423100da5251a70d1ea1fb1ee5c83eb45e9812a83b3f440063d1c8c83f8cd7c0

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17b7b01480949534c066aac80f8aba6a.exe
Size

255KB
MD5

17b7b01480949534c066aac80f8aba6a
SHA1

b1213e9a18a4ef8c07d1021511f52284d5b74e6d
SHA256

423100da5251a70d1ea1fb1ee5c83eb45e9812a83b3f440063d1c8c83f8cd7c0
SHA512

e9588fb0ac8424831c5981784b0841b29cdf65983dc51801259a9f7c477b91017433012fcddc50524532dfc5101ce9423f30ae8c28a615cbf4524940e0d1f1c6
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpjO:ZY7xh6SZI4z7FSVpS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 24 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wqs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	woofjapc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wmuxhpgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wbeja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wohkkjo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wtkbvnf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wrbfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wpefm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wswvt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wvnplne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wldkfpjd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wtxmmvh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wmdc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wkufsniik.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	whhfn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	17b7b01480949534c066aac80f8aba6a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wtaxni.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wudskw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wbubnysm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wjdjve.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	waurt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wrakxks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wfukcm.exe

Executes dropped EXE 24 IoCs

pid	Process
5096	wvnplne.exe
1860	wldkfpjd.exe
2900	wtxmmvh.exe
4660	wrakxks.exe
5048	woofjapc.exe
1400	wmuxhpgs.exe
1860	wbeja.exe
3048	wtaxni.exe
1616	wudskw.exe
4360	wmdc.exe
4308	wfukcm.exe
1184	wbubnysm.exe
1540	wla.exe
3476	wkufsniik.exe
764	wohkkjo.exe
1980	wtkbvnf.exe
4752	whhfn.exe
3752	wjdjve.exe
1860	wswvt.exe
1912	waurt.exe
2988	wrbfa.exe
1308	wpefm.exe
2496	wqs.exe
3404	wbgu.exe

Drops file in System32 directory 49 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\waurt.exe	wswvt.exe
File created	C:\Windows\SysWOW64\wqs.exe	wpefm.exe
File created	C:\Windows\SysWOW64\wpiqsfe.exe	wbgu.exe
File opened for modification	C:\Windows\SysWOW64\wudskw.exe	wtaxni.exe
File opened for modification	C:\Windows\SysWOW64\whhfn.exe	wtkbvnf.exe
File created	C:\Windows\SysWOW64\wjdjve.exe	whhfn.exe
