480
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1480 -ip 1480
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1480 -ip 1480
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1480 -ip 1480
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1480 -ip 1480
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1480 -ip 1480
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1480 -ip 1480
1⤵
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1480 -ip 1480
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1480 -ip 1480
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1480 -ip 1480
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1844 -ip 1844
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1844 -ip 1844
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1844 -ip 1844
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1844 -ip 1844
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1844 -ip 1844
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1844 -ip 1844
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1844 -ip 1844
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1844 -ip 1844
1⤵
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1844 -ip 1844
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1844 -ip 1844
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1844 -ip 1844
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1844 -ip 1844
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1844 -ip 1844
1⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1844 -ip 1844
1⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 428
  2⤵
  - Program crash
  PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4636 -ip 4636
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1844 -ip 1844
1⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1844 -ip 1844
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1844 -ip 1844
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1844 -ip 1844
1⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:2456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 428
  2⤵
  - Program crash
  PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2456 -ip 2456
1⤵
PID:4944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si863396.exe

Filesize
256KB

MD5
1412bf020ec4bb7cfcca1f5863af6718

SHA1
fe0de46c911bdc589c6429153b1db80f76696324

SHA256
df2b52fdaee78020ee934baf0e64c10769561707337e7c2b2153a73eac307d2f

SHA512
5088a5a3a2123c05725f8dce2285ff1376f56c28af5e81695e857b8e305d28101f2dd68475cf063af9146483682fd5d97ce9fe769ec63114e57c544a438f7f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si863396.exe

Filesize
256KB

MD5
1412bf020ec4bb7cfcca1f5863af6718

SHA1
fe0de46c911bdc589c6429153b1db80f76696324

SHA256
df2b52fdaee78020ee934baf0e64c10769561707337e7c2b2153a73eac307d2f

SHA512
5088a5a3a2123c05725f8dce2285ff1376f56c28af5e81695e857b8e305d28101f2dd68475cf063af9146483682fd5d97ce9fe769ec63114e57c544a438f7f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un329976.exe

Filesize
704KB

MD5
cae5e2a7b50b0e281ddf1fdfea28a797

SHA1
635067ff5a0ad404c7427ec60b2aa278d30dbe20

SHA256
e2500e1ea27a5c475f631ac970f771afe1bb546a9647ac2c7af7879d92f4bea0

SHA512
6c6ae9db886377975cdb4cbe6db428af2e2da50ce78f7a8837f11b6238bc0a6b8407049caf844a9d2336bb35859492de1ab8fd88dd82b70f1a727a56385e97bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un329976.exe

Filesize
704KB

MD5
cae5e2a7b50b0e281ddf1fdfea28a797

SHA1
635067ff5a0ad404c7427ec60b2aa278d30dbe20

SHA256
e2500e1ea27a5c475f631ac970f771afe1bb546a9647ac2c7af7879d92f4bea0

SHA512
6c6ae9db886377975cdb4cbe6db428af2e2da50ce78f7a8837f11b6238bc0a6b8407049caf844a9d2336bb35859492de1ab8fd88dd82b70f1a727a56385e97bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk947786.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk947786.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un278914.exe

Filesize
550KB

MD5
26d77a56a6c5c3d8a039258c6621670e

SHA1
84b9beba642330983de86319a0ed2d12848592eb

SHA256
906dd0415359807578c7863872aaaf82a878bb1f8d9cdaffcf3bafbcc433d9f0

SHA512
0955eff46ab5827e6e5d48f9d1654163e8c2000d1fea233eaec458e815740dd9f2d4d218ea715a99b143944e5977212ea9713a3ff5fd677e005a02a77acbcb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un278914.exe

Filesize
550KB

MD5
26d77a56a6c5c3d8a039258c6621670e

SHA1
84b9beba642330983de86319a0ed2d12848592eb

SHA256
906dd0415359807578c7863872aaaf82a878bb1f8d9cdaffcf3bafbcc433d9f0

SHA512
0955eff46ab5827e6e5d48f9d1654163e8c2000d1fea233eaec458e815740dd9f2d4d218ea715a99b143944e5977212ea9713a3ff5fd677e005a02a77acbcb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr639985.exe

