018a852bb737ba3692fb1aabd9153efb0ae390ab14b72df84140a1bb5c84a1f9

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2023 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

018a852bb737ba3692fb1aabd9153efb0ae390ab14b72df84140a1bb5c84a1f9.exe
Size

1.1MB
MD5

bbad901acf6411ac45bcb806a353621d
SHA1

3d5f00777484400859cf56da5b13c80a60561467
SHA256

018a852bb737ba3692fb1aabd9153efb0ae390ab14b72df84140a1bb5c84a1f9
SHA512

9e418a8acd5bdb99836817f6065fc0005ab76d2d7658e19f98da11bd69d1560a6173c4e1599d284b03fa93154b11d5973cd3193931a7f12e2bb060cc91f67a95
SSDEEP

24576:XyPIlsr2eZJUp+T5wpZLb1PqOybImfQJ8PNQhA7qT6UWUTOcUq:iPIlsrpJU0u1PJyLfC8PNMDvU

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr042145.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr042145.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr042145.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr042145.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr042145.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr042145.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	si969943.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
1396	un089441.exe
4256	un781995.exe
2620	pr042145.exe
3824	qu289201.exe
3332	rk793681.exe
4892	si969943.exe
1484	oneetx.exe
4900	oneetx.exe
2136	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
3560	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr042145.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr042145.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un089441.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un781995.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un781995.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	018a852bb737ba3692fb1aabd9153efb0ae390ab14b72df84140a1bb5c84a1f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	018a852bb737ba3692fb1aabd9153efb0ae390ab14b72df84140a1bb5c84a1f9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un089441.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 32 IoCs

pid	pid_target	Process	procid_target
3800	2620	WerFault.exe	85
2196	3824	WerFault.exe	91
1560	4892	WerFault.exe	95
2928	4892	WerFault.exe	95
3336	4892	WerFault.exe	95
1608	4892	WerFault.exe	95
4464	4892	WerFault.exe	95
3240	4892	WerFault.exe	95
1276	4892	WerFault.exe	95
2056	4892	WerFault.exe	95
4984	4892	WerFault.exe	95
3388	4892	WerFault.exe	95
4004	1484	WerFault.exe	115
400	1484	WerFault.exe	115
1840	1484	WerFault.exe	115
3544	1484	WerFault.exe	115
4404	1484	WerFault.exe	115
2424	1484	WerFault.exe	115
1824	1484	WerFault.exe	115
2960	1484	WerFault.exe	115
2480	1484	WerFault.exe	115
4124	1484	WerFault.exe	115
5100	1484	WerFault.exe	115
1240	1484	WerFault.exe	115
1396	1484	WerFault.exe	115
1304	1484	WerFault.exe	115
4020	4900	WerFault.exe	160
4112	1484	WerFault.exe	115
4208	1484	WerFault.exe	115
5064	1484	WerFault.exe	115
2184	2136	WerFault.exe	170
1524	1484	WerFault.exe	115

