85cb515f54e9d8c32042a33fe90ab8fdc38aab35cfbe2c2ea4dc058dcb7b2169

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 02:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8746fa4bd81cd03456f129e177c8a3e3201e39a4c185ed5341502e3975751825.exe
Size

1.1MB
MD5

ae334f9c06fba1aed1dabd8778cfa184
SHA1

b3f95000480ecce5f5903a489d2bee1dd20d4e9b
SHA256

8746fa4bd81cd03456f129e177c8a3e3201e39a4c185ed5341502e3975751825
SHA512

7b79b7be3c94b070e819240b193024a0105b92a936d95da90b669200b4edd2d5759fbd05917b4cd84ee51dc0f18dd7cafba5de79a78467f68eccdc5f2cf739ce
SSDEEP

24576:WyOXwY91jsb0FSiGMV5I6Kx08hdwYZFBeOxL7k:lOgY91jk0FSC5Ix08hpFBeO

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	l3804040.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	l3804040.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	l3804040.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	l3804040.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	l3804040.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	l3804040.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	l9947857.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	m7538151.exe

Executes dropped EXE 10 IoCs

pid	Process
1464	y1705132.exe
1248	y5591870.exe
1812	k3040995.exe
3984	l3804040.exe
740	l9947857.exe
4432	oneetx.exe
4964	m7538151.exe
4780	1.exe
4972	oneetx.exe
3660	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
4620	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	l3804040.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	l3804040.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8746fa4bd81cd03456f129e177c8a3e3201e39a4c185ed5341502e3975751825.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8746fa4bd81cd03456f129e177c8a3e3201e39a4c185ed5341502e3975751825.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1705132.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1705132.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5591870.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5591870.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Windows\\Temp\\1.exe"	m7538151.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 31 IoCs

pid	pid_target	Process	procid_target
1344	740	WerFault.exe	94
3608	740	WerFault.exe	94
904	740	WerFault.exe	94
2864	740	WerFault.exe	94
4344	740	WerFault.exe	94
4620	740	WerFault.exe	94
2044	740	WerFault.exe	94
4144	740	WerFault.exe	94
1548	740	WerFault.exe	94
1676	740	WerFault.exe	94
4596	4432	WerFault.exe	113
1516	4432	WerFault.exe	113
4772	4432	WerFault.exe	113
3644	4432	WerFault.exe	113
3964	4432	WerFault.exe	113
692	4432	WerFault.exe	113
4212	4432	WerFault.exe	113
4880	4432	WerFault.exe	113
2204	4432	WerFault.exe	113
4152	4432	WerFault.exe	113
4684	4432	WerFault.exe	113
4940	4432	WerFault.exe	113
4460	4432	WerFault.exe	113
2396	4432	WerFault.exe	113
3088	4964	WerFault.exe	118
5096	4972	WerFault.exe	159
4296	4432	WerFault.exe	113
520	4432	WerFault.exe	113
2276	4432	WerFault.exe	113
4464	4432	WerFault.exe	113
4136	3660	WerFault.exe	171

