ec170219dd0b3acf21756d497fc6024620cbaa83534be938bcff3b92cc68ffb7

Analysis

max time kernel
148s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec170219dd0b3acf21756d497fc6024620cbaa83534be938bcff3b92cc68ffb7.exe
Size

963KB
MD5

2066db0c476de67a0197af17d8b1938e
SHA1

8afff614516e70c426fbf4aeefa8bd5c155c1406
SHA256

ec170219dd0b3acf21756d497fc6024620cbaa83534be938bcff3b92cc68ffb7
SHA512

6e544f3d29393376ad46873b9a566a6b0c735a1f176529e95f4f20b58c32f726579cb05f02469c8251ff1cf1917a59f9913cbc3abdc90f9460e482409fffdd01
SSDEEP

24576:1y3eZmB2AzmElmo7UQRzlv9mXqMJg4t0seYUp+qml:Q3JYASEL7jljAqMJJeJ+

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr914672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr914672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr914672.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr914672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr914672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr914672.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	si864246.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
2464	un036470.exe
5060	un522076.exe
1712	pr914672.exe
3280	qu979425.exe
5068	rk059054.exe
1004	si864246.exe
3212	oneetx.exe
1892	oneetx.exe
752	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
2612	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr914672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr914672.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ec170219dd0b3acf21756d497fc6024620cbaa83534be938bcff3b92cc68ffb7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un036470.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un036470.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un522076.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un522076.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ec170219dd0b3acf21756d497fc6024620cbaa83534be938bcff3b92cc68ffb7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 32 IoCs

pid	pid_target	Process	procid_target
3332	1712	WerFault.exe	85
4132	3280	WerFault.exe	94
4836	1004	WerFault.exe	100
1776	1004	WerFault.exe	100
4280	1004	WerFault.exe	100
1180	1004	WerFault.exe	100
3780	1004	WerFault.exe	100
3668	1004	WerFault.exe	100
1500	1004	WerFault.exe	100
1060	1004	WerFault.exe	100
3020	1004	WerFault.exe	100
2512	1004	WerFault.exe	100
700	3212	WerFault.exe	119
3132	3212	WerFault.exe	119
1092	3212	WerFault.exe	119
228	3212	WerFault.exe	119
4428	3212	WerFault.exe	119
3752	3212	WerFault.exe	119
3348	3212	WerFault.exe	119
1276	3212	WerFault.exe	119
4124	3212	WerFault.exe	119
2628	3212	WerFault.exe	119
4384	3212	WerFault.exe	119
1900	3212	WerFault.exe	119
2036	3212	WerFault.exe	119
2608	3212	WerFault.exe	119
4284	1892	WerFault.exe	160
2544	3212	WerFault.exe	119
1060	3212	WerFault.exe	119
3552	3212	WerFault.exe	119
4756	3212	WerFault.exe	119
4260	752	WerFault.exe	170

