08d6bd4767d6b37b5533514e8486524f3871626a18b19dfbcd751a1877674624

Analysis

max time kernel
156s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2023, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08d6bd4767d6b37b5533514e8486524f3871626a18b19dfbcd751a1877674624.exe
Size

942KB
MD5

98d9fbe1622ab6ab531f8c31910f7b09
SHA1

ab03b1179e9913be6dc8fd0b04af553b5eab6c6c
SHA256

08d6bd4767d6b37b5533514e8486524f3871626a18b19dfbcd751a1877674624
SHA512

89ec4333ad6b21e0d68bc2908c7d0385154a09ba4cb990fd896c68ded1822528369cc57b5d309a7704ba97bdd25e099b242403d3a185026a1a324d0a787daa84
SSDEEP

24576:YyFU8yJZBbWYtCS2mImRngbM4vp1/saSTbLccwEiOBS:fS8V+XgbM+pt0bLcoi

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr458372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr458372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr458372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr458372.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr458372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr458372.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	si346853.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
5108	un395476.exe
700	un560038.exe
1696	pr458372.exe
428	qu151951.exe
4064	rk008258.exe
3232	si346853.exe
4656	oneetx.exe
3644	oneetx.exe
4040	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
396	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr458372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr458372.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	08d6bd4767d6b37b5533514e8486524f3871626a18b19dfbcd751a1877674624.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	08d6bd4767d6b37b5533514e8486524f3871626a18b19dfbcd751a1877674624.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un395476.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un395476.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un560038.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un560038.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 31 IoCs

pid	pid_target	Process	procid_target
2696	1696	WerFault.exe	85
3356	428	WerFault.exe	88
4844	3232	WerFault.exe	93
1388	3232	WerFault.exe	93
3452	3232	WerFault.exe	93
628	3232	WerFault.exe	93
3036	3232	WerFault.exe	93
4644	3232	WerFault.exe	93
4116	3232	WerFault.exe	93
2908	3232	WerFault.exe	93
1828	3232	WerFault.exe	93
3508	3232	WerFault.exe	93
1476	4656	WerFault.exe	112
1796	4656	WerFault.exe	112
4960	4656	WerFault.exe	112
2872	4656	WerFault.exe	112
2208	4656	WerFault.exe	112
520	4656	WerFault.exe	112
3168	4656	WerFault.exe	112
1432	4656	WerFault.exe	112
1608	4656	WerFault.exe	112
4868	4656	WerFault.exe	112
4796	4656	WerFault.exe	112
4160	4656	WerFault.exe	112
3496	4656	WerFault.exe	112
4376	3644	WerFault.exe	151
1896	4656	WerFault.exe	112
4844	4656	WerFault.exe	112
1472	4656	WerFault.exe	112
3396	4040	WerFault.exe	161
948	4656	WerFault.exe	112