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2620	pr042145.exe
2620	pr042145.exe
3824	qu289201.exe
3824	qu289201.exe
3332	rk793681.exe
3332	rk793681.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	pr042145.exe
Token: SeDebugPrivilege	3824	qu289201.exe
Token: SeDebugPrivilege	3332	rk793681.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4892	si969943.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 1396	4240	018a852bb737ba3692fb1aabd9153efb0ae390ab14b72df84140a1bb5c84a1f9.exe	83
PID 4240 wrote to memory of 1396	4240	018a852bb737ba3692fb1aabd9153efb0ae390ab14b72df84140a1bb5c84a1f9.exe	83
PID 4240 wrote to memory of 1396	4240	018a852bb737ba3692fb1aabd9153efb0ae390ab14b72df84140a1bb5c84a1f9.exe	83
PID 1396 wrote to memory of 4256	1396	un089441.exe	84
PID 1396 wrote to memory of 4256	1396	un089441.exe	84
PID 1396 wrote to memory of 4256	1396	un089441.exe	84
PID 4256 wrote to memory of 2620	4256	un781995.exe	85
PID 4256 wrote to memory of 2620	4256	un781995.exe	85
PID 4256 wrote to memory of 2620	4256	un781995.exe	85
PID 4256 wrote to memory of 3824	4256	un781995.exe	91
PID 4256 wrote to memory of 3824	4256	un781995.exe	91
PID 4256 wrote to memory of 3824	4256	un781995.exe	91
PID 1396 wrote to memory of 3332	1396	un089441.exe	94
PID 1396 wrote to memory of 3332	1396	un089441.exe	94
PID 1396 wrote to memory of 3332	1396	un089441.exe	94
PID 4240 wrote to memory of 4892	4240	018a852bb737ba3692fb1aabd9153efb0ae390ab14b72df84140a1bb5c84a1f9.exe	95
PID 4240 wrote to memory of 4892	4240	018a852bb737ba3692fb1aabd9153efb0ae390ab14b72df84140a1bb5c84a1f9.exe	95
PID 4240 wrote to memory of 4892	4240	018a852bb737ba3692fb1aabd9153efb0ae390ab14b72df84140a1bb5c84a1f9.exe	95
PID 4892 wrote to memory of 1484	4892	si969943.exe	115
PID 4892 wrote to memory of 1484	4892	si969943.exe	115
PID 4892 wrote to memory of 1484	4892	si969943.exe	115
PID 1484 wrote to memory of 3760	1484	oneetx.exe	133
PID 1484 wrote to memory of 3760	1484	oneetx.exe	133
PID 1484 wrote to memory of 3760	1484	oneetx.exe	133
PID 1484 wrote to memory of 2604	1484	oneetx.exe	139
PID 1484 wrote to memory of 2604	1484	oneetx.exe	139
PID 1484 wrote to memory of 2604	1484	oneetx.exe	139
PID 2604 wrote to memory of 5068	2604	cmd.exe	143
PID 2604 wrote to memory of 5068	2604	cmd.exe	143
PID 2604 wrote to memory of 5068	2604	cmd.exe	143
PID 2604 wrote to memory of 4908	2604	cmd.exe	144
PID 2604 wrote to memory of 4908	2604	cmd.exe	144
PID 2604 wrote to memory of 4908	2604	cmd.exe	144
PID 2604 wrote to memory of 456	2604	cmd.exe	145
PID 2604 wrote to memory of 456	2604	cmd.exe	145
PID 2604 wrote to memory of 456	2604	cmd.exe	145
PID 2604 wrote to memory of 3608	2604	cmd.exe	146
PID 2604 wrote to memory of 3608	2604	cmd.exe	146
PID 2604 wrote to memory of 3608	2604	cmd.exe	146
PID 2604 wrote to memory of 4528	2604	cmd.exe	147
PID 2604 wrote to memory of 4528	2604	cmd.exe	147
PID 2604 wrote to memory of 4528	2604	cmd.exe	147
PID 2604 wrote to memory of 2164	2604	cmd.exe	148
PID 2604 wrote to memory of 2164	2604	cmd.exe	148
PID 2604 wrote to memory of 2164	2604	cmd.exe	148
PID 1484 wrote to memory of 3560	1484	oneetx.exe	167
PID 1484 wrote to memory of 3560	1484	oneetx.exe	167
PID 1484 wrote to memory of 3560	1484	oneetx.exe	167

C:\Users\Admin\AppData\Local\Temp\018a852bb737ba3692fb1aabd9153efb0ae390ab14b72df84140a1bb5c84a1f9.exe
"C:\Users\Admin\AppData\Local\Temp\018a852bb737ba3692fb1aabd9153efb0ae390ab14b72df84140a1bb5c84a1f9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un089441.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un089441.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un781995.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un781995.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr042145.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr042145.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2620
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1092
        5⤵
        Program crash
        
        PID:3800
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu289201.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu289201.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 1856
        5⤵
        Program crash
        