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1496	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1812	k3040995.exe
1812	k3040995.exe
3984	l3804040.exe
3984	l3804040.exe
4780	1.exe
4780	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1812	k3040995.exe
Token: SeDebugPrivilege	3984	l3804040.exe
Token: SeDebugPrivilege	4964	m7538151.exe
Token: SeDebugPrivilege	4780	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
740	l9947857.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 1464	4536	8746fa4bd81cd03456f129e177c8a3e3201e39a4c185ed5341502e3975751825.exe	84
PID 4536 wrote to memory of 1464	4536	8746fa4bd81cd03456f129e177c8a3e3201e39a4c185ed5341502e3975751825.exe	84
PID 4536 wrote to memory of 1464	4536	8746fa4bd81cd03456f129e177c8a3e3201e39a4c185ed5341502e3975751825.exe	84
PID 1464 wrote to memory of 1248	1464	y1705132.exe	85
PID 1464 wrote to memory of 1248	1464	y1705132.exe	85
PID 1464 wrote to memory of 1248	1464	y1705132.exe	85
PID 1248 wrote to memory of 1812	1248	y5591870.exe	86
PID 1248 wrote to memory of 1812	1248	y5591870.exe	86
PID 1248 wrote to memory of 1812	1248	y5591870.exe	86
PID 1248 wrote to memory of 3984	1248	y5591870.exe	90
PID 1248 wrote to memory of 3984	1248	y5591870.exe	90
PID 1248 wrote to memory of 3984	1248	y5591870.exe	90
PID 1464 wrote to memory of 740	1464	y1705132.exe	94
PID 1464 wrote to memory of 740	1464	y1705132.exe	94
PID 1464 wrote to memory of 740	1464	y1705132.exe	94
PID 740 wrote to memory of 4432	740	l9947857.exe	113
PID 740 wrote to memory of 4432	740	l9947857.exe	113
PID 740 wrote to memory of 4432	740	l9947857.exe	113
PID 4536 wrote to memory of 4964	4536	8746fa4bd81cd03456f129e177c8a3e3201e39a4c185ed5341502e3975751825.exe	118
PID 4536 wrote to memory of 4964	4536	8746fa4bd81cd03456f129e177c8a3e3201e39a4c185ed5341502e3975751825.exe	118
PID 4536 wrote to memory of 4964	4536	8746fa4bd81cd03456f129e177c8a3e3201e39a4c185ed5341502e3975751825.exe	118
PID 4432 wrote to memory of 1496	4432	oneetx.exe	132
PID 4432 wrote to memory of 1496	4432	oneetx.exe	132
PID 4432 wrote to memory of 1496	4432	oneetx.exe	132
PID 4432 wrote to memory of 2404	4432	oneetx.exe	138
PID 4432 wrote to memory of 2404	4432	oneetx.exe	138
PID 4432 wrote to memory of 2404	4432	oneetx.exe	138
PID 2404 wrote to memory of 3692	2404	cmd.exe	143
PID 2404 wrote to memory of 3692	2404	cmd.exe	143
PID 2404 wrote to memory of 3692	2404	cmd.exe	143
PID 2404 wrote to memory of 3672	2404	cmd.exe	142
PID 2404 wrote to memory of 3672	2404	cmd.exe	142
PID 2404 wrote to memory of 3672	2404	cmd.exe	142
PID 2404 wrote to memory of 3240	2404	cmd.exe	144
PID 2404 wrote to memory of 3240	2404	cmd.exe	144
PID 2404 wrote to memory of 3240	2404	cmd.exe	144
PID 2404 wrote to memory of 4844	2404	cmd.exe	145
PID 2404 wrote to memory of 4844	2404	cmd.exe	145
PID 2404 wrote to memory of 4844	2404	cmd.exe	145
PID 2404 wrote to memory of 1508	2404	cmd.exe	146
PID 2404 wrote to memory of 1508	2404	cmd.exe	146
PID 2404 wrote to memory of 1508	2404	cmd.exe	146
PID 2404 wrote to memory of 4516	2404	cmd.exe	147
PID 2404 wrote to memory of 4516	2404	cmd.exe	147
PID 2404 wrote to memory of 4516	2404	cmd.exe	147
PID 4964 wrote to memory of 4780	4964	m7538151.exe	156
PID 4964 wrote to memory of 4780	4964	m7538151.exe	156
PID 4964 wrote to memory of 4780	4964	m7538151.exe	156
PID 4432 wrote to memory of 4620	4432	oneetx.exe	166
PID 4432 wrote to memory of 4620	4432	oneetx.exe	166
PID 4432 wrote to memory of 4620	4432	oneetx.exe	166

C:\Users\Admin\AppData\Local\Temp\8746fa4bd81cd03456f129e177c8a3e3201e39a4c185ed5341502e3975751825.exe
"C:\Users\Admin\AppData\Local\Temp\8746fa4bd81cd03456f129e177c8a3e3201e39a4c185ed5341502e3975751825.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1705132.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1705132.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5591870.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5591870.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3040995.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3040995.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3804040.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3804040.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3984
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9947857.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9947857.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 696
      4⤵
      Program crash
      PID:1344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 772
      4⤵
      Program crash
      PID:3608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 812
      4⤵
      Program crash
      PID:904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 968
      4⤵
      Program crash
      PID:2864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 984
      4⤵
      Program crash
      PID:4344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 984
      4⤵
      Program crash
      PID:4620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1196
      4⤵
      Program crash
      PID:2044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1232
      4⤵
      Program crash
      PID:4144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1316
      4⤵
      Program crash
      PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
      "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4432
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 692
        5⤵
        Program crash
        
        PID:4596
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1004
        5⤵
        Program crash
        
