20676098f60a302605c14cc773509641a21be2b8836237ff6084aa50bb302749

Analysis

max time kernel
143s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20676098f60a302605c14cc773509641a21be2b8836237ff6084aa50bb302749.exe
Size

1.3MB
MD5

7687110c47d45ef0c1054f93dabc37cf
SHA1

4c429aa0a081197836074a5fccc536bec9eef686
SHA256

20676098f60a302605c14cc773509641a21be2b8836237ff6084aa50bb302749
SHA512

b40e7e3d01410c6bd7e4f5b8a0a7543be05093f33916e0c51988f4a939b68959d5f5915feef70f0dde734c4bfaa3d6a9ab0daa00ad3a17795de32e65762f0eb9
SSDEEP

24576:oyS46GWcOuHkjDPAc+3euokOgrK7gBhmIjhB8IGzA/EM3kiUP3gPKOemIy8L:vp6yHkvgnNOgEg1jHGzA/EU1aQPm

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	az642208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	az642208.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	co870526.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	co870526.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	co870526.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	co870526.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	az642208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	az642208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	az642208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	az642208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	co870526.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	co870526.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	ft359364.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	ge033714.exe

Executes dropped EXE 14 IoCs

pid	Process
1524	ki431117.exe
4716	ki309546.exe
4504	ki198084.exe
1104	ki223132.exe
3140	az642208.exe
2396	bu073974.exe
3824	co870526.exe
2188	dyN28t04.exe
3756	ft359364.exe
1276	oneetx.exe
3620	ge033714.exe
3424	oneetx.exe
3708	oneetx.exe
1440	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
5000	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	az642208.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	co870526.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	co870526.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ki431117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ki431117.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ki309546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ki309546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ki198084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ki223132.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	20676098f60a302605c14cc773509641a21be2b8836237ff6084aa50bb302749.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	20676098f60a302605c14cc773509641a21be2b8836237ff6084aa50bb302749.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ki198084.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ki223132.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 13 IoCs

pid	pid_target	Process	procid_target
1780	2396	WerFault.exe	91
5088	3824	WerFault.exe	94
3732	2188	WerFault.exe	98
1708	3620	WerFault.exe	107
440	3620	WerFault.exe	107
1744	3620	WerFault.exe	107
5036	3620	WerFault.exe	107
1336	3620	WerFault.exe	107
1392	3620	WerFault.exe	107
3388	3620	WerFault.exe	107
4700	3620	WerFault.exe	107
2960	3620	WerFault.exe	107
456	3620	WerFault.exe	107

