cc4a349c91cbce2224f7ff31f71ca2999d031cf2e5025fc33d1018740c6509ac

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2023, 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc4a349c91cbce2224f7ff31f71ca2999d031cf2e5025fc33d1018740c6509ac.exe
Size

965KB
MD5

746de7b60c813a39005e853a06dc4b49
SHA1

96cbb6831db80c0dc36a886f64814388dc285384
SHA256

cc4a349c91cbce2224f7ff31f71ca2999d031cf2e5025fc33d1018740c6509ac
SHA512

8640787225618200bee844e368ae64a50860c1d5a2ca7078d53a83e25491a183b2dcfa5cc0d9d6e422718d23386a7b12ac29a4f2da44fc404d60eade123fd88b
SSDEEP

24576:Eygx49ZHgQqKdM51bbiO2ytz+0AEN/B1:TgjQ8aODpN/B

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr876369.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr876369.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr876369.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr876369.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr876369.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr876369.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	si831048.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
3448	un719031.exe
1664	un393565.exe
4108	pr876369.exe
4964	qu434662.exe
3828	rk507964.exe
4816	si831048.exe
1616	oneetx.exe
2024	oneetx.exe
4816	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
1152	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr876369.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr876369.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un719031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un719031.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un393565.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un393565.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cc4a349c91cbce2224f7ff31f71ca2999d031cf2e5025fc33d1018740c6509ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cc4a349c91cbce2224f7ff31f71ca2999d031cf2e5025fc33d1018740c6509ac.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 31 IoCs

pid	pid_target	Process	procid_target
4348	4108	WerFault.exe	85
4668	4964	WerFault.exe	91
1028	4816	WerFault.exe	96
1272	4816	WerFault.exe	96
1704	4816	WerFault.exe	96
1432	4816	WerFault.exe	96
4468	4816	WerFault.exe	96
972	4816	WerFault.exe	96
1292	4816	WerFault.exe	96
1732	4816	WerFault.exe	96
4980	4816	WerFault.exe	96
4580	4816	WerFault.exe	96
1392	1616	WerFault.exe	117
2044	1616	WerFault.exe	117
3908	1616	WerFault.exe	117
4680	1616	WerFault.exe	117
1240	1616	WerFault.exe	117
5004	1616	WerFault.exe	117
4628	1616	WerFault.exe	117
232	1616	WerFault.exe	117
4048	1616	WerFault.exe	117
1400	1616	WerFault.exe	117
5080	1616	WerFault.exe	117
1180	1616	WerFault.exe	117
1880	1616	WerFault.exe	117
1140	2024	WerFault.exe	158
4392	1616	WerFault.exe	117
5068	1616	WerFault.exe	117
5048	1616	WerFault.exe	117
3368	1616	WerFault.exe	117
2704	4816	WerFault.exe	170