File created	C:\Windows\SysWOW64\wmdc.exe	wudskw.exe
File created	C:\Windows\SysWOW64\wtkbvnf.exe	wohkkjo.exe
File opened for modification	C:\Windows\SysWOW64\wvnplne.exe	17b7b01480949534c066aac80f8aba6a.exe
File created	C:\Windows\SysWOW64\wrakxks.exe	wtxmmvh.exe
File opened for modification	C:\Windows\SysWOW64\wswvt.exe	wjdjve.exe
File created	C:\Windows\SysWOW64\wbgu.exe	wqs.exe
File created	C:\Windows\SysWOW64\whhfn.exe	wtkbvnf.exe
File opened for modification	C:\Windows\SysWOW64\wkufsniik.exe	wla.exe
File opened for modification	C:\Windows\SysWOW64\wjdjve.exe	whhfn.exe
File opened for modification	C:\Windows\SysWOW64\wrbfa.exe	waurt.exe
File created	C:\Windows\SysWOW64\wvnplne.exe	17b7b01480949534c066aac80f8aba6a.exe
File created	C:\Windows\SysWOW64\wbubnysm.exe	wfukcm.exe
File created	C:\Windows\SysWOW64\wkufsniik.exe	wla.exe
File created	C:\Windows\SysWOW64\wtaxni.exe	wbeja.exe
File opened for modification	C:\Windows\SysWOW64\wmdc.exe	wudskw.exe
File opened for modification	C:\Windows\SysWOW64\wohkkjo.exe	wkufsniik.exe
File opened for modification	C:\Windows\SysWOW64\wbgu.exe	wqs.exe
File opened for modification	C:\Windows\SysWOW64\wbeja.exe	wmuxhpgs.exe
File created	C:\Windows\SysWOW64\wudskw.exe	wtaxni.exe
File created	C:\Windows\SysWOW64\wfukcm.exe	wmdc.exe
File created	C:\Windows\SysWOW64\wla.exe	wbubnysm.exe
File created	C:\Windows\SysWOW64\wtxmmvh.exe	wldkfpjd.exe
File created	C:\Windows\SysWOW64\woofjapc.exe	wrakxks.exe
File created	C:\Windows\SysWOW64\wbeja.exe	wmuxhpgs.exe
File created	C:\Windows\SysWOW64\wrbfa.exe	waurt.exe
File opened for modification	C:\Windows\SysWOW64\wpefm.exe	wrbfa.exe
File created	C:\Windows\SysWOW64\wswvt.exe	wjdjve.exe
File opened for modification	C:\Windows\SysWOW64\wldkfpjd.exe	wvnplne.exe
File opened for modification	C:\Windows\SysWOW64\wtaxni.exe	wbeja.exe
File created	C:\Windows\SysWOW64\wohkkjo.exe	wkufsniik.exe
File opened for modification	C:\Windows\SysWOW64\wfukcm.exe	wmdc.exe
File opened for modification	C:\Windows\SysWOW64\wla.exe	wbubnysm.exe
File opened for modification	C:\Windows\SysWOW64\woofjapc.exe	wrakxks.exe
File opened for modification	C:\Windows\SysWOW64\wmuxhpgs.exe	woofjapc.exe
File opened for modification	C:\Windows\SysWOW64\wtkbvnf.exe	wohkkjo.exe
File created	C:\Windows\SysWOW64\waurt.exe	wswvt.exe
File opened for modification	C:\Windows\SysWOW64\wtxmmvh.exe	wldkfpjd.exe
File opened for modification	C:\Windows\SysWOW64\wrakxks.exe	wtxmmvh.exe
File created	C:\Windows\SysWOW64\wmuxhpgs.exe	woofjapc.exe
File created	C:\Windows\SysWOW64\wldkfpjd.exe	wvnplne.exe
File opened for modification	C:\Windows\SysWOW64\wbubnysm.exe	wfukcm.exe
File created	C:\Windows\SysWOW64\wpefm.exe	wrbfa.exe
File opened for modification	C:\Windows\SysWOW64\wqs.exe	wpefm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
400	5096	WerFault.exe	94
4080	1912	WerFault.exe	164

