laplas | 98e2adbab29c57b143ce56eebfa10e13b3f9624b98320a4168760eb46ca22209

Analysis

max time kernel
92s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
03-03-2023 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bde5778f160ff8a1a646b7c465d2298.exe
Size

274KB
MD5

8bde5778f160ff8a1a646b7c465d2298
SHA1

5b7d72da8df173c20b836f45e6456aed093bc787
SHA256

98e2adbab29c57b143ce56eebfa10e13b3f9624b98320a4168760eb46ca22209
SHA512

4f73eccc1fda675ce2c499eaac60171132107f52d4a650d1c9babe1789b53ae433af2a6c99b36eed4ae24495921d67aa8ec12456d794017fbab93922532bb5f4
SSDEEP

3072:j6G/gFIuLRu5dscEHbmIYOrNCtQUnBTshvOkZEHvr:WGI9LRKdX3gC9+dXW

Score

10^/10

laplas redline smokeloader 01 backdoor clipper discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://c3g6gx853u6j.xyz/

http://04yh16065cdi.xyz/

http://33qd2w560vnx.xyz/

http://neriir0f76gr.com/

http://b4y08hrp3jdb.com/

http://swp6fbywla09.com/

http://7iqt53dr345u.com/

http://mj4aj8r55mho.com/

http://ne4ym7bjn1ts.com/

rc4.i32

Extracted

Family

redline

45.15.157.131:36457

37.220.87.13:40676

Attributes

auth_value
ce706d047c7ff3fee4b0ebac927e421d

Extracted

Family

redline

Botnet

167.235.133.96:43849

Attributes

auth_value
a158e35a6caac69f2614dc12bb02fdf2

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2808-134-0x0000000002D50000-0x0000000002D59000-memory.dmp	family_smokeloader

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

beeG20jq66.execter90el04.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	beeG20jq66.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cter90el04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cter90el04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	beeG20jq66.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	beeG20jq66.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	cter90el04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cter90el04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cter90el04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	beeG20jq66.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	beeG20jq66.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	beeG20jq66.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cter90el04.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4936-243-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral2/memory/4936-242-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral2/memory/4936-245-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral2/memory/4936-247-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral2/memory/4936-249-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral2/memory/4936-251-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral2/memory/4936-253-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral2/memory/4936-255-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral2/memory/4936-261-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral2/memory/4936-265-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral2/memory/4936-264-0x0000000004C80000-0x0000000004C90000-memory.dmp	family_redline
behavioral2/memory/4936-267-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral2/memory/4936-257-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral2/memory/4936-269-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral2/memory/4936-271-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral2/memory/2700-905-0x0000000000940000-0x0000000000962000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

5023.exe55C2.exeptEA7352yD.exeptgS8340HJ.exebeeG20jq66.exe5AF3.exe61CA.exe6CA8.exe78FE.execter90el04.exentlhost.exehk96Oz70Mi12.exe

pid	process
1232	5023.exe
3996	55C2.exe
3296	ptEA7352yD.exe
4844	ptgS8340HJ.exe
3048	beeG20jq66.exe
2608	5AF3.exe
4692	61CA.exe
4936	6CA8.exe
1332	78FE.exe
1620	cter90el04.exe
3896	ntlhost.exe
3768	hk96Oz70Mi12.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

beeG20jq66.execter90el04.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	beeG20jq66.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	beeG20jq66.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	cter90el04.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

55C2.exeptEA7352yD.exeptgS8340HJ.exe61CA.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	55C2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ptEA7352yD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ptEA7352yD.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ptgS8340HJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ptgS8340HJ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	61CA.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	55C2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 3 IoCs

Processes:

5023.exe5AF3.exe78FE.exe

description	pid	process	target process
PID 1232 set thread context of 628	1232	5023.exe	RegSvcs.exe
PID 2608 set thread context of 740	2608	5AF3.exe	vbc.exe
PID 1332 set thread context of 4792	1332	78FE.exe	AppLaunch.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3736	1232	WerFault.exe	5023.exe
1736	3048	WerFault.exe	beeG20jq66.exe
2148	4692	WerFault.exe	61CA.exe
2364	4936	WerFault.exe	6CA8.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8bde5778f160ff8a1a646b7c465d2298.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8bde5778f160ff8a1a646b7c465d2298.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8bde5778f160ff8a1a646b7c465d2298.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8bde5778f160ff8a1a646b7c465d2298.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 141 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	141	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8bde5778f160ff8a1a646b7c465d2298.exe

pid	process
2808	8bde5778f160ff8a1a646b7c465d2298.exe
2808	8bde5778f160ff8a1a646b7c465d2298.exe
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3124
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

