9245e71a6691097e1a3c31980529b55f6d8d71e9d09dcab5977346eb87b186d5

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9245e71a6691097e1a3c31980529b55f6d8d71e9d09dcab5977346eb87b186d5.exe
Size

936KB
MD5

d3cb2d98f8ee9ea19963a4f012539a1c
SHA1

8d4371c2177ba2441ce5d936c4ef14c052184b25
SHA256

9245e71a6691097e1a3c31980529b55f6d8d71e9d09dcab5977346eb87b186d5
SHA512

5fc38d98b2280221d2b824485865aa1eff382b9d9dc1bf1be69871d2c34dd618426a267398977cbea433fa254351a414ff36df84447d44c1948e736fcfbbf471
SSDEEP

24576:CyVdnnYdBeeun/dB7/Ghw1l/CaLvu9y8:pbnYdse+/dB7/lq

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it101770.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it101770.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it101770.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it101770.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it101770.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it101770.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	lr979880.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
1528	zibS8846.exe
3008	ziKx4787.exe
640	it101770.exe
4664	jr549715.exe
4408	kp168138.exe
756	lr979880.exe
4264	oneetx.exe
3612	oneetx.exe
3300	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
2848	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it101770.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9245e71a6691097e1a3c31980529b55f6d8d71e9d09dcab5977346eb87b186d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9245e71a6691097e1a3c31980529b55f6d8d71e9d09dcab5977346eb87b186d5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zibS8846.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zibS8846.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziKx4787.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziKx4787.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 36 IoCs

pid	pid_target	Process	procid_target
4816	4664	WerFault.exe	88
4572	756	WerFault.exe	92
3272	756	WerFault.exe	92
4640	756	WerFault.exe	92
4460	756	WerFault.exe	92
4600	756	WerFault.exe	92
2044	756	WerFault.exe	92
2316	756	WerFault.exe	92
4804	756	WerFault.exe	92
1408	756	WerFault.exe	92
5080	756	WerFault.exe	92
3832	4264	WerFault.exe	112
4404	4264	WerFault.exe	112
1936	4264	WerFault.exe	112
4996	4264	WerFault.exe	112
2612	4264	WerFault.exe	112
3496	4264	WerFault.exe	112
392	4264	WerFault.exe	112
4508	4264	WerFault.exe	112
4956	4264	WerFault.exe	112
2204	4264	WerFault.exe	112
1504	4264	WerFault.exe	112
4816	4264	WerFault.exe	112
1568	4264	WerFault.exe	112
4928	3612	WerFault.exe	151
4432	3612	WerFault.exe	151
4968	3612	WerFault.exe	151
4640	3612	WerFault.exe	151
4596	4264	WerFault.exe	112
4844	4264	WerFault.exe	112
4772	4264	WerFault.exe	112
2092	3300	WerFault.exe	167
3684	3300	WerFault.exe	167
3952	3300	WerFault.exe	167
4384	3300	WerFault.exe	167
3584	4264	WerFault.exe	112