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 5096	572	17b7b01480949534c066aac80f8aba6a.exe	94
PID 572 wrote to memory of 5096	572	17b7b01480949534c066aac80f8aba6a.exe	94
PID 572 wrote to memory of 5096	572	17b7b01480949534c066aac80f8aba6a.exe	94
PID 572 wrote to memory of 5104	572	17b7b01480949534c066aac80f8aba6a.exe	96
PID 572 wrote to memory of 5104	572	17b7b01480949534c066aac80f8aba6a.exe	96
PID 572 wrote to memory of 5104	572	17b7b01480949534c066aac80f8aba6a.exe	96
PID 5096 wrote to memory of 1860	5096	wvnplne.exe	100
PID 5096 wrote to memory of 1860	5096	wvnplne.exe	100
PID 5096 wrote to memory of 1860	5096	wvnplne.exe	100
PID 5096 wrote to memory of 3592	5096	wvnplne.exe	101
PID 5096 wrote to memory of 3592	5096	wvnplne.exe	101
PID 5096 wrote to memory of 3592	5096	wvnplne.exe	101
PID 1860 wrote to memory of 2900	1860	wldkfpjd.exe	106
PID 1860 wrote to memory of 2900	1860	wldkfpjd.exe	106
PID 1860 wrote to memory of 2900	1860	wldkfpjd.exe	106
PID 1860 wrote to memory of 3052	1860	wldkfpjd.exe	107
PID 1860 wrote to memory of 3052	1860	wldkfpjd.exe	107
PID 1860 wrote to memory of 3052	1860	wldkfpjd.exe	107
PID 2900 wrote to memory of 4660	2900	wtxmmvh.exe	112
PID 2900 wrote to memory of 4660	2900	wtxmmvh.exe	112
PID 2900 wrote to memory of 4660	2900	wtxmmvh.exe	112
PID 2900 wrote to memory of 844	2900	wtxmmvh.exe	113
PID 2900 wrote to memory of 844	2900	wtxmmvh.exe	113
PID 2900 wrote to memory of 844	2900	wtxmmvh.exe	113
PID 4660 wrote to memory of 5048	4660	wrakxks.exe	116
PID 4660 wrote to memory of 5048	4660	wrakxks.exe	116
PID 4660 wrote to memory of 5048	4660	wrakxks.exe	116
PID 4660 wrote to memory of 1148	4660	wrakxks.exe	117
PID 4660 wrote to memory of 1148	4660	wrakxks.exe	117
PID 4660 wrote to memory of 1148	4660	wrakxks.exe	117
PID 5048 wrote to memory of 1400	5048	woofjapc.exe	120
PID 5048 wrote to memory of 1400	5048	woofjapc.exe	120
PID 5048 wrote to memory of 1400	5048	woofjapc.exe	120
PID 5048 wrote to memory of 1604	5048	woofjapc.exe	121
PID 5048 wrote to memory of 1604	5048	woofjapc.exe	121
PID 5048 wrote to memory of 1604	5048	woofjapc.exe	121
PID 1400 wrote to memory of 1860	1400	wmuxhpgs.exe	124
PID 1400 wrote to memory of 1860	1400	wmuxhpgs.exe	124
PID 1400 wrote to memory of 1860	1400	wmuxhpgs.exe	124
PID 1400 wrote to memory of 1128	1400	wmuxhpgs.exe	125
PID 1400 wrote to memory of 1128	1400	wmuxhpgs.exe	125
PID 1400 wrote to memory of 1128	1400	wmuxhpgs.exe	125
PID 1860 wrote to memory of 3048	1860	wbeja.exe	127
PID 1860 wrote to memory of 3048	1860	wbeja.exe	127
PID 1860 wrote to memory of 3048	1860	wbeja.exe	127
PID 1860 wrote to memory of 4084	1860	wbeja.exe	128
PID 1860 wrote to memory of 4084	1860	wbeja.exe	128
PID 1860 wrote to memory of 4084	1860	wbeja.exe	128
PID 3048 wrote to memory of 1616	3048	wtaxni.exe	130
PID 3048 wrote to memory of 1616	3048	wtaxni.exe	130
PID 3048 wrote to memory of 1616	3048	wtaxni.exe	130
PID 3048 wrote to memory of 3476	3048	wtaxni.exe	131
PID 3048 wrote to memory of 3476	3048	wtaxni.exe	131
PID 3048 wrote to memory of 3476	3048	wtaxni.exe	131
PID 1616 wrote to memory of 4360	1616	wudskw.exe	133
PID 1616 wrote to memory of 4360	1616	wudskw.exe	133
PID 1616 wrote to memory of 4360	1616	wudskw.exe	133
PID 1616 wrote to memory of 1548	1616	wudskw.exe	134
PID 1616 wrote to memory of 1548	1616	wudskw.exe	134
PID 1616 wrote to memory of 1548	1616	wudskw.exe	134
PID 4360 wrote to memory of 4308	4360	wmdc.exe	137
PID 4360 wrote to memory of 4308	4360	wmdc.exe	137
PID 4360 wrote to memory of 4308	4360	wmdc.exe	137
PID 4360 wrote to memory of 5108	4360	wmdc.exe	138