Filesize
277KB

MD5
5a0147caf1419623693b747acc8870d6

SHA1
4ae59c2584ee42fd9434a65eee82acd999deb992

SHA256
dfd0f2e6fcd57dc8d5004ef0a19fbfbcfc6bdc0f42e35969e06b46f356442976

SHA512
25267434cfdbd8c81d4a596ef124bd7f084afa075d72993e1745659509256a4d56ebe30ef2cfb25ffe8958609d026e6565c411b981635cf6bf0b387b9918750d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr639985.exe

Filesize
277KB

MD5
5a0147caf1419623693b747acc8870d6

SHA1
4ae59c2584ee42fd9434a65eee82acd999deb992

SHA256
dfd0f2e6fcd57dc8d5004ef0a19fbfbcfc6bdc0f42e35969e06b46f356442976

SHA512
25267434cfdbd8c81d4a596ef124bd7f084afa075d72993e1745659509256a4d56ebe30ef2cfb25ffe8958609d026e6565c411b981635cf6bf0b387b9918750d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu341273.exe

Filesize
360KB

MD5
c0100ac99b339fe4ad124a832cba3693

SHA1
8812c070985e0f39fda8391e8271986f9998eaa3

SHA256
fc5c8c4103d1c405d21f81645e9f02e4dc71b6d2baa3da9bdb766eb7c351e3aa

SHA512
32f690666342dccb6ca9da1c4c86ce424dfba608eb7288be6c5c99cb73b36c2c995ac6c367b9b0f15aff96b52df4e2396ea34df3059263eee4a8a4dc1fdd2b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu341273.exe

Filesize
360KB

MD5
c0100ac99b339fe4ad124a832cba3693

SHA1
8812c070985e0f39fda8391e8271986f9998eaa3

SHA256
fc5c8c4103d1c405d21f81645e9f02e4dc71b6d2baa3da9bdb766eb7c351e3aa

SHA512
32f690666342dccb6ca9da1c4c86ce424dfba608eb7288be6c5c99cb73b36c2c995ac6c367b9b0f15aff96b52df4e2396ea34df3059263eee4a8a4dc1fdd2b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
1412bf020ec4bb7cfcca1f5863af6718

SHA1
fe0de46c911bdc589c6429153b1db80f76696324

SHA256
df2b52fdaee78020ee934baf0e64c10769561707337e7c2b2153a73eac307d2f

SHA512
5088a5a3a2123c05725f8dce2285ff1376f56c28af5e81695e857b8e305d28101f2dd68475cf063af9146483682fd5d97ce9fe769ec63114e57c544a438f7f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
1412bf020ec4bb7cfcca1f5863af6718

SHA1
fe0de46c911bdc589c6429153b1db80f76696324

SHA256
df2b52fdaee78020ee934baf0e64c10769561707337e7c2b2153a73eac307d2f

SHA512
5088a5a3a2123c05725f8dce2285ff1376f56c28af5e81695e857b8e305d28101f2dd68475cf063af9146483682fd5d97ce9fe769ec63114e57c544a438f7f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
1412bf020ec4bb7cfcca1f5863af6718

SHA1
fe0de46c911bdc589c6429153b1db80f76696324

SHA256
df2b52fdaee78020ee934baf0e64c10769561707337e7c2b2153a73eac307d2f

SHA512
5088a5a3a2123c05725f8dce2285ff1376f56c28af5e81695e857b8e305d28101f2dd68475cf063af9146483682fd5d97ce9fe769ec63114e57c544a438f7f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
1412bf020ec4bb7cfcca1f5863af6718

SHA1
fe0de46c911bdc589c6429153b1db80f76696324

SHA256
df2b52fdaee78020ee934baf0e64c10769561707337e7c2b2153a73eac307d2f

SHA512
5088a5a3a2123c05725f8dce2285ff1376f56c28af5e81695e857b8e305d28101f2dd68475cf063af9146483682fd5d97ce9fe769ec63114e57c544a438f7f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
1412bf020ec4bb7cfcca1f5863af6718

SHA1
fe0de46c911bdc589c6429153b1db80f76696324

SHA256
df2b52fdaee78020ee934baf0e64c10769561707337e7c2b2153a73eac307d2f

SHA512
5088a5a3a2123c05725f8dce2285ff1376f56c28af5e81695e857b8e305d28101f2dd68475cf063af9146483682fd5d97ce9fe769ec63114e57c544a438f7f40

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/688-170-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/688-189-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/688-174-0x0000000007240000-0x0000000007252000-memory.dmp