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4108	pr876369.exe
4108	pr876369.exe
4964	qu434662.exe
4964	qu434662.exe
3828	rk507964.exe
3828	rk507964.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4108	pr876369.exe
Token: SeDebugPrivilege	4964	qu434662.exe
Token: SeDebugPrivilege	3828	rk507964.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4816	si831048.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 3448	3992	cc4a349c91cbce2224f7ff31f71ca2999d031cf2e5025fc33d1018740c6509ac.exe	83
PID 3992 wrote to memory of 3448	3992	cc4a349c91cbce2224f7ff31f71ca2999d031cf2e5025fc33d1018740c6509ac.exe	83
PID 3992 wrote to memory of 3448	3992	cc4a349c91cbce2224f7ff31f71ca2999d031cf2e5025fc33d1018740c6509ac.exe	83
PID 3448 wrote to memory of 1664	3448	un719031.exe	84
PID 3448 wrote to memory of 1664	3448	un719031.exe	84
PID 3448 wrote to memory of 1664	3448	un719031.exe	84
PID 1664 wrote to memory of 4108	1664	un393565.exe	85
PID 1664 wrote to memory of 4108	1664	un393565.exe	85
PID 1664 wrote to memory of 4108	1664	un393565.exe	85
PID 1664 wrote to memory of 4964	1664	un393565.exe	91
PID 1664 wrote to memory of 4964	1664	un393565.exe	91
PID 1664 wrote to memory of 4964	1664	un393565.exe	91
PID 3448 wrote to memory of 3828	3448	un719031.exe	94
PID 3448 wrote to memory of 3828	3448	un719031.exe	94
PID 3448 wrote to memory of 3828	3448	un719031.exe	94
PID 3992 wrote to memory of 4816	3992	cc4a349c91cbce2224f7ff31f71ca2999d031cf2e5025fc33d1018740c6509ac.exe	96
PID 3992 wrote to memory of 4816	3992	cc4a349c91cbce2224f7ff31f71ca2999d031cf2e5025fc33d1018740c6509ac.exe	96
PID 3992 wrote to memory of 4816	3992	cc4a349c91cbce2224f7ff31f71ca2999d031cf2e5025fc33d1018740c6509ac.exe	96
PID 4816 wrote to memory of 1616	4816	si831048.exe	117
PID 4816 wrote to memory of 1616	4816	si831048.exe	117
PID 4816 wrote to memory of 1616	4816	si831048.exe	117
PID 1616 wrote to memory of 4620	1616	oneetx.exe	136
PID 1616 wrote to memory of 4620	1616	oneetx.exe	136
PID 1616 wrote to memory of 4620	1616	oneetx.exe	136
PID 1616 wrote to memory of 1424	1616	oneetx.exe	142
PID 1616 wrote to memory of 1424	1616	oneetx.exe	142
PID 1616 wrote to memory of 1424	1616	oneetx.exe	142
PID 1424 wrote to memory of 3884	1424	cmd.exe	146
PID 1424 wrote to memory of 3884	1424	cmd.exe	146
PID 1424 wrote to memory of 3884	1424	cmd.exe	146
PID 1424 wrote to memory of 4632	1424	cmd.exe	147
PID 1424 wrote to memory of 4632	1424	cmd.exe	147
PID 1424 wrote to memory of 4632	1424	cmd.exe	147
PID 1424 wrote to memory of 4492	1424	cmd.exe	148
PID 1424 wrote to memory of 4492	1424	cmd.exe	148
PID 1424 wrote to memory of 4492	1424	cmd.exe	148
PID 1424 wrote to memory of 4236	1424	cmd.exe	149
PID 1424 wrote to memory of 4236	1424	cmd.exe	149
PID 1424 wrote to memory of 4236	1424	cmd.exe	149
PID 1424 wrote to memory of 2104	1424	cmd.exe	150
PID 1424 wrote to memory of 2104	1424	cmd.exe	150
PID 1424 wrote to memory of 2104	1424	cmd.exe	150
PID 1424 wrote to memory of 4108	1424	cmd.exe	151
PID 1424 wrote to memory of 4108	1424	cmd.exe	151
PID 1424 wrote to memory of 4108	1424	cmd.exe	151
PID 1616 wrote to memory of 1152	1616	oneetx.exe	165
PID 1616 wrote to memory of 1152	1616	oneetx.exe	165
PID 1616 wrote to memory of 1152	1616	oneetx.exe	165

C:\Users\Admin\AppData\Local\Temp\cc4a349c91cbce2224f7ff31f71ca2999d031cf2e5025fc33d1018740c6509ac.exe
"C:\Users\Admin\AppData\Local\Temp\cc4a349c91cbce2224f7ff31f71ca2999d031cf2e5025fc33d1018740c6509ac.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un719031.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un719031.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un393565.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un393565.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr876369.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr876369.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4108
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1080
        5⤵
        Program crash
        
        PID:4348
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu434662.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu434662.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1788
        5⤵
        Program crash
        