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3140	az642208.exe
3140	az642208.exe
2396	bu073974.exe
2396	bu073974.exe
3824	co870526.exe
3824	co870526.exe
2188	dyN28t04.exe
2188	dyN28t04.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3140	az642208.exe
Token: SeDebugPrivilege	2396	bu073974.exe
Token: SeDebugPrivilege	3824	co870526.exe
Token: SeDebugPrivilege	2188	dyN28t04.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3756	ft359364.exe
3620	ge033714.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 1524	1320	20676098f60a302605c14cc773509641a21be2b8836237ff6084aa50bb302749.exe	83
PID 1320 wrote to memory of 1524	1320	20676098f60a302605c14cc773509641a21be2b8836237ff6084aa50bb302749.exe	83
PID 1320 wrote to memory of 1524	1320	20676098f60a302605c14cc773509641a21be2b8836237ff6084aa50bb302749.exe	83
PID 1524 wrote to memory of 4716	1524	ki431117.exe	84
PID 1524 wrote to memory of 4716	1524	ki431117.exe	84
PID 1524 wrote to memory of 4716	1524	ki431117.exe	84
PID 4716 wrote to memory of 4504	4716	ki309546.exe	85
PID 4716 wrote to memory of 4504	4716	ki309546.exe	85
PID 4716 wrote to memory of 4504	4716	ki309546.exe	85
PID 4504 wrote to memory of 1104	4504	ki198084.exe	86
PID 4504 wrote to memory of 1104	4504	ki198084.exe	86
PID 4504 wrote to memory of 1104	4504	ki198084.exe	86
PID 1104 wrote to memory of 3140	1104	ki223132.exe	87
PID 1104 wrote to memory of 3140	1104	ki223132.exe	87
PID 1104 wrote to memory of 2396	1104	ki223132.exe	91
PID 1104 wrote to memory of 2396	1104	ki223132.exe	91
PID 1104 wrote to memory of 2396	1104	ki223132.exe	91
PID 4504 wrote to memory of 3824	4504	ki198084.exe	94
PID 4504 wrote to memory of 3824	4504	ki198084.exe	94
PID 4504 wrote to memory of 3824	4504	ki198084.exe	94
PID 4716 wrote to memory of 2188	4716	ki309546.exe	98
PID 4716 wrote to memory of 2188	4716	ki309546.exe	98
PID 4716 wrote to memory of 2188	4716	ki309546.exe	98
PID 1524 wrote to memory of 3756	1524	ki431117.exe	104
PID 1524 wrote to memory of 3756	1524	ki431117.exe	104
PID 1524 wrote to memory of 3756	1524	ki431117.exe	104
PID 3756 wrote to memory of 1276	3756	ft359364.exe	106
PID 3756 wrote to memory of 1276	3756	ft359364.exe	106
PID 3756 wrote to memory of 1276	3756	ft359364.exe	106
PID 1320 wrote to memory of 3620	1320	20676098f60a302605c14cc773509641a21be2b8836237ff6084aa50bb302749.exe	107
PID 1320 wrote to memory of 3620	1320	20676098f60a302605c14cc773509641a21be2b8836237ff6084aa50bb302749.exe	107
PID 1320 wrote to memory of 3620	1320	20676098f60a302605c14cc773509641a21be2b8836237ff6084aa50bb302749.exe	107
PID 1276 wrote to memory of 4080	1276	oneetx.exe	108
PID 1276 wrote to memory of 4080	1276	oneetx.exe	108
PID 1276 wrote to memory of 4080	1276	oneetx.exe	108
PID 1276 wrote to memory of 4168	1276	oneetx.exe	110
PID 1276 wrote to memory of 4168	1276	oneetx.exe	110
PID 1276 wrote to memory of 4168	1276	oneetx.exe	110
PID 4168 wrote to memory of 4988	4168	cmd.exe	112
PID 4168 wrote to memory of 4988	4168	cmd.exe	112
PID 4168 wrote to memory of 4988	4168	cmd.exe	112
PID 4168 wrote to memory of 4248	4168	cmd.exe	113
PID 4168 wrote to memory of 4248	4168	cmd.exe	113
PID 4168 wrote to memory of 4248	4168	cmd.exe	113
PID 4168 wrote to memory of 1796	4168	cmd.exe	114
PID 4168 wrote to memory of 1796	4168	cmd.exe	114
PID 4168 wrote to memory of 1796	4168	cmd.exe	114
PID 4168 wrote to memory of 2244	4168	cmd.exe	116
PID 4168 wrote to memory of 2244	4168	cmd.exe	116
PID 4168 wrote to memory of 2244	4168	cmd.exe	116
PID 4168 wrote to memory of 4144	4168	cmd.exe	117
PID 4168 wrote to memory of 4144	4168	cmd.exe	117
PID 4168 wrote to memory of 4144	4168	cmd.exe	117
PID 4168 wrote to memory of 4324	4168	cmd.exe	119
PID 4168 wrote to memory of 4324	4168	cmd.exe	119
PID 4168 wrote to memory of 4324	4168	cmd.exe	119
PID 3620 wrote to memory of 3424	3620	ge033714.exe	136
PID 3620 wrote to memory of 3424	3620	ge033714.exe	136
PID 3620 wrote to memory of 3424	3620	ge033714.exe	136
PID 1276 wrote to memory of 5000	1276	oneetx.exe	140
PID 1276 wrote to memory of 5000	1276	oneetx.exe	140
PID 1276 wrote to memory of 5000	1276	oneetx.exe	140

C:\Users\Admin\AppData\Local\Temp\20676098f60a302605c14cc773509641a21be2b8836237ff6084aa50bb302749.exe
"C:\Users\Admin\AppData\Local\Temp\20676098f60a302605c14cc773509641a21be2b8836237ff6084aa50bb302749.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki431117.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki431117.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki309546.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki309546.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki198084.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki198084.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4504
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki223132.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki223132.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1104
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az642208.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az642208.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3140
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu073974.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu073974.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1856
        7⤵
        Program crash
        
