3d244ae9d728e0bdc90a21f0db1e1b134d740f8156e52221a2bfea73211219f3

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2023, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d244ae9d728e0bdc90a21f0db1e1b134d740f8156e52221a2bfea73211219f3.exe
Size

965KB
MD5

bae598df46c0253ad00217ba39fd7530
SHA1

b045f9211833d44894f3a4a55eb4c1861b825766
SHA256

3d244ae9d728e0bdc90a21f0db1e1b134d740f8156e52221a2bfea73211219f3
SHA512

4cf7a85871f72d8ccda265e9699c8013ea57b7a0982628452abf9c290501b9ff30f2903ae9ca1f4015953c535bb564ee85f87177b82cdcf033e1f45c657215dc
SSDEEP

24576:+yokLrBFfr6+muRW5Sj85xrfEcUHX20cWu3l:Nokhtwj5xJU32yu

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr020729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr020729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr020729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr020729.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr020729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr020729.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	si271034.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
3788	un028461.exe
4644	un108372.exe
4000	pr020729.exe
1880	qu558629.exe
2748	rk303467.exe
640	si271034.exe
1620	oneetx.exe
4028	oneetx.exe
3124	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
3380	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr020729.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr020729.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un028461.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un028461.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un108372.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un108372.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3d244ae9d728e0bdc90a21f0db1e1b134d740f8156e52221a2bfea73211219f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3d244ae9d728e0bdc90a21f0db1e1b134d740f8156e52221a2bfea73211219f3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 31 IoCs

pid	pid_target	Process	procid_target
2548	4000	WerFault.exe	87
2388	1880	WerFault.exe	93
3984	640	WerFault.exe	98
3996	640	WerFault.exe	98
4212	640	WerFault.exe	98
4860	640	WerFault.exe	98
3188	640	WerFault.exe	98
800	640	WerFault.exe	98
1968	640	WerFault.exe	98
3480	640	WerFault.exe	98
1092	640	WerFault.exe	98
2160	640	WerFault.exe	98
1496	1620	WerFault.exe	118
5112	1620	WerFault.exe	118
1280	1620	WerFault.exe	118
5108	1620	WerFault.exe	118
2040	1620	WerFault.exe	118
2336	1620	WerFault.exe	118
4132	1620	WerFault.exe	118
1704	1620	WerFault.exe	118
4748	1620	WerFault.exe	118
5080	1620	WerFault.exe	118
4984	1620	WerFault.exe	118
4024	1620	WerFault.exe	118
2576	1620	WerFault.exe	118
4476	1620	WerFault.exe	118
5024	4028	WerFault.exe	162
1896	1620	WerFault.exe	118
1576	1620	WerFault.exe	118
2312	1620	WerFault.exe	118
3168	3124	WerFault.exe	172