8bde5778f160ff8a1a646b7c465d2298.exe

pid process

2808 8bde5778f160ff8a1a646b7c465d2298.exe
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124
3124

pid	process
3124

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

beeG20jq66.exe6CA8.exevbc.exeRegSvcs.exeAppLaunch.execter90el04.exe

description	pid	process
Token: SeShutdownPrivilege	3124
Token: SeCreatePagefilePrivilege	3124
Token: SeDebugPrivilege	3048	beeG20jq66.exe
Token: SeDebugPrivilege	4936	6CA8.exe
Token: SeDebugPrivilege	740	vbc.exe
Token: SeDebugPrivilege	628	RegSvcs.exe
Token: SeShutdownPrivilege	3124
Token: SeCreatePagefilePrivilege	3124
Token: SeShutdownPrivilege	3124
Token: SeCreatePagefilePrivilege	3124
Token: SeShutdownPrivilege	3124
Token: SeCreatePagefilePrivilege	3124
Token: SeShutdownPrivilege	3124
Token: SeCreatePagefilePrivilege	3124
Token: SeShutdownPrivilege	3124
Token: SeCreatePagefilePrivilege	3124
Token: SeShutdownPrivilege	3124
Token: SeCreatePagefilePrivilege	3124
Token: SeShutdownPrivilege	3124
Token: SeCreatePagefilePrivilege	3124
Token: SeShutdownPrivilege	3124
Token: SeCreatePagefilePrivilege	3124
Token: SeDebugPrivilege	4792	AppLaunch.exe
Token: SeDebugPrivilege	1620	cter90el04.exe
Token: SeShutdownPrivilege	3124
Token: SeCreatePagefilePrivilege	3124
Token: SeShutdownPrivilege	3124
Token: SeCreatePagefilePrivilege	3124

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5023.exe55C2.exeptEA7352yD.exeptgS8340HJ.exe5AF3.exe78FE.exe

