13023866de2a095ca077c68868bdcc60900e482999fcd0961de3cb349bf389a3

Analysis

max time kernel
148s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13023866de2a095ca077c68868bdcc60900e482999fcd0961de3cb349bf389a3.exe
Size

1.1MB
MD5

4a754c674f10b3023297d7d41ca68395
SHA1

e20c301a11c169f654c2c1317bcd8a5bf3c68697
SHA256

13023866de2a095ca077c68868bdcc60900e482999fcd0961de3cb349bf389a3
SHA512

3f8a42972e57002562908eabedeb6fda2c443a304e3241d9ca260fe6e22aeeb7908f2d87714485e895e71387a0948eb1d3c99694e755177c33dd219557762053
SSDEEP

24576:4yMVzIZT0xDaIydRRY7N88PtIP3Tt77cLUX68afQcJGWDI:/MVsl0xDc+28PtG3TJHX68WR

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr521811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr521811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr521811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr521811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr521811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr521811.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	si003719.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
2228	un319505.exe
2120	un088173.exe
2788	pr521811.exe
4264	qu378142.exe
4520	rk797733.exe
1780	si003719.exe
796	oneetx.exe
4848	oneetx.exe
3596	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
4000	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr521811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr521811.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	13023866de2a095ca077c68868bdcc60900e482999fcd0961de3cb349bf389a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	13023866de2a095ca077c68868bdcc60900e482999fcd0961de3cb349bf389a3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un319505.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un319505.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un088173.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un088173.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3284	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 32 IoCs

pid	pid_target	Process	procid_target
4444	2788	WerFault.exe	85
4944	4264	WerFault.exe	91
1256	1780	WerFault.exe	95
1728	1780	WerFault.exe	95
1688	1780	WerFault.exe	95
2268	1780	WerFault.exe	95
2460	1780	WerFault.exe	95
1108	1780	WerFault.exe	95
2776	1780	WerFault.exe	95
3364	1780	WerFault.exe	95
2464	1780	WerFault.exe	95
2848	1780	WerFault.exe	95
2876	796	WerFault.exe	115
2200	796	WerFault.exe	115
4556	796	WerFault.exe	115
3328	796	WerFault.exe	115
3676	796	WerFault.exe	115
2408	796	WerFault.exe	115
4732	796	WerFault.exe	115
4796	796	WerFault.exe	115
1568	796	WerFault.exe	115
4344	796	WerFault.exe	115
4448	796	WerFault.exe	115
1152	796	WerFault.exe	115
2232	796	WerFault.exe	115
1688	796	WerFault.exe	115
3888	796	WerFault.exe	115
1348	4848	WerFault.exe	162
3608	796	WerFault.exe	115
1332	796	WerFault.exe	115
1936	796	WerFault.exe	115
4292	3596	WerFault.exe	172