C:\Users\Admin\AppData\Local\Temp\17b7b01480949534c066aac80f8aba6a.exe
"C:\Users\Admin\AppData\Local\Temp\17b7b01480949534c066aac80f8aba6a.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:572
- C:\Windows\SysWOW64\wvnplne.exe
  "C:\Windows\system32\wvnplne.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\SysWOW64\wldkfpjd.exe
    "C:\Windows\system32\wldkfpjd.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\SysWOW64\wtxmmvh.exe
      "C:\Windows\system32\wtxmmvh.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\SysWOW64\wrakxks.exe
        
        "C:\Windows\system32\wrakxks.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4660
      - C:\Windows\SysWOW64\woofjapc.exe
        
        "C:\Windows\system32\woofjapc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\wmuxhpgs.exe
        
        "C:\Windows\system32\wmuxhpgs.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\wbeja.exe
        
        "C:\Windows\system32\wbeja.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\wtaxni.exe
        
        "C:\Windows\system32\wtaxni.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\wudskw.exe
        
        "C:\Windows\system32\wudskw.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\wmdc.exe
        
        "C:\Windows\system32\wmdc.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\wfukcm.exe
        
        "C:\Windows\system32\wfukcm.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4308
        
        C:\Windows\SysWOW64\wbubnysm.exe
        
        "C:\Windows\system32\wbubnysm.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1184
        
        C:\Windows\SysWOW64\wla.exe
        
        "C:\Windows\system32\wla.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\wkufsniik.exe
        
        "C:\Windows\system32\wkufsniik.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\wohkkjo.exe
        
        "C:\Windows\system32\wohkkjo.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\wtkbvnf.exe
        
        "C:\Windows\system32\wtkbvnf.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtkbvnf.exe"
        18⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\whhfn.exe
        
        "C:\Windows\system32\whhfn.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\wjdjve.exe
        
        "C:\Windows\system32\wjdjve.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3752
        
        C:\Windows\SysWOW64\wswvt.exe
        
        "C:\Windows\system32\wswvt.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\waurt.exe
        
        "C:\Windows\system32\waurt.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\wrbfa.exe
        
        "C:\Windows\system32\wrbfa.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\wpefm.exe
        
        "C:\Windows\system32\wpefm.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1308
        
        C:\Windows\SysWOW64\wqs.exe
        
        "C:\Windows\system32\wqs.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\wbgu.exe
        
        "C:\Windows\system32\wbgu.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqs.exe"
        25⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpefm.exe"
        24⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrbfa.exe"
        23⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waurt.exe"
        22⤵
        
        PID:712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1676
        22⤵
        Program crash
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wswvt.exe"
        21⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjdjve.exe"
        20⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whhfn.exe"
        19⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohkkjo.exe"
        17⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkufsniik.exe"
        16⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wla.exe"
        15⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbubnysm.exe"
        14⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfukcm.exe"
        13⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmdc.exe"
        12⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wudskw.exe"
        11⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtaxni.exe"
        10⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbeja.exe"
        9⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmuxhpgs.exe"
        8⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woofjapc.exe"
        7⤵
        
        PID:1604
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrakxks.exe"
        6⤵
        
        PID:1148
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxmmvh.exe"
        5⤵
        
        PID:844
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wldkfpjd.exe"
      4⤵
      PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvnplne.exe"
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1680
    3⤵
    - Program crash
    PID:400
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\17b7b01480949534c066aac80f8aba6a.exe"
  2⤵
  PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5096 -ip 5096
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1912 -ip 1912
1⤵
PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\waurt.exe

Filesize
255KB

MD5
639da419bb893f4eb4cc438b30b07c21

SHA1
fb5628b8d5a7465fcfa79184b543b2836f78d7a5

SHA256
cef91c89ddd29d8b1911daee29bb288b834290e5e2cf28b9b94b9e2c3ba21053

SHA512
21dbf6ff4a5b558b9ead274e3a52b44646df5be4dcdc7a06cd365d215ca715bb99c34470b75322901b7f0b391783eb0b62bdcae7dd28364eb653826d2eb037d5

Download Submit
C:\Windows\SysWOW64\waurt.exe

Filesize
241KB

MD5
803a4f3f37d7ce075e2de1a03b70b1c2

SHA1
5302b640548ca47f0d4ec61ea1fd4031fc5ea74d

SHA256
3ab4fe03d29c7bab41afcfbe9c7dfbf1a05cfa06cfb224f10c65b04767fb41e4

SHA512
f9066d025e20e2e4b4a07f6fdfa7c7e8d520b7e717a3f35e3262e90c57fa50aadd92575940692146bfd4cfce27379b6677adbccd91c938210e1d022f03c62ac3

Download Submit
C:\Windows\SysWOW64\wbeja.exe

Filesize
255KB

MD5
4eba421a2d822979c983319f4bef9221

SHA1
d32c53f7f5fc599478da8668a0edfd0f5bb0fd55

SHA256
50485a6625e6cd7c2568dd41d970a58a9e1a69cb179da899893e839a402b4188

SHA512
2f5b1ba502623ef3cfc4834af7a09679fee4d27489cf4eebea86a50d2321b2e301c4d620834614f7d28a29d712e54c5f56e4ea0735aa98f27ac8bb634942a5cc