        PID:4668
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk507964.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk507964.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3828
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si831048.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si831048.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 696
    3⤵
    - Program crash
    PID:1028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 776
    3⤵
    - Program crash
    PID:1272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 812
    3⤵
    - Program crash
    PID:1704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 960
    3⤵
    - Program crash
    PID:1432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 952
    3⤵
    - Program crash
    PID:4468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 952
    3⤵
    - Program crash
    PID:972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1216
    3⤵
    - Program crash
    PID:1292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1248
    3⤵
    - Program crash
    PID:1732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1320
    3⤵
    - Program crash
    PID:4980
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 692
      4⤵
      Program crash
      PID:1392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 816
      4⤵
      Program crash
      PID:2044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 908
      4⤵
      Program crash
      PID:3908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1052
      4⤵
      Program crash
      PID:4680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1060
      4⤵
      Program crash
      PID:1240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1084
      4⤵
      Program crash
      PID:5004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1096
      4⤵
      Program crash
      PID:4628
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1008
      4⤵
      Program crash
      PID:232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 760
      4⤵
      Program crash
      PID:4048
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3884
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:4632
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:4492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4236
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:4108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1288
      4⤵
      Program crash
      PID:1400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1260
      4⤵
      Program crash
      PID:5080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1316
      4⤵
      Program crash
      PID:1180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1268
      4⤵
      Program crash
      PID:1880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1112
      4⤵
      Program crash
      PID:4392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1600
      4⤵
      Program crash
      PID:5068
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:1152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1580
      4⤵
      Program crash
      PID:5048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1436
      4⤵
      Program crash
      PID:3368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1564
    3⤵
    - Program crash
    PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4108 -ip 4108
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4964 -ip 4964
1⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4816 -ip 4816
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4816 -ip 4816
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4816 -ip 4816
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4816 -ip 4816
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4816 -ip 4816
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4816 -ip 4816
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4816 -ip 4816
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4816 -ip 4816
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4816 -ip 4816
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4816 -ip 4816
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1616 -ip 1616
1⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1616 -ip 1616
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1616 -ip 1616
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1616 -ip 1616
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 1616 -ip 1616
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1616 -ip 1616
1⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1616 -ip 1616
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 1616 -ip 1616
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1616 -ip 1616
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1616 -ip 1616
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1616 -ip 1616
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1616 -ip 1616
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1616 -ip 1616
1⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:2024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 320
  2⤵
  - Program crash
  PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 2024 -ip 2024
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1616 -ip 1616
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 1616 -ip 1616
1⤵
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 1616 -ip 1616
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1616 -ip 1616
1⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 320
  2⤵
  - Program crash
  PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 4816 -ip 4816
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si831048.exe

Filesize
258KB

MD5
c43a184e311d755baa2f5e642563bcc0

SHA1
12f6fc7b1467caa7d146bae7594dcaaba6975e5e

SHA256
2b75638d4f9fcbd72547a1a4de46fbc113e92d429bc50a5270715c600ba39ae7

SHA512
b2cbfa0b19c23eb051ad0f4fe7ee1ea2c9c333d8c665b6b0d7895fcaa92e243f4619a2e8eeb02098bad9334f79d80e754a97c69b8c5e8eda9461a645d9ae61b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si831048.exe

Filesize
258KB

MD5
c43a184e311d755baa2f5e642563bcc0

SHA1
12f6fc7b1467caa7d146bae7594dcaaba6975e5e

SHA256
2b75638d4f9fcbd72547a1a4de46fbc113e92d429bc50a5270715c600ba39ae7

SHA512
b2cbfa0b19c23eb051ad0f4fe7ee1ea2c9c333d8c665b6b0d7895fcaa92e243f4619a2e8eeb02098bad9334f79d80e754a97c69b8c5e8eda9461a645d9ae61b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un719031.exe