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
640	it101770.exe
640	it101770.exe
4664	jr549715.exe
4664	jr549715.exe
4408	kp168138.exe
4408	kp168138.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	it101770.exe
Token: SeDebugPrivilege	4664	jr549715.exe
Token: SeDebugPrivilege	4408	kp168138.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
756	lr979880.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 1528	3456	9245e71a6691097e1a3c31980529b55f6d8d71e9d09dcab5977346eb87b186d5.exe	85
PID 3456 wrote to memory of 1528	3456	9245e71a6691097e1a3c31980529b55f6d8d71e9d09dcab5977346eb87b186d5.exe	85
PID 3456 wrote to memory of 1528	3456	9245e71a6691097e1a3c31980529b55f6d8d71e9d09dcab5977346eb87b186d5.exe	85
PID 1528 wrote to memory of 3008	1528	zibS8846.exe	86
PID 1528 wrote to memory of 3008	1528	zibS8846.exe	86
PID 1528 wrote to memory of 3008	1528	zibS8846.exe	86
PID 3008 wrote to memory of 640	3008	ziKx4787.exe	87
PID 3008 wrote to memory of 640	3008	ziKx4787.exe	87
PID 3008 wrote to memory of 4664	3008	ziKx4787.exe	88
PID 3008 wrote to memory of 4664	3008	ziKx4787.exe	88
PID 3008 wrote to memory of 4664	3008	ziKx4787.exe	88
PID 1528 wrote to memory of 4408	1528	zibS8846.exe	91
PID 1528 wrote to memory of 4408	1528	zibS8846.exe	91
PID 1528 wrote to memory of 4408	1528	zibS8846.exe	91
PID 3456 wrote to memory of 756	3456	9245e71a6691097e1a3c31980529b55f6d8d71e9d09dcab5977346eb87b186d5.exe	92
PID 3456 wrote to memory of 756	3456	9245e71a6691097e1a3c31980529b55f6d8d71e9d09dcab5977346eb87b186d5.exe	92
PID 3456 wrote to memory of 756	3456	9245e71a6691097e1a3c31980529b55f6d8d71e9d09dcab5977346eb87b186d5.exe	92
PID 756 wrote to memory of 4264	756	lr979880.exe	112
PID 756 wrote to memory of 4264	756	lr979880.exe	112
PID 756 wrote to memory of 4264	756	lr979880.exe	112
PID 4264 wrote to memory of 5108	4264	oneetx.exe	129
PID 4264 wrote to memory of 5108	4264	oneetx.exe	129
PID 4264 wrote to memory of 5108	4264	oneetx.exe	129
PID 4264 wrote to memory of 3740	4264	oneetx.exe	135
PID 4264 wrote to memory of 3740	4264	oneetx.exe	135
PID 4264 wrote to memory of 3740	4264	oneetx.exe	135
PID 3740 wrote to memory of 4608	3740	cmd.exe	139
PID 3740 wrote to memory of 4608	3740	cmd.exe	139
PID 3740 wrote to memory of 4608	3740	cmd.exe	139
PID 3740 wrote to memory of 540	3740	cmd.exe	140
PID 3740 wrote to memory of 540	3740	cmd.exe	140
PID 3740 wrote to memory of 540	3740	cmd.exe	140
PID 3740 wrote to memory of 4400	3740	cmd.exe	141
PID 3740 wrote to memory of 4400	3740	cmd.exe	141
PID 3740 wrote to memory of 4400	3740	cmd.exe	141
PID 3740 wrote to memory of 1780	3740	cmd.exe	143
PID 3740 wrote to memory of 1780	3740	cmd.exe	143
PID 3740 wrote to memory of 1780	3740	cmd.exe	143
PID 3740 wrote to memory of 3764	3740	cmd.exe	142
PID 3740 wrote to memory of 3764	3740	cmd.exe	142
PID 3740 wrote to memory of 3764	3740	cmd.exe	142
PID 3740 wrote to memory of 4488	3740	cmd.exe	144
PID 3740 wrote to memory of 4488	3740	cmd.exe	144
PID 3740 wrote to memory of 4488	3740	cmd.exe	144
PID 4264 wrote to memory of 2848	4264	oneetx.exe	164
PID 4264 wrote to memory of 2848	4264	oneetx.exe	164
PID 4264 wrote to memory of 2848	4264	oneetx.exe	164

C:\Users\Admin\AppData\Local\Temp\9245e71a6691097e1a3c31980529b55f6d8d71e9d09dcab5977346eb87b186d5.exe
"C:\Users\Admin\AppData\Local\Temp\9245e71a6691097e1a3c31980529b55f6d8d71e9d09dcab5977346eb87b186d5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS8846.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS8846.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziKx4787.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziKx4787.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it101770.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it101770.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:640
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr549715.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr549715.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4664
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1320
        5⤵
        Program crash
        