description	pid	process	target process
PID 3124 wrote to memory of 1232	3124		5023.exe
PID 3124 wrote to memory of 1232	3124		5023.exe
PID 3124 wrote to memory of 1232	3124		5023.exe
PID 1232 wrote to memory of 628	1232	5023.exe	RegSvcs.exe
PID 1232 wrote to memory of 628	1232	5023.exe	RegSvcs.exe
PID 1232 wrote to memory of 628	1232	5023.exe	RegSvcs.exe
PID 1232 wrote to memory of 628	1232	5023.exe	RegSvcs.exe
PID 1232 wrote to memory of 628	1232	5023.exe	RegSvcs.exe
PID 3124 wrote to memory of 3996	3124		55C2.exe
PID 3124 wrote to memory of 3996	3124		55C2.exe
PID 3124 wrote to memory of 3996	3124		55C2.exe
PID 3996 wrote to memory of 3296	3996	55C2.exe	ptEA7352yD.exe
PID 3996 wrote to memory of 3296	3996	55C2.exe	ptEA7352yD.exe
PID 3996 wrote to memory of 3296	3996	55C2.exe	ptEA7352yD.exe
PID 3296 wrote to memory of 4844	3296	ptEA7352yD.exe	ptgS8340HJ.exe
PID 3296 wrote to memory of 4844	3296	ptEA7352yD.exe	ptgS8340HJ.exe
PID 3296 wrote to memory of 4844	3296	ptEA7352yD.exe	ptgS8340HJ.exe
PID 4844 wrote to memory of 3048	4844	ptgS8340HJ.exe	beeG20jq66.exe
PID 4844 wrote to memory of 3048	4844	ptgS8340HJ.exe	beeG20jq66.exe
PID 4844 wrote to memory of 3048	4844	ptgS8340HJ.exe	beeG20jq66.exe
PID 3124 wrote to memory of 2608	3124		5AF3.exe
PID 3124 wrote to memory of 2608	3124		5AF3.exe
PID 3124 wrote to memory of 2608	3124		5AF3.exe
PID 2608 wrote to memory of 740	2608	5AF3.exe	vbc.exe
PID 2608 wrote to memory of 740	2608	5AF3.exe	vbc.exe
PID 2608 wrote to memory of 740	2608	5AF3.exe	vbc.exe
PID 2608 wrote to memory of 740	2608	5AF3.exe	vbc.exe
PID 2608 wrote to memory of 740	2608	5AF3.exe	vbc.exe
PID 2608 wrote to memory of 740	2608	5AF3.exe	vbc.exe
PID 2608 wrote to memory of 740	2608	5AF3.exe	vbc.exe
PID 2608 wrote to memory of 740	2608	5AF3.exe	vbc.exe
PID 3124 wrote to memory of 4692	3124		61CA.exe
PID 3124 wrote to memory of 4692	3124		61CA.exe
PID 3124 wrote to memory of 4692	3124		61CA.exe
PID 3124 wrote to memory of 4936	3124		6CA8.exe
PID 3124 wrote to memory of 4936	3124		6CA8.exe
PID 3124 wrote to memory of 4936	3124		6CA8.exe
PID 3124 wrote to memory of 1332	3124		78FE.exe
PID 3124 wrote to memory of 1332	3124		78FE.exe
PID 3124 wrote to memory of 1332	3124		78FE.exe
PID 3124 wrote to memory of 472	3124		explorer.exe
PID 3124 wrote to memory of 472	3124		explorer.exe
PID 3124 wrote to memory of 472	3124		explorer.exe
PID 3124 wrote to memory of 472	3124		explorer.exe
PID 1332 wrote to memory of 4792	1332	78FE.exe	AppLaunch.exe
PID 1332 wrote to memory of 4792	1332	78FE.exe	AppLaunch.exe
PID 1332 wrote to memory of 4792	1332	78FE.exe	AppLaunch.exe
PID 1332 wrote to memory of 4792	1332	78FE.exe	AppLaunch.exe
PID 1332 wrote to memory of 4792	1332	78FE.exe	AppLaunch.exe
PID 3124 wrote to memory of 1780	3124		explorer.exe
PID 3124 wrote to memory of 1780	3124		explorer.exe
PID 3124 wrote to memory of 1780	3124		explorer.exe
PID 3124 wrote to memory of 2144	3124		explorer.exe
PID 3124 wrote to memory of 2144	3124		explorer.exe
PID 3124 wrote to memory of 2144	3124		explorer.exe
PID 3124 wrote to memory of 2144	3124		explorer.exe
PID 3124 wrote to memory of 780	3124		explorer.exe
PID 3124 wrote to memory of 780	3124		explorer.exe
PID 3124 wrote to memory of 780	3124		explorer.exe
PID 3124 wrote to memory of 2700	3124		explorer.exe
PID 3124 wrote to memory of 2700	3124		explorer.exe
PID 3124 wrote to memory of 2700	3124		explorer.exe
PID 3124 wrote to memory of 2700	3124		explorer.exe
PID 3124 wrote to memory of 3324	3124		explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8bde5778f160ff8a1a646b7c465d2298.exe
"C:\Users\Admin\AppData\Local\Temp\8bde5778f160ff8a1a646b7c465d2298.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2808

C:\Users\Admin\AppData\Local\Temp\5023.exe
C:\Users\Admin\AppData\Local\Temp\5023.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 240
2⤵
- Program crash
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1232 -ip 1232
1⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\55C2.exe
C:\Users\Admin\AppData\Local\Temp\55C2.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3996

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptEA7352yD.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptEA7352yD.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3296

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptgS8340HJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptgS8340HJ.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4844

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\beeG20jq66.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\beeG20jq66.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 1044
5⤵
- Program crash
PID:1736

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cter90el04.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cter90el04.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk96Oz70Mi12.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk96Oz70Mi12.exe
3⤵
- Executes dropped EXE
PID:3768

C:\Users\Admin\AppData\Local\Temp\5AF3.exe
C:\Users\Admin\AppData\Local\Temp\5AF3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Users\Admin\AppData\Local\Temp\61CA.exe
C:\Users\Admin\AppData\Local\Temp\61CA.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4692

