98bbe7f24f036092b1efc04bf3c80d291744c2201d53a6696d60f0fb15c2413a

Analysis

max time kernel
109s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 13:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

98bbe7f24f036092b1efc04bf3c80d291744c2201d53a6696d60f0fb15c2413a.exe
Size

1.3MB
MD5

13127cb9392ac44b8a6b3fba1c162b4d
SHA1

4ec270ef736481ef2d7769b01130125d26df6f86
SHA256

98bbe7f24f036092b1efc04bf3c80d291744c2201d53a6696d60f0fb15c2413a
SHA512

1bad92306b544a9e9c53ef225e4fa588fbfae43a3cf8139b8009928eff86189892b1db63d94725af6c0978a0ea66f8e6a6e60defda4c378626be5efdceb18d28
SSDEEP

24576:rywky7RX0zzUJJCePV2eveeRT5uTbzBkTIOdoZkovMAeCv2is:ewky7RyuHPV2mdRT5COTINZ

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	az768302.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	az768302.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	co011245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	co011245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	co011245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	co011245.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	az768302.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	az768302.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	az768302.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	az768302.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	co011245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	co011245.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	ft324794.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	ge047455.exe

Executes dropped EXE 13 IoCs

pid	Process
3976	ki433636.exe
1616	ki339373.exe
3012	ki810012.exe
216	ki926070.exe
860	az768302.exe
3780	bu034757.exe
2220	co011245.exe
3672	dZk09t01.exe
3900	ft324794.exe
872	oneetx.exe
4768	ge047455.exe
1604	oneetx.exe
1160	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
996	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	co011245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	az768302.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	co011245.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	98bbe7f24f036092b1efc04bf3c80d291744c2201d53a6696d60f0fb15c2413a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	98bbe7f24f036092b1efc04bf3c80d291744c2201d53a6696d60f0fb15c2413a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ki433636.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ki433636.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ki810012.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ki926070.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ki339373.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ki339373.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ki810012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ki926070.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
3676	3780	WerFault.exe	89
4176	2220	WerFault.exe	93
3772	3672	WerFault.exe	96
3064	4768	WerFault.exe	101
1532	4768	WerFault.exe	101
1908	4768	WerFault.exe	101
5016	4768	WerFault.exe	101
1612	4768	WerFault.exe	101
4400	4768	WerFault.exe	101
748	4768	WerFault.exe	101
2228	4768	WerFault.exe	101
4280	4768	WerFault.exe	101
2676	4768	WerFault.exe	101
5028	4768	WerFault.exe	101