Download Submit
C:\Windows\SysWOW64\wbgu.exe

Filesize
255KB

MD5
c9636c7fed606f52e338276b467ad836

SHA1
cb46ad00076f8e92f22232fff6c9ffa8e3c01483

SHA256
633d5fb2fba8b8872b81cfcec67f03435d6bc041c16eeb76373d5f392f5417e8

SHA512
9a279c2336054baf81cb02c7f43afe41c1aca4fc3b91c625e2c81b3287b92a3c616151dfeab1348f3749ede2e978626a4eb7c3bd5b6f6ef63c7495ff5b8481ae

Download Submit
C:\Windows\SysWOW64\wbubnysm.exe

Filesize
255KB

MD5
29d29185bf20f0001d355db8ad48f0fd

SHA1
f5a44e48736e0bcbe52c2dc4c524f7c9bd985f90

SHA256
dcfb8b16a819a7a255f7d06ff42b2dab664d2193499ccec496b4e0b73c093d65

SHA512
3b87a5ab2fafda413522109285eff649816603e3c32da845a77843e8cf02a3c6f36022ba4b51c75baaa40a8201096834ee9cf2689fbff9b4432017c0bc9ae293

Download Submit
C:\Windows\SysWOW64\wfukcm.exe

Filesize
255KB

MD5
b0d19efc7f6e8113caec09144064374f

SHA1
3ff6118c8655862f8e5dd2e8e0513e842f165e38

SHA256
9ccc6cd5183b7247aec4c23487874048a995f866b971e5f6fcda12a96f1708a0

SHA512
3e8b40722d06433fb04cf47bad182e4cbabda0e49816188fa78fb5ee251785f374844f8e6d6046d6dae5877dea32b552c9ceccc8ffbc07810c6b31210cfe3a32

Download Submit
C:\Windows\SysWOW64\whhfn.exe

Filesize
88KB

MD5
cb5b7c247d401e866d1b42f4267bedb3

SHA1
c33d8b59449e2342fd73f1c8c4140589ec10a71f

SHA256
beed8f04555fc766fcac166b28f103f9a4a7e247db88bc3bcb9a8104fd987bbc

SHA512
d2cf2c46bd175bef18b3ab7d35d7f9c73a20afcb9518b9984238545b4536175704a7a195cdd8ace9001deb1074654e1bb434d23f71835ea7176ba563049db8ce

Download Submit
C:\Windows\SysWOW64\whhfn.exe

Filesize
57KB

MD5
e408505140c355477b03063a8c317f02

SHA1
66240dd6c278639041486ef6e1ec95cf75e76eac

SHA256
0ae1a821ec664f06bc48d79f8d9fffcd79aa092c2dcc6a31b625fe45a1b635a7

SHA512
a37308d20fefe9fda8dfe50cf18eec49c77cb1513347d34f02d34ca70d4df91b6ba1913a05d2e5c52dc632c479623ddc0eed83b2123897dba82910c7baa6ace3

Download Submit
C:\Windows\SysWOW64\wjdjve.exe

Filesize
255KB

MD5
0d94923f6a0c04815ddfff2e6791d6d5

SHA1
f22e5e3b1d4722629805aac6dbc37233914d1226

SHA256
2fb351db63bdf5c5b7c68ee012a3e8f261d4fb450c9558189b1b4f61be741988

SHA512
c2aa45533d81befa94778ec0bcdca955b194bf8e83c9c56c4f5b790d2167efc81d19259ade4362e9b07f62dc42d16fce0ed944ff39e076d3942b75b446889d80

Download Submit
C:\Windows\SysWOW64\wkufsniik.exe

Filesize
255KB

MD5
a8667146423be323ac176264846271b4

SHA1
590287b52c9721570be5f404a8a10310636a9465

SHA256
25881964bcf01fb3fb3ad28338b26ffd74cd110fe68b0b406cefabdec4d37263

SHA512
d36fc92bfd87b1c76a4d0902ad61e3fa9670378f02d6f68dbbff45121ccfc1924d5fcdf8494078431f451eca0970b6618d67126afd090d233d6a460412193ea0

Download Submit
C:\Windows\SysWOW64\wla.exe

Filesize
255KB

MD5
fea45fb691979632d20b1ad5ed893a35

SHA1
9c60e3edab9c654f80e950ee31ab9881283ffa25

SHA256
216d909b1521a8efc8f342a4f4b738595bf71cb66866d2cecd699a8d8bbaeeb9

SHA512
3b282f2f5b2b4c01ee8b04a1627c18ebdee4cd00cb436daebe45ca622752d12bc227ff0d959c058fa3332cce34a670cfda1b5764f41348cb10d64c9b3aa70d7b