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
2⤵
- Executes dropped EXE
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 528
2⤵
- Program crash
PID:2148

C:\Users\Admin\AppData\Local\Temp\6CA8.exe
C:\Users\Admin\AppData\Local\Temp\6CA8.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1220
2⤵
- Program crash
PID:2364

C:\Users\Admin\AppData\Local\Temp\78FE.exe
C:\Users\Admin\AppData\Local\Temp\78FE.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:472

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1780

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2144

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:780

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3048 -ip 3048
1⤵
PID:5040

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3324

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1832

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1684

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4692 -ip 4692
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4936 -ip 4936
1⤵
PID:3208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5023.exe
Filesize
1.2MB

MD5
4b2a0a48979e0bae17f8e589b131007e

SHA1
ff994dcd1262a5cfcf52a5843de7cf593cc2e598

SHA256
2162457d02414247cb59cf69c8140cfa0948e1f7b9727a77f8271f4efa1b5517

SHA512
102a5d8c230ea259467c1ac3ce4e593023f50b3c55e07971f3e4fb27dae3687103a69e520919c0125869ec1998a1317bcf8183d590d9e1291d4b75f54c011ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5023.exe
Filesize
1.2MB

MD5
4b2a0a48979e0bae17f8e589b131007e

SHA1
ff994dcd1262a5cfcf52a5843de7cf593cc2e598

SHA256
2162457d02414247cb59cf69c8140cfa0948e1f7b9727a77f8271f4efa1b5517

SHA512
102a5d8c230ea259467c1ac3ce4e593023f50b3c55e07971f3e4fb27dae3687103a69e520919c0125869ec1998a1317bcf8183d590d9e1291d4b75f54c011ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\55C2.exe
Filesize
857KB

MD5
67783b7f8f8d5b1814ca45dd6fe4dcfa

SHA1
5170ab45a52a061e914a121181986033972b3309

SHA256
4b934f4eeae089b8364101ee5bcdfa765777c07e35218b010a7e41dad9aa7c55

SHA512
bf7ee4aa229449b72c12658e7f83e6b079ef23e8932e4e3d06ac0aab9f53f6df55dbf33aaffd83938fb34e5dd17a697bb0771c86d84de59e892689d3df129752

Download Submit
C:\Users\Admin\AppData\Local\Temp\55C2.exe
Filesize
857KB

MD5
67783b7f8f8d5b1814ca45dd6fe4dcfa

SHA1
5170ab45a52a061e914a121181986033972b3309

SHA256
4b934f4eeae089b8364101ee5bcdfa765777c07e35218b010a7e41dad9aa7c55

SHA512
bf7ee4aa229449b72c12658e7f83e6b079ef23e8932e4e3d06ac0aab9f53f6df55dbf33aaffd83938fb34e5dd17a697bb0771c86d84de59e892689d3df129752

Download Submit
C:\Users\Admin\AppData\Local\Temp\5AF3.exe
Filesize
923KB

MD5
a45c43930c0f16d07b871c6bcb61d422

SHA1
7a93b86d0a14c079b494c2aa1dd1f8126ae19724

SHA256
9c430f2b59e25fd2dae2b584dd05355fc2db39c6dedd0ec4d8425d5d752c0ad4

SHA512
bb098211f56bf6e0fb34418997e6dd6b6148cc40b5c56879c3a2f31d2ea3ad7883196b0af5c2c31fa12d370801bc9fa18a675f1e713f0d5c567f024d580e09a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5AF3.exe
Filesize
923KB

MD5
a45c43930c0f16d07b871c6bcb61d422

SHA1
7a93b86d0a14c079b494c2aa1dd1f8126ae19724

SHA256
9c430f2b59e25fd2dae2b584dd05355fc2db39c6dedd0ec4d8425d5d752c0ad4

SHA512
bb098211f56bf6e0fb34418997e6dd6b6148cc40b5c56879c3a2f31d2ea3ad7883196b0af5c2c31fa12d370801bc9fa18a675f1e713f0d5c567f024d580e09a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\61CA.exe
Filesize
1.9MB

