fd89e6f2ff0872aa2d2d3d578a20c08a6fb1f6a1a744e617ec2afabda342a39b

Analysis

max time kernel
150s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd89e6f2ff0872aa2d2d3d578a20c08a6fb1f6a1a744e617ec2afabda342a39b.exe
Size

966KB
MD5

9ed39d6d84f116b18ed08685f80702d0
SHA1

ad8681afc5ed56af50f9022f7f0fe176b9511bfa
SHA256

fd89e6f2ff0872aa2d2d3d578a20c08a6fb1f6a1a744e617ec2afabda342a39b
SHA512

cd16991fbd4308cf3bb8cf3a3a8426404ec12d160aceb7155302e1aca3f18ad60f80ef9c5cba3087f46ce3af08b1bfd87a9a9265b1606650172befafaae4a72c
SSDEEP

24576:BymdmYwyJf5s6AXFd9EkE6AeoChwZYcLptf:0mdXR5u9EkE6J9ot

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr609265.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr609265.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr609265.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr609265.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr609265.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr609265.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	si710604.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
4896	un916755.exe
4560	un229043.exe
212	pr609265.exe
3432	qu804679.exe
3876	rk052658.exe
4340	si710604.exe
4240	oneetx.exe
3736	oneetx.exe
3048	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
1016	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr609265.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr609265.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fd89e6f2ff0872aa2d2d3d578a20c08a6fb1f6a1a744e617ec2afabda342a39b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un916755.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un916755.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un229043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un229043.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fd89e6f2ff0872aa2d2d3d578a20c08a6fb1f6a1a744e617ec2afabda342a39b.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 32 IoCs

pid	pid_target	Process	procid_target
4460	212	WerFault.exe	88
3892	3432	WerFault.exe	94
112	4340	WerFault.exe	100
4216	4340	WerFault.exe	100
1600	4340	WerFault.exe	100
1316	4340	WerFault.exe	100
4360	4340	WerFault.exe	100
696	4340	WerFault.exe	100
1900	4340	WerFault.exe	100
396	4340	WerFault.exe	100
3296	4340	WerFault.exe	100
4936	4340	WerFault.exe	100
4080	4340	WerFault.exe	100
1652	4240	WerFault.exe	124
3400	4240	WerFault.exe	124
2520	4240	WerFault.exe	124
4732	4240	WerFault.exe	124
3164	4240	WerFault.exe	124
1132	4240	WerFault.exe	124
3036	4240	WerFault.exe	124
4656	4240	WerFault.exe	124
4132	4240	WerFault.exe	124
4052	4240	WerFault.exe	124
1068	4240	WerFault.exe	124
3240	4240	WerFault.exe	124
4416	4240	WerFault.exe	124
1520	3736	WerFault.exe	163
2196	4240	WerFault.exe	124
4516	4240	WerFault.exe	124
1452	4240	WerFault.exe	124
2784	4240	WerFault.exe	124
2852	3048	WerFault.exe	175