Filesize
72KB

Download
memory/688-176-0x0000000007240000-0x0000000007252000-memory.dmp

Filesize
72KB

Download
memory/688-178-0x0000000007240000-0x0000000007252000-memory.dmp

Filesize
72KB

Download
memory/688-180-0x0000000007240000-0x0000000007252000-memory.dmp

Filesize
72KB

Download
memory/688-182-0x0000000007240000-0x0000000007252000-memory.dmp

Filesize
72KB

Download
memory/688-184-0x0000000007240000-0x0000000007252000-memory.dmp

Filesize
72KB

Download
memory/688-186-0x0000000007240000-0x0000000007252000-memory.dmp

Filesize
72KB

Download
memory/688-187-0x0000000000400000-0x0000000002B9F000-memory.dmp

Filesize
39.6MB

Download
memory/688-188-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/688-171-0x0000000007240000-0x0000000007252000-memory.dmp

Filesize
72KB

Download
memory/688-191-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/688-192-0x0000000000400000-0x0000000002B9F000-memory.dmp

Filesize
39.6MB

Download
memory/688-172-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/688-168-0x0000000007240000-0x0000000007252000-memory.dmp

Filesize
72KB

Download
memory/688-166-0x0000000007240000-0x0000000007252000-memory.dmp

Filesize
72KB

Download
memory/688-164-0x0000000007240000-0x0000000007252000-memory.dmp

Filesize
72KB

Download
memory/688-162-0x0000000007240000-0x0000000007252000-memory.dmp

Filesize
72KB

Download
memory/688-160-0x0000000007240000-0x0000000007252000-memory.dmp

Filesize
72KB

Download
memory/688-158-0x0000000007240000-0x0000000007252000-memory.dmp

Filesize
72KB

Download
memory/688-157-0x0000000007240000-0x0000000007252000-memory.dmp

Filesize
72KB

Download
memory/688-156-0x0000000007320000-0x00000000078C4000-memory.dmp

Filesize
5.6MB

Download
memory/688-155-0x0000000002D20000-0x0000000002D4D000-memory.dmp

Filesize
180KB

Download
memory/1044-205-0x0000000007510000-0x0000000007520000-memory.dmp

Filesize
64KB

Download
memory/1044-1000-0x000000000AEE0000-0x000000000AF56000-memory.dmp

Filesize
472KB

Download
memory/1044-216-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1044-218-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1044-220-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1044-222-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1044-224-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1044-226-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1044-228-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1044-230-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1044-234-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1044-232-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1044-993-0x0000000009E50000-0x000000000A468000-memory.dmp

Filesize
6.1MB

Download
memory/1044-994-0x0000000004F60000-0x0000000004F72000-memory.dmp

Filesize
72KB

Download
memory/1044-995-0x000000000A470000-0x000000000A57A000-memory.dmp

Filesize
1.0MB

Download
memory/1044-996-0x0000000004F90000-0x0000000004FCC000-memory.dmp

Filesize
240KB

Download
memory/1044-997-0x0000000007510000-0x0000000007520000-memory.dmp

Filesize
64KB

Download
memory/1044-998-0x000000000A750000-0x000000000A7B6000-memory.dmp

Filesize
408KB

Download
memory/1044-999-0x000000000AE10000-0x000000000AEA2000-memory.dmp

Filesize
584KB

Download
memory/1044-214-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1044-1001-0x000000000AFC0000-0x000000000B182000-memory.dmp

Filesize
1.8MB

Download
memory/1044-1002-0x000000000B190000-0x000000000B6BC000-memory.dmp

Filesize
5.2MB

Download
memory/1044-1003-0x000000000B7D0000-0x000000000B7EE000-memory.dmp

Filesize
120KB

Download
memory/1044-1004-0x0000000004950000-0x00000000049A0000-memory.dmp

Filesize
320KB

Download
memory/1044-197-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1044-212-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1044-198-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1044-209-0x0000000007510000-0x0000000007520000-memory.dmp

Filesize
64KB

Download
memory/1044-207-0x0000000007510000-0x0000000007520000-memory.dmp

Filesize
64KB

Download
memory/1044-210-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1044-206-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1044-202-0x0000000002D60000-0x0000000002DA6000-memory.dmp

Filesize
280KB

Download
memory/1044-203-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1044-200-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1480-1018-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/3636-1011-0x0000000000390000-0x00000000003B8000-memory.dmp

Filesize
160KB

Download
memory/3636-1012-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download