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4444	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2788	pr521811.exe
2788	pr521811.exe
4264	qu378142.exe
4264	qu378142.exe
4520	rk797733.exe
4520	rk797733.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	pr521811.exe
Token: SeDebugPrivilege	4264	qu378142.exe
Token: SeDebugPrivilege	4520	rk797733.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1780	si003719.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 2228	3336	13023866de2a095ca077c68868bdcc60900e482999fcd0961de3cb349bf389a3.exe	83
PID 3336 wrote to memory of 2228	3336	13023866de2a095ca077c68868bdcc60900e482999fcd0961de3cb349bf389a3.exe	83
PID 3336 wrote to memory of 2228	3336	13023866de2a095ca077c68868bdcc60900e482999fcd0961de3cb349bf389a3.exe	83
PID 2228 wrote to memory of 2120	2228	un319505.exe	84
PID 2228 wrote to memory of 2120	2228	un319505.exe	84
PID 2228 wrote to memory of 2120	2228	un319505.exe	84
PID 2120 wrote to memory of 2788	2120	un088173.exe	85
PID 2120 wrote to memory of 2788	2120	un088173.exe	85
PID 2120 wrote to memory of 2788	2120	un088173.exe	85
PID 2120 wrote to memory of 4264	2120	un088173.exe	91
PID 2120 wrote to memory of 4264	2120	un088173.exe	91
PID 2120 wrote to memory of 4264	2120	un088173.exe	91
PID 2228 wrote to memory of 4520	2228	un319505.exe	94
PID 2228 wrote to memory of 4520	2228	un319505.exe	94
PID 2228 wrote to memory of 4520	2228	un319505.exe	94
PID 3336 wrote to memory of 1780	3336	13023866de2a095ca077c68868bdcc60900e482999fcd0961de3cb349bf389a3.exe	95
PID 3336 wrote to memory of 1780	3336	13023866de2a095ca077c68868bdcc60900e482999fcd0961de3cb349bf389a3.exe	95
PID 3336 wrote to memory of 1780	3336	13023866de2a095ca077c68868bdcc60900e482999fcd0961de3cb349bf389a3.exe	95
PID 1780 wrote to memory of 796	1780	si003719.exe	115
PID 1780 wrote to memory of 796	1780	si003719.exe	115
PID 1780 wrote to memory of 796	1780	si003719.exe	115
PID 796 wrote to memory of 4444	796	oneetx.exe	133
PID 796 wrote to memory of 4444	796	oneetx.exe	133
PID 796 wrote to memory of 4444	796	oneetx.exe	133
PID 796 wrote to memory of 1140	796	oneetx.exe	139
PID 796 wrote to memory of 1140	796	oneetx.exe	139
PID 796 wrote to memory of 1140	796	oneetx.exe	139
PID 1140 wrote to memory of 1564	1140	cmd.exe	143
PID 1140 wrote to memory of 1564	1140	cmd.exe	143
PID 1140 wrote to memory of 1564	1140	cmd.exe	143
PID 1140 wrote to memory of 4596	1140	cmd.exe	144
PID 1140 wrote to memory of 4596	1140	cmd.exe	144
PID 1140 wrote to memory of 4596	1140	cmd.exe	144
PID 1140 wrote to memory of 1876	1140	cmd.exe	145
PID 1140 wrote to memory of 1876	1140	cmd.exe	145
PID 1140 wrote to memory of 1876	1140	cmd.exe	145
PID 1140 wrote to memory of 5092	1140	cmd.exe	146
PID 1140 wrote to memory of 5092	1140	cmd.exe	146
PID 1140 wrote to memory of 5092	1140	cmd.exe	146
PID 1140 wrote to memory of 3316	1140	cmd.exe	147
PID 1140 wrote to memory of 3316	1140	cmd.exe	147
PID 1140 wrote to memory of 3316	1140	cmd.exe	147
PID 1140 wrote to memory of 3512	1140	cmd.exe	148
PID 1140 wrote to memory of 3512	1140	cmd.exe	148
PID 1140 wrote to memory of 3512	1140	cmd.exe	148
PID 796 wrote to memory of 4000	796	oneetx.exe	167
PID 796 wrote to memory of 4000	796	oneetx.exe	167
PID 796 wrote to memory of 4000	796	oneetx.exe	167

C:\Users\Admin\AppData\Local\Temp\13023866de2a095ca077c68868bdcc60900e482999fcd0961de3cb349bf389a3.exe
"C:\Users\Admin\AppData\Local\Temp\13023866de2a095ca077c68868bdcc60900e482999fcd0961de3cb349bf389a3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un319505.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un319505.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un088173.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un088173.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr521811.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr521811.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2788
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 1084
        5⤵
        Program crash
        
        PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu378142.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu378142.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4264
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1644
        5⤵
        Program crash
        
        PID:4944
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk797733.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk797733.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si003719.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si003719.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 696
    3⤵
    - Program crash
    PID:1256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 780
    3⤵
    - Program crash
    PID:1728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 868
    3⤵
    - Program crash
    PID:1688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 952
    3⤵
    - Program crash
    PID:2268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 980
    3⤵
    - Program crash
    PID:2460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 980
    3⤵
    - Program crash
    PID:1108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 1200
    3⤵
    - Program crash
    PID:2776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 1248
    3⤵
    - Program crash
    PID:3364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 1316
    3⤵
    - Program crash
    PID:2464
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 692
      4⤵
      Program crash
      PID:2876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 840
      4⤵
      Program crash
      PID:2200
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 856
      4⤵
      Program crash
      PID:4556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1048
      4⤵
      Program crash
      PID:3328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1048
      4⤵
      Program crash
      PID:3676
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1084
      4⤵
      Program crash
      PID:2408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1128
      4⤵
      Program crash
      PID:4732
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 992
      4⤵
      Program crash
      PID:4796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1300
      4⤵
      Program crash
      PID:1568
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1140
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1564
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:4596
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:1876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:5092
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:3316
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:3512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1272
      4⤵
      Program crash
      PID:4344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1292
      4⤵
      Program crash
      PID:4448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 752
      4⤵
      Program crash
      PID:1152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 776
      4⤵
      Program crash
      PID:2232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1432
      4⤵
      Program crash
      PID:1688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1064
      4⤵
      Program crash
      PID:3888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1644
      4⤵
      Program crash
      PID:3608
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1372
      4⤵
      Program crash
      PID:1332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1652
      4⤵
      Program crash
      PID:1936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 1432
    3⤵
    - Program crash
    PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2788 -ip 2788
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4264 -ip 4264
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1780 -ip 1780
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1780 -ip 1780
1⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1780 -ip 1780
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1780 -ip 1780
1⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1780 -ip 1780
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1780 -ip 1780
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1780 -ip 1780
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1780 -ip 1780
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1780 -ip 1780
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1780 -ip 1780
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 796 -ip 796
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 796 -ip 796
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 796 -ip 796
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 796 -ip 796
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 796 -ip 796
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 796 -ip 796
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 796 -ip 796
1⤵
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 796 -ip 796
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 796 -ip 796
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 796 -ip 796
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 796 -ip 796
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 796 -ip 796
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 796 -ip 796
1⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 796 -ip 796
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 796 -ip 796
1⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 316
  2⤵
  - Program crash
  PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4848 -ip 4848
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 796 -ip 796
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 796 -ip 796
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 796 -ip 796
1⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 320
  2⤵
  - Program crash
  PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3596 -ip 3596
1⤵
PID:4584