        PID:2196
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk793681.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk793681.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3332
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si969943.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si969943.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 696
    3⤵
    - Program crash
    PID:1560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 780
    3⤵
    - Program crash
    PID:2928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 856
    3⤵
    - Program crash
    PID:3336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 968
    3⤵
    - Program crash
    PID:1608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 976
    3⤵
    - Program crash
    PID:4464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 976
    3⤵
    - Program crash
    PID:3240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1216
    3⤵
    - Program crash
    PID:1276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1232
    3⤵
    - Program crash
    PID:2056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1276
    3⤵
    - Program crash
    PID:4984
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 692
      4⤵
      Program crash
      PID:4004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 840
      4⤵
      Program crash
      PID:400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 932
      4⤵
      Program crash
      PID:1840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1052
      4⤵
      Program crash
      PID:3544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1060
      4⤵
      Program crash
      PID:4404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1084
      4⤵
      Program crash
      PID:2424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1128
      4⤵
      Program crash
      PID:1824
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 992
      4⤵
      Program crash
      PID:2960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 728
      4⤵
      Program crash
      PID:2480
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:5068
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:4908
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3608
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:4528
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:2164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 992
      4⤵
      Program crash
      PID:4124
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1288
      4⤵
      Program crash
      PID:5100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 944
      4⤵
      Program crash
      PID:1240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1256
      4⤵
      Program crash
      PID:1396
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1428
      4⤵
      Program crash
      PID:1304
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1156
      4⤵
      Program crash
      PID:4112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1632
      4⤵
      Program crash
      PID:4208
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3560
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1096
      4⤵
      Program crash
      PID:5064
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1644
      4⤵
      Program crash
      PID:1524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 748
    3⤵
    - Program crash
    PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2620 -ip 2620
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3824 -ip 3824
1⤵
PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4892 -ip 4892
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4892 -ip 4892
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4892 -ip 4892
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4892 -ip 4892
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4892 -ip 4892
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4892 -ip 4892
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4892 -ip 4892
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4892 -ip 4892
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4892 -ip 4892
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4892 -ip 4892
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1484 -ip 1484
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1484 -ip 1484
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1484 -ip 1484
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1484 -ip 1484
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1484 -ip 1484
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1484 -ip 1484
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1484 -ip 1484
1⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1484 -ip 1484
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1484 -ip 1484
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1484 -ip 1484
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1484 -ip 1484
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1484 -ip 1484
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1484 -ip 1484
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1484 -ip 1484
1⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 316
  2⤵
  - Program crash
  PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4900 -ip 4900
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1484 -ip 1484
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1484 -ip 1484
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1484 -ip 1484
1⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:2136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 312
  2⤵
  - Program crash
  PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2136 -ip 2136
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1484 -ip 1484
1⤵
PID:4224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si969943.exe

Filesize
383KB

MD5
16241ec92585cf9dbdd3cf153bce30c1

SHA1
0172c3160608160c27c782fa68dc61bf3a73969c

SHA256
4b3a1c0d81405061f7d4954d242ccfad9c50a56bd8f8602e7b555a2e675f82c7

SHA512
1dbc3fb1bd63dc6bececc597f36c2e6c247fd5d8e81e083740fdc0315f8d5bc6d8a7690edca9d873944f2c53164f2ec6dfa0e6bbc3a9c53f5512e0f67d7eb402

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si969943.exe

Filesize
383KB

MD5
16241ec92585cf9dbdd3cf153bce30c1

SHA1
0172c3160608160c27c782fa68dc61bf3a73969c

SHA256
4b3a1c0d81405061f7d4954d242ccfad9c50a56bd8f8602e7b555a2e675f82c7

SHA512
1dbc3fb1bd63dc6bececc597f36c2e6c247fd5d8e81e083740fdc0315f8d5bc6d8a7690edca9d873944f2c53164f2ec6dfa0e6bbc3a9c53f5512e0f67d7eb402

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un089441.exe

Filesize
764KB

MD5
40b9eb9c3a70c2d6f31692a4b0cb72ff

SHA1
aa365a1e8d3f93888954b7c49b0c86333ccab792

SHA256
c8c08901a2e8c93553c518c69d085c1fc436d79599e2e0865fabc7f5b8d0a2b8

SHA512
bf6e9ba5eabc01be7163120e6d3c115e8e949bee9a9e6574dabaadf8f5647beed7e6e3b4ea6851e292b13bb5796098445421e1f653c9c2ead7b997eaff96f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un089441.exe

Filesize
764KB

MD5
40b9eb9c3a70c2d6f31692a4b0cb72ff

SHA1
aa365a1e8d3f93888954b7c49b0c86333ccab792

SHA256
c8c08901a2e8c93553c518c69d085c1fc436d79599e2e0865fabc7f5b8d0a2b8

SHA512
bf6e9ba5eabc01be7163120e6d3c115e8e949bee9a9e6574dabaadf8f5647beed7e6e3b4ea6851e292b13bb5796098445421e1f653c9c2ead7b997eaff96f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk793681.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk793681.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un781995.exe

Filesize
609KB

MD5
42b6aaa15c70b568ffa4f5e7de058aed

SHA1
447f4221f043a8f282c23c56b9e89417d4add433

SHA256
368ffb3764faa19c7e9aa102cc1b7c2b66e91f4fb4bfc9070c298fa3d6937bac

SHA512
236f21f2eb19629af99a936c644d9867b4b1f1d975552d3697c8738d7b94bfa958e30b5b95f66b730eb9c8a975b7e5edb330e05775a7c807fc8264af8110162c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un781995.exe