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1696	pr458372.exe
1696	pr458372.exe
428	qu151951.exe
428	qu151951.exe
4064	rk008258.exe
4064	rk008258.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	pr458372.exe
Token: SeDebugPrivilege	428	qu151951.exe
Token: SeDebugPrivilege	4064	rk008258.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3232	si346853.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 5108	3028	08d6bd4767d6b37b5533514e8486524f3871626a18b19dfbcd751a1877674624.exe	83
PID 3028 wrote to memory of 5108	3028	08d6bd4767d6b37b5533514e8486524f3871626a18b19dfbcd751a1877674624.exe	83
PID 3028 wrote to memory of 5108	3028	08d6bd4767d6b37b5533514e8486524f3871626a18b19dfbcd751a1877674624.exe	83
PID 5108 wrote to memory of 700	5108	un395476.exe	84
PID 5108 wrote to memory of 700	5108	un395476.exe	84
PID 5108 wrote to memory of 700	5108	un395476.exe	84
PID 700 wrote to memory of 1696	700	un560038.exe	85
PID 700 wrote to memory of 1696	700	un560038.exe	85
PID 700 wrote to memory of 1696	700	un560038.exe	85
PID 700 wrote to memory of 428	700	un560038.exe	88
PID 700 wrote to memory of 428	700	un560038.exe	88
PID 700 wrote to memory of 428	700	un560038.exe	88
PID 5108 wrote to memory of 4064	5108	un395476.exe	92
PID 5108 wrote to memory of 4064	5108	un395476.exe	92
PID 5108 wrote to memory of 4064	5108	un395476.exe	92
PID 3028 wrote to memory of 3232	3028	08d6bd4767d6b37b5533514e8486524f3871626a18b19dfbcd751a1877674624.exe	93
PID 3028 wrote to memory of 3232	3028	08d6bd4767d6b37b5533514e8486524f3871626a18b19dfbcd751a1877674624.exe	93
PID 3028 wrote to memory of 3232	3028	08d6bd4767d6b37b5533514e8486524f3871626a18b19dfbcd751a1877674624.exe	93
PID 3232 wrote to memory of 4656	3232	si346853.exe	112
PID 3232 wrote to memory of 4656	3232	si346853.exe	112
PID 3232 wrote to memory of 4656	3232	si346853.exe	112
PID 4656 wrote to memory of 5104	4656	oneetx.exe	129
PID 4656 wrote to memory of 5104	4656	oneetx.exe	129
PID 4656 wrote to memory of 5104	4656	oneetx.exe	129
PID 4656 wrote to memory of 1404	4656	oneetx.exe	135
PID 4656 wrote to memory of 1404	4656	oneetx.exe	135
PID 4656 wrote to memory of 1404	4656	oneetx.exe	135
PID 1404 wrote to memory of 1240	1404	cmd.exe	140
PID 1404 wrote to memory of 1240	1404	cmd.exe	140
PID 1404 wrote to memory of 1240	1404	cmd.exe	140
PID 1404 wrote to memory of 2860	1404	cmd.exe	139
PID 1404 wrote to memory of 2860	1404	cmd.exe	139
PID 1404 wrote to memory of 2860	1404	cmd.exe	139
PID 1404 wrote to memory of 2864	1404	cmd.exe	141
PID 1404 wrote to memory of 2864	1404	cmd.exe	141
PID 1404 wrote to memory of 2864	1404	cmd.exe	141
PID 1404 wrote to memory of 2708	1404	cmd.exe	142
PID 1404 wrote to memory of 2708	1404	cmd.exe	142
PID 1404 wrote to memory of 2708	1404	cmd.exe	142
PID 1404 wrote to memory of 4900	1404	cmd.exe	143
PID 1404 wrote to memory of 4900	1404	cmd.exe	143
PID 1404 wrote to memory of 4900	1404	cmd.exe	143
PID 1404 wrote to memory of 1772	1404	cmd.exe	144
PID 1404 wrote to memory of 1772	1404	cmd.exe	144
PID 1404 wrote to memory of 1772	1404	cmd.exe	144
PID 4656 wrote to memory of 396	4656	oneetx.exe	158
PID 4656 wrote to memory of 396	4656	oneetx.exe	158
PID 4656 wrote to memory of 396	4656	oneetx.exe	158

C:\Users\Admin\AppData\Local\Temp\08d6bd4767d6b37b5533514e8486524f3871626a18b19dfbcd751a1877674624.exe
"C:\Users\Admin\AppData\Local\Temp\08d6bd4767d6b37b5533514e8486524f3871626a18b19dfbcd751a1877674624.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un395476.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un395476.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un560038.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un560038.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr458372.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr458372.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1696
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1084
        5⤵
        Program crash
        
        PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu151951.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu151951.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:428
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 1616
        5⤵
        Program crash
        
        PID:3356
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk008258.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk008258.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si346853.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si346853.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 696
    3⤵
    - Program crash
    PID:4844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 720
    3⤵
    - Program crash
    PID:1388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 720
    3⤵
    - Program crash
    PID:3452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 800
    3⤵
    - Program crash
    PID:628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 796
    3⤵
    - Program crash
    PID:3036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 972
    3⤵
    - Program crash
    PID:4644
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1204
    3⤵
    - Program crash
    PID:4116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1244
    3⤵
    - Program crash
    PID:2908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1312
    3⤵
    - Program crash
    PID:1828
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 700
      4⤵
      Program crash
      PID:1476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 884
      4⤵
      Program crash
      PID:1796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 940
      4⤵
      Program crash
      PID:4960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1052
      4⤵
      Program crash
      PID:2872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1060
      4⤵
      Program crash
      PID:2208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1060
      4⤵
      Program crash
      PID:520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1104
      4⤵
      Program crash
      PID:3168
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:5104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 892
      4⤵
      Program crash
      PID:1432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 724
      4⤵
      Program crash
      PID:1608
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1240
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:2864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2708
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:4900
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:1772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1324
      4⤵
      Program crash
      PID:4868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1292
      4⤵
      Program crash
      PID:4796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1348
      4⤵
      Program crash
      PID:4160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1312
      4⤵
      Program crash
      PID:3496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1100
      4⤵
      Program crash
      PID:1896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1660
      4⤵
      Program crash
      PID:4844
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:396
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1588
      4⤵
      Program crash
      PID:1472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1700
      4⤵
      Program crash
      PID:948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1344
    3⤵
    - Program crash
    PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1696 -ip 1696
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 428 -ip 428
1⤵
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3232 -ip 3232
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3232 -ip 3232
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3232 -ip 3232
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3232 -ip 3232
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3232 -ip 3232
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3232 -ip 3232
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3232 -ip 3232
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3232 -ip 3232
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3232 -ip 3232
1⤵
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3232 -ip 3232
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4656 -ip 4656
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4656 -ip 4656
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4656 -ip 4656
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4656 -ip 4656
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4656 -ip 4656
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4656 -ip 4656
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4656 -ip 4656
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4656 -ip 4656
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4656 -ip 4656
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4656 -ip 4656
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4656 -ip 4656
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4656 -ip 4656
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4656 -ip 4656
1⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 216
  2⤵
  - Program crash
  PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3644 -ip 3644
1⤵
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4656 -ip 4656
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4656 -ip 4656
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4656 -ip 4656
1⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 320
  2⤵
  - Program crash
  PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4040 -ip 4040
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4656 -ip 4656
1⤵
PID:2876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si346853.exe