        PID:4816
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp168138.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp168138.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4408
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr979880.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr979880.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 696
    3⤵
    - Program crash
    PID:4572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 780
    3⤵
    - Program crash
    PID:3272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 800
    3⤵
    - Program crash
    PID:4640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 952
    3⤵
    - Program crash
    PID:4460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 980
    3⤵
    - Program crash
    PID:4600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 964
    3⤵
    - Program crash
    PID:2044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1228
    3⤵
    - Program crash
    PID:2316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1228
    3⤵
    - Program crash
    PID:4804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1328
    3⤵
    - Program crash
    PID:1408
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 692
      4⤵
      Program crash
      PID:3832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 680
      4⤵
      Program crash
      PID:4404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 900
      4⤵
      Program crash
      PID:1936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1052
      4⤵
      Program crash
      PID:4996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1060
      4⤵
      Program crash
      PID:2612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1060
      4⤵
      Program crash
      PID:3496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1084
      4⤵
      Program crash
      PID:392
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:5108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 804
      4⤵
      Program crash
      PID:4508
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 788
      4⤵
      Program crash
      PID:4956
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4608
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:540
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:4400
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:3764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1780
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:4488
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1248
      4⤵
      Program crash
      PID:2204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 804
      4⤵
      Program crash
      PID:1504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 788
      4⤵
      Program crash
      PID:4816
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1260
      4⤵
      Program crash
      PID:1568
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1112
      4⤵
      Program crash
      PID:4596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1620
      4⤵
      Program crash
      PID:4844
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1112
      4⤵
      Program crash
      PID:4772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1636
      4⤵
      Program crash
      PID:3584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 708
    3⤵
    - Program crash
    PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4664 -ip 4664
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 756 -ip 756
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 756 -ip 756
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 756 -ip 756
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 756 -ip 756
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 756 -ip 756
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 756 -ip 756
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 756 -ip 756
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 756 -ip 756
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 756 -ip 756
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 756 -ip 756
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4264 -ip 4264
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4264 -ip 4264
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4264 -ip 4264
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4264 -ip 4264
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4264 -ip 4264
1⤵
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4264 -ip 4264
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4264 -ip 4264
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4264 -ip 4264
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4264 -ip 4264
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4264 -ip 4264
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4264 -ip 4264
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4264 -ip 4264
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4264 -ip 4264
1⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 400
  2⤵
  - Program crash
  PID:4928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 504
  2⤵
  - Program crash
  PID:4432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 608
  2⤵
  - Program crash
  PID:4968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 628
  2⤵
  - Program crash
  PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3612 -ip 3612
1⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3612 -ip 3612
1⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3612 -ip 3612
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3612 -ip 3612
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4264 -ip 4264
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4264 -ip 4264
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4264 -ip 4264
1⤵
PID:4736

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 392
  2⤵
  - Program crash
  PID:2092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 508
  2⤵
  - Program crash
  PID:3684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 612
  2⤵
  - Program crash
  PID:3952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 628
  2⤵
  - Program crash
  PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3300 -ip 3300
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3300 -ip 3300
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3300 -ip 3300
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3300 -ip 3300
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4264 -ip 4264
1⤵
PID:4272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr979880.exe

Filesize
383KB

MD5
03b86ab4605cf4c2c57fcc1c7fb265e0

SHA1
29ee781f7986dffea1abd59551c61fcf18a00e40

SHA256
31f02ab447a5a4863af88ff846b9f125fe6977ed18bafda921b9812774830b34

SHA512
773a70c242ef3043f75c13e2d854fd51b410cfd2d3de788a41a8f413805e6da157a95e501a6790e6732d96949e51e1d874c14d00344e0e11762bb58781696f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr979880.exe

Filesize
383KB

MD5
03b86ab4605cf4c2c57fcc1c7fb265e0

SHA1
29ee781f7986dffea1abd59551c61fcf18a00e40

SHA256
31f02ab447a5a4863af88ff846b9f125fe6977ed18bafda921b9812774830b34

SHA512
773a70c242ef3043f75c13e2d854fd51b410cfd2d3de788a41a8f413805e6da157a95e501a6790e6732d96949e51e1d874c14d00344e0e11762bb58781696f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS8846.exe