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
860	az768302.exe
860	az768302.exe
3780	bu034757.exe
3780	bu034757.exe
2220	co011245.exe
2220	co011245.exe
3672	dZk09t01.exe
3672	dZk09t01.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	860	az768302.exe
Token: SeDebugPrivilege	3780	bu034757.exe
Token: SeDebugPrivilege	2220	co011245.exe
Token: SeDebugPrivilege	3672	dZk09t01.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3900	ft324794.exe
4768	ge047455.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 3976	2032	98bbe7f24f036092b1efc04bf3c80d291744c2201d53a6696d60f0fb15c2413a.exe	84
PID 2032 wrote to memory of 3976	2032	98bbe7f24f036092b1efc04bf3c80d291744c2201d53a6696d60f0fb15c2413a.exe	84
PID 2032 wrote to memory of 3976	2032	98bbe7f24f036092b1efc04bf3c80d291744c2201d53a6696d60f0fb15c2413a.exe	84
PID 3976 wrote to memory of 1616	3976	ki433636.exe	85
PID 3976 wrote to memory of 1616	3976	ki433636.exe	85
PID 3976 wrote to memory of 1616	3976	ki433636.exe	85
PID 1616 wrote to memory of 3012	1616	ki339373.exe	86
PID 1616 wrote to memory of 3012	1616	ki339373.exe	86
PID 1616 wrote to memory of 3012	1616	ki339373.exe	86
PID 3012 wrote to memory of 216	3012	ki810012.exe	87
PID 3012 wrote to memory of 216	3012	ki810012.exe	87
PID 3012 wrote to memory of 216	3012	ki810012.exe	87
PID 216 wrote to memory of 860	216	ki926070.exe	88
PID 216 wrote to memory of 860	216	ki926070.exe	88
PID 216 wrote to memory of 3780	216	ki926070.exe	89
PID 216 wrote to memory of 3780	216	ki926070.exe	89
PID 216 wrote to memory of 3780	216	ki926070.exe	89
PID 3012 wrote to memory of 2220	3012	ki810012.exe	93
PID 3012 wrote to memory of 2220	3012	ki810012.exe	93
PID 3012 wrote to memory of 2220	3012	ki810012.exe	93
PID 1616 wrote to memory of 3672	1616	ki339373.exe	96
PID 1616 wrote to memory of 3672	1616	ki339373.exe	96
PID 1616 wrote to memory of 3672	1616	ki339373.exe	96
PID 3976 wrote to memory of 3900	3976	ki433636.exe	99
PID 3976 wrote to memory of 3900	3976	ki433636.exe	99
PID 3976 wrote to memory of 3900	3976	ki433636.exe	99
PID 3900 wrote to memory of 872	3900	ft324794.exe	100
PID 3900 wrote to memory of 872	3900	ft324794.exe	100
PID 3900 wrote to memory of 872	3900	ft324794.exe	100
PID 2032 wrote to memory of 4768	2032	98bbe7f24f036092b1efc04bf3c80d291744c2201d53a6696d60f0fb15c2413a.exe	101
PID 2032 wrote to memory of 4768	2032	98bbe7f24f036092b1efc04bf3c80d291744c2201d53a6696d60f0fb15c2413a.exe	101
PID 2032 wrote to memory of 4768	2032	98bbe7f24f036092b1efc04bf3c80d291744c2201d53a6696d60f0fb15c2413a.exe	101
PID 872 wrote to memory of 4868	872	oneetx.exe	102
PID 872 wrote to memory of 4868	872	oneetx.exe	102
PID 872 wrote to memory of 4868	872	oneetx.exe	102
PID 872 wrote to memory of 1676	872	oneetx.exe	104
PID 872 wrote to memory of 1676	872	oneetx.exe	104
PID 872 wrote to memory of 1676	872	oneetx.exe	104
PID 1676 wrote to memory of 5112	1676	cmd.exe	106
PID 1676 wrote to memory of 5112	1676	cmd.exe	106
PID 1676 wrote to memory of 5112	1676	cmd.exe	106
PID 1676 wrote to memory of 4272	1676	cmd.exe	107
PID 1676 wrote to memory of 4272	1676	cmd.exe	107
PID 1676 wrote to memory of 4272	1676	cmd.exe	107
PID 1676 wrote to memory of 4388	1676	cmd.exe	108
PID 1676 wrote to memory of 4388	1676	cmd.exe	108
PID 1676 wrote to memory of 4388	1676	cmd.exe	108
PID 1676 wrote to memory of 3624	1676	cmd.exe	110
PID 1676 wrote to memory of 3624	1676	cmd.exe	110
PID 1676 wrote to memory of 3624	1676	cmd.exe	110
PID 1676 wrote to memory of 3228	1676	cmd.exe	111
PID 1676 wrote to memory of 3228	1676	cmd.exe	111
PID 1676 wrote to memory of 3228	1676	cmd.exe	111
PID 1676 wrote to memory of 436	1676	cmd.exe	113
PID 1676 wrote to memory of 436	1676	cmd.exe	113
PID 1676 wrote to memory of 436	1676	cmd.exe	113
PID 4768 wrote to memory of 1604	4768	ge047455.exe	132
PID 4768 wrote to memory of 1604	4768	ge047455.exe	132
PID 4768 wrote to memory of 1604	4768	ge047455.exe	132
PID 872 wrote to memory of 996	872	oneetx.exe	136
PID 872 wrote to memory of 996	872	oneetx.exe	136
PID 872 wrote to memory of 996	872	oneetx.exe	136

C:\Users\Admin\AppData\Local\Temp\98bbe7f24f036092b1efc04bf3c80d291744c2201d53a6696d60f0fb15c2413a.exe
"C:\Users\Admin\AppData\Local\Temp\98bbe7f24f036092b1efc04bf3c80d291744c2201d53a6696d60f0fb15c2413a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki433636.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki433636.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki339373.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki339373.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki810012.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki810012.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki926070.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki926070.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:216
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az768302.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az768302.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu034757.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu034757.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 2032
        7⤵
        Program crash
        