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1712	pr914672.exe
1712	pr914672.exe
3280	qu979425.exe
3280	qu979425.exe
5068	rk059054.exe
5068	rk059054.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	pr914672.exe
Token: SeDebugPrivilege	3280	qu979425.exe
Token: SeDebugPrivilege	5068	rk059054.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1004	si864246.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2464	1736	ec170219dd0b3acf21756d497fc6024620cbaa83534be938bcff3b92cc68ffb7.exe	83
PID 1736 wrote to memory of 2464	1736	ec170219dd0b3acf21756d497fc6024620cbaa83534be938bcff3b92cc68ffb7.exe	83
PID 1736 wrote to memory of 2464	1736	ec170219dd0b3acf21756d497fc6024620cbaa83534be938bcff3b92cc68ffb7.exe	83
PID 2464 wrote to memory of 5060	2464	un036470.exe	84
PID 2464 wrote to memory of 5060	2464	un036470.exe	84
PID 2464 wrote to memory of 5060	2464	un036470.exe	84
PID 5060 wrote to memory of 1712	5060	un522076.exe	85
PID 5060 wrote to memory of 1712	5060	un522076.exe	85
PID 5060 wrote to memory of 1712	5060	un522076.exe	85
PID 5060 wrote to memory of 3280	5060	un522076.exe	94
PID 5060 wrote to memory of 3280	5060	un522076.exe	94
PID 5060 wrote to memory of 3280	5060	un522076.exe	94
PID 2464 wrote to memory of 5068	2464	un036470.exe	98
PID 2464 wrote to memory of 5068	2464	un036470.exe	98
PID 2464 wrote to memory of 5068	2464	un036470.exe	98
PID 1736 wrote to memory of 1004	1736	ec170219dd0b3acf21756d497fc6024620cbaa83534be938bcff3b92cc68ffb7.exe	100
PID 1736 wrote to memory of 1004	1736	ec170219dd0b3acf21756d497fc6024620cbaa83534be938bcff3b92cc68ffb7.exe	100
PID 1736 wrote to memory of 1004	1736	ec170219dd0b3acf21756d497fc6024620cbaa83534be938bcff3b92cc68ffb7.exe	100
PID 1004 wrote to memory of 3212	1004	si864246.exe	119
PID 1004 wrote to memory of 3212	1004	si864246.exe	119
PID 1004 wrote to memory of 3212	1004	si864246.exe	119
PID 3212 wrote to memory of 4708	3212	oneetx.exe	136
PID 3212 wrote to memory of 4708	3212	oneetx.exe	136
PID 3212 wrote to memory of 4708	3212	oneetx.exe	136
PID 3212 wrote to memory of 4544	3212	oneetx.exe	142
PID 3212 wrote to memory of 4544	3212	oneetx.exe	142
PID 3212 wrote to memory of 4544	3212	oneetx.exe	142
PID 4544 wrote to memory of 4572	4544	cmd.exe	146
PID 4544 wrote to memory of 4572	4544	cmd.exe	146
PID 4544 wrote to memory of 4572	4544	cmd.exe	146
PID 4544 wrote to memory of 3108	4544	cmd.exe	147
PID 4544 wrote to memory of 3108	4544	cmd.exe	147
PID 4544 wrote to memory of 3108	4544	cmd.exe	147
PID 4544 wrote to memory of 4132	4544	cmd.exe	148
PID 4544 wrote to memory of 4132	4544	cmd.exe	148
PID 4544 wrote to memory of 4132	4544	cmd.exe	148
PID 4544 wrote to memory of 2720	4544	cmd.exe	150
PID 4544 wrote to memory of 2720	4544	cmd.exe	150
PID 4544 wrote to memory of 2720	4544	cmd.exe	150
PID 4544 wrote to memory of 644	4544	cmd.exe	149
PID 4544 wrote to memory of 644	4544	cmd.exe	149
PID 4544 wrote to memory of 644	4544	cmd.exe	149
PID 4544 wrote to memory of 4796	4544	cmd.exe	151
PID 4544 wrote to memory of 4796	4544	cmd.exe	151
PID 4544 wrote to memory of 4796	4544	cmd.exe	151
PID 3212 wrote to memory of 2612	3212	oneetx.exe	167
PID 3212 wrote to memory of 2612	3212	oneetx.exe	167
PID 3212 wrote to memory of 2612	3212	oneetx.exe	167

C:\Users\Admin\AppData\Local\Temp\ec170219dd0b3acf21756d497fc6024620cbaa83534be938bcff3b92cc68ffb7.exe
"C:\Users\Admin\AppData\Local\Temp\ec170219dd0b3acf21756d497fc6024620cbaa83534be938bcff3b92cc68ffb7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un036470.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un036470.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un522076.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un522076.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr914672.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr914672.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1712
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 1084
        5⤵
        Program crash
        
        PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu979425.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu979425.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3280
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1324
        5⤵
        Program crash
        