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
212	pr609265.exe
212	pr609265.exe
3432	qu804679.exe
3432	qu804679.exe
3876	rk052658.exe
3876	rk052658.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	pr609265.exe
Token: SeDebugPrivilege	3432	qu804679.exe
Token: SeDebugPrivilege	3876	rk052658.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4340	si710604.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 4896	4028	fd89e6f2ff0872aa2d2d3d578a20c08a6fb1f6a1a744e617ec2afabda342a39b.exe	86
PID 4028 wrote to memory of 4896	4028	fd89e6f2ff0872aa2d2d3d578a20c08a6fb1f6a1a744e617ec2afabda342a39b.exe	86
PID 4028 wrote to memory of 4896	4028	fd89e6f2ff0872aa2d2d3d578a20c08a6fb1f6a1a744e617ec2afabda342a39b.exe	86
PID 4896 wrote to memory of 4560	4896	un916755.exe	87
PID 4896 wrote to memory of 4560	4896	un916755.exe	87
PID 4896 wrote to memory of 4560	4896	un916755.exe	87
PID 4560 wrote to memory of 212	4560	un229043.exe	88
PID 4560 wrote to memory of 212	4560	un229043.exe	88
PID 4560 wrote to memory of 212	4560	un229043.exe	88
PID 4560 wrote to memory of 3432	4560	un229043.exe	94
PID 4560 wrote to memory of 3432	4560	un229043.exe	94
PID 4560 wrote to memory of 3432	4560	un229043.exe	94
PID 4896 wrote to memory of 3876	4896	un916755.exe	98
PID 4896 wrote to memory of 3876	4896	un916755.exe	98
PID 4896 wrote to memory of 3876	4896	un916755.exe	98
PID 4028 wrote to memory of 4340	4028	fd89e6f2ff0872aa2d2d3d578a20c08a6fb1f6a1a744e617ec2afabda342a39b.exe	100
PID 4028 wrote to memory of 4340	4028	fd89e6f2ff0872aa2d2d3d578a20c08a6fb1f6a1a744e617ec2afabda342a39b.exe	100
PID 4028 wrote to memory of 4340	4028	fd89e6f2ff0872aa2d2d3d578a20c08a6fb1f6a1a744e617ec2afabda342a39b.exe	100
PID 4340 wrote to memory of 4240	4340	si710604.exe	124
PID 4340 wrote to memory of 4240	4340	si710604.exe	124
PID 4340 wrote to memory of 4240	4340	si710604.exe	124
PID 4240 wrote to memory of 4332	4240	oneetx.exe	141
PID 4240 wrote to memory of 4332	4240	oneetx.exe	141
PID 4240 wrote to memory of 4332	4240	oneetx.exe	141
PID 4240 wrote to memory of 4436	4240	oneetx.exe	147
PID 4240 wrote to memory of 4436	4240	oneetx.exe	147
PID 4240 wrote to memory of 4436	4240	oneetx.exe	147
PID 4436 wrote to memory of 4064	4436	cmd.exe	151
PID 4436 wrote to memory of 4064	4436	cmd.exe	151
PID 4436 wrote to memory of 4064	4436	cmd.exe	151
PID 4436 wrote to memory of 4784	4436	cmd.exe	152
PID 4436 wrote to memory of 4784	4436	cmd.exe	152
PID 4436 wrote to memory of 4784	4436	cmd.exe	152
PID 4436 wrote to memory of 1592	4436	cmd.exe	153
PID 4436 wrote to memory of 1592	4436	cmd.exe	153
PID 4436 wrote to memory of 1592	4436	cmd.exe	153
PID 4436 wrote to memory of 1976	4436	cmd.exe	154
PID 4436 wrote to memory of 1976	4436	cmd.exe	154
PID 4436 wrote to memory of 1976	4436	cmd.exe	154
PID 4436 wrote to memory of 2692	4436	cmd.exe	155
PID 4436 wrote to memory of 2692	4436	cmd.exe	155
PID 4436 wrote to memory of 2692	4436	cmd.exe	155
PID 4436 wrote to memory of 4068	4436	cmd.exe	156
PID 4436 wrote to memory of 4068	4436	cmd.exe	156
PID 4436 wrote to memory of 4068	4436	cmd.exe	156
PID 4240 wrote to memory of 1016	4240	oneetx.exe	170
PID 4240 wrote to memory of 1016	4240	oneetx.exe	170
PID 4240 wrote to memory of 1016	4240	oneetx.exe	170

C:\Users\Admin\AppData\Local\Temp\fd89e6f2ff0872aa2d2d3d578a20c08a6fb1f6a1a744e617ec2afabda342a39b.exe
"C:\Users\Admin\AppData\Local\Temp\fd89e6f2ff0872aa2d2d3d578a20c08a6fb1f6a1a744e617ec2afabda342a39b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un916755.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un916755.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un229043.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un229043.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr609265.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr609265.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:212
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1084
        5⤵
        Program crash
        
        PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu804679.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu804679.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3432
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 1484
        5⤵
        Program crash
        