        PID:1516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1088
        5⤵
        Program crash
        
        PID:4772
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1080
        5⤵
        Program crash
        
        PID:3644
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1000
        5⤵
        Program crash
        
        PID:3964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1144
        5⤵
        Program crash
        
        PID:692
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1184
        5⤵
        Program crash
        
        PID:4212
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1496
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 992
        5⤵
        Program crash
        
        PID:4880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 776
        5⤵
        Program crash
        
        PID:2204
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2404
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        6⤵
        
        PID:3672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3692
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        6⤵
        
        PID:3240
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4844
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:N"
        6⤵
        
        PID:1508
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:R" /E
        6⤵
        
        PID:4516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 992
        5⤵
        Program crash
        
        PID:4152
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 744
        5⤵
        Program crash
        
        PID:4684
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1292
        5⤵
        Program crash
        
        PID:4940
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1308
        5⤵
        Program crash
        
        PID:4460
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1476
        5⤵
        Program crash
        
        PID:2396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1224
        5⤵
        Program crash
        
        PID:4296
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1660
        5⤵
        Program crash
        
        PID:520
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:4620
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1476
        5⤵
        Program crash
        
        PID:2276
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1668
        5⤵
        Program crash
        
        PID:4464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1360
      4⤵
      Program crash
      PID:1676
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7538151.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7538151.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\Temp\1.exe
    "C:\Windows\Temp\1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1380
    3⤵
    - Program crash
    PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 740 -ip 740
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 740 -ip 740
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 740 -ip 740
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 740 -ip 740
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 740 -ip 740
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 740 -ip 740
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 740 -ip 740
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 740 -ip 740
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 740 -ip 740
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 740 -ip 740
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4432 -ip 4432
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4432 -ip 4432
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4432 -ip 4432
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4432 -ip 4432
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4432 -ip 4432
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4432 -ip 4432
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4432 -ip 4432
1⤵
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4432 -ip 4432
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4432 -ip 4432
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4432 -ip 4432
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4432 -ip 4432
1⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4432 -ip 4432
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4432 -ip 4432
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4432 -ip 4432
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4964 -ip 4964
1⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
PID:4972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 312
  2⤵
  - Program crash
  PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4972 -ip 4972
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4432 -ip 4432
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4432 -ip 4432
1⤵
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4432 -ip 4432
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4432 -ip 4432
1⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
PID:3660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 320
  2⤵
  - Program crash
  PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3660 -ip 3660
1⤵
PID:2336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7538151.exe

Filesize
547KB

MD5
cfed234ec7fde986e4e952843d8083b1

SHA1
b1ced36683e941b2ef6f49f415304d8a6ceffa03

SHA256
ceefa48e6bbf97b99512aa3a3e6464dbc70a18a00710b058b3764dbd1100b2cf

SHA512
19bb198720a997a31799bc744ba88c854d09942c8ca459c3bdeae4d9692d0d9604c2d90d96534f60b857e759475984f7e59e46a9d23a6c80ba14068788ecfdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7538151.exe

Filesize
547KB

MD5
cfed234ec7fde986e4e952843d8083b1

SHA1
b1ced36683e941b2ef6f49f415304d8a6ceffa03

SHA256
ceefa48e6bbf97b99512aa3a3e6464dbc70a18a00710b058b3764dbd1100b2cf

SHA512
19bb198720a997a31799bc744ba88c854d09942c8ca459c3bdeae4d9692d0d9604c2d90d96534f60b857e759475984f7e59e46a9d23a6c80ba14068788ecfdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1705132.exe

Filesize
600KB

MD5
e36e8744b99f68835fa684e1d461b323

SHA1
492f64006580e3ab6bd56cb31c874986bcb61f41

SHA256
1da95d3311672a9670d12176523cf4faf4270bb74b05f87d55cb2bac1033b760

SHA512
6a81879452e34950b93918438f986993b8cc68004da3b0ace14ba19a701971ca544f1611241e65a04f5d5802a5d1e1f454c3afc436fde81867f43f136bb5f3ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1705132.exe

Filesize
600KB

MD5
e36e8744b99f68835fa684e1d461b323

SHA1
492f64006580e3ab6bd56cb31c874986bcb61f41

SHA256
1da95d3311672a9670d12176523cf4faf4270bb74b05f87d55cb2bac1033b760

SHA512
6a81879452e34950b93918438f986993b8cc68004da3b0ace14ba19a701971ca544f1611241e65a04f5d5802a5d1e1f454c3afc436fde81867f43f136bb5f3ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9947857.exe