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4000	pr020729.exe
4000	pr020729.exe
1880	qu558629.exe
1880	qu558629.exe
2748	rk303467.exe
2748	rk303467.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4000	pr020729.exe
Token: SeDebugPrivilege	1880	qu558629.exe
Token: SeDebugPrivilege	2748	rk303467.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
640	si271034.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 3788	3812	3d244ae9d728e0bdc90a21f0db1e1b134d740f8156e52221a2bfea73211219f3.exe	85
PID 3812 wrote to memory of 3788	3812	3d244ae9d728e0bdc90a21f0db1e1b134d740f8156e52221a2bfea73211219f3.exe	85
PID 3812 wrote to memory of 3788	3812	3d244ae9d728e0bdc90a21f0db1e1b134d740f8156e52221a2bfea73211219f3.exe	85
PID 3788 wrote to memory of 4644	3788	un028461.exe	86
PID 3788 wrote to memory of 4644	3788	un028461.exe	86
PID 3788 wrote to memory of 4644	3788	un028461.exe	86
PID 4644 wrote to memory of 4000	4644	un108372.exe	87
PID 4644 wrote to memory of 4000	4644	un108372.exe	87
PID 4644 wrote to memory of 4000	4644	un108372.exe	87
PID 4644 wrote to memory of 1880	4644	un108372.exe	93
PID 4644 wrote to memory of 1880	4644	un108372.exe	93
PID 4644 wrote to memory of 1880	4644	un108372.exe	93
PID 3788 wrote to memory of 2748	3788	un028461.exe	96
PID 3788 wrote to memory of 2748	3788	un028461.exe	96
PID 3788 wrote to memory of 2748	3788	un028461.exe	96
PID 3812 wrote to memory of 640	3812	3d244ae9d728e0bdc90a21f0db1e1b134d740f8156e52221a2bfea73211219f3.exe	98
PID 3812 wrote to memory of 640	3812	3d244ae9d728e0bdc90a21f0db1e1b134d740f8156e52221a2bfea73211219f3.exe	98
PID 3812 wrote to memory of 640	3812	3d244ae9d728e0bdc90a21f0db1e1b134d740f8156e52221a2bfea73211219f3.exe	98
PID 640 wrote to memory of 1620	640	si271034.exe	118
PID 640 wrote to memory of 1620	640	si271034.exe	118
PID 640 wrote to memory of 1620	640	si271034.exe	118
PID 1620 wrote to memory of 4848	1620	oneetx.exe	138
PID 1620 wrote to memory of 4848	1620	oneetx.exe	138
PID 1620 wrote to memory of 4848	1620	oneetx.exe	138
PID 1620 wrote to memory of 4656	1620	oneetx.exe	144
PID 1620 wrote to memory of 4656	1620	oneetx.exe	144
PID 1620 wrote to memory of 4656	1620	oneetx.exe	144
PID 4656 wrote to memory of 2900	4656	cmd.exe	149
PID 4656 wrote to memory of 2900	4656	cmd.exe	149
PID 4656 wrote to memory of 2900	4656	cmd.exe	149
PID 4656 wrote to memory of 4892	4656	cmd.exe	148
PID 4656 wrote to memory of 4892	4656	cmd.exe	148
PID 4656 wrote to memory of 4892	4656	cmd.exe	148
PID 4656 wrote to memory of 2084	4656	cmd.exe	150
PID 4656 wrote to memory of 2084	4656	cmd.exe	150
PID 4656 wrote to memory of 2084	4656	cmd.exe	150
PID 4656 wrote to memory of 2624	4656	cmd.exe	152
PID 4656 wrote to memory of 2624	4656	cmd.exe	152
PID 4656 wrote to memory of 2624	4656	cmd.exe	152
PID 4656 wrote to memory of 1252	4656	cmd.exe	151
PID 4656 wrote to memory of 1252	4656	cmd.exe	151
PID 4656 wrote to memory of 1252	4656	cmd.exe	151
PID 4656 wrote to memory of 516	4656	cmd.exe	153
PID 4656 wrote to memory of 516	4656	cmd.exe	153
PID 4656 wrote to memory of 516	4656	cmd.exe	153
PID 1620 wrote to memory of 3380	1620	oneetx.exe	167
PID 1620 wrote to memory of 3380	1620	oneetx.exe	167
PID 1620 wrote to memory of 3380	1620	oneetx.exe	167

C:\Users\Admin\AppData\Local\Temp\3d244ae9d728e0bdc90a21f0db1e1b134d740f8156e52221a2bfea73211219f3.exe
"C:\Users\Admin\AppData\Local\Temp\3d244ae9d728e0bdc90a21f0db1e1b134d740f8156e52221a2bfea73211219f3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un028461.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un028461.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un108372.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un108372.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr020729.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr020729.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4000
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 1080
        5⤵
        Program crash
        
        PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu558629.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu558629.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 1320
        5⤵
        Program crash
        
        PID:2388
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk303467.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk303467.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si271034.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si271034.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 696
    3⤵
    - Program crash
    PID:3984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 792
    3⤵
    - Program crash
    PID:3996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 792
    3⤵
    - Program crash
    PID:4212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 968
    3⤵
    - Program crash
    PID:4860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 964
    3⤵
    - Program crash
    PID:3188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 964
    3⤵
    - Program crash
    PID:800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 1216
    3⤵
    - Program crash
    PID:1968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 1252
    3⤵
    - Program crash
    PID:3480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 1312
    3⤵
    - Program crash
    PID:1092
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 696
      4⤵
      Program crash
      PID:1496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 844
      4⤵
      Program crash
      PID:5112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 852
      4⤵
      Program crash
      PID:1280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1052
      4⤵
      Program crash
      PID:5108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1092
      4⤵
      Program crash
      PID:2040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1092
      4⤵
      Program crash
      PID:2336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1112
      4⤵
      Program crash
      PID:4132
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 992
      4⤵
      Program crash
      PID:1704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1288
      4⤵
      Program crash
      PID:4748
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:4892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2900
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:2084
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:1252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2624
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 772
      4⤵
      Program crash
      PID:5080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1312
      4⤵
      Program crash
      PID:4984
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 776
      4⤵
      Program crash
      PID:4024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1296
      4⤵
      Program crash
      PID:2576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1144
      4⤵
      Program crash
      PID:4476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1612
      4⤵
      Program crash
      PID:1896
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1552
      4⤵
      Program crash
      PID:1576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1628
      4⤵
      Program crash
      PID:2312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 1312
    3⤵
    - Program crash
    PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4000 -ip 4000
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1880 -ip 1880
1⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 640 -ip 640
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 640 -ip 640
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 640 -ip 640
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 640 -ip 640
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 640 -ip 640
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 640 -ip 640
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 640 -ip 640
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 640 -ip 640
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 640 -ip 640
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 640 -ip 640
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1620 -ip 1620
1⤵
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1620 -ip 1620
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1620 -ip 1620
1⤵
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1620 -ip 1620
1⤵
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1620 -ip 1620
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1620 -ip 1620
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1620 -ip 1620
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1620 -ip 1620
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1620 -ip 1620
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1620 -ip 1620
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1620 -ip 1620
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1620 -ip 1620
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1620 -ip 1620
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1620 -ip 1620
1⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 316
  2⤵
  - Program crash
  PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4028 -ip 4028
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1620 -ip 1620
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1620 -ip 1620
1⤵
PID:896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1620 -ip 1620
1⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 216
  2⤵
  - Program crash
  PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3124 -ip 3124
1⤵
PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si271034.exe