MD5
18f4187feeb585981ef0d9d8169367ae

SHA1
7ec93fccfde4cab7cb5c0a364621e788c861e33f

SHA256
081d0c30f38adce3f0a41d0a93b7a421031284c467df1eb65b66c6867ac9a7ce

SHA512
78c60381f461a5259d512f3df1730072879148ad67a5029c6cc1a53eb1ac7dc840ed414c0cfeebdc557316742a02bbfbed0d9e8ed77a07c6d1a0bc877a44eb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\61CA.exe
Filesize
1.9MB

MD5
18f4187feeb585981ef0d9d8169367ae

SHA1
7ec93fccfde4cab7cb5c0a364621e788c861e33f

SHA256
081d0c30f38adce3f0a41d0a93b7a421031284c467df1eb65b66c6867ac9a7ce

SHA512
78c60381f461a5259d512f3df1730072879148ad67a5029c6cc1a53eb1ac7dc840ed414c0cfeebdc557316742a02bbfbed0d9e8ed77a07c6d1a0bc877a44eb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CA8.exe
Filesize
376KB

MD5
e365e99ff97bba40ea4204fa4dab7fd7

SHA1
d0af5665696f0fac1fb8451836dcc3932fb07bda

SHA256
6ae76ed26d0944dc522e7dcc38ea11f976fe753c8ca40daf50f6b6e707601fb2

SHA512
12aefeb82ba2eb37ff251f5c29e8c505cf314941ad61c34811828db492003071e5f8f22a2c55c9abbbef2e56e8a8ac9e815eaf8b480a8547b00c0988042d428f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CA8.exe
Filesize
376KB

MD5
e365e99ff97bba40ea4204fa4dab7fd7

SHA1
d0af5665696f0fac1fb8451836dcc3932fb07bda

SHA256
6ae76ed26d0944dc522e7dcc38ea11f976fe753c8ca40daf50f6b6e707601fb2

SHA512
12aefeb82ba2eb37ff251f5c29e8c505cf314941ad61c34811828db492003071e5f8f22a2c55c9abbbef2e56e8a8ac9e815eaf8b480a8547b00c0988042d428f

Download Submit
C:\Users\Admin\AppData\Local\Temp\78FE.exe
Filesize
290KB

MD5
1f8576f1ff579f83231f1447fd97d5e6

SHA1
7495c77e61fad7fc56aa963e7780c9e59336a90d

SHA256
90f50f0b283619618873b1b8297076a7e730a3e4b10bad3ea214d359a81ed352

SHA512
0ce9b87bad0ca9a00a304c9299260fa394ed1ba88050c85e0afc66a9b994a6eb480ce77061361c9af990fbdd554e72f0371509af9d0623907c038fa9d8a49efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\78FE.exe
Filesize
290KB

MD5
1f8576f1ff579f83231f1447fd97d5e6

SHA1
7495c77e61fad7fc56aa963e7780c9e59336a90d

SHA256
90f50f0b283619618873b1b8297076a7e730a3e4b10bad3ea214d359a81ed352

SHA512
0ce9b87bad0ca9a00a304c9299260fa394ed1ba88050c85e0afc66a9b994a6eb480ce77061361c9af990fbdd554e72f0371509af9d0623907c038fa9d8a49efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptEA7352yD.exe
Filesize
670KB

MD5
82ca5acd7601458fb7b170d4facfb0cf

SHA1
c48ac86fb0755d3bec42602035722a83ae999f82

SHA256
e406d45523252a38bf861942cf6601d5a1cbe01f060261c1fb5fcfedad61bd47

SHA512
60cb3a8c80bf815bc94343bb7c35a5cb2e0d15efb4b716efcddb5ffa2c58e56c90dc3ba749a91290e646b2e303230699d71fc1f60ff5859e4b247ef8e3de31b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptEA7352yD.exe
Filesize
670KB

MD5
82ca5acd7601458fb7b170d4facfb0cf

SHA1
c48ac86fb0755d3bec42602035722a83ae999f82

SHA256
e406d45523252a38bf861942cf6601d5a1cbe01f060261c1fb5fcfedad61bd47

SHA512
60cb3a8c80bf815bc94343bb7c35a5cb2e0d15efb4b716efcddb5ffa2c58e56c90dc3ba749a91290e646b2e303230699d71fc1f60ff5859e4b247ef8e3de31b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk96Oz70Mi12.exe
Filesize
309KB