        PID:3676
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co011245.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co011245.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1064
        6⤵
        Program crash
        
        PID:4176
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dZk09t01.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dZk09t01.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3672
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1320
        5⤵
        Program crash
        
        PID:3772
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft324794.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft324794.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3900
  - - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:872
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:4868
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:5112
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        6⤵
        
        PID:4272
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        6⤵
        
        PID:4388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3624
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        6⤵
        
        PID:3228
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        6⤵
        
        PID:436
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge047455.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge047455.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 708
    3⤵
    - Program crash
    PID:3064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 792
    3⤵
    - Program crash
    PID:1532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 808
    3⤵
    - Program crash
    PID:1908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 960
    3⤵
    - Program crash
    PID:5016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 960
    3⤵
    - Program crash
    PID:1612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 960
    3⤵
    - Program crash
    PID:4400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1268
    3⤵
    - Program crash
    PID:748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1324
    3⤵
    - Program crash
    PID:2228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1300
    3⤵
    - Program crash
    PID:4280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1376
    3⤵
    - Program crash
    PID:2676
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Executes dropped EXE
    PID:1604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 816
    3⤵
    - Program crash
    PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3780 -ip 3780
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2220 -ip 2220
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3672 -ip 3672
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4768 -ip 4768
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4768 -ip 4768
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4768 -ip 4768
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4768 -ip 4768
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4768 -ip 4768
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4768 -ip 4768
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4768 -ip 4768
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4768 -ip 4768
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4768 -ip 4768
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4768 -ip 4768
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4768 -ip 4768
1⤵
PID:3464

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge047455.exe

Filesize
256KB

MD5
ef86e9d42f1fb5e03e861b1f6fd7ec52

SHA1
220bb211786a7fd82eef69208b3cef1abe57c854

SHA256
9d90c30300cda03b882709ae2ec34daeef4df8c21d7e4c1a91eb401a3c666b60

SHA512
cef3fb55b95a4b97bad33b3c49c9c6414bb684ee3306d13e8447948b9a5bd0a30d03415cd2db410a194cbd6041e5ac3fbb12d8baf960e40ccf390685e19bf8cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge047455.exe

Filesize
256KB

MD5
ef86e9d42f1fb5e03e861b1f6fd7ec52

SHA1
220bb211786a7fd82eef69208b3cef1abe57c854

SHA256
9d90c30300cda03b882709ae2ec34daeef4df8c21d7e4c1a91eb401a3c666b60

SHA512
cef3fb55b95a4b97bad33b3c49c9c6414bb684ee3306d13e8447948b9a5bd0a30d03415cd2db410a194cbd6041e5ac3fbb12d8baf960e40ccf390685e19bf8cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki433636.exe

Filesize
1.0MB

MD5
07ac78b25b228483b30d4a8fc62528c1

SHA1
1ce466d035ac673eaf016d71781973e2301a52ed

SHA256
06cca46dd63a719bdaabb78d469e25ed9a2ddc26b018f6911db4c95c5e2ecaf4

SHA512
04672c65722a9d2f0eda210268ac7b29e43f2e4d88c7526003b7f48b96d2097f82de794e8f5e1879fa5a11bc1c97a889a04359bfecaf256582215a4751bf6809

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki433636.exe

Filesize
1.0MB

MD5
07ac78b25b228483b30d4a8fc62528c1

SHA1
1ce466d035ac673eaf016d71781973e2301a52ed

SHA256
06cca46dd63a719bdaabb78d469e25ed9a2ddc26b018f6911db4c95c5e2ecaf4

SHA512
04672c65722a9d2f0eda210268ac7b29e43f2e4d88c7526003b7f48b96d2097f82de794e8f5e1879fa5a11bc1c97a889a04359bfecaf256582215a4751bf6809