Filesize
278KB

MD5
a6c9844cdd03046e8db1fc57072c0c3c

SHA1
cba4c4ef057c5b098c2ec0def1a681a928a287ef

SHA256
be9902b4f8f4f66653261ca97082b85f89c27fee3d30eccf6515fefd1cd3963f

SHA512
b1d8da2052d25db94216364c74288a581feedd25465762e13a20284a9959e422be46d315ebf72fc25385bb4a66359eaf52137705f4bd50b5bf6ef69bd589d74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si271034.exe

Filesize
278KB

MD5
a6c9844cdd03046e8db1fc57072c0c3c

SHA1
cba4c4ef057c5b098c2ec0def1a681a928a287ef

SHA256
be9902b4f8f4f66653261ca97082b85f89c27fee3d30eccf6515fefd1cd3963f

SHA512
b1d8da2052d25db94216364c74288a581feedd25465762e13a20284a9959e422be46d315ebf72fc25385bb4a66359eaf52137705f4bd50b5bf6ef69bd589d74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un028461.exe

Filesize
706KB

MD5
1ba1807fc6bcf2987a3a0956b0482ac5

SHA1
3671d9569442f6f04bfdbd24bb9069b94e2636d7

SHA256
73a6818328e82f8e6e3b80aae74e9ecb8b1b4dce61ff4758ef00ba9840ab6e6c

SHA512
845f10ee0686caaa5581286c2babc76a15ab1aba743da29da810df788b46bd617eb8ef98286964f4bebec027d4d2011dba018176b8f0960e3f62363f5ab5533f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un028461.exe

Filesize
706KB

MD5
1ba1807fc6bcf2987a3a0956b0482ac5

SHA1
3671d9569442f6f04bfdbd24bb9069b94e2636d7

SHA256
73a6818328e82f8e6e3b80aae74e9ecb8b1b4dce61ff4758ef00ba9840ab6e6c

SHA512
845f10ee0686caaa5581286c2babc76a15ab1aba743da29da810df788b46bd617eb8ef98286964f4bebec027d4d2011dba018176b8f0960e3f62363f5ab5533f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk303467.exe

Filesize
136KB

MD5
9c75a048f066d01b19ed80dc6e7a7101

SHA1
7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3

SHA256
c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625

SHA512
b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk303467.exe

Filesize
136KB

MD5
9c75a048f066d01b19ed80dc6e7a7101

SHA1
7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3

SHA256
c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625

SHA512
b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un108372.exe

Filesize
552KB

MD5
3dc97c37c502f54d1e9e94f042ebdc9d

SHA1
71a166132487ed8c8d0e5c06e4da3a531424fb01

SHA256
befb58b92c031083c8912ee50a6a8cc346c40a49f12236e3c386cb3c413ffc5b

SHA512
e7237a483668a3bddfe40e337acc6603cdc438183137a34cde36813d6e86805242c5130df3d7493fd6a2ab1dc4354963c1d4cdced325a80d51d21a49664f8da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un108372.exe

Filesize
552KB

MD5
3dc97c37c502f54d1e9e94f042ebdc9d

SHA1
71a166132487ed8c8d0e5c06e4da3a531424fb01

SHA256
befb58b92c031083c8912ee50a6a8cc346c40a49f12236e3c386cb3c413ffc5b

SHA512
e7237a483668a3bddfe40e337acc6603cdc438183137a34cde36813d6e86805242c5130df3d7493fd6a2ab1dc4354963c1d4cdced325a80d51d21a49664f8da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr020729.exe