Filesize
339KB

MD5
f06896c8eb617ac61b49496564fdf745

SHA1
c8bf13bb16beb18509377c1d124fe68dc2ad670e

SHA256
dee37f27e4963fb5c080e48ae51432f4f36597388badfef425818d3db7359329

SHA512
b7decc9d2ccf9d7a452d0135ef7fcec4b8226edab30ebccca69c4f7de7b64d77cced7240f37bab761d18ebe94e215fb449fe0bbc188c106fa4035e8a0df0ca87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9947857.exe

Filesize
339KB

MD5
f06896c8eb617ac61b49496564fdf745

SHA1
c8bf13bb16beb18509377c1d124fe68dc2ad670e

SHA256
dee37f27e4963fb5c080e48ae51432f4f36597388badfef425818d3db7359329

SHA512
b7decc9d2ccf9d7a452d0135ef7fcec4b8226edab30ebccca69c4f7de7b64d77cced7240f37bab761d18ebe94e215fb449fe0bbc188c106fa4035e8a0df0ca87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5591870.exe

Filesize
307KB

MD5
b1fe4ae40617ac9fdfd767d9b065fce6

SHA1
9cfe6b1439ff003e20dcd14e92f58f051447c327

SHA256
5774fa835fcc3910f568c8c4781f7779b02c0ba25869fa1a2140daa081a689fd

SHA512
17b2c2ab84f7cae2746b70671f4aa854fa7695005da419142db717ad6bfa6d0f421c1ace8ac3561d8aa579f7d60fe8c0df030f6e7382ce10600a51dc5da53e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5591870.exe

Filesize
307KB

MD5
b1fe4ae40617ac9fdfd767d9b065fce6

SHA1
9cfe6b1439ff003e20dcd14e92f58f051447c327

SHA256
5774fa835fcc3910f568c8c4781f7779b02c0ba25869fa1a2140daa081a689fd

SHA512
17b2c2ab84f7cae2746b70671f4aa854fa7695005da419142db717ad6bfa6d0f421c1ace8ac3561d8aa579f7d60fe8c0df030f6e7382ce10600a51dc5da53e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3040995.exe

Filesize
136KB

MD5
0abd2f8bf0c91db73fd56d76e3cb3759

SHA1
b5fc3068efe1f46d2ea6c1e53c96fc6f3ded2a32

SHA256
a791c3387f411ea542ff9922f13f052bb95dd80c1db23c60408598b5f26c8d56

SHA512
6344e4d2b09b608949084d9816d6da89d11cf22fdf9f03f47b4d6380ac38d464fa95bcfe960f4cfc0815a87857d60920c2965232105607f741464026201e1514

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3040995.exe

Filesize
136KB

MD5
0abd2f8bf0c91db73fd56d76e3cb3759

SHA1
b5fc3068efe1f46d2ea6c1e53c96fc6f3ded2a32

SHA256
a791c3387f411ea542ff9922f13f052bb95dd80c1db23c60408598b5f26c8d56

SHA512
6344e4d2b09b608949084d9816d6da89d11cf22fdf9f03f47b4d6380ac38d464fa95bcfe960f4cfc0815a87857d60920c2965232105607f741464026201e1514

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3804040.exe

Filesize
175KB

MD5
e95816e8d023dbe6b7434688bc310f69

SHA1
97a31cc9ab3d2d49ed9a99bb4409be07f56b9988

SHA256
624e1f00116c35c1119a5aded16cf1cd3b599fd68e13bc365c69103b4d6cf2d4

SHA512
06b0b57021e972ef0451a55cf720b8baaa51e10ef8c1a49e82b65d28de5643f876c692cc666a671bba7504fd892aea4e696ac20f7b2d3995587817fe21eed8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3804040.exe

Filesize
175KB

MD5
e95816e8d023dbe6b7434688bc310f69

SHA1
97a31cc9ab3d2d49ed9a99bb4409be07f56b9988

SHA256
624e1f00116c35c1119a5aded16cf1cd3b599fd68e13bc365c69103b4d6cf2d4

SHA512
06b0b57021e972ef0451a55cf720b8baaa51e10ef8c1a49e82b65d28de5643f876c692cc666a671bba7504fd892aea4e696ac20f7b2d3995587817fe21eed8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
339KB