Filesize
256KB

MD5
020c2c0aafc9e9ff99f8a555629aae03

SHA1
2b10e51e98876c700dcb68e9446d1f162a0fa141

SHA256
1422e675fe8fb8cdc3c567bd6b031fa934864022c3e114f695ef046d9d5a728b

SHA512
09c655379c9eaef2f5c7978105dc7a653dd04e81a9ff06758681ded30ec10d0d88afdbab8138ae562ca09591bb65827b4e613384acd0d57fb3ecf6eb2e617d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si346853.exe

Filesize
256KB

MD5
020c2c0aafc9e9ff99f8a555629aae03

SHA1
2b10e51e98876c700dcb68e9446d1f162a0fa141

SHA256
1422e675fe8fb8cdc3c567bd6b031fa934864022c3e114f695ef046d9d5a728b

SHA512
09c655379c9eaef2f5c7978105dc7a653dd04e81a9ff06758681ded30ec10d0d88afdbab8138ae562ca09591bb65827b4e613384acd0d57fb3ecf6eb2e617d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un395476.exe

Filesize
694KB

MD5
7f9242fa37d0944ba8c1fd2b710b326c

SHA1
14b5365eca627d1ac30b036790a5a601535d0368

SHA256
f937a4ec51206bf1ef16f0582d88171241d97468b43a814895e93e05b27c225e

SHA512
22c0c5b1cc66a94bf02eec0ff9b36a3598f5c667260fbdfbe6ead2e02e2d9f281862b902b041b20e3718e91d9e169a1ef13ff7e97b7f7f6204b539c31bf24529

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un395476.exe

Filesize
694KB

MD5
7f9242fa37d0944ba8c1fd2b710b326c

SHA1
14b5365eca627d1ac30b036790a5a601535d0368

SHA256
f937a4ec51206bf1ef16f0582d88171241d97468b43a814895e93e05b27c225e

SHA512
22c0c5b1cc66a94bf02eec0ff9b36a3598f5c667260fbdfbe6ead2e02e2d9f281862b902b041b20e3718e91d9e169a1ef13ff7e97b7f7f6204b539c31bf24529

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk008258.exe

Filesize
136KB

MD5
9c75a048f066d01b19ed80dc6e7a7101

SHA1
7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3

SHA256
c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625

SHA512
b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk008258.exe

Filesize
136KB

MD5
9c75a048f066d01b19ed80dc6e7a7101

SHA1
7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3

SHA256
c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625

SHA512
b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un560038.exe

Filesize
540KB

MD5
46ab6253e815610a51541ef952f00c78

SHA1
ca1ad42dce998d85ad8f697e061435beba676dbc

SHA256
f601a0ec47a0f8f2a6f11453abe1e07c5e77a8afcd69370c3d98d0c2b20326fd

SHA512
d05436a295021162b2493f0f57c6e93278d0b0bc0225c5c65f189c5e1f0e251c9b621d5867d6508e86c5eb578ffff4afd7f4c1c2e1ae6644440d9fc2c3b0619f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un560038.exe