Filesize
706KB

MD5
d36b983d80ffcc3e735edd87dc7a37d3

SHA1
e69a8b8c029a3a274f1f94df7a65ce868789423e

SHA256
55e0c9ab43e2380b91c57abf87e4590c9ba933691fe6c094675e53f40627ebc5

SHA512
44617a1abf0afb863d7641f094458c701558949a9a488d546025bf466dc9f63f249a74272fc053ac25ddc00ec4e897b88033696a56c11d46176dc7d1bc3a2e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un719031.exe

Filesize
706KB

MD5
d36b983d80ffcc3e735edd87dc7a37d3

SHA1
e69a8b8c029a3a274f1f94df7a65ce868789423e

SHA256
55e0c9ab43e2380b91c57abf87e4590c9ba933691fe6c094675e53f40627ebc5

SHA512
44617a1abf0afb863d7641f094458c701558949a9a488d546025bf466dc9f63f249a74272fc053ac25ddc00ec4e897b88033696a56c11d46176dc7d1bc3a2e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk507964.exe

Filesize
136KB

MD5
49650cdcdc358bb2770f0062abeef88c

SHA1
d6f7ec7758e9a80700b81bc7a549838ba99aacac

SHA256
79e2e1c24f6eb497a4c8071e93ce7ef130b28621b085a3b9ac89a4ecf1ec4e59

SHA512
7ca1453671b64b79f2144bb994b7768cc2320ca5da52f2e6ce4d8906f79dae4698943508678bfe02d17f2a7d7910fc42b84c3b605f1e1cea257955e64d0e02e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk507964.exe

Filesize
136KB

MD5
49650cdcdc358bb2770f0062abeef88c

SHA1
d6f7ec7758e9a80700b81bc7a549838ba99aacac

SHA256
79e2e1c24f6eb497a4c8071e93ce7ef130b28621b085a3b9ac89a4ecf1ec4e59

SHA512
7ca1453671b64b79f2144bb994b7768cc2320ca5da52f2e6ce4d8906f79dae4698943508678bfe02d17f2a7d7910fc42b84c3b605f1e1cea257955e64d0e02e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un393565.exe

Filesize
551KB

MD5
49bec94b7f4ed2afe7eb3718fdb5dfcc

SHA1
1fa1fb405d9c7f8e34c0bee75db445a932377bb9

SHA256
37575a6b1ed4152d8eea52a3ea81159e3774ed94675edd01f9d3ae5f24e49b97

SHA512
724a11c37c6c3631b0b3b182be3026294e77f88b00b08e0d1c5b0852d75af785170fda77bff16eff5ce8a02ea0cf54e1abcc3a5fbff0aa0066f99688dd24d21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un393565.exe

Filesize
551KB

MD5
49bec94b7f4ed2afe7eb3718fdb5dfcc

SHA1
1fa1fb405d9c7f8e34c0bee75db445a932377bb9

SHA256
37575a6b1ed4152d8eea52a3ea81159e3774ed94675edd01f9d3ae5f24e49b97

SHA512
724a11c37c6c3631b0b3b182be3026294e77f88b00b08e0d1c5b0852d75af785170fda77bff16eff5ce8a02ea0cf54e1abcc3a5fbff0aa0066f99688dd24d21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr876369.exe

Filesize
279KB

MD5
ec3e4014bbe8861642aaac3a413c0d09

SHA1
bf3be2aa4efd97f4e1df774a05b6f2a11d882055

SHA256
31eb8c3d835e4cd660978165bfbd7e3008a2d48ba51f95ee8ebd4cf2478d2c44

SHA512
d40fadc5f627722226a8a8657749f88047622570c971bffc1b6236ccbea411a1db7bc91367646bd7d653c50f63a2233a812f884543837d6269d72e665af3550e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr876369.exe