MD5
f06896c8eb617ac61b49496564fdf745

SHA1
c8bf13bb16beb18509377c1d124fe68dc2ad670e

SHA256
dee37f27e4963fb5c080e48ae51432f4f36597388badfef425818d3db7359329

SHA512
b7decc9d2ccf9d7a452d0135ef7fcec4b8226edab30ebccca69c4f7de7b64d77cced7240f37bab761d18ebe94e215fb449fe0bbc188c106fa4035e8a0df0ca87

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
339KB

MD5
f06896c8eb617ac61b49496564fdf745

SHA1
c8bf13bb16beb18509377c1d124fe68dc2ad670e

SHA256
dee37f27e4963fb5c080e48ae51432f4f36597388badfef425818d3db7359329

SHA512
b7decc9d2ccf9d7a452d0135ef7fcec4b8226edab30ebccca69c4f7de7b64d77cced7240f37bab761d18ebe94e215fb449fe0bbc188c106fa4035e8a0df0ca87

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
339KB

MD5
f06896c8eb617ac61b49496564fdf745

SHA1
c8bf13bb16beb18509377c1d124fe68dc2ad670e

SHA256
dee37f27e4963fb5c080e48ae51432f4f36597388badfef425818d3db7359329

SHA512
b7decc9d2ccf9d7a452d0135ef7fcec4b8226edab30ebccca69c4f7de7b64d77cced7240f37bab761d18ebe94e215fb449fe0bbc188c106fa4035e8a0df0ca87

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
339KB

MD5
f06896c8eb617ac61b49496564fdf745

SHA1
c8bf13bb16beb18509377c1d124fe68dc2ad670e

SHA256
dee37f27e4963fb5c080e48ae51432f4f36597388badfef425818d3db7359329

SHA512
b7decc9d2ccf9d7a452d0135ef7fcec4b8226edab30ebccca69c4f7de7b64d77cced7240f37bab761d18ebe94e215fb449fe0bbc188c106fa4035e8a0df0ca87

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
339KB

MD5
f06896c8eb617ac61b49496564fdf745

SHA1
c8bf13bb16beb18509377c1d124fe68dc2ad670e

SHA256
dee37f27e4963fb5c080e48ae51432f4f36597388badfef425818d3db7359329

SHA512
b7decc9d2ccf9d7a452d0135ef7fcec4b8226edab30ebccca69c4f7de7b64d77cced7240f37bab761d18ebe94e215fb449fe0bbc188c106fa4035e8a0df0ca87

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
136KB

MD5
6b4ad9c773e164effa4804bf294831a7

SHA1
6a0bfcfaf73aff765b7d515f2527773df326f2cc

SHA256
967d69ee61666a88719486692c18ba56a85516035b6b7dacfde589417d3b5c85

SHA512
accbdf423c36f8d688adeccfc683c6ac5ab983f6f5461554a1cdbfcd8dfb9cf29bfe75cdf6755dd70fa5c29f0fda4a2119f468dd0c42d80c8d0b0aee1a2137d8

Download Submit
C:\Windows\Temp\1.exe

Filesize
136KB

MD5
6b4ad9c773e164effa4804bf294831a7

SHA1
6a0bfcfaf73aff765b7d515f2527773df326f2cc

SHA256
967d69ee61666a88719486692c18ba56a85516035b6b7dacfde589417d3b5c85

SHA512
accbdf423c36f8d688adeccfc683c6ac5ab983f6f5461554a1cdbfcd8dfb9cf29bfe75cdf6755dd70fa5c29f0fda4a2119f468dd0c42d80c8d0b0aee1a2137d8

Download Submit
C:\Windows\Temp\1.exe

Filesize
136KB

MD5
6b4ad9c773e164effa4804bf294831a7

SHA1
6a0bfcfaf73aff765b7d515f2527773df326f2cc

SHA256
967d69ee61666a88719486692c18ba56a85516035b6b7dacfde589417d3b5c85

SHA512
accbdf423c36f8d688adeccfc683c6ac5ab983f6f5461554a1cdbfcd8dfb9cf29bfe75cdf6755dd70fa5c29f0fda4a2119f468dd0c42d80c8d0b0aee1a2137d8

Download Submit
memory/740-208-0x0000000000770000-0x00000000007A5000-memory.dmp

Filesize
212KB

Download
memory/740-223-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/1812-165-0x0000000008E20000-0x0000000008FE2000-memory.dmp