        PID:3892
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk052658.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk052658.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3876
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si710604.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si710604.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 696
    3⤵
    - Program crash
    PID:112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 780
    3⤵
    - Program crash
    PID:4216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 876
    3⤵
    - Program crash
    PID:1600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 884
    3⤵
    - Program crash
    PID:1316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 880
    3⤵
    - Program crash
    PID:4360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 880
    3⤵
    - Program crash
    PID:696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1224
    3⤵
    - Program crash
    PID:1900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1324
    3⤵
    - Program crash
    PID:396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1364
    3⤵
    - Program crash
    PID:3296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1336
    3⤵
    - Program crash
    PID:4936
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 628
      4⤵
      Program crash
      PID:1652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 868
      4⤵
      Program crash
      PID:3400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 912
      4⤵
      Program crash
      PID:2520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1052
      4⤵
      Program crash
      PID:4732
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1060
      4⤵
      Program crash
      PID:3164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1064
      4⤵
      Program crash
      PID:1132
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1060
      4⤵
      Program crash
      PID:3036
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 992
      4⤵
      Program crash
      PID:4656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1312
      4⤵
      Program crash
      PID:4132
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4064
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:4784
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:1592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1976
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:2692
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:4068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 768
      4⤵
      Program crash
      PID:4052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 992
      4⤵
      Program crash
      PID:1068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 688
      4⤵
      Program crash
      PID:3240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1376
      4⤵
      Program crash
      PID:4416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1108
      4⤵
      Program crash
      PID:2196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1108
      4⤵
      Program crash
      PID:4516
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:1016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1592
      4⤵
      Program crash
      PID:1452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1556
      4⤵
      Program crash
      PID:2784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1216
    3⤵
    - Program crash
    PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 212 -ip 212
1⤵
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3432 -ip 3432
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4340 -ip 4340
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4340 -ip 4340
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4340 -ip 4340
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4340 -ip 4340
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4340 -ip 4340
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4340 -ip 4340
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4340 -ip 4340
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4340 -ip 4340
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4340 -ip 4340
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4340 -ip 4340
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4340 -ip 4340
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4240 -ip 4240
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4240 -ip 4240
1⤵
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4240 -ip 4240
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4240 -ip 4240
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4240 -ip 4240
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4240 -ip 4240
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4240 -ip 4240
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4240 -ip 4240
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4240 -ip 4240
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4240 -ip 4240
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4240 -ip 4240
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4240 -ip 4240
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4240 -ip 4240
1⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 312
  2⤵
  - Program crash
  PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3736 -ip 3736
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4240 -ip 4240
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4240 -ip 4240
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4240 -ip 4240
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4240 -ip 4240
1⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 312
  2⤵
  - Program crash
  PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3048 -ip 3048
1⤵
PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si710604.exe

Filesize
256KB

MD5
52f61676f0f1db9c09182a8cf109ebd6

SHA1
bfbb52338aa38ab36ca63c6ec3d7ca8724fac3ac

SHA256
537e330cec6c8f1d9b3043a031b405ac88a98279e80c2d5b3c7fc3d2c0a966c8

SHA512
63ee6c2507b603055c60208eec7c49c451179c2de6e43a7e4423c61ecf85e3fbd38366b0fe39b7398d9f177e81e1bdfec49954197d76acba47d8770d7849b86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si710604.exe

Filesize
256KB

MD5
52f61676f0f1db9c09182a8cf109ebd6

SHA1
bfbb52338aa38ab36ca63c6ec3d7ca8724fac3ac

SHA256
537e330cec6c8f1d9b3043a031b405ac88a98279e80c2d5b3c7fc3d2c0a966c8

SHA512
63ee6c2507b603055c60208eec7c49c451179c2de6e43a7e4423c61ecf85e3fbd38366b0fe39b7398d9f177e81e1bdfec49954197d76acba47d8770d7849b86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un916755.exe

Filesize
707KB

MD5
48f86fd54cbcb37b11c2e0766cef36c4

SHA1
d7c3cbb268f96cc50e0d962421a8178f261c7e2c

SHA256
e6425dc8234b160f8f5b2ea5186a97aa11ddfbbad21a5950285c9c5cbbfb88a8

SHA512
da3722992261707941a5f744e4fe1066c7d10785f868a514303aa75a6e1b81bf5371c46e0aec5020b807392ca7a989fb6998da48c7a1d0ed0b5f0a7fa358811d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un916755.exe

Filesize
707KB

MD5
48f86fd54cbcb37b11c2e0766cef36c4

SHA1
d7c3cbb268f96cc50e0d962421a8178f261c7e2c

SHA256
e6425dc8234b160f8f5b2ea5186a97aa11ddfbbad21a5950285c9c5cbbfb88a8

SHA512
da3722992261707941a5f744e4fe1066c7d10785f868a514303aa75a6e1b81bf5371c46e0aec5020b807392ca7a989fb6998da48c7a1d0ed0b5f0a7fa358811d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk052658.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk052658.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un229043.exe