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:3284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si003719.exe

Filesize
383KB

MD5
73103505b786d5d7b9c085bc34423658

SHA1
2fd0c02cdd734d9dcccbbcfaac3876d1727b28a6

SHA256
263b2b84732398c0d5b7205395b19aeeed4d128e3684831982d51ec8d0ad26c6

SHA512
83897536e59bf678e70a54484a66a86217ec87eee34f44a683b6f5f8592170311abc218242c2e38a0342b065ba77144d743d5976216783315612eeeb2c33cd20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si003719.exe

Filesize
383KB

MD5
73103505b786d5d7b9c085bc34423658

SHA1
2fd0c02cdd734d9dcccbbcfaac3876d1727b28a6

SHA256
263b2b84732398c0d5b7205395b19aeeed4d128e3684831982d51ec8d0ad26c6

SHA512
83897536e59bf678e70a54484a66a86217ec87eee34f44a683b6f5f8592170311abc218242c2e38a0342b065ba77144d743d5976216783315612eeeb2c33cd20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un319505.exe

Filesize
763KB

MD5
4f2c4c5fdcf88e909a56071a8dd8421e

SHA1
50821f6cc1b60d19e8b58fd6bd97eb6da738a3ef

SHA256
aee35586fa53c99bb3fc71f25f36c62a69322aba3f4924320d04947ed375b142

SHA512
19a1ecb527b758e3235b23ee4ecb2f5d9066d31901071bcf9cc2e115c0f95e9568cba01ba83d4a9fc46d45f5a4d2fa8120d4f5c4ffce04946c882dc51ea10018

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un319505.exe

Filesize
763KB

MD5
4f2c4c5fdcf88e909a56071a8dd8421e

SHA1
50821f6cc1b60d19e8b58fd6bd97eb6da738a3ef

SHA256
aee35586fa53c99bb3fc71f25f36c62a69322aba3f4924320d04947ed375b142

SHA512
19a1ecb527b758e3235b23ee4ecb2f5d9066d31901071bcf9cc2e115c0f95e9568cba01ba83d4a9fc46d45f5a4d2fa8120d4f5c4ffce04946c882dc51ea10018

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk797733.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk797733.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un088173.exe

Filesize
609KB

MD5
cc170965c32cff899fab603d61b10251

SHA1
aee3deb203d6a9238bd2637cbf9b12026a695902

SHA256
981d9f0b9d2d444fb08b6122d21044d4f91afbb1c46ad1a87f6576f6eb4734a1

SHA512
229adacbcbe0e1ec3aafbcd7b7d2ee83dd0c50060809b266071986c5524037adf30466717a0262c95cf32a4e6b678e8684e1d0382665f46a1e444fb2029af97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un088173.exe

Filesize
609KB

MD5
cc170965c32cff899fab603d61b10251

SHA1
aee3deb203d6a9238bd2637cbf9b12026a695902

SHA256
981d9f0b9d2d444fb08b6122d21044d4f91afbb1c46ad1a87f6576f6eb4734a1

SHA512
229adacbcbe0e1ec3aafbcd7b7d2ee83dd0c50060809b266071986c5524037adf30466717a0262c95cf32a4e6b678e8684e1d0382665f46a1e444fb2029af97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr521811.exe