Download Submit
C:\Windows\SysWOW64\wldkfpjd.exe

Filesize
255KB

MD5
b4adbf87d900384e4c7f49142ca6790f

SHA1
16391f180a8b5d95354cf0ce0bf7900e96bd31ac

SHA256
71f03a34878ea662728eee58f3a4c78b9a398ca716b5b7d292be5d2c4549e65d

SHA512
abd8ec355b77bbbb066809e80cd8d2d9bc5ae50aec08ed070e55e72c117b2c886bf1d2cf2c9a650ed483b1a47eb588d7ed15c858e69e2fdedfaa70bb283d7023

Download Submit
C:\Windows\SysWOW64\wmdc.exe

Filesize
255KB

MD5
4266f1f133cfd6bba88bd9afec5c985c

SHA1
583e4faa1e5fb3ac7694ec7a560db27664cdccb6

SHA256
f34813c6cdfdeee402df98343d5c5e92cacbf9a368ed451d6a8a2386f626b642

SHA512
ac47d6fdd9a63b4f4d8da13ef346b75c37af30a12ae51bfdbb05a58eec0137220af2fbeffabb980d97e06ead9fd26bef52402dd8906cd1e3a196ce7faa52e8eb

Download Submit
C:\Windows\SysWOW64\wmuxhpgs.exe

Filesize
255KB

MD5
052386011798fd5cd29ce1e7483bd2b8

SHA1
3f6bccb6efc0fbd705568434d44ad62a6a64abed

SHA256
b92d840f0adb847a9f43417f1f453976d750131794d1e4b18d6acffc9434036b

SHA512
e97b89f40bd6ba1bc6c7fa2c7236527af462190ebaaaf6c4855edd6f1f944cc43ac5cdd48bacece3355d6785f648b025522b5d0132120fe2b8394b21a42681c2

Download Submit
C:\Windows\SysWOW64\wohkkjo.exe

Filesize
190KB

MD5
b58eeeaeaf460ea9431a0e1358301395

SHA1
7def02fe15e0ff91d63bda5bbbabd94f19818229

SHA256
58411d04a3d5950dea2f75d819eac6d46ede22dfe72676823134af84869f49db

SHA512
c9d3bf7fd5e85be7ceee2d69bd7af647b84d229903c9c726f45d6f70b111b12f279708252c18fe3461f2e9fbd1e1b0a40b48ce32d9b0c566bdc8246aa715fcbf

Download Submit
C:\Windows\SysWOW64\wohkkjo.exe

Filesize
149KB

MD5
074197de5f0e5a40db4a211b728dc01d

SHA1
f85d61efaf9b48f69d6e673fd40b5dc75cdae714

SHA256
dadf1224f087d5535635554c165d01b9e19725c22a3a7ceb241e0bb6bce57d67

SHA512
41915a354d37738a76ca78f4200bd0873be9b9e1afddf34e8911c67abd860188229e7aa7ec94e2e785c8a96ad052343da4f1b435b60baa7e9c6b0d31c80a8c2c

Download Submit
C:\Windows\SysWOW64\woofjapc.exe

Filesize
255KB

MD5
bfc0cfcb868a55a2f02fb64c5df8b193

SHA1
618ec6e3e966aa89d3b42afcc7d14f3390df9542

SHA256
aad53cd22f43359996e04055c3deaf9f254b2f7ebbe09be7e6224ade70506747

SHA512
18eb991fdee6af1b6a95cfcbf76fde78300cdef3186f8aca41b391851a4b614b859a81be6044e32049f64ef5e201e1f08b5d7d37c71e859b889e1383ecae2ef8

Download Submit
C:\Windows\SysWOW64\wpefm.exe

Filesize
165KB

MD5
35e7865f04fe37657be1bdbfa357ee87

SHA1
7c54d4e57a22b07e92752e4711e867ca0085b368

SHA256
59055fba9c796a35a1d78792db33cc6f53b0bf24af1f8d4be4710d7a7c18ad72

SHA512
fb719a0f6bf91563814ee6d7395598df2749498783987b56418330955c5e121801fd59a74bf52011d43f462a0109400d7a035a5a757319ef83818994ee9c6375