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft324794.exe

Filesize
204KB

MD5
d2622752e39ebe03e48351887e7ba2c7

SHA1
8377db1a7994b5101d4285126cbb2e8e7e4e82e3

SHA256
c74dad9fa19bf79777746674fef33c0ad16d55c0e2ecf1991ceff3d8d7fa27c0

SHA512
f8b3a3b666e27b5f945b4ad9e44c4eeb3e0a62ba171dcc4729480c85aa6fbcf784f8990dee1fd5020a86a3a802e204e2b1b77a622125bb78c70e551e0df4742c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft324794.exe

Filesize
204KB

MD5
d2622752e39ebe03e48351887e7ba2c7

SHA1
8377db1a7994b5101d4285126cbb2e8e7e4e82e3

SHA256
c74dad9fa19bf79777746674fef33c0ad16d55c0e2ecf1991ceff3d8d7fa27c0

SHA512
f8b3a3b666e27b5f945b4ad9e44c4eeb3e0a62ba171dcc4729480c85aa6fbcf784f8990dee1fd5020a86a3a802e204e2b1b77a622125bb78c70e551e0df4742c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki339373.exe

Filesize
895KB

MD5
0eeb8a52ea143b4758cfc96dad4b1935

SHA1
52b13c859cc90146540d21772a3bb3502dd7e8aa

SHA256
a0fd82aa902ba8cfbf5d5130ff9c97f6f865cd80935a263d925fe5451b2bb5a1

SHA512
aa61887aab4222a811e14ad56e61f3f9c8d7ae50c66edaa98c6f62ea323a0d5649003e748a92d88524c44cad6311e124b73513dde62447271383de941bc32887

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki339373.exe

Filesize
895KB

MD5
0eeb8a52ea143b4758cfc96dad4b1935

SHA1
52b13c859cc90146540d21772a3bb3502dd7e8aa

SHA256
a0fd82aa902ba8cfbf5d5130ff9c97f6f865cd80935a263d925fe5451b2bb5a1

SHA512
aa61887aab4222a811e14ad56e61f3f9c8d7ae50c66edaa98c6f62ea323a0d5649003e748a92d88524c44cad6311e124b73513dde62447271383de941bc32887

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dZk09t01.exe

Filesize
360KB

MD5
371dab0adbf858cce524a7e0a106ab7e

SHA1
d59d009c2bf6ab0f8fe492b7f44eadccf0456e63

SHA256
18ca8cdd8d7fda6f644c8a5e412147e48dd696fac966ea64c298a74b21d1ca5f

SHA512
5bed4dbe55a3df13110c0a3d1532bb834e4ec3d166183a896db80e153881e4321d85d2d0aafc027dd0605386ccbb829d8bc86993b6be50ef13edc3390408b96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dZk09t01.exe

Filesize
360KB

MD5
371dab0adbf858cce524a7e0a106ab7e

SHA1
d59d009c2bf6ab0f8fe492b7f44eadccf0456e63

SHA256
18ca8cdd8d7fda6f644c8a5e412147e48dd696fac966ea64c298a74b21d1ca5f

SHA512
5bed4dbe55a3df13110c0a3d1532bb834e4ec3d166183a896db80e153881e4321d85d2d0aafc027dd0605386ccbb829d8bc86993b6be50ef13edc3390408b96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki810012.exe

Filesize
695KB

MD5
0aa13839f2cf4e0cc97a9f83eb28432d

SHA1
2b05ef0658961a671373f0933f35b3795ad53644

SHA256
c1e79a56296c4c0fd279d6689b9d5cea0011ae224226d974d7aba386f0567427

SHA512
75b98991c6b846f441306717ec07b3c5946cc61d972aadbb914de4288aabe1302af1d2bc15dba763d43c76d2b7e921943fecca62fdeeebb26ed3946446d70266

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki810012.exe

Filesize
695KB

MD5
0aa13839f2cf4e0cc97a9f83eb28432d

SHA1
2b05ef0658961a671373f0933f35b3795ad53644

SHA256
c1e79a56296c4c0fd279d6689b9d5cea0011ae224226d974d7aba386f0567427

SHA512
75b98991c6b846f441306717ec07b3c5946cc61d972aadbb914de4288aabe1302af1d2bc15dba763d43c76d2b7e921943fecca62fdeeebb26ed3946446d70266