Filesize
540KB

MD5
46ab6253e815610a51541ef952f00c78

SHA1
ca1ad42dce998d85ad8f697e061435beba676dbc

SHA256
f601a0ec47a0f8f2a6f11453abe1e07c5e77a8afcd69370c3d98d0c2b20326fd

SHA512
d05436a295021162b2493f0f57c6e93278d0b0bc0225c5c65f189c5e1f0e251c9b621d5867d6508e86c5eb578ffff4afd7f4c1c2e1ae6644440d9fc2c3b0619f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr458372.exe

Filesize
277KB

MD5
8c471fec031a7e68a38d4b3db08b205f

SHA1
6a97dc38555ce1d6a36321b798a884372b255b65

SHA256
f444aa2c47757fc710adffe84ebeaed51eee92c32b06f4fbbb0cc798134adad3

SHA512
90eeca8a5c2f123818b3d39411b89ccf3d06ea55a9542b8d032564d77c2afe9e28175b646626eed91ab0373855da493b4be879eb0763dc1f984257ea756120f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr458372.exe

Filesize
277KB

MD5
8c471fec031a7e68a38d4b3db08b205f

SHA1
6a97dc38555ce1d6a36321b798a884372b255b65

SHA256
f444aa2c47757fc710adffe84ebeaed51eee92c32b06f4fbbb0cc798134adad3

SHA512
90eeca8a5c2f123818b3d39411b89ccf3d06ea55a9542b8d032564d77c2afe9e28175b646626eed91ab0373855da493b4be879eb0763dc1f984257ea756120f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu151951.exe

Filesize
360KB

MD5
48d111a7adbad069b4f09047c1a86ccd

SHA1
bd7268a13b7297f5fbab4ac32f025b4d97009db7

SHA256
ecf7e260adde6fc35b49762b2bed9b34047750cb989739fa76f98803cf90431c

SHA512
6f293d987b3c85621d4cf85f63ec4dff0f8b65f90216bd4acb7c30b48869f7b4ce5ae8c0972e0692dfe833c15700ffe4f341c3f4b647f774bb89ebf29a2017d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu151951.exe

Filesize
360KB

MD5
48d111a7adbad069b4f09047c1a86ccd

SHA1
bd7268a13b7297f5fbab4ac32f025b4d97009db7

SHA256
ecf7e260adde6fc35b49762b2bed9b34047750cb989739fa76f98803cf90431c

SHA512
6f293d987b3c85621d4cf85f63ec4dff0f8b65f90216bd4acb7c30b48869f7b4ce5ae8c0972e0692dfe833c15700ffe4f341c3f4b647f774bb89ebf29a2017d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
020c2c0aafc9e9ff99f8a555629aae03

SHA1
2b10e51e98876c700dcb68e9446d1f162a0fa141

SHA256
1422e675fe8fb8cdc3c567bd6b031fa934864022c3e114f695ef046d9d5a728b

SHA512
09c655379c9eaef2f5c7978105dc7a653dd04e81a9ff06758681ded30ec10d0d88afdbab8138ae562ca09591bb65827b4e613384acd0d57fb3ecf6eb2e617d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
020c2c0aafc9e9ff99f8a555629aae03

SHA1
2b10e51e98876c700dcb68e9446d1f162a0fa141

SHA256
1422e675fe8fb8cdc3c567bd6b031fa934864022c3e114f695ef046d9d5a728b

SHA512
09c655379c9eaef2f5c7978105dc7a653dd04e81a9ff06758681ded30ec10d0d88afdbab8138ae562ca09591bb65827b4e613384acd0d57fb3ecf6eb2e617d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
020c2c0aafc9e9ff99f8a555629aae03

SHA1
2b10e51e98876c700dcb68e9446d1f162a0fa141

SHA256
1422e675fe8fb8cdc3c567bd6b031fa934864022c3e114f695ef046d9d5a728b

SHA512
09c655379c9eaef2f5c7978105dc7a653dd04e81a9ff06758681ded30ec10d0d88afdbab8138ae562ca09591bb65827b4e613384acd0d57fb3ecf6eb2e617d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
020c2c0aafc9e9ff99f8a555629aae03

SHA1
2b10e51e98876c700dcb68e9446d1f162a0fa141

SHA256
1422e675fe8fb8cdc3c567bd6b031fa934864022c3e114f695ef046d9d5a728b

SHA512
09c655379c9eaef2f5c7978105dc7a653dd04e81a9ff06758681ded30ec10d0d88afdbab8138ae562ca09591bb65827b4e613384acd0d57fb3ecf6eb2e617d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
020c2c0aafc9e9ff99f8a555629aae03