Filesize
622KB

MD5
2f6f2b7ea209384f5fe1245792c22dbe

SHA1
8f619b2c96d2a59c81427302003d02087cbf4154

SHA256
2828e7c58e6120724facc14bc26da8e45ca6c9c80c24ebf01b09e5d2227ac29f

SHA512
06a4fd2b73a158e4b9ef636551cfea3ed93b9620ad77f12afc32f58d302905abec174d560e2ee6ab9d7ccdf411d1db4404a341062456a1c66124302119b04c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS8846.exe

Filesize
622KB

MD5
2f6f2b7ea209384f5fe1245792c22dbe

SHA1
8f619b2c96d2a59c81427302003d02087cbf4154

SHA256
2828e7c58e6120724facc14bc26da8e45ca6c9c80c24ebf01b09e5d2227ac29f

SHA512
06a4fd2b73a158e4b9ef636551cfea3ed93b9620ad77f12afc32f58d302905abec174d560e2ee6ab9d7ccdf411d1db4404a341062456a1c66124302119b04c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp168138.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp168138.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziKx4787.exe

Filesize
468KB

MD5
d6c3db962e91575bedd1faf32ffee111

SHA1
bb68be83457957de212181dba54cea649300488a

SHA256
dc28a6dd16e80fd21dedf78d9a5faaa0fe5f5cd2a3fa5c966997552eb541f0bc

SHA512
d8fa377401989815b6136b4fba7001e2f2bf439f728b3966a1457a2e027d37a46712c23f799b51e1f161f32a9e83b8f377762bc1c4f4b9a303106eeda7d00481

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziKx4787.exe

Filesize
468KB

MD5
d6c3db962e91575bedd1faf32ffee111

SHA1
bb68be83457957de212181dba54cea649300488a

SHA256
dc28a6dd16e80fd21dedf78d9a5faaa0fe5f5cd2a3fa5c966997552eb541f0bc

SHA512
d8fa377401989815b6136b4fba7001e2f2bf439f728b3966a1457a2e027d37a46712c23f799b51e1f161f32a9e83b8f377762bc1c4f4b9a303106eeda7d00481

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it101770.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it101770.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr549715.exe

Filesize
487KB

MD5
b8b70b0b384f4bbe37cd49568ec9f285

SHA1
2ef59ad3157a50029901165e8011e172e1b7138b

SHA256
917dc87fa972a2632e5979fa732f45903f16892cbfa3338b144718d6fd8b5a4f

SHA512
a25874ffe09e294b219242767012d995352f2a20cb318e5f94626cebd91a6a22eb8e62683faca3f6262515fcc41bb22fea1b55b5620a6cf45ca3a06d6b41ec27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr549715.exe

Filesize
487KB

MD5
b8b70b0b384f4bbe37cd49568ec9f285

SHA1
2ef59ad3157a50029901165e8011e172e1b7138b

SHA256
917dc87fa972a2632e5979fa732f45903f16892cbfa3338b144718d6fd8b5a4f

SHA512
a25874ffe09e294b219242767012d995352f2a20cb318e5f94626cebd91a6a22eb8e62683faca3f6262515fcc41bb22fea1b55b5620a6cf45ca3a06d6b41ec27

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
03b86ab4605cf4c2c57fcc1c7fb265e0

SHA1
29ee781f7986dffea1abd59551c61fcf18a00e40

SHA256
31f02ab447a5a4863af88ff846b9f125fe6977ed18bafda921b9812774830b34

SHA512
773a70c242ef3043f75c13e2d854fd51b410cfd2d3de788a41a8f413805e6da157a95e501a6790e6732d96949e51e1d874c14d00344e0e11762bb58781696f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
03b86ab4605cf4c2c57fcc1c7fb265e0