        PID:4132
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk059054.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk059054.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si864246.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si864246.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 708
    3⤵
    - Program crash
    PID:4836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 796
    3⤵
    - Program crash
    PID:1776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 824
    3⤵
    - Program crash
    PID:4280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 952
    3⤵
    - Program crash
    PID:1180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 984
    3⤵
    - Program crash
    PID:3780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 860
    3⤵
    - Program crash
    PID:3668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 1224
    3⤵
    - Program crash
    PID:1500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 1264
    3⤵
    - Program crash
    PID:1060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 1324
    3⤵
    - Program crash
    PID:3020
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3212
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 704
      4⤵
      Program crash
      PID:700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 800
      4⤵
      Program crash
      PID:3132
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 896
      4⤵
      Program crash
      PID:1092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1052
      4⤵
      Program crash
      PID:228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1060
      4⤵
      Program crash
      PID:4428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1108
      4⤵
      Program crash
      PID:3752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1084
      4⤵
      Program crash
      PID:3348
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 992
      4⤵
      Program crash
      PID:1276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 788
      4⤵
      Program crash
      PID:4124
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4572
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:3108
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:4132
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:644
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2720
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:4796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1300
      4⤵
      Program crash
      PID:2628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 924
      4⤵
      Program crash
      PID:4384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 776
      4⤵
      Program crash
      PID:1900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1296
      4⤵
      Program crash
      PID:2036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 828
      4⤵
      Program crash
      PID:2608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1140
      4⤵
      Program crash
      PID:2544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1620
      4⤵
      Program crash
      PID:1060
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 896
      4⤵
      Program crash
      PID:3552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1636
      4⤵
      Program crash
      PID:4756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 1372
    3⤵
    - Program crash
    PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1712 -ip 1712
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3280 -ip 3280
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1004 -ip 1004
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1004 -ip 1004
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1004 -ip 1004
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1004 -ip 1004
1⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1004 -ip 1004
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1004 -ip 1004
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1004 -ip 1004
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1004 -ip 1004
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1004 -ip 1004
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1004 -ip 1004
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3212 -ip 3212
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3212 -ip 3212
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 3212 -ip 3212
1⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3212 -ip 3212
1⤵
PID:340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3212 -ip 3212
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3212 -ip 3212
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3212 -ip 3212
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3212 -ip 3212
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3212 -ip 3212
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3212 -ip 3212
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3212 -ip 3212
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3212 -ip 3212
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3212 -ip 3212
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3212 -ip 3212
1⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:1892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 428
  2⤵
  - Program crash
  PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1892 -ip 1892
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3212 -ip 3212
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3212 -ip 3212
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3212 -ip 3212
1⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 356
  2⤵
  - Program crash
  PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3212 -ip 3212
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 752 -ip 752
1⤵
PID:1564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si864246.exe

Filesize
256KB

MD5
64e3aaf5ed7b20ff358b3885f68b5c99

SHA1
acabf526b79f293165ce8a7293c660d3096ca089

SHA256
b65a3d43a589d6a91fd8b5ddc4ecc7a323bb91edb1786ec117fe63887a5283a9

SHA512
59a6652f802806d67c9d1c5b53871c4265ab271e8fabf3549d888d4efefe3cb97a7f6e2ab574c87f8781ae153c13b565d55dce0e068a331bf3430e595681f31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si864246.exe

Filesize
256KB

MD5
64e3aaf5ed7b20ff358b3885f68b5c99

SHA1
acabf526b79f293165ce8a7293c660d3096ca089

SHA256
b65a3d43a589d6a91fd8b5ddc4ecc7a323bb91edb1786ec117fe63887a5283a9

SHA512
59a6652f802806d67c9d1c5b53871c4265ab271e8fabf3549d888d4efefe3cb97a7f6e2ab574c87f8781ae153c13b565d55dce0e068a331bf3430e595681f31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un036470.exe

Filesize
704KB

MD5
4f577c57144f4207b03e79ac11eada12

SHA1
42fbfc3d42adf48571a91dc92928d63fb01c4697

SHA256
9fdab61ce03a34901d78a68961ddbbdd38e321d7ea77afcd019ac9eb7eb09e77

SHA512
ed0056d2fe8b72efd23ed94c18a0b7be440efc9727f8a3d38767f86a3dcc8d0f613c89d5a83ba248c04ca8a198882b6dc7d6ace0794a62cd7e0249c68236a98b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un036470.exe

Filesize
704KB

MD5
4f577c57144f4207b03e79ac11eada12

SHA1
42fbfc3d42adf48571a91dc92928d63fb01c4697

SHA256
9fdab61ce03a34901d78a68961ddbbdd38e321d7ea77afcd019ac9eb7eb09e77

SHA512
ed0056d2fe8b72efd23ed94c18a0b7be440efc9727f8a3d38767f86a3dcc8d0f613c89d5a83ba248c04ca8a198882b6dc7d6ace0794a62cd7e0249c68236a98b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk059054.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk059054.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un522076.exe

Filesize
550KB

MD5
3720fe9b47e3b2a6208ea506ca6f6d7b

SHA1
cb6320f3533ae78e07d0fae7004942d1ab676bd4

SHA256
c24769c4a6fc0db24acbda4a2d73a1be279cfdca8fb62d1620e51c6cedf385fe

SHA512
db47eebcd825ad8fb26f76fbe3e50eb458a6651e4b2ed5d67f303284fbe66db2fdb866675ed23fed8ac9275103ca553e2bd67a90cf9c8b36d2e2a5f8c5db4094

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un522076.exe

Filesize
550KB

MD5
3720fe9b47e3b2a6208ea506ca6f6d7b

SHA1
cb6320f3533ae78e07d0fae7004942d1ab676bd4

SHA256
c24769c4a6fc0db24acbda4a2d73a1be279cfdca8fb62d1620e51c6cedf385fe

SHA512
db47eebcd825ad8fb26f76fbe3e50eb458a6651e4b2ed5d67f303284fbe66db2fdb866675ed23fed8ac9275103ca553e2bd67a90cf9c8b36d2e2a5f8c5db4094