Filesize
553KB

MD5
5b2f0e85312750d542e75b5d374bead7

SHA1
d46077e90a2af794ba00f22c7ed55147cf0df86f

SHA256
dce875089d89287495e08f2274217c01a9f687440327123ee19d322ac0fa4f9f

SHA512
3395acd383dcb12338e9ab74387bc5c41ebcd390c3fc991295e587f0fe8bc72ad94c35b263ed781348e15877eed3918fdb403a5237eb13a8bc5decb313d1f476

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un229043.exe

Filesize
553KB

MD5
5b2f0e85312750d542e75b5d374bead7

SHA1
d46077e90a2af794ba00f22c7ed55147cf0df86f

SHA256
dce875089d89287495e08f2274217c01a9f687440327123ee19d322ac0fa4f9f

SHA512
3395acd383dcb12338e9ab74387bc5c41ebcd390c3fc991295e587f0fe8bc72ad94c35b263ed781348e15877eed3918fdb403a5237eb13a8bc5decb313d1f476

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr609265.exe

Filesize
278KB

MD5
903c6a0d09229149ef7bc19b502f458b

SHA1
3d0f0d266439f49368822b92343a338ef6033802

SHA256
57a08e3a2cd735c211aa63929a0585aae44b3c7667652de4f311fc138f71faf1

SHA512
14eaa71dd4ff39125f962d2ce642a3ce9981002ab8c4ae692e28d69134f38d2ca6c26c807965717920cb6d8a7a38b13327c318e418e33e50d7b1f423b6a1f8ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr609265.exe

Filesize
278KB

MD5
903c6a0d09229149ef7bc19b502f458b

SHA1
3d0f0d266439f49368822b92343a338ef6033802

SHA256
57a08e3a2cd735c211aa63929a0585aae44b3c7667652de4f311fc138f71faf1

SHA512
14eaa71dd4ff39125f962d2ce642a3ce9981002ab8c4ae692e28d69134f38d2ca6c26c807965717920cb6d8a7a38b13327c318e418e33e50d7b1f423b6a1f8ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu804679.exe

Filesize
360KB

MD5
287d09b54150b445b7290839245e1bf7

SHA1
203179a9199b253f216ab5bc9731e91a81792374

SHA256
f38b131c20786b6842c2c17b285da174553aab752441b39e50eabdaece62b6d5

SHA512
9b4a25bcfa9a63de03213cd0c268f7b98030c6024caae90ebfaf063f4e4019858aaca0cdab9cb7ca76f9c642c062b7a3b9a00a400220a8b0bf81dbf7f6843df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu804679.exe

Filesize
360KB

MD5
287d09b54150b445b7290839245e1bf7

SHA1
203179a9199b253f216ab5bc9731e91a81792374

SHA256
f38b131c20786b6842c2c17b285da174553aab752441b39e50eabdaece62b6d5

SHA512
9b4a25bcfa9a63de03213cd0c268f7b98030c6024caae90ebfaf063f4e4019858aaca0cdab9cb7ca76f9c642c062b7a3b9a00a400220a8b0bf81dbf7f6843df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
52f61676f0f1db9c09182a8cf109ebd6

SHA1
bfbb52338aa38ab36ca63c6ec3d7ca8724fac3ac

SHA256
537e330cec6c8f1d9b3043a031b405ac88a98279e80c2d5b3c7fc3d2c0a966c8

SHA512
63ee6c2507b603055c60208eec7c49c451179c2de6e43a7e4423c61ecf85e3fbd38366b0fe39b7398d9f177e81e1bdfec49954197d76acba47d8770d7849b86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
52f61676f0f1db9c09182a8cf109ebd6

SHA1
bfbb52338aa38ab36ca63c6ec3d7ca8724fac3ac

SHA256
537e330cec6c8f1d9b3043a031b405ac88a98279e80c2d5b3c7fc3d2c0a966c8

SHA512
63ee6c2507b603055c60208eec7c49c451179c2de6e43a7e4423c61ecf85e3fbd38366b0fe39b7398d9f177e81e1bdfec49954197d76acba47d8770d7849b86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
52f61676f0f1db9c09182a8cf109ebd6