Filesize
279KB

MD5
ec3e4014bbe8861642aaac3a413c0d09

SHA1
bf3be2aa4efd97f4e1df774a05b6f2a11d882055

SHA256
31eb8c3d835e4cd660978165bfbd7e3008a2d48ba51f95ee8ebd4cf2478d2c44

SHA512
d40fadc5f627722226a8a8657749f88047622570c971bffc1b6236ccbea411a1db7bc91367646bd7d653c50f63a2233a812f884543837d6269d72e665af3550e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu434662.exe

Filesize
362KB

MD5
e728da94c54cbd02917ed27dff4fe5ef

SHA1
8a0ec4558f148937f5dd5f42156010547aad1efb

SHA256
b68fd5c047879ef70c965fb938194bfcf808583886052f53b6c8a8cd058470cf

SHA512
de1603d094cb0717127ed31852ac02425364fb0e445c5f2f5d081370c97848ad8696cf57a4990616b643298c5f66e8e5006ed52ae4a3928ea8ec985bd8936564

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu434662.exe

Filesize
362KB

MD5
e728da94c54cbd02917ed27dff4fe5ef

SHA1
8a0ec4558f148937f5dd5f42156010547aad1efb

SHA256
b68fd5c047879ef70c965fb938194bfcf808583886052f53b6c8a8cd058470cf

SHA512
de1603d094cb0717127ed31852ac02425364fb0e445c5f2f5d081370c97848ad8696cf57a4990616b643298c5f66e8e5006ed52ae4a3928ea8ec985bd8936564

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
258KB

MD5
c43a184e311d755baa2f5e642563bcc0

SHA1
12f6fc7b1467caa7d146bae7594dcaaba6975e5e

SHA256
2b75638d4f9fcbd72547a1a4de46fbc113e92d429bc50a5270715c600ba39ae7

SHA512
b2cbfa0b19c23eb051ad0f4fe7ee1ea2c9c333d8c665b6b0d7895fcaa92e243f4619a2e8eeb02098bad9334f79d80e754a97c69b8c5e8eda9461a645d9ae61b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
258KB

MD5
c43a184e311d755baa2f5e642563bcc0

SHA1
12f6fc7b1467caa7d146bae7594dcaaba6975e5e

SHA256
2b75638d4f9fcbd72547a1a4de46fbc113e92d429bc50a5270715c600ba39ae7

SHA512
b2cbfa0b19c23eb051ad0f4fe7ee1ea2c9c333d8c665b6b0d7895fcaa92e243f4619a2e8eeb02098bad9334f79d80e754a97c69b8c5e8eda9461a645d9ae61b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
258KB

MD5
c43a184e311d755baa2f5e642563bcc0

SHA1
12f6fc7b1467caa7d146bae7594dcaaba6975e5e

SHA256
2b75638d4f9fcbd72547a1a4de46fbc113e92d429bc50a5270715c600ba39ae7

SHA512
b2cbfa0b19c23eb051ad0f4fe7ee1ea2c9c333d8c665b6b0d7895fcaa92e243f4619a2e8eeb02098bad9334f79d80e754a97c69b8c5e8eda9461a645d9ae61b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
258KB

MD5
c43a184e311d755baa2f5e642563bcc0

SHA1
12f6fc7b1467caa7d146bae7594dcaaba6975e5e

SHA256
2b75638d4f9fcbd72547a1a4de46fbc113e92d429bc50a5270715c600ba39ae7

SHA512
b2cbfa0b19c23eb051ad0f4fe7ee1ea2c9c333d8c665b6b0d7895fcaa92e243f4619a2e8eeb02098bad9334f79d80e754a97c69b8c5e8eda9461a645d9ae61b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
258KB

MD5
c43a184e311d755baa2f5e642563bcc0

SHA1
12f6fc7b1467caa7d146bae7594dcaaba6975e5e

SHA256
2b75638d4f9fcbd72547a1a4de46fbc113e92d429bc50a5270715c600ba39ae7

SHA512
b2cbfa0b19c23eb051ad0f4fe7ee1ea2c9c333d8c665b6b0d7895fcaa92e243f4619a2e8eeb02098bad9334f79d80e754a97c69b8c5e8eda9461a645d9ae61b6