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr914672.exe

Filesize
277KB

MD5
3810f359fb55a4da17d661942450a880

SHA1
0a4a7be79b866b48bd1f98733ab160381bc37906

SHA256
1e179a48f04c485a271dffb45f509fd081ea6349f6d9c8490a8afe6bee26bbd7

SHA512
6002e1cf9eeadd6f128eb32cf38b06e3f5964e6354388a73e290b2de10146d3c3e9065fe5ab985077d6acc25715c8300147b1518c22d90a23bc937bab701c327

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr914672.exe

Filesize
277KB

MD5
3810f359fb55a4da17d661942450a880

SHA1
0a4a7be79b866b48bd1f98733ab160381bc37906

SHA256
1e179a48f04c485a271dffb45f509fd081ea6349f6d9c8490a8afe6bee26bbd7

SHA512
6002e1cf9eeadd6f128eb32cf38b06e3f5964e6354388a73e290b2de10146d3c3e9065fe5ab985077d6acc25715c8300147b1518c22d90a23bc937bab701c327

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu979425.exe

Filesize
360KB

MD5
10fe77dabcaab1c0c49cf690ae8c203d

SHA1
b939d4de80a8caa70deb6a8fb90d252bada5adb6

SHA256
002f02f27cd6f0d0b805c8cb298f3757b19b3b15187cab4372d13a8ce75a2660

SHA512
0d5cf839dede204ccae78719a3bb145b9fc987af141f082086597f2c555060234f277c67b74de79da7779ce62f68b5a7654c1d336067efb223c7f630f2274501

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu979425.exe

Filesize
360KB

MD5
10fe77dabcaab1c0c49cf690ae8c203d

SHA1
b939d4de80a8caa70deb6a8fb90d252bada5adb6

SHA256
002f02f27cd6f0d0b805c8cb298f3757b19b3b15187cab4372d13a8ce75a2660

SHA512
0d5cf839dede204ccae78719a3bb145b9fc987af141f082086597f2c555060234f277c67b74de79da7779ce62f68b5a7654c1d336067efb223c7f630f2274501

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
64e3aaf5ed7b20ff358b3885f68b5c99

SHA1
acabf526b79f293165ce8a7293c660d3096ca089

SHA256
b65a3d43a589d6a91fd8b5ddc4ecc7a323bb91edb1786ec117fe63887a5283a9

SHA512
59a6652f802806d67c9d1c5b53871c4265ab271e8fabf3549d888d4efefe3cb97a7f6e2ab574c87f8781ae153c13b565d55dce0e068a331bf3430e595681f31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
64e3aaf5ed7b20ff358b3885f68b5c99

SHA1
acabf526b79f293165ce8a7293c660d3096ca089

SHA256
b65a3d43a589d6a91fd8b5ddc4ecc7a323bb91edb1786ec117fe63887a5283a9

SHA512
59a6652f802806d67c9d1c5b53871c4265ab271e8fabf3549d888d4efefe3cb97a7f6e2ab574c87f8781ae153c13b565d55dce0e068a331bf3430e595681f31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
64e3aaf5ed7b20ff358b3885f68b5c99

SHA1
acabf526b79f293165ce8a7293c660d3096ca089

SHA256
b65a3d43a589d6a91fd8b5ddc4ecc7a323bb91edb1786ec117fe63887a5283a9

SHA512
59a6652f802806d67c9d1c5b53871c4265ab271e8fabf3549d888d4efefe3cb97a7f6e2ab574c87f8781ae153c13b565d55dce0e068a331bf3430e595681f31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
64e3aaf5ed7b20ff358b3885f68b5c99

SHA1
acabf526b79f293165ce8a7293c660d3096ca089

SHA256
b65a3d43a589d6a91fd8b5ddc4ecc7a323bb91edb1786ec117fe63887a5283a9

SHA512
59a6652f802806d67c9d1c5b53871c4265ab271e8fabf3549d888d4efefe3cb97a7f6e2ab574c87f8781ae153c13b565d55dce0e068a331bf3430e595681f31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
64e3aaf5ed7b20ff358b3885f68b5c99

SHA1
acabf526b79f293165ce8a7293c660d3096ca089

SHA256
b65a3d43a589d6a91fd8b5ddc4ecc7a323bb91edb1786ec117fe63887a5283a9

SHA512
59a6652f802806d67c9d1c5b53871c4265ab271e8fabf3549d888d4efefe3cb97a7f6e2ab574c87f8781ae153c13b565d55dce0e068a331bf3430e595681f31d