        PID:1780
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co870526.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co870526.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 1088
        6⤵
        Program crash
        
        PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyN28t04.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyN28t04.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2188
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1304
        5⤵
        Program crash
        
        PID:3732
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft359364.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft359364.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1276
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:4080
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4168
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4988
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        6⤵
        
        PID:4248
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        6⤵
        
        PID:1796
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2244
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        6⤵
        
        PID:4144
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        6⤵
        
        PID:4324
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:5000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge033714.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge033714.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 696
    3⤵
    - Program crash
    PID:1708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 796
    3⤵
    - Program crash
    PID:440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 868
    3⤵
    - Program crash
    PID:1744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 980
    3⤵
    - Program crash
    PID:5036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1008
    3⤵
    - Program crash
    PID:1336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1008
    3⤵
    - Program crash
    PID:1392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1212
    3⤵
    - Program crash
    PID:3388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1236
    3⤵
    - Program crash
    PID:4700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1248
    3⤵
    - Program crash
    PID:2960
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Executes dropped EXE
    PID:3424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1356
    3⤵
    - Program crash
    PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2396 -ip 2396
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3824 -ip 3824
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2188 -ip 2188
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3620 -ip 3620
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3620 -ip 3620
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3620 -ip 3620
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3620 -ip 3620
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3620 -ip 3620
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3620 -ip 3620
1⤵
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3620 -ip 3620
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3620 -ip 3620
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3620 -ip 3620
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3620 -ip 3620
1⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3708

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:1440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge033714.exe

Filesize
256KB

MD5
65bc30e75cf7e74471ba4aca88a748ad

SHA1
66a902b2a178306cc1758bc1c5801189c7b6a645

SHA256
d915599d1d6b55d3cc2bc4e463114fda4144cb144efc0a0b8f2b5e08534465b7

SHA512
3d0d4d1a72969c337780d16c9d176d93ae5dc314faf3d0553a43979a90b978a23d72229a6658008782924f80f3b3945e01dad3a74b823e312584629d60b589de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge033714.exe

Filesize
256KB

MD5
65bc30e75cf7e74471ba4aca88a748ad

SHA1
66a902b2a178306cc1758bc1c5801189c7b6a645

SHA256
d915599d1d6b55d3cc2bc4e463114fda4144cb144efc0a0b8f2b5e08534465b7

SHA512
3d0d4d1a72969c337780d16c9d176d93ae5dc314faf3d0553a43979a90b978a23d72229a6658008782924f80f3b3945e01dad3a74b823e312584629d60b589de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki431117.exe

Filesize
1.0MB

MD5
3f82c0de61d7dd94695e808892e01128

SHA1
555d9503c56ea75bfe4a5cfc77443603751f261f

SHA256
ac77e9b8a9f50ac66cd6b73e4ccc52a57840eb399bfa7a4012195eafe86b19e5

SHA512
0a762fed3861ae31fc4a45ca394e5c6e1769f359dd883b28a8e6d0798f805b91eb59a38c65fa5765d10c7df8b73dff4781bb1114a25820f6a532c24c14703e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki431117.exe

Filesize
1.0MB

MD5
3f82c0de61d7dd94695e808892e01128

SHA1
555d9503c56ea75bfe4a5cfc77443603751f261f

SHA256
ac77e9b8a9f50ac66cd6b73e4ccc52a57840eb399bfa7a4012195eafe86b19e5

SHA512
0a762fed3861ae31fc4a45ca394e5c6e1769f359dd883b28a8e6d0798f805b91eb59a38c65fa5765d10c7df8b73dff4781bb1114a25820f6a532c24c14703e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft359364.exe

Filesize
204KB

MD5
d2622752e39ebe03e48351887e7ba2c7

SHA1
8377db1a7994b5101d4285126cbb2e8e7e4e82e3

SHA256
c74dad9fa19bf79777746674fef33c0ad16d55c0e2ecf1991ceff3d8d7fa27c0

SHA512
f8b3a3b666e27b5f945b4ad9e44c4eeb3e0a62ba171dcc4729480c85aa6fbcf784f8990dee1fd5020a86a3a802e204e2b1b77a622125bb78c70e551e0df4742c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft359364.exe