Filesize
609KB

MD5
42b6aaa15c70b568ffa4f5e7de058aed

SHA1
447f4221f043a8f282c23c56b9e89417d4add433

SHA256
368ffb3764faa19c7e9aa102cc1b7c2b66e91f4fb4bfc9070c298fa3d6937bac

SHA512
236f21f2eb19629af99a936c644d9867b4b1f1d975552d3697c8738d7b94bfa958e30b5b95f66b730eb9c8a975b7e5edb330e05775a7c807fc8264af8110162c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr042145.exe

Filesize
405KB

MD5
fdaaa2f1bd223b1dfc7a9e646b688ae3

SHA1
76bdf536ea8fe0665f7c8dcb76cd3807366c993e

SHA256
092eaa258a61d93024159f00c57e46dc6c9964b4203a26c46c10e0a804247b9e

SHA512
a1f41f2a1d0e6025034e4bee41660070a441a72a3ac8d65016cfbcddec78d29e7e968148b8fe7a2f00eaf063daee04dd24f3e6435fa913ea5b4bfe66cb3fc57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr042145.exe

Filesize
405KB

MD5
fdaaa2f1bd223b1dfc7a9e646b688ae3

SHA1
76bdf536ea8fe0665f7c8dcb76cd3807366c993e

SHA256
092eaa258a61d93024159f00c57e46dc6c9964b4203a26c46c10e0a804247b9e

SHA512
a1f41f2a1d0e6025034e4bee41660070a441a72a3ac8d65016cfbcddec78d29e7e968148b8fe7a2f00eaf063daee04dd24f3e6435fa913ea5b4bfe66cb3fc57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu289201.exe

Filesize
488KB

MD5
59e63cc67d6c2b39737c8990c5f9fbd5

SHA1
c1fbbca60ec96ef91df432dbf79e484d9cf85499

SHA256
4004d65d1f543250ccea1f0519e740005363356fef71f3003f775e109b7eb389

SHA512
beec2873ae8726a00588963d5901a54e6bbf0e0ecf7c57a12a71d3625248e5d3e44ff1b4151eef9a6025fa585c1a90a077adbaceaa50f56f223bc84c717d2941

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu289201.exe

Filesize
488KB

MD5
59e63cc67d6c2b39737c8990c5f9fbd5

SHA1
c1fbbca60ec96ef91df432dbf79e484d9cf85499

SHA256
4004d65d1f543250ccea1f0519e740005363356fef71f3003f775e109b7eb389

SHA512
beec2873ae8726a00588963d5901a54e6bbf0e0ecf7c57a12a71d3625248e5d3e44ff1b4151eef9a6025fa585c1a90a077adbaceaa50f56f223bc84c717d2941

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
16241ec92585cf9dbdd3cf153bce30c1

SHA1
0172c3160608160c27c782fa68dc61bf3a73969c

SHA256
4b3a1c0d81405061f7d4954d242ccfad9c50a56bd8f8602e7b555a2e675f82c7

SHA512
1dbc3fb1bd63dc6bececc597f36c2e6c247fd5d8e81e083740fdc0315f8d5bc6d8a7690edca9d873944f2c53164f2ec6dfa0e6bbc3a9c53f5512e0f67d7eb402

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
16241ec92585cf9dbdd3cf153bce30c1

SHA1
0172c3160608160c27c782fa68dc61bf3a73969c

SHA256
4b3a1c0d81405061f7d4954d242ccfad9c50a56bd8f8602e7b555a2e675f82c7

SHA512
1dbc3fb1bd63dc6bececc597f36c2e6c247fd5d8e81e083740fdc0315f8d5bc6d8a7690edca9d873944f2c53164f2ec6dfa0e6bbc3a9c53f5512e0f67d7eb402

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
16241ec92585cf9dbdd3cf153bce30c1

SHA1
0172c3160608160c27c782fa68dc61bf3a73969c

SHA256
4b3a1c0d81405061f7d4954d242ccfad9c50a56bd8f8602e7b555a2e675f82c7

SHA512
1dbc3fb1bd63dc6bececc597f36c2e6c247fd5d8e81e083740fdc0315f8d5bc6d8a7690edca9d873944f2c53164f2ec6dfa0e6bbc3a9c53f5512e0f67d7eb402

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
16241ec92585cf9dbdd3cf153bce30c1

SHA1
0172c3160608160c27c782fa68dc61bf3a73969c

SHA256
4b3a1c0d81405061f7d4954d242ccfad9c50a56bd8f8602e7b555a2e675f82c7

SHA512
1dbc3fb1bd63dc6bececc597f36c2e6c247fd5d8e81e083740fdc0315f8d5bc6d8a7690edca9d873944f2c53164f2ec6dfa0e6bbc3a9c53f5512e0f67d7eb402