Filesize
1.8MB

Download
memory/1812-155-0x0000000007830000-0x0000000007E48000-memory.dmp

Filesize
6.1MB

Download
memory/1812-159-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1812-166-0x0000000009520000-0x0000000009A4C000-memory.dmp

Filesize
5.2MB

Download
memory/1812-161-0x0000000008220000-0x00000000082B2000-memory.dmp

Filesize
584KB

Download
memory/1812-158-0x0000000007330000-0x000000000736C000-memory.dmp

Filesize
240KB

Download
memory/1812-154-0x00000000005B0000-0x00000000005D8000-memory.dmp

Filesize
160KB

Download
memory/1812-164-0x0000000008400000-0x0000000008476000-memory.dmp

Filesize
472KB

Download
memory/1812-167-0x0000000008620000-0x000000000863E000-memory.dmp

Filesize
120KB

Download
memory/1812-163-0x0000000008310000-0x0000000008360000-memory.dmp

Filesize
320KB

Download
memory/1812-162-0x0000000008870000-0x0000000008E14000-memory.dmp

Filesize
5.6MB

Download
memory/1812-156-0x00000000072C0000-0x00000000072D2000-memory.dmp

Filesize
72KB

Download
memory/1812-160-0x0000000007680000-0x00000000076E6000-memory.dmp

Filesize
408KB

Download
memory/1812-157-0x00000000073F0000-0x00000000074FA000-memory.dmp

Filesize
1.0MB

Download
memory/3984-187-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/3984-173-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/3984-201-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3984-200-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3984-199-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/3984-197-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/3984-195-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/3984-193-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/3984-191-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/3984-189-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/3984-172-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/3984-202-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3984-175-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/3984-177-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/3984-179-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/3984-181-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/3984-185-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/3984-183-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/4780-2430-0x0000000000510000-0x0000000000538000-memory.dmp

Filesize
160KB

Download
memory/4780-2434-0x00000000075C0000-0x00000000075D0000-memory.dmp

Filesize
64KB

Download
memory/4964-231-0x0000000005440000-0x00000000054A1000-memory.dmp

Filesize
388KB

Download
memory/4964-246-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4964-248-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4964-251-0x0000000005440000-0x00000000054A1000-memory.dmp

Filesize
388KB

Download
memory/4964-253-0x0000000005440000-0x00000000054A1000-memory.dmp

Filesize
388KB

Download
memory/4964-255-0x0000000005440000-0x00000000054A1000-memory.dmp

Filesize
388KB

Download
memory/4964-257-0x0000000005440000-0x00000000054A1000-memory.dmp

Filesize
388KB

Download
memory/4964-259-0x0000000005440000-0x00000000054A1000-memory.dmp

Filesize
388KB

Download
memory/4964-261-0x0000000005440000-0x00000000054A1000-memory.dmp

Filesize
388KB

Download
memory/4964-263-0x0000000005440000-0x00000000054A1000-memory.dmp

Filesize
388KB

Download
memory/4964-265-0x0000000005440000-0x00000000054A1000-memory.dmp

Filesize
388KB

Download
memory/4964-249-0x0000000005440000-0x00000000054A1000-memory.dmp

Filesize
388KB

Download
memory/4964-245-0x0000000005440000-0x00000000054A1000-memory.dmp

Filesize
388KB

Download
memory/4964-244-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4964-242-0x00000000023C0000-0x000000000241C000-memory.dmp

Filesize
368KB

Download
memory/4964-2432-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4964-2431-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4964-241-0x0000000005440000-0x00000000054A1000-memory.dmp

Filesize
388KB

Download
memory/4964-239-0x0000000005440000-0x00000000054A1000-memory.dmp

Filesize
388KB

Download
memory/4964-237-0x0000000005440000-0x00000000054A1000-memory.dmp

Filesize
388KB

Download
memory/4964-235-0x0000000005440000-0x00000000054A1000-memory.dmp

Filesize
388KB

Download
memory/4964-233-0x0000000005440000-0x00000000054A1000-memory.dmp

Filesize
388KB

Download
memory/4964-229-0x0000000005440000-0x00000000054A1000-memory.dmp

Filesize
388KB

Download
memory/4964-228-0x0000000005440000-0x00000000054A1000-memory.dmp

Filesize
388KB

Download