Filesize
204KB

MD5
d2622752e39ebe03e48351887e7ba2c7

SHA1
8377db1a7994b5101d4285126cbb2e8e7e4e82e3

SHA256
c74dad9fa19bf79777746674fef33c0ad16d55c0e2ecf1991ceff3d8d7fa27c0

SHA512
f8b3a3b666e27b5f945b4ad9e44c4eeb3e0a62ba171dcc4729480c85aa6fbcf784f8990dee1fd5020a86a3a802e204e2b1b77a622125bb78c70e551e0df4742c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki309546.exe

Filesize
882KB

MD5
932e16ca9b39cf92598519dcc6a78549

SHA1
111d4451da05577dd59f351b92ae2be26597d2cf

SHA256
89c87d48682c52b7f47fe670b4598b2400eb2334f844173bfe92a8215c52b6b3

SHA512
4b56c0ffecc315d399fb3e1a623f2a0d41b107513039f1e69af139e91c2cb5ade6b6244806c64b6577f9bf2e04ed0abf796e06550419b4c39826f065645bd95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki309546.exe

Filesize
882KB

MD5
932e16ca9b39cf92598519dcc6a78549

SHA1
111d4451da05577dd59f351b92ae2be26597d2cf

SHA256
89c87d48682c52b7f47fe670b4598b2400eb2334f844173bfe92a8215c52b6b3

SHA512
4b56c0ffecc315d399fb3e1a623f2a0d41b107513039f1e69af139e91c2cb5ade6b6244806c64b6577f9bf2e04ed0abf796e06550419b4c39826f065645bd95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyN28t04.exe

Filesize
360KB

MD5
7b712bac53f00da5fa62a150698e8e76

SHA1
c8ac10812db089b57da366ebafc7de753183c41b

SHA256
d8aaef540fc8bbfcd084ca690071e5c0b13e424a0176f9ba622ef99c72c6b793

SHA512
8e8fa84ee86710fb50c4f8f1cc87f272e89807652d08796b898dc91c4bf8f0211374791c2d90d0182507edf0f02bb198ded3fa7e63966374b43ccac25d4d8fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyN28t04.exe

Filesize
360KB

MD5
7b712bac53f00da5fa62a150698e8e76

SHA1
c8ac10812db089b57da366ebafc7de753183c41b

SHA256
d8aaef540fc8bbfcd084ca690071e5c0b13e424a0176f9ba622ef99c72c6b793

SHA512
8e8fa84ee86710fb50c4f8f1cc87f272e89807652d08796b898dc91c4bf8f0211374791c2d90d0182507edf0f02bb198ded3fa7e63966374b43ccac25d4d8fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki198084.exe

Filesize
695KB

MD5
64df2895debd0ea2ad1eeac8c2141263

SHA1
4aa073bbf0cb03ea3f787c9d0c4ef2d0dbf7aaa0

SHA256
a5933fcbe8ba4a341b8a182e33b05e45909d87fd35aa5a2f3757c54b4b4a7cf3

SHA512
f2b43bfc89a80901379c7adccac67abd255af491a493546d24ab219e3dd2d8a9d9443fd2af4866376a373be14be0ec6db7f720bcdca3b55de39686053b6c1150

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki198084.exe

Filesize
695KB

MD5
64df2895debd0ea2ad1eeac8c2141263

SHA1
4aa073bbf0cb03ea3f787c9d0c4ef2d0dbf7aaa0

SHA256
a5933fcbe8ba4a341b8a182e33b05e45909d87fd35aa5a2f3757c54b4b4a7cf3

SHA512
f2b43bfc89a80901379c7adccac67abd255af491a493546d24ab219e3dd2d8a9d9443fd2af4866376a373be14be0ec6db7f720bcdca3b55de39686053b6c1150

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co870526.exe

Filesize
278KB

MD5
d13acf9306d3b1723ef6da218c3d9b2d

SHA1
e55b90d2e3e05c213aa7996c4b7e5125c7e04e4e

SHA256
fdd11abfb38d1ed5207200ef2bf90a109bfeaf2056e6d62538f23514185a07ad

SHA512
ecdcf8e825c0f1e73c4cc7c79e901ab382a0c945a5fdb0294659e8b7dcdacd40298aba59c7ccfa1052d880ebd5360ed2b21b228e16fe1633d5774f7ea32c2148