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co011245.exe

Filesize
277KB

MD5
712fd55fdf7b0ce0b07ebffd6b43b711

SHA1
15f2db9d6473e1a0bdd13adcbae5a959e7bfd5dd

SHA256
c11176b61a6408d641e4526a4c86437054ee5cdde2629a8af2e338f0aa054224

SHA512
a249873b1f7575454efcecfb2326370ec78dd6a038940d7ba808c5974aa4fa56edbb4ce6e7ee65b0de618f4b4e9dd9c1665d468c9b5995156cf800f5b803173b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co011245.exe

Filesize
277KB

MD5
712fd55fdf7b0ce0b07ebffd6b43b711

SHA1
15f2db9d6473e1a0bdd13adcbae5a959e7bfd5dd

SHA256
c11176b61a6408d641e4526a4c86437054ee5cdde2629a8af2e338f0aa054224

SHA512
a249873b1f7575454efcecfb2326370ec78dd6a038940d7ba808c5974aa4fa56edbb4ce6e7ee65b0de618f4b4e9dd9c1665d468c9b5995156cf800f5b803173b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki926070.exe

Filesize
415KB

MD5
da0a0b8cd0e4d6584a1351ea51e8ae72

SHA1
ca8d71b6f72137ffa0ca2e79700670a6be1375db

SHA256
4c24194c6ebde5d75fc1a81edcfe1c529db39d1524b56188a49dff0901c24240

SHA512
73537a07ced263d2a2e0d4c0576c10a8b7daa9ba5482a14ae3b38755085215ad8e245c0c61336111a90770c95bb3cf32ffa3655d6d01d1f99307d7f35a4885d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki926070.exe

Filesize
415KB

MD5
da0a0b8cd0e4d6584a1351ea51e8ae72

SHA1
ca8d71b6f72137ffa0ca2e79700670a6be1375db

SHA256
4c24194c6ebde5d75fc1a81edcfe1c529db39d1524b56188a49dff0901c24240

SHA512
73537a07ced263d2a2e0d4c0576c10a8b7daa9ba5482a14ae3b38755085215ad8e245c0c61336111a90770c95bb3cf32ffa3655d6d01d1f99307d7f35a4885d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az768302.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az768302.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu034757.exe

Filesize
360KB

MD5
bf5537de06ae05fc42f003f2faff5ddb

SHA1
4b62743d36e8c54fa71eda7472b79a5fd4235898

SHA256
93c85ff6d9671f2233aadbffcf0deb8514416eba286237c71a99e3dff21afa45

SHA512
41bc5e910a4827f499a0364eb5c353ebd7262dbdb4f13eac3c12921a9fa2619506758868bcc3918e527811bdb1d71ae9b02327e1647866072a60815ea983599b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu034757.exe

Filesize
360KB

MD5
bf5537de06ae05fc42f003f2faff5ddb

SHA1
4b62743d36e8c54fa71eda7472b79a5fd4235898

SHA256
93c85ff6d9671f2233aadbffcf0deb8514416eba286237c71a99e3dff21afa45

SHA512
41bc5e910a4827f499a0364eb5c353ebd7262dbdb4f13eac3c12921a9fa2619506758868bcc3918e527811bdb1d71ae9b02327e1647866072a60815ea983599b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
204KB

MD5
d2622752e39ebe03e48351887e7ba2c7

SHA1
8377db1a7994b5101d4285126cbb2e8e7e4e82e3

SHA256
c74dad9fa19bf79777746674fef33c0ad16d55c0e2ecf1991ceff3d8d7fa27c0

SHA512
f8b3a3b666e27b5f945b4ad9e44c4eeb3e0a62ba171dcc4729480c85aa6fbcf784f8990dee1fd5020a86a3a802e204e2b1b77a622125bb78c70e551e0df4742c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
204KB

MD5
d2622752e39ebe03e48351887e7ba2c7

SHA1
8377db1a7994b5101d4285126cbb2e8e7e4e82e3

SHA256
c74dad9fa19bf79777746674fef33c0ad16d55c0e2ecf1991ceff3d8d7fa27c0

SHA512
f8b3a3b666e27b5f945b4ad9e44c4eeb3e0a62ba171dcc4729480c85aa6fbcf784f8990dee1fd5020a86a3a802e204e2b1b77a622125bb78c70e551e0df4742c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
204KB