Filesize
405KB

MD5
b7099992e96c93af316f91d2c6549388

SHA1
8d5ddd41b96cd8af4b896929e2e35ca3a5e53a3f

SHA256
99c5ec9ad24ea91d1d4dfe3274de371a2516df41985027eeb60761c3ff6dda09

SHA512
27d5c27bd5a1f516d43b4590f516b89dc69ea7878deb1bae68f2f03a307c0646bfefca522fa095c34a08cd824cd43e929e69673bff8ac27682c3d311bc519909

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr521811.exe

Filesize
405KB

MD5
b7099992e96c93af316f91d2c6549388

SHA1
8d5ddd41b96cd8af4b896929e2e35ca3a5e53a3f

SHA256
99c5ec9ad24ea91d1d4dfe3274de371a2516df41985027eeb60761c3ff6dda09

SHA512
27d5c27bd5a1f516d43b4590f516b89dc69ea7878deb1bae68f2f03a307c0646bfefca522fa095c34a08cd824cd43e929e69673bff8ac27682c3d311bc519909

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu378142.exe

Filesize
488KB

MD5
0425f11f3a490c0fc80d2fd020017b6f

SHA1
25242d678fc8dc2d5ef4965cb6b00e9948d65290

SHA256
31ae630fe8146a42df6d5d6e72efcfae518f85090a04e2d24cfedb6319f254fb

SHA512
d5bef32f6ba79a29846ea2cda6e104994692f6f3b0646260a3416dfe17ea7ab29f51c4442927fc2e2f752ce3eb0ecdaf3cc9e24e5fa69aaff5f39bf8f8f1a79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu378142.exe

Filesize
488KB

MD5
0425f11f3a490c0fc80d2fd020017b6f

SHA1
25242d678fc8dc2d5ef4965cb6b00e9948d65290

SHA256
31ae630fe8146a42df6d5d6e72efcfae518f85090a04e2d24cfedb6319f254fb

SHA512
d5bef32f6ba79a29846ea2cda6e104994692f6f3b0646260a3416dfe17ea7ab29f51c4442927fc2e2f752ce3eb0ecdaf3cc9e24e5fa69aaff5f39bf8f8f1a79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
73103505b786d5d7b9c085bc34423658

SHA1
2fd0c02cdd734d9dcccbbcfaac3876d1727b28a6

SHA256
263b2b84732398c0d5b7205395b19aeeed4d128e3684831982d51ec8d0ad26c6

SHA512
83897536e59bf678e70a54484a66a86217ec87eee34f44a683b6f5f8592170311abc218242c2e38a0342b065ba77144d743d5976216783315612eeeb2c33cd20

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
73103505b786d5d7b9c085bc34423658

SHA1
2fd0c02cdd734d9dcccbbcfaac3876d1727b28a6

SHA256
263b2b84732398c0d5b7205395b19aeeed4d128e3684831982d51ec8d0ad26c6

SHA512
83897536e59bf678e70a54484a66a86217ec87eee34f44a683b6f5f8592170311abc218242c2e38a0342b065ba77144d743d5976216783315612eeeb2c33cd20

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
73103505b786d5d7b9c085bc34423658

SHA1
2fd0c02cdd734d9dcccbbcfaac3876d1727b28a6

SHA256
263b2b84732398c0d5b7205395b19aeeed4d128e3684831982d51ec8d0ad26c6

SHA512
83897536e59bf678e70a54484a66a86217ec87eee34f44a683b6f5f8592170311abc218242c2e38a0342b065ba77144d743d5976216783315612eeeb2c33cd20

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
73103505b786d5d7b9c085bc34423658

SHA1
2fd0c02cdd734d9dcccbbcfaac3876d1727b28a6

SHA256
263b2b84732398c0d5b7205395b19aeeed4d128e3684831982d51ec8d0ad26c6

SHA512
83897536e59bf678e70a54484a66a86217ec87eee34f44a683b6f5f8592170311abc218242c2e38a0342b065ba77144d743d5976216783315612eeeb2c33cd20

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
73103505b786d5d7b9c085bc34423658

SHA1
2fd0c02cdd734d9dcccbbcfaac3876d1727b28a6

SHA256
263b2b84732398c0d5b7205395b19aeeed4d128e3684831982d51ec8d0ad26c6

SHA512
83897536e59bf678e70a54484a66a86217ec87eee34f44a683b6f5f8592170311abc218242c2e38a0342b065ba77144d743d5976216783315612eeeb2c33cd20