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co870526.exe

Filesize
278KB

MD5
d13acf9306d3b1723ef6da218c3d9b2d

SHA1
e55b90d2e3e05c213aa7996c4b7e5125c7e04e4e

SHA256
fdd11abfb38d1ed5207200ef2bf90a109bfeaf2056e6d62538f23514185a07ad

SHA512
ecdcf8e825c0f1e73c4cc7c79e901ab382a0c945a5fdb0294659e8b7dcdacd40298aba59c7ccfa1052d880ebd5360ed2b21b228e16fe1633d5774f7ea32c2148

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki223132.exe

Filesize
415KB

MD5
f1f3d22bec513a11c8bbdd15e2e70454

SHA1
87ab2863cef62d0f22de52e7cc1211c8ae888955

SHA256
bdc84b6f6eb64643fc8a3234fab4d113b244ef272b60bc21b94881bb627b6b36

SHA512
125541f495cc83c25ee5096623be724ac2399f4d93475baa1775b0fc0456dc4f5d5a44c283fc83bf6901ba09f8cb1af69dc9946bdc01d2c1b4d7f50d8abb63c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki223132.exe

Filesize
415KB

MD5
f1f3d22bec513a11c8bbdd15e2e70454

SHA1
87ab2863cef62d0f22de52e7cc1211c8ae888955

SHA256
bdc84b6f6eb64643fc8a3234fab4d113b244ef272b60bc21b94881bb627b6b36

SHA512
125541f495cc83c25ee5096623be724ac2399f4d93475baa1775b0fc0456dc4f5d5a44c283fc83bf6901ba09f8cb1af69dc9946bdc01d2c1b4d7f50d8abb63c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az642208.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az642208.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu073974.exe

Filesize
360KB

MD5
b8ce74f06d4831623a0818dff9a1d6db

SHA1
173243405e991cae7f726da9f18a9de039f07268

SHA256
6b3cc51b1549e6b8f49d99a6fc79d88bc0b48ffd8ded6e0392a7964e2c46b67e

SHA512
91f0412d8cc941f17a24cd39e9c70f158890b16246e8873b5463bf2750163918771c665b42b4a8c2e3541a4d78d3f65d26497b1b06664a516c3e004f82063fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu073974.exe

Filesize
360KB

MD5
b8ce74f06d4831623a0818dff9a1d6db

SHA1
173243405e991cae7f726da9f18a9de039f07268

SHA256
6b3cc51b1549e6b8f49d99a6fc79d88bc0b48ffd8ded6e0392a7964e2c46b67e

SHA512
91f0412d8cc941f17a24cd39e9c70f158890b16246e8873b5463bf2750163918771c665b42b4a8c2e3541a4d78d3f65d26497b1b06664a516c3e004f82063fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
204KB

MD5
d2622752e39ebe03e48351887e7ba2c7

SHA1
8377db1a7994b5101d4285126cbb2e8e7e4e82e3

SHA256
c74dad9fa19bf79777746674fef33c0ad16d55c0e2ecf1991ceff3d8d7fa27c0

SHA512
f8b3a3b666e27b5f945b4ad9e44c4eeb3e0a62ba171dcc4729480c85aa6fbcf784f8990dee1fd5020a86a3a802e204e2b1b77a622125bb78c70e551e0df4742c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
204KB

MD5
d2622752e39ebe03e48351887e7ba2c7

SHA1
8377db1a7994b5101d4285126cbb2e8e7e4e82e3

SHA256
c74dad9fa19bf79777746674fef33c0ad16d55c0e2ecf1991ceff3d8d7fa27c0

SHA512
f8b3a3b666e27b5f945b4ad9e44c4eeb3e0a62ba171dcc4729480c85aa6fbcf784f8990dee1fd5020a86a3a802e204e2b1b77a622125bb78c70e551e0df4742c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
204KB

MD5
d2622752e39ebe03e48351887e7ba2c7

SHA1
8377db1a7994b5101d4285126cbb2e8e7e4e82e3

SHA256
c74dad9fa19bf79777746674fef33c0ad16d55c0e2ecf1991ceff3d8d7fa27c0

SHA512
f8b3a3b666e27b5f945b4ad9e44c4eeb3e0a62ba171dcc4729480c85aa6fbcf784f8990dee1fd5020a86a3a802e204e2b1b77a622125bb78c70e551e0df4742c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
204KB