Download Submit
C:\Windows\SysWOW64\wpefm.exe

Filesize
255KB

MD5
b9479afdfb032c84c2bfa7aee3beb549

SHA1
5e51499e2a275257b435b79028d6524a1f650f3a

SHA256
4d87ea7ad1200ac73e73c7427b7b6d3db7229fa49e3176ce4ee617f8f9d4c66e

SHA512
a3ae7bd6e665ec40e7479ca71adbdc7c2d9a073b34223d97c9a437d147328555adcac1ba77443c90f66b56b3158e0d0d70d24a35d05d0f6062bf4c8f9c6e6258

Download Submit
C:\Windows\SysWOW64\wqs.exe

Filesize
255KB

MD5
63f514b65ec10d2a75008208d6dc2164

SHA1
7e8303824151352f98453ee3bd3063eaa7bd83c2

SHA256
4607d24310fbbb209dfe0ed502c13f06f327689e527805d7c66c062cfd884b77

SHA512
c3249c18af2fb08116319b183933fb09bc8d5050cd12026419ed1b61797039c82e0323241d4c6ecf53a0d1d8afedf5b6bfbd7c39fd6b7166763e8f53f2b32e50

Download Submit
C:\Windows\SysWOW64\wqs.exe

Filesize
147KB

MD5
b18dd2e775dcd2e66cfac4f462a67f58

SHA1
ff49781fbf5d805765b50eda2e9aa404f90f9e55

SHA256
55078edae164445e47fe0a8458b8b7b5ad343c567d1d84efbf9f4a32dee8d0a2

SHA512
2d85a4b264a66785c1ecc2112498b0f70a1b1e6da17c6081ca748a9417c4a83a53bf6219aa837938ca027e55f4d02491abb2d485feeaac4727fbf2700434082c

Download Submit
C:\Windows\SysWOW64\wrakxks.exe

Filesize
77KB

MD5
89cfeb80ef616a21534ce3b28001f75c

SHA1
a1198528449cd8311012dd6eeeb7bc689b729c49

SHA256
d4cbd3058578f4651160211c530058fbd803bd27223c07444ab25909bedc41c8

SHA512
b43deb516b20d97ea25a7bb0db9a334ba0edc7422eb3025aaf69338076ad0593fc4a9f872dd3a99cf62371489e8aacf624ccdb44e5a705796dac81c500447903

Download Submit
C:\Windows\SysWOW64\wrakxks.exe

Filesize
110KB

MD5
ae22cb6e78461bd213ca46762e914f88

SHA1
a9a84c519f224e0ae2b88cf0bf63c0e8c692fe6d

SHA256
4875f59bc885c496154c99300df8a6997814ec967171242d0647c5fcfde6b0a0

SHA512
8718613fa6f97030971cdd971ebd44cbf0abb71ddd383866eb754572eb6068a1c2340c9a284740dd1143c7e470fda6bd0c24e5ca219df375b7791bef198d78a1

Download Submit
C:\Windows\SysWOW64\wrbfa.exe

Filesize
255KB

MD5
99cbc16683f791c92bbb5716929f2a09

SHA1
3c97e18d366809cacf123daf4cf4499f70719ff8

SHA256
d2e3db6044937eaa6817134f51f5e2df5f5a5782968723db96e73b1f2adcafce

SHA512
ae1fe0d1c26ada88fb9b3eee8573e1b7e31f98fefc84693b6844d6e79dc9e06c3f437ef324891ec7cbc1932857cd46aee852a1d1395858e81a3f85d87262e7ae

Download Submit
C:\Windows\SysWOW64\wrbfa.exe

Filesize
206KB

MD5
e361bfffb6f381cb1fd8fc43f491fedb

SHA1
a5dea3f76f64443e97dbe126c06a886c6c589a67

SHA256
d4f1610c9ef966e322d4941a0a4ca99b4ae8347b28a5d078be0eee5d5f5df9e2

SHA512
bc1582b3b1cd9391869b479becf063463669eeacfd50bed527c405ff9c96098cbdaf700020ba6fa4c28b8dcf7b8039c3209bd7ab3d9a64d43beb1eda926f6e19