MD5
d2622752e39ebe03e48351887e7ba2c7

SHA1
8377db1a7994b5101d4285126cbb2e8e7e4e82e3

SHA256
c74dad9fa19bf79777746674fef33c0ad16d55c0e2ecf1991ceff3d8d7fa27c0

SHA512
f8b3a3b666e27b5f945b4ad9e44c4eeb3e0a62ba171dcc4729480c85aa6fbcf784f8990dee1fd5020a86a3a802e204e2b1b77a622125bb78c70e551e0df4742c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
204KB

MD5
d2622752e39ebe03e48351887e7ba2c7

SHA1
8377db1a7994b5101d4285126cbb2e8e7e4e82e3

SHA256
c74dad9fa19bf79777746674fef33c0ad16d55c0e2ecf1991ceff3d8d7fa27c0

SHA512
f8b3a3b666e27b5f945b4ad9e44c4eeb3e0a62ba171dcc4729480c85aa6fbcf784f8990dee1fd5020a86a3a802e204e2b1b77a622125bb78c70e551e0df4742c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
204KB

MD5
d2622752e39ebe03e48351887e7ba2c7

SHA1
8377db1a7994b5101d4285126cbb2e8e7e4e82e3

SHA256
c74dad9fa19bf79777746674fef33c0ad16d55c0e2ecf1991ceff3d8d7fa27c0

SHA512
f8b3a3b666e27b5f945b4ad9e44c4eeb3e0a62ba171dcc4729480c85aa6fbcf784f8990dee1fd5020a86a3a802e204e2b1b77a622125bb78c70e551e0df4742c

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/860-168-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/2220-1026-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/2220-1025-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/2220-1024-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/2220-1020-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/2220-1019-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/2220-1018-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/2220-1017-0x0000000002D10000-0x0000000002D3D000-memory.dmp

Filesize
180KB

Download
memory/3672-1031-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/3672-1034-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/3672-1035-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/3672-1826-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/3780-188-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-218-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-230-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-232-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-234-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-236-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-238-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-240-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-969-0x0000000009DC0000-0x000000000A3D8000-memory.dmp

Filesize
6.1MB

Download
memory/3780-970-0x0000000004F60000-0x0000000004F72000-memory.dmp

Filesize
72KB

Download
memory/3780-971-0x000000000A3E0000-0x000000000A4EA000-memory.dmp

Filesize
1.0MB

Download
memory/3780-972-0x0000000007480000-0x0000000007490000-memory.dmp

Filesize
64KB

Download
memory/3780-973-0x0000000007400000-0x000000000743C000-memory.dmp

Filesize
240KB

Download
memory/3780-974-0x000000000A750000-0x000000000A7B6000-memory.dmp

Filesize
408KB

Download
memory/3780-975-0x000000000AE10000-0x000000000AEA2000-memory.dmp

Filesize
584KB

Download
memory/3780-976-0x000000000AFE0000-0x000000000B030000-memory.dmp

Filesize
320KB

Download
memory/3780-977-0x000000000B030000-0x000000000B0A6000-memory.dmp

Filesize
472KB

Download
memory/3780-979-0x000000000B0F0000-0x000000000B10E000-memory.dmp

Filesize
120KB

Download
memory/3780-980-0x000000000B1F0000-0x000000000B3B2000-memory.dmp

Filesize
1.8MB

Download
memory/3780-981-0x000000000B3C0000-0x000000000B8EC000-memory.dmp

Filesize
5.2MB

Download
memory/3780-983-0x0000000007480000-0x0000000007490000-memory.dmp

Filesize
64KB

Download
memory/3780-226-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-224-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-222-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-220-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-228-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-216-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-214-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-212-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-210-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-208-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-206-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-204-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-202-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-200-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-198-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-196-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-194-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-192-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-190-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-186-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-184-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-182-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-174-0x0000000002C80000-0x0000000002CC6000-memory.dmp

Filesize
280KB

Download
memory/3780-180-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-178-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-177-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/3780-176-0x0000000007490000-0x0000000007A34000-memory.dmp

Filesize
5.6MB

Download
memory/3780-175-0x0000000007480000-0x0000000007490000-memory.dmp

Filesize
64KB

Download
memory/4768-1846-0x0000000002CF0000-0x0000000002D25000-memory.dmp

Filesize
212KB

Download