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
16241ec92585cf9dbdd3cf153bce30c1

SHA1
0172c3160608160c27c782fa68dc61bf3a73969c

SHA256
4b3a1c0d81405061f7d4954d242ccfad9c50a56bd8f8602e7b555a2e675f82c7

SHA512
1dbc3fb1bd63dc6bececc597f36c2e6c247fd5d8e81e083740fdc0315f8d5bc6d8a7690edca9d873944f2c53164f2ec6dfa0e6bbc3a9c53f5512e0f67d7eb402

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/2620-157-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2620-193-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/2620-178-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2620-180-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2620-182-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2620-184-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2620-185-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2620-186-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2620-187-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2620-188-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/2620-191-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2620-190-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2620-192-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2620-176-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2620-155-0x0000000002420000-0x000000000244D000-memory.dmp

Filesize
180KB

Download
memory/2620-174-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2620-172-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2620-170-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2620-168-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2620-166-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2620-164-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2620-162-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2620-160-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2620-158-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/2620-156-0x0000000004DB0000-0x0000000005354000-memory.dmp

Filesize
5.6MB

Download
memory/3332-1012-0x0000000007730000-0x0000000007740000-memory.dmp

Filesize
64KB

Download
memory/3332-1011-0x0000000000900000-0x0000000000928000-memory.dmp

Filesize
160KB

Download
memory/3824-205-0x0000000005400000-0x0000000005435000-memory.dmp

Filesize
212KB

Download
memory/3824-1001-0x0000000008C50000-0x0000000008CC6000-memory.dmp

Filesize
472KB

Download
memory/3824-225-0x0000000005400000-0x0000000005435000-memory.dmp

Filesize
212KB

Download
memory/3824-227-0x0000000005400000-0x0000000005435000-memory.dmp

Filesize
212KB

Download
memory/3824-228-0x0000000002390000-0x00000000023D6000-memory.dmp

Filesize
280KB

Download
memory/3824-231-0x0000000005400000-0x0000000005435000-memory.dmp

Filesize
212KB

Download
memory/3824-230-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3824-232-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3824-234-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3824-235-0x0000000005400000-0x0000000005435000-memory.dmp

Filesize
212KB

Download
memory/3824-994-0x0000000007900000-0x0000000007F18000-memory.dmp

Filesize
6.1MB

Download
memory/3824-995-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/3824-996-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/3824-997-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/3824-998-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3824-999-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/3824-1000-0x0000000008A70000-0x0000000008B02000-memory.dmp

Filesize
584KB

Download
memory/3824-223-0x0000000005400000-0x0000000005435000-memory.dmp

Filesize
212KB

Download
memory/3824-1002-0x0000000008CE0000-0x0000000008CFE000-memory.dmp

Filesize
120KB

Download
memory/3824-221-0x0000000005400000-0x0000000005435000-memory.dmp

Filesize
212KB

Download
memory/3824-219-0x0000000005400000-0x0000000005435000-memory.dmp

Filesize
212KB

Download
memory/3824-217-0x0000000005400000-0x0000000005435000-memory.dmp

Filesize
212KB

Download
memory/3824-1003-0x0000000008D80000-0x0000000008DD0000-memory.dmp

Filesize
320KB

Download
memory/3824-1004-0x0000000008E20000-0x0000000008FE2000-memory.dmp

Filesize
1.8MB

Download
memory/3824-1005-0x0000000008FF0000-0x000000000951C000-memory.dmp

Filesize
5.2MB

Download
memory/3824-199-0x0000000005400000-0x0000000005435000-memory.dmp

Filesize
212KB

Download
memory/3824-215-0x0000000005400000-0x0000000005435000-memory.dmp

Filesize
212KB

Download
memory/3824-213-0x0000000005400000-0x0000000005435000-memory.dmp

Filesize
212KB

Download
memory/3824-211-0x0000000005400000-0x0000000005435000-memory.dmp

Filesize
212KB

Download
memory/3824-209-0x0000000005400000-0x0000000005435000-memory.dmp

Filesize
212KB

Download
memory/3824-207-0x0000000005400000-0x0000000005435000-memory.dmp

Filesize
212KB

Download
memory/3824-203-0x0000000005400000-0x0000000005435000-memory.dmp

Filesize
212KB

Download
memory/3824-201-0x0000000005400000-0x0000000005435000-memory.dmp

Filesize
212KB

Download
memory/3824-198-0x0000000005400000-0x0000000005435000-memory.dmp

Filesize
212KB

Download
memory/4892-1018-0x0000000000960000-0x0000000000995000-memory.dmp

Filesize
212KB

Download