Download Submit
C:\Windows\SysWOW64\wswvt.exe

Filesize
193KB

MD5
4c14d36a97d1336db57c6375d23fe6c9

SHA1
dc3052c467892114ba5155a76abde57d8ebacd11

SHA256
dac7082963a19e05a2621cbc508ad3dd7c1e0e4f5852c7d565f494afda45cc8d

SHA512
9d44b621bcc0c93c98541545a54a896e31e5c98ffb55dd50c643c58c189014f13f1f307daf1bb99fb236f17b4728f4e5ceff8356da5d247ceed114b6e5bffb38

Download Submit
C:\Windows\SysWOW64\wswvt.exe

Filesize
194KB

MD5
049234ecae13c2b3237f3125b2a39981

SHA1
6a33b4fd8755183924780a2dba047bca70edffc9

SHA256
7d3be6afc9c0536707f6843a0638ff410666ba9f29ff9adb4e082919b224e527

SHA512
dff60254ae9b3407d70a3bea4be1d14b49f524c849dbd9894f9ceb18d94bcdda0fff6bbf573c146b50ec79b4d49f9ab3e72bf91f98ec6cbc088330bca8aab207

Download Submit
C:\Windows\SysWOW64\wtaxni.exe

Filesize
255KB

MD5
8ec40f0cc0b518414d144b3a53bd8d0f

SHA1
78e9ee6dc563d91c989940e0f43c03db38393538

SHA256
0ea516457e12c1a0dac0b8a220bc97f5f147e0829297ba46fcd7f8d950ab11e9

SHA512
3122e884585bf61c1324f85ee097d59916642a7141c6079730ae413c4aa6704c561372086f15441d98ced2cb4ca03b015b7b8f8233a6dc2d3c2aa85b2983c4ec

Download Submit
C:\Windows\SysWOW64\wtkbvnf.exe

Filesize
255KB

MD5
47b1da62e87ad9537ee4b237fdfbd38b

SHA1
8dfcc49becb2a47141e8c8a007b1e65328827a38

SHA256
3af51928b3ee028977decbfbb5a8a1bd24034df92b797273a6aedec2a17a79f3

SHA512
cd55b41f412fbe97bc1edede75e7cb86291fd9e9a42b06c00bbc613bfc1ae14fdba5893b6432ecc2ab6b9a36411953b06ab139044b229ad8d60e4954f047d0a4

Download Submit
C:\Windows\SysWOW64\wtxmmvh.exe

Filesize
255KB

MD5
9e9d773ec0f16827f989128692c82884

SHA1
c5243412cd1159dbe8f996e62735a28bb9a5ad6d

SHA256
f31bc8a6d3fdb8d8b9d06cfbe741d255e0b7ecf0666cba0b23f24760a951f243

SHA512
e370d71fe8a36a690323710ba5893fe7417a682792dd09a55a830d50b9a2f293a0f59eff542b429e5985504f34492676e6667f6cbc5ac8aac5b54db18ffa00b7

Download Submit
C:\Windows\SysWOW64\wudskw.exe

Filesize
255KB

MD5
71dfe6c78b54afe3077e4e631b003682

SHA1
d9fdf2de366c349520adb7dda1b412b147743da8

SHA256
25460a296b00471c5a5e3f94e26128c8298ed9db235bc317543b08808dfd4915

SHA512
e7e6e7010f461c590167f1f10aee399edaed90cbb1ef0aa90904a5a09079267d9e00946ba727ad09ccd8306cb039247ffc9222dd9f51fb17cd94deee21a9b906

Download Submit
C:\Windows\SysWOW64\wvnplne.exe

Filesize
255KB

MD5
5bf6828c96c6ad48e31f67d299889715

SHA1
f760c66410908abc50e92f1d8b5a31ec57468946

SHA256
efb716779eecba415bc9e3cd5674af0b05aced072e983d8672921e7de88bf235

SHA512
0ca5e8baaaa8813ae7bcc99281c39b972e27e94dc76fabda79958310a680ea8409efc63fa52f4d635efec69b25fb5e152cb4b2e3ca0748e0db95bb58c12c7eea

Download Submit
memory/572-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/572-11-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/572-1-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/764-164-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1184-134-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1184-123-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1308-235-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1400-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1540-144-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1616-102-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1860-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1860-204-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1860-82-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1912-215-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1980-174-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2496-246-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2900-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2900-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2988-225-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2988-214-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3048-92-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3404-245-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3476-154-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3752-194-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4308-112-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4308-124-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4360-113-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4660-52-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4752-184-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5048-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download