SHA1
bfbb52338aa38ab36ca63c6ec3d7ca8724fac3ac

SHA256
537e330cec6c8f1d9b3043a031b405ac88a98279e80c2d5b3c7fc3d2c0a966c8

SHA512
63ee6c2507b603055c60208eec7c49c451179c2de6e43a7e4423c61ecf85e3fbd38366b0fe39b7398d9f177e81e1bdfec49954197d76acba47d8770d7849b86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
52f61676f0f1db9c09182a8cf109ebd6

SHA1
bfbb52338aa38ab36ca63c6ec3d7ca8724fac3ac

SHA256
537e330cec6c8f1d9b3043a031b405ac88a98279e80c2d5b3c7fc3d2c0a966c8

SHA512
63ee6c2507b603055c60208eec7c49c451179c2de6e43a7e4423c61ecf85e3fbd38366b0fe39b7398d9f177e81e1bdfec49954197d76acba47d8770d7849b86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
52f61676f0f1db9c09182a8cf109ebd6

SHA1
bfbb52338aa38ab36ca63c6ec3d7ca8724fac3ac

SHA256
537e330cec6c8f1d9b3043a031b405ac88a98279e80c2d5b3c7fc3d2c0a966c8

SHA512
63ee6c2507b603055c60208eec7c49c451179c2de6e43a7e4423c61ecf85e3fbd38366b0fe39b7398d9f177e81e1bdfec49954197d76acba47d8770d7849b86f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/212-174-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/212-191-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/212-176-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/212-178-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/212-180-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/212-182-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/212-184-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/212-185-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/212-186-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/212-187-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/212-188-0x0000000000400000-0x0000000002B9F000-memory.dmp

Filesize
39.6MB

Download
memory/212-190-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/212-192-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/212-172-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/212-193-0x0000000000400000-0x0000000002B9F000-memory.dmp

Filesize
39.6MB

Download
memory/212-170-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/212-166-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/212-168-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/212-164-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/212-162-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/212-160-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/212-158-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/212-157-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/212-156-0x0000000007120000-0x00000000076C4000-memory.dmp

Filesize
5.6MB

Download
memory/212-155-0x0000000002CB0000-0x0000000002CDD000-memory.dmp

Filesize
180KB

Download
memory/3432-208-0x0000000002D20000-0x0000000002D66000-memory.dmp

Filesize
280KB

Download
memory/3432-1002-0x000000000B170000-0x000000000B1E6000-memory.dmp

Filesize
472KB

Download
memory/3432-218-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/3432-220-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/3432-222-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/3432-224-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/3432-226-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/3432-228-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/3432-230-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/3432-232-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/3432-234-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/3432-993-0x0000000009C50000-0x000000000A268000-memory.dmp

Filesize
6.1MB

Download
memory/3432-994-0x000000000A310000-0x000000000A322000-memory.dmp

Filesize
72KB

Download
memory/3432-995-0x000000000A330000-0x000000000A43A000-memory.dmp

Filesize
1.0MB

Download
memory/3432-996-0x000000000A450000-0x000000000A48C000-memory.dmp

Filesize
240KB

Download
memory/3432-997-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3432-999-0x000000000A750000-0x000000000A7B6000-memory.dmp

Filesize
408KB

Download
memory/3432-1000-0x000000000AF50000-0x000000000AFE2000-memory.dmp

Filesize
584KB

Download
memory/3432-1001-0x000000000B110000-0x000000000B160000-memory.dmp

Filesize
320KB

Download
memory/3432-216-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/3432-1003-0x000000000B240000-0x000000000B402000-memory.dmp

Filesize
1.8MB

Download
memory/3432-1004-0x000000000B420000-0x000000000B94C000-memory.dmp

Filesize
5.2MB

Download
memory/3432-1005-0x000000000BA60000-0x000000000BA7E000-memory.dmp

Filesize
120KB

Download
memory/3432-1007-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3432-1008-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3432-1009-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3432-199-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/3432-213-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3432-198-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/3432-201-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/3432-214-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/3432-211-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3432-210-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/3432-207-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/3432-205-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/3432-203-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/3876-1015-0x0000000007BE0000-0x0000000007BF0000-memory.dmp

Filesize
64KB

Download
memory/3876-1014-0x0000000000AF0000-0x0000000000B18000-memory.dmp

Filesize
160KB

Download
memory/4340-1021-0x0000000002E40000-0x0000000002E75000-memory.dmp

Filesize
212KB

Download