SHA1
2b10e51e98876c700dcb68e9446d1f162a0fa141

SHA256
1422e675fe8fb8cdc3c567bd6b031fa934864022c3e114f695ef046d9d5a728b

SHA512
09c655379c9eaef2f5c7978105dc7a653dd04e81a9ff06758681ded30ec10d0d88afdbab8138ae562ca09591bb65827b4e613384acd0d57fb3ecf6eb2e617d04

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
cfe2ef912f30ac9bc36d8686888ca0d3

SHA1
ddbbb63670b2f5bd903dadcff54ff8270825499b

SHA256
675771ae0ef1ba5c7fdde82f950461c2c4487e56b3fc41f5c544b73c8b33f10d

SHA512
5e0f51d137000e42e9cd0a41ab9de5a4c91bda677fce992f7b391ea5f9cb7cfb44c31a990bc6249b9dfed8f346881311c7c56f63fb1ef41ea8f757247cd9b68a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
cfe2ef912f30ac9bc36d8686888ca0d3

SHA1
ddbbb63670b2f5bd903dadcff54ff8270825499b

SHA256
675771ae0ef1ba5c7fdde82f950461c2c4487e56b3fc41f5c544b73c8b33f10d

SHA512
5e0f51d137000e42e9cd0a41ab9de5a4c91bda677fce992f7b391ea5f9cb7cfb44c31a990bc6249b9dfed8f346881311c7c56f63fb1ef41ea8f757247cd9b68a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
cfe2ef912f30ac9bc36d8686888ca0d3

SHA1
ddbbb63670b2f5bd903dadcff54ff8270825499b

SHA256
675771ae0ef1ba5c7fdde82f950461c2c4487e56b3fc41f5c544b73c8b33f10d

SHA512
5e0f51d137000e42e9cd0a41ab9de5a4c91bda677fce992f7b391ea5f9cb7cfb44c31a990bc6249b9dfed8f346881311c7c56f63fb1ef41ea8f757247cd9b68a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/428-1002-0x000000000B1A0000-0x000000000B6CC000-memory.dmp

Filesize
5.2MB

Download
memory/428-234-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/428-1008-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/428-1007-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/428-1004-0x0000000004C30000-0x0000000004C80000-memory.dmp

Filesize
320KB

Download
memory/428-1003-0x000000000B7E0000-0x000000000B7FE000-memory.dmp

Filesize
120KB

Download
memory/428-1001-0x000000000AFD0000-0x000000000B192000-memory.dmp

Filesize
1.8MB

Download
memory/428-1000-0x000000000AEF0000-0x000000000AF66000-memory.dmp

Filesize
472KB

Download
memory/428-999-0x000000000AE30000-0x000000000AEC2000-memory.dmp

Filesize
584KB

Download
memory/428-998-0x000000000A760000-0x000000000A7C6000-memory.dmp

Filesize
408KB

Download
memory/428-997-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/428-197-0x0000000002CA0000-0x0000000002CE6000-memory.dmp

Filesize
280KB

Download
memory/428-199-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/428-198-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/428-200-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/428-201-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/428-204-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/428-202-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/428-206-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/428-208-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/428-210-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/428-212-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/428-214-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/428-216-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/428-218-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/428-220-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/428-222-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/428-224-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/428-226-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/428-228-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/428-230-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/428-996-0x000000000A4B0000-0x000000000A4EC000-memory.dmp

Filesize
240KB

Download
memory/428-232-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/428-993-0x0000000009CA0000-0x000000000A2B8000-memory.dmp

Filesize
6.1MB

Download
memory/428-994-0x000000000A320000-0x000000000A332000-memory.dmp

Filesize
72KB

Download
memory/428-995-0x000000000A340000-0x000000000A44A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-171-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/1696-158-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/1696-179-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/1696-192-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/1696-190-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/1696-189-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/1696-175-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/1696-188-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/1696-187-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/1696-185-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/1696-183-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/1696-155-0x0000000007300000-0x00000000078A4000-memory.dmp

Filesize
5.6MB

Download
memory/1696-177-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/1696-181-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/1696-173-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/1696-169-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/1696-167-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/1696-156-0x0000000002C80000-0x0000000002CAD000-memory.dmp

Filesize
180KB

Download
memory/1696-165-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/1696-163-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/1696-161-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/1696-160-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/1696-159-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/1696-157-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/3232-1020-0x0000000002BB0000-0x0000000002BE5000-memory.dmp

Filesize
212KB

Download
memory/4064-1013-0x0000000000A20000-0x0000000000A48000-memory.dmp

Filesize
160KB

Download
memory/4064-1014-0x0000000007820000-0x0000000007830000-memory.dmp

Filesize
64KB

Download