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
cfe2ef912f30ac9bc36d8686888ca0d3

SHA1
ddbbb63670b2f5bd903dadcff54ff8270825499b

SHA256
675771ae0ef1ba5c7fdde82f950461c2c4487e56b3fc41f5c544b73c8b33f10d

SHA512
5e0f51d137000e42e9cd0a41ab9de5a4c91bda677fce992f7b391ea5f9cb7cfb44c31a990bc6249b9dfed8f346881311c7c56f63fb1ef41ea8f757247cd9b68a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
cfe2ef912f30ac9bc36d8686888ca0d3

SHA1
ddbbb63670b2f5bd903dadcff54ff8270825499b

SHA256
675771ae0ef1ba5c7fdde82f950461c2c4487e56b3fc41f5c544b73c8b33f10d

SHA512
5e0f51d137000e42e9cd0a41ab9de5a4c91bda677fce992f7b391ea5f9cb7cfb44c31a990bc6249b9dfed8f346881311c7c56f63fb1ef41ea8f757247cd9b68a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/3828-1012-0x0000000007EF0000-0x0000000007F00000-memory.dmp

Filesize
64KB

Download
memory/3828-1011-0x0000000000E20000-0x0000000000E48000-memory.dmp

Filesize
160KB

Download
memory/4108-172-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/4108-170-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/4108-176-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/4108-178-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/4108-180-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/4108-182-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/4108-184-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/4108-186-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/4108-187-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/4108-188-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/4108-189-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/4108-190-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/4108-192-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/4108-174-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/4108-168-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/4108-166-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/4108-164-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/4108-162-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/4108-160-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/4108-159-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/4108-158-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/4108-157-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/4108-155-0x0000000002BB0000-0x0000000002BDD000-memory.dmp

Filesize
180KB

Download
memory/4108-156-0x00000000072E0000-0x0000000007884000-memory.dmp

Filesize
5.6MB

Download
memory/4816-1018-0x0000000002C80000-0x0000000002CB5000-memory.dmp

Filesize
212KB

Download
memory/4964-203-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4964-219-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4964-221-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4964-223-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4964-225-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4964-227-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4964-229-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4964-231-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4964-233-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4964-646-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/4964-993-0x0000000009C60000-0x000000000A278000-memory.dmp

Filesize
6.1MB

Download
memory/4964-994-0x000000000A320000-0x000000000A332000-memory.dmp

Filesize
72KB

Download
memory/4964-995-0x000000000A340000-0x000000000A44A000-memory.dmp

Filesize
1.0MB

Download
memory/4964-996-0x000000000A470000-0x000000000A4AC000-memory.dmp

Filesize
240KB

Download
memory/4964-997-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/4964-998-0x000000000A760000-0x000000000A7C6000-memory.dmp

Filesize
408KB

Download
memory/4964-999-0x000000000AE20000-0x000000000AEB2000-memory.dmp

Filesize
584KB

Download
memory/4964-1000-0x000000000AFF0000-0x000000000B066000-memory.dmp

Filesize
472KB

Download
memory/4964-1002-0x000000000B090000-0x000000000B0AE000-memory.dmp

Filesize
120KB

Download
memory/4964-217-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4964-215-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4964-213-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4964-211-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4964-209-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4964-207-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4964-205-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4964-201-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4964-200-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4964-199-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/4964-198-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/4964-197-0x0000000002D30000-0x0000000002D76000-memory.dmp

Filesize
280KB

Download
memory/4964-1003-0x000000000B130000-0x000000000B180000-memory.dmp

Filesize
320KB

Download
memory/4964-1004-0x000000000B1C0000-0x000000000B382000-memory.dmp

Filesize
1.8MB

Download
memory/4964-1005-0x000000000B390000-0x000000000B8BC000-memory.dmp

Filesize
5.2MB

Download