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1004-1018-0x0000000002CF0000-0x0000000002D25000-memory.dmp

Filesize
212KB

Download
memory/1712-172-0x0000000007120000-0x0000000007132000-memory.dmp

Filesize
72KB

Download
memory/1712-190-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/1712-176-0x0000000007120000-0x0000000007132000-memory.dmp

Filesize
72KB

Download
memory/1712-178-0x0000000007120000-0x0000000007132000-memory.dmp

Filesize
72KB

Download
memory/1712-180-0x0000000007120000-0x0000000007132000-memory.dmp

Filesize
72KB

Download
memory/1712-182-0x0000000007120000-0x0000000007132000-memory.dmp

Filesize
72KB

Download
memory/1712-184-0x0000000007120000-0x0000000007132000-memory.dmp

Filesize
72KB

Download
memory/1712-186-0x0000000007120000-0x0000000007132000-memory.dmp

Filesize
72KB

Download
memory/1712-187-0x0000000000400000-0x0000000002B9F000-memory.dmp

Filesize
39.6MB

Download
memory/1712-188-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/1712-189-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/1712-174-0x0000000007120000-0x0000000007132000-memory.dmp

Filesize
72KB

Download
memory/1712-192-0x0000000000400000-0x0000000002B9F000-memory.dmp

Filesize
39.6MB

Download
memory/1712-170-0x0000000007120000-0x0000000007132000-memory.dmp

Filesize
72KB

Download
memory/1712-168-0x0000000007120000-0x0000000007132000-memory.dmp

Filesize
72KB

Download
memory/1712-166-0x0000000007120000-0x0000000007132000-memory.dmp

Filesize
72KB

Download
memory/1712-164-0x0000000007120000-0x0000000007132000-memory.dmp

Filesize
72KB

Download
memory/1712-162-0x0000000007120000-0x0000000007132000-memory.dmp

Filesize
72KB

Download
memory/1712-160-0x0000000007120000-0x0000000007132000-memory.dmp

Filesize
72KB

Download
memory/1712-159-0x0000000007120000-0x0000000007132000-memory.dmp

Filesize
72KB

Download
memory/1712-158-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/1712-157-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/1712-156-0x0000000002CF0000-0x0000000002D1D000-memory.dmp

Filesize
180KB

Download
memory/1712-155-0x0000000007310000-0x00000000078B4000-memory.dmp

Filesize
5.6MB

Download
memory/3280-206-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/3280-999-0x000000000AE10000-0x000000000AEA2000-memory.dmp

Filesize
584KB

Download
memory/3280-222-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/3280-225-0x0000000002D10000-0x0000000002D56000-memory.dmp

Filesize
280KB

Download
memory/3280-224-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/3280-227-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/3280-228-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/3280-231-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/3280-230-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/3280-232-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/3280-234-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/3280-993-0x0000000009CB0000-0x000000000A2C8000-memory.dmp

Filesize
6.1MB

Download
memory/3280-994-0x000000000A310000-0x000000000A322000-memory.dmp

Filesize
72KB

Download
memory/3280-995-0x000000000A330000-0x000000000A43A000-memory.dmp

Filesize
1.0MB

Download
memory/3280-996-0x000000000A450000-0x000000000A48C000-memory.dmp

Filesize
240KB

Download
memory/3280-997-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/3280-998-0x000000000A750000-0x000000000A7B6000-memory.dmp

Filesize
408KB

Download
memory/3280-220-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/3280-1000-0x000000000AED0000-0x000000000AF46000-memory.dmp

Filesize
472KB

Download
memory/3280-1001-0x000000000AF80000-0x000000000AF9E000-memory.dmp

Filesize
120KB

Download
memory/3280-1002-0x000000000B010000-0x000000000B060000-memory.dmp

Filesize
320KB

Download
memory/3280-1003-0x000000000B1A0000-0x000000000B362000-memory.dmp

Filesize
1.8MB

Download
memory/3280-1004-0x000000000B580000-0x000000000BAAC000-memory.dmp

Filesize
5.2MB

Download
memory/3280-197-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/3280-218-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/3280-216-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/3280-214-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/3280-212-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/3280-210-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/3280-208-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/3280-204-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/3280-198-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/3280-202-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/3280-200-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/5068-1011-0x0000000000CB0000-0x0000000000CD8000-memory.dmp

Filesize
160KB

Download
memory/5068-1012-0x0000000007D50000-0x0000000007D60000-memory.dmp

Filesize
64KB

Download