SHA1
29ee781f7986dffea1abd59551c61fcf18a00e40

SHA256
31f02ab447a5a4863af88ff846b9f125fe6977ed18bafda921b9812774830b34

SHA512
773a70c242ef3043f75c13e2d854fd51b410cfd2d3de788a41a8f413805e6da157a95e501a6790e6732d96949e51e1d874c14d00344e0e11762bb58781696f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
03b86ab4605cf4c2c57fcc1c7fb265e0

SHA1
29ee781f7986dffea1abd59551c61fcf18a00e40

SHA256
31f02ab447a5a4863af88ff846b9f125fe6977ed18bafda921b9812774830b34

SHA512
773a70c242ef3043f75c13e2d854fd51b410cfd2d3de788a41a8f413805e6da157a95e501a6790e6732d96949e51e1d874c14d00344e0e11762bb58781696f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
03b86ab4605cf4c2c57fcc1c7fb265e0

SHA1
29ee781f7986dffea1abd59551c61fcf18a00e40

SHA256
31f02ab447a5a4863af88ff846b9f125fe6977ed18bafda921b9812774830b34

SHA512
773a70c242ef3043f75c13e2d854fd51b410cfd2d3de788a41a8f413805e6da157a95e501a6790e6732d96949e51e1d874c14d00344e0e11762bb58781696f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
03b86ab4605cf4c2c57fcc1c7fb265e0

SHA1
29ee781f7986dffea1abd59551c61fcf18a00e40

SHA256
31f02ab447a5a4863af88ff846b9f125fe6977ed18bafda921b9812774830b34

SHA512
773a70c242ef3043f75c13e2d854fd51b410cfd2d3de788a41a8f413805e6da157a95e501a6790e6732d96949e51e1d874c14d00344e0e11762bb58781696f5d

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/640-154-0x0000000000F50000-0x0000000000F5A000-memory.dmp

Filesize
40KB

Download
memory/756-981-0x0000000000AD0000-0x0000000000B05000-memory.dmp

Filesize
212KB

Download
memory/4408-974-0x0000000000AA0000-0x0000000000AC8000-memory.dmp

Filesize
160KB

Download
memory/4408-975-0x0000000007BB0000-0x0000000007BC0000-memory.dmp

Filesize
64KB

Download
memory/4664-203-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-957-0x0000000005010000-0x0000000005022000-memory.dmp

Filesize
72KB

Download
memory/4664-185-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-187-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-189-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-191-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-193-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-195-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-197-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-199-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-201-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-181-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-205-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-207-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-209-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-211-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-213-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-215-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-217-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-219-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-221-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-223-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-225-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-227-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-956-0x0000000007A10000-0x0000000008028000-memory.dmp

Filesize
6.1MB

Download
memory/4664-183-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-958-0x0000000008030000-0x000000000813A000-memory.dmp

Filesize
1.0MB

Download
memory/4664-959-0x0000000005040000-0x000000000507C000-memory.dmp

Filesize
240KB

Download
memory/4664-960-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/4664-961-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/4664-962-0x0000000008A70000-0x0000000008B02000-memory.dmp

Filesize
584KB

Download
memory/4664-963-0x0000000008C40000-0x0000000008CB6000-memory.dmp

Filesize
472KB

Download
memory/4664-964-0x0000000008D10000-0x0000000008ED2000-memory.dmp

Filesize
1.8MB

Download
memory/4664-179-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-177-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-175-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-173-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-171-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-169-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-167-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-165-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-164-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/4664-163-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/4664-162-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/4664-161-0x00000000009B0000-0x00000000009F6000-memory.dmp

Filesize
280KB

Download
memory/4664-160-0x00000000050E0000-0x0000000005684000-memory.dmp

Filesize
5.6MB

Download
memory/4664-965-0x0000000008EF0000-0x000000000941C000-memory.dmp

Filesize
5.2MB

Download
memory/4664-966-0x0000000009540000-0x000000000955E000-memory.dmp

Filesize
120KB

Download
memory/4664-967-0x00000000095A0000-0x00000000095F0000-memory.dmp

Filesize
320KB

Download