Filesize
299KB

MD5
f7cdf7db063ce0eef8af7f43d582bdf3

SHA1
5aa3000af1cdc40a868ecf476ce6c7dfd01a5c3e

SHA256
e9d77aad0af839152c46065c1794f0bb40b778e3bfedeca36640bd231081d9bf

SHA512
3e59e8b245c342e4f8212413da4f1e6c5e09e869b428497cd78f95f5f5314d11d3a781f7245f17ec7eaaac44ee9777a962c85c46c9c31f553d03314fbea59ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr020729.exe

Filesize
299KB

MD5
f7cdf7db063ce0eef8af7f43d582bdf3

SHA1
5aa3000af1cdc40a868ecf476ce6c7dfd01a5c3e

SHA256
e9d77aad0af839152c46065c1794f0bb40b778e3bfedeca36640bd231081d9bf

SHA512
3e59e8b245c342e4f8212413da4f1e6c5e09e869b428497cd78f95f5f5314d11d3a781f7245f17ec7eaaac44ee9777a962c85c46c9c31f553d03314fbea59ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu558629.exe

Filesize
382KB

MD5
69bf3672d246beb8e0389c1fd5223443

SHA1
130ab806f7357be699eb62e1a05dcde14de1c5a1

SHA256
d2a67502cb439dfc0de9306453496e401f23a6faf5cef65d51e7f525f080a3eb

SHA512
ec3f03bb9faf711305838bf3902efec022240127bf88446861b811e187d5aa7fb48852a1ee1367df80df0d7a938212d3a782645a86cce7763c9eee7c46e08515

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu558629.exe

Filesize
382KB

MD5
69bf3672d246beb8e0389c1fd5223443

SHA1
130ab806f7357be699eb62e1a05dcde14de1c5a1

SHA256
d2a67502cb439dfc0de9306453496e401f23a6faf5cef65d51e7f525f080a3eb

SHA512
ec3f03bb9faf711305838bf3902efec022240127bf88446861b811e187d5aa7fb48852a1ee1367df80df0d7a938212d3a782645a86cce7763c9eee7c46e08515

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
278KB

MD5
a6c9844cdd03046e8db1fc57072c0c3c

SHA1
cba4c4ef057c5b098c2ec0def1a681a928a287ef

SHA256
be9902b4f8f4f66653261ca97082b85f89c27fee3d30eccf6515fefd1cd3963f

SHA512
b1d8da2052d25db94216364c74288a581feedd25465762e13a20284a9959e422be46d315ebf72fc25385bb4a66359eaf52137705f4bd50b5bf6ef69bd589d74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
278KB

MD5
a6c9844cdd03046e8db1fc57072c0c3c

SHA1
cba4c4ef057c5b098c2ec0def1a681a928a287ef

SHA256
be9902b4f8f4f66653261ca97082b85f89c27fee3d30eccf6515fefd1cd3963f

SHA512
b1d8da2052d25db94216364c74288a581feedd25465762e13a20284a9959e422be46d315ebf72fc25385bb4a66359eaf52137705f4bd50b5bf6ef69bd589d74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
278KB

MD5
a6c9844cdd03046e8db1fc57072c0c3c

SHA1
cba4c4ef057c5b098c2ec0def1a681a928a287ef

SHA256
be9902b4f8f4f66653261ca97082b85f89c27fee3d30eccf6515fefd1cd3963f

SHA512
b1d8da2052d25db94216364c74288a581feedd25465762e13a20284a9959e422be46d315ebf72fc25385bb4a66359eaf52137705f4bd50b5bf6ef69bd589d74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
278KB

MD5
a6c9844cdd03046e8db1fc57072c0c3c

SHA1
cba4c4ef057c5b098c2ec0def1a681a928a287ef

SHA256
be9902b4f8f4f66653261ca97082b85f89c27fee3d30eccf6515fefd1cd3963f

SHA512
b1d8da2052d25db94216364c74288a581feedd25465762e13a20284a9959e422be46d315ebf72fc25385bb4a66359eaf52137705f4bd50b5bf6ef69bd589d74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
278KB

MD5
a6c9844cdd03046e8db1fc57072c0c3c

SHA1
cba4c4ef057c5b098c2ec0def1a681a928a287ef

SHA256
be9902b4f8f4f66653261ca97082b85f89c27fee3d30eccf6515fefd1cd3963f

SHA512
b1d8da2052d25db94216364c74288a581feedd25465762e13a20284a9959e422be46d315ebf72fc25385bb4a66359eaf52137705f4bd50b5bf6ef69bd589d74c