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1780-1019-0x0000000002450000-0x0000000002485000-memory.dmp

Filesize
212KB

Download
memory/2788-173-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2788-171-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2788-177-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2788-179-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2788-181-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2788-183-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2788-185-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2788-187-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2788-188-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/2788-189-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/2788-190-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/2788-191-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/2788-193-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/2788-175-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2788-169-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2788-167-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2788-165-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2788-163-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2788-161-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2788-160-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2788-159-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/2788-158-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/2788-157-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/2788-156-0x0000000000960000-0x000000000098D000-memory.dmp

Filesize
180KB

Download
memory/2788-155-0x0000000004FD0000-0x0000000005574000-memory.dmp

Filesize
5.6MB

Download
memory/4264-205-0x0000000005490000-0x00000000054C5000-memory.dmp

Filesize
212KB

Download
memory/4264-1001-0x0000000008D20000-0x0000000008EE2000-memory.dmp

Filesize
1.8MB

Download
memory/4264-223-0x0000000005490000-0x00000000054C5000-memory.dmp

Filesize
212KB

Download
memory/4264-225-0x0000000005490000-0x00000000054C5000-memory.dmp

Filesize
212KB

Download
memory/4264-227-0x0000000005490000-0x00000000054C5000-memory.dmp

Filesize
212KB

Download
memory/4264-229-0x0000000005490000-0x00000000054C5000-memory.dmp

Filesize
212KB

Download
memory/4264-231-0x0000000005490000-0x00000000054C5000-memory.dmp

Filesize
212KB

Download
memory/4264-233-0x0000000005490000-0x00000000054C5000-memory.dmp

Filesize
212KB

Download
memory/4264-513-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/4264-993-0x00000000079B0000-0x0000000007FC8000-memory.dmp

Filesize
6.1MB

Download
memory/4264-994-0x0000000008070000-0x0000000008082000-memory.dmp

Filesize
72KB

Download
memory/4264-995-0x0000000008090000-0x000000000819A000-memory.dmp

Filesize
1.0MB

Download
memory/4264-996-0x00000000081F0000-0x000000000822C000-memory.dmp

Filesize
240KB

Download
memory/4264-997-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/4264-998-0x00000000084B0000-0x0000000008516000-memory.dmp

Filesize
408KB

Download
memory/4264-999-0x0000000008B70000-0x0000000008C02000-memory.dmp

Filesize
584KB

Download
memory/4264-1000-0x0000000008C40000-0x0000000008CB6000-memory.dmp

Filesize
472KB

Download
memory/4264-221-0x0000000005490000-0x00000000054C5000-memory.dmp

Filesize
212KB

Download
memory/4264-1002-0x0000000008EF0000-0x000000000941C000-memory.dmp

Filesize
5.2MB

Download
memory/4264-1003-0x0000000009530000-0x000000000954E000-memory.dmp

Filesize
120KB

Download
memory/4264-1004-0x0000000002560000-0x00000000025B0000-memory.dmp

Filesize
320KB

Download
memory/4264-198-0x00000000008B0000-0x00000000008F6000-memory.dmp

Filesize
280KB

Download
memory/4264-199-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/4264-219-0x0000000005490000-0x00000000054C5000-memory.dmp

Filesize
212KB

Download
memory/4264-217-0x0000000005490000-0x00000000054C5000-memory.dmp

Filesize
212KB

Download
memory/4264-215-0x0000000005490000-0x00000000054C5000-memory.dmp

Filesize
212KB

Download
memory/4264-213-0x0000000005490000-0x00000000054C5000-memory.dmp

Filesize
212KB

Download
memory/4264-211-0x0000000005490000-0x00000000054C5000-memory.dmp

Filesize
212KB

Download
memory/4264-209-0x0000000005490000-0x00000000054C5000-memory.dmp

Filesize
212KB

Download
memory/4264-207-0x0000000005490000-0x00000000054C5000-memory.dmp

Filesize
212KB

Download
memory/4264-203-0x0000000005490000-0x00000000054C5000-memory.dmp

Filesize
212KB

Download
memory/4264-201-0x0000000005490000-0x00000000054C5000-memory.dmp

Filesize
212KB

Download
memory/4264-200-0x0000000005490000-0x00000000054C5000-memory.dmp

Filesize
212KB

Download
memory/4520-1013-0x00000000078E0000-0x00000000078F0000-memory.dmp

Filesize
64KB

Download
memory/4520-1012-0x0000000000680000-0x00000000006A8000-memory.dmp

Filesize
160KB

Download