MD5
d2622752e39ebe03e48351887e7ba2c7

SHA1
8377db1a7994b5101d4285126cbb2e8e7e4e82e3

SHA256
c74dad9fa19bf79777746674fef33c0ad16d55c0e2ecf1991ceff3d8d7fa27c0

SHA512
f8b3a3b666e27b5f945b4ad9e44c4eeb3e0a62ba171dcc4729480c85aa6fbcf784f8990dee1fd5020a86a3a802e204e2b1b77a622125bb78c70e551e0df4742c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
204KB

MD5
d2622752e39ebe03e48351887e7ba2c7

SHA1
8377db1a7994b5101d4285126cbb2e8e7e4e82e3

SHA256
c74dad9fa19bf79777746674fef33c0ad16d55c0e2ecf1991ceff3d8d7fa27c0

SHA512
f8b3a3b666e27b5f945b4ad9e44c4eeb3e0a62ba171dcc4729480c85aa6fbcf784f8990dee1fd5020a86a3a802e204e2b1b77a622125bb78c70e551e0df4742c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
204KB

MD5
d2622752e39ebe03e48351887e7ba2c7

SHA1
8377db1a7994b5101d4285126cbb2e8e7e4e82e3

SHA256
c74dad9fa19bf79777746674fef33c0ad16d55c0e2ecf1991ceff3d8d7fa27c0

SHA512
f8b3a3b666e27b5f945b4ad9e44c4eeb3e0a62ba171dcc4729480c85aa6fbcf784f8990dee1fd5020a86a3a802e204e2b1b77a622125bb78c70e551e0df4742c

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/2188-1822-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/2188-1197-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/2188-1200-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/2188-1196-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/2396-225-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-978-0x000000000B0C0000-0x000000000B0DE000-memory.dmp

Filesize
120KB

Download
memory/2396-209-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-211-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-213-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-215-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-217-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-219-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-221-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-223-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-205-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-227-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-229-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-231-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-233-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-235-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-237-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-239-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-241-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-970-0x0000000009D90000-0x000000000A3A8000-memory.dmp

Filesize
6.1MB

Download
memory/2396-971-0x000000000A450000-0x000000000A462000-memory.dmp

Filesize
72KB

Download
memory/2396-972-0x000000000A470000-0x000000000A57A000-memory.dmp

Filesize
1.0MB

Download
memory/2396-973-0x000000000A590000-0x000000000A5CC000-memory.dmp

Filesize
240KB

Download
memory/2396-974-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/2396-975-0x000000000A890000-0x000000000A8F6000-memory.dmp

Filesize
408KB

Download
memory/2396-976-0x000000000AF60000-0x000000000AFF2000-memory.dmp

Filesize
584KB

Download
memory/2396-977-0x000000000B020000-0x000000000B096000-memory.dmp

Filesize
472KB

Download
memory/2396-207-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-979-0x000000000B180000-0x000000000B1D0000-memory.dmp

Filesize
320KB

Download
memory/2396-980-0x000000000B2F0000-0x000000000B4B2000-memory.dmp

Filesize
1.8MB

Download
memory/2396-981-0x000000000B4C0000-0x000000000B9EC000-memory.dmp

Filesize
5.2MB

Download
memory/2396-984-0x00000000045C0000-0x0000000004606000-memory.dmp

Filesize
280KB

Download
memory/2396-174-0x00000000045C0000-0x0000000004606000-memory.dmp

Filesize
280KB

Download
memory/2396-175-0x0000000007320000-0x00000000078C4000-memory.dmp

Filesize
5.6MB

Download
memory/2396-203-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-201-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-199-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-197-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-195-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-194-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/2396-192-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/2396-191-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-189-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-187-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-185-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-176-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-183-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-181-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-179-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/2396-177-0x00000000072B0000-0x00000000072E5000-memory.dmp

Filesize
212KB

Download
memory/3140-168-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/3620-1842-0x0000000004560000-0x0000000004595000-memory.dmp

Filesize
212KB

Download
memory/3824-1017-0x0000000002CB0000-0x0000000002CDD000-memory.dmp

Filesize
180KB

Download
memory/3824-1018-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download
memory/3824-1019-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download