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
cfe2ef912f30ac9bc36d8686888ca0d3

SHA1
ddbbb63670b2f5bd903dadcff54ff8270825499b

SHA256
675771ae0ef1ba5c7fdde82f950461c2c4487e56b3fc41f5c544b73c8b33f10d

SHA512
5e0f51d137000e42e9cd0a41ab9de5a4c91bda677fce992f7b391ea5f9cb7cfb44c31a990bc6249b9dfed8f346881311c7c56f63fb1ef41ea8f757247cd9b68a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
cfe2ef912f30ac9bc36d8686888ca0d3

SHA1
ddbbb63670b2f5bd903dadcff54ff8270825499b

SHA256
675771ae0ef1ba5c7fdde82f950461c2c4487e56b3fc41f5c544b73c8b33f10d

SHA512
5e0f51d137000e42e9cd0a41ab9de5a4c91bda677fce992f7b391ea5f9cb7cfb44c31a990bc6249b9dfed8f346881311c7c56f63fb1ef41ea8f757247cd9b68a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
cfe2ef912f30ac9bc36d8686888ca0d3

SHA1
ddbbb63670b2f5bd903dadcff54ff8270825499b

SHA256
675771ae0ef1ba5c7fdde82f950461c2c4487e56b3fc41f5c544b73c8b33f10d

SHA512
5e0f51d137000e42e9cd0a41ab9de5a4c91bda677fce992f7b391ea5f9cb7cfb44c31a990bc6249b9dfed8f346881311c7c56f63fb1ef41ea8f757247cd9b68a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/640-1019-0x0000000002BB0000-0x0000000002BE5000-memory.dmp

Filesize
212KB

Download
memory/1880-999-0x000000000A760000-0x000000000A7C6000-memory.dmp

Filesize
408KB

Download
memory/1880-234-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1880-1005-0x0000000004B40000-0x0000000004B90000-memory.dmp

Filesize
320KB

Download
memory/1880-1004-0x000000000B750000-0x000000000B76E000-memory.dmp

Filesize
120KB

Download
memory/1880-1003-0x000000000B1A0000-0x000000000B6CC000-memory.dmp

Filesize
5.2MB

Download
memory/1880-1002-0x000000000AFD0000-0x000000000B192000-memory.dmp

Filesize
1.8MB

Download
memory/1880-1001-0x000000000AEF0000-0x000000000AF66000-memory.dmp

Filesize
472KB

Download
memory/1880-1000-0x000000000AE10000-0x000000000AEA2000-memory.dmp

Filesize
584KB

Download
memory/1880-998-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/1880-997-0x000000000A470000-0x000000000A4AC000-memory.dmp

Filesize
240KB

Download
memory/1880-996-0x000000000A340000-0x000000000A44A000-memory.dmp

Filesize
1.0MB

Download
memory/1880-198-0x0000000004580000-0x00000000045C6000-memory.dmp

Filesize
280KB

Download
memory/1880-200-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/1880-199-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/1880-201-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1880-202-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1880-204-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1880-206-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1880-208-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1880-210-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1880-212-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1880-214-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1880-216-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1880-218-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1880-220-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1880-222-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1880-224-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1880-226-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1880-228-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1880-230-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1880-232-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1880-995-0x000000000A320000-0x000000000A332000-memory.dmp

Filesize
72KB

Download
memory/1880-236-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/1880-994-0x0000000009C60000-0x000000000A278000-memory.dmp

Filesize
6.1MB

Download
memory/2748-1012-0x0000000000F10000-0x0000000000F38000-memory.dmp

Filesize
160KB

Download
memory/2748-1013-0x0000000007CB0000-0x0000000007CC0000-memory.dmp

Filesize
64KB

Download
memory/4000-176-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4000-158-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4000-180-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4000-191-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/4000-190-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/4000-189-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/4000-188-0x0000000000400000-0x0000000002BB5000-memory.dmp

Filesize
39.7MB

Download
memory/4000-187-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/4000-186-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/4000-178-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4000-185-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/4000-184-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4000-193-0x0000000000400000-0x0000000002BB5000-memory.dmp

Filesize
39.7MB

Download
memory/4000-172-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4000-182-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4000-170-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4000-168-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4000-166-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4000-164-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4000-162-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4000-160-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4000-174-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4000-157-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4000-156-0x00000000074C0000-0x0000000007A64000-memory.dmp

Filesize
5.6MB

Download
memory/4000-155-0x0000000002C90000-0x0000000002CBD000-memory.dmp

Filesize
180KB

Download