MD5
284f5cacca006d191a474f8c3eada4c1

SHA1
05ccc7b3be213f8543b80cd95e4cbd1aac6190dd

SHA256
52e7f367705bf1ad2aed8f9ac8dde3a1c3cd7fc0bd64ae3a3d5a44be416c1341

SHA512
26887be6f3f12322ca653e2ba5ee592d5dba31c09312c27d5d29b1d9832f84e42f19a4588787894792d26068dc029ab6abca08a02cc2651e3c8dfe75c41fe4ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk96Oz70Mi12.exe
Filesize
309KB

MD5
284f5cacca006d191a474f8c3eada4c1

SHA1
05ccc7b3be213f8543b80cd95e4cbd1aac6190dd

SHA256
52e7f367705bf1ad2aed8f9ac8dde3a1c3cd7fc0bd64ae3a3d5a44be416c1341

SHA512
26887be6f3f12322ca653e2ba5ee592d5dba31c09312c27d5d29b1d9832f84e42f19a4588787894792d26068dc029ab6abca08a02cc2651e3c8dfe75c41fe4ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptgS8340HJ.exe
Filesize
335KB

MD5
e1038d1623f1f8e8d7fffadd09ef770e

SHA1
fdf904a8b6696281b37d265a06e24addc6df2514

SHA256
95f915ff67f87dd0cf6ea90bd0422194ca485a030de4349b42cd97c83c0dee54

SHA512
e3ccb21035bc4413aa3be1dec71361761e9cf880c3798acce3133a77640692ace2256ff8ed32ee7ceecfcf0e62ea7a910580a84407cfe3b4ff64e26da630ae1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptgS8340HJ.exe
Filesize
335KB

MD5
e1038d1623f1f8e8d7fffadd09ef770e

SHA1
fdf904a8b6696281b37d265a06e24addc6df2514

SHA256
95f915ff67f87dd0cf6ea90bd0422194ca485a030de4349b42cd97c83c0dee54

SHA512
e3ccb21035bc4413aa3be1dec71361761e9cf880c3798acce3133a77640692ace2256ff8ed32ee7ceecfcf0e62ea7a910580a84407cfe3b4ff64e26da630ae1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\beeG20jq66.exe
Filesize
250KB

MD5
452980bfe4732aaef2162c53c88f7ea4

SHA1
31b4e28e7ffdf36023ea859f0c343036dfb0470e

SHA256
855df086e7969ec6904fde9c5920ab3c6c364ebbc240aa266f78a3103b59d06d

SHA512
7ad12f0badc78bb1d42743e8776bece49a55e25244a9b7681c17c345f212bd2d28077e7fe495903de160d43aa7b3d57a419f0895ae3420a3b945d830d1d58707

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\beeG20jq66.exe
Filesize
250KB

MD5
452980bfe4732aaef2162c53c88f7ea4

SHA1
31b4e28e7ffdf36023ea859f0c343036dfb0470e

SHA256
855df086e7969ec6904fde9c5920ab3c6c364ebbc240aa266f78a3103b59d06d

SHA512
7ad12f0badc78bb1d42743e8776bece49a55e25244a9b7681c17c345f212bd2d28077e7fe495903de160d43aa7b3d57a419f0895ae3420a3b945d830d1d58707

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cter90el04.exe
Filesize
13KB

MD5
3fbf1ff2eb7adf9ed319604a57a1e252

SHA1
c9ece7b47f6c681a23d03532374525de9ed396b9

SHA256
4452b61eed8a45579f90bc9bb172aeb52730c391cc491f38fc7467a311e216ae

SHA512
79b3c233bf3c3c5f182ede4f33c85e646fe20ea905f34091384573cf7c12d7fe979b2300286e4cf7bf64a5b166223a0ba44ed042637eed671a383717d976f9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cter90el04.exe
Filesize
13KB

MD5
3fbf1ff2eb7adf9ed319604a57a1e252

SHA1
c9ece7b47f6c681a23d03532374525de9ed396b9

SHA256
4452b61eed8a45579f90bc9bb172aeb52730c391cc491f38fc7467a311e216ae

SHA512
79b3c233bf3c3c5f182ede4f33c85e646fe20ea905f34091384573cf7c12d7fe979b2300286e4cf7bf64a5b166223a0ba44ed042637eed671a383717d976f9c2

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
571.5MB

MD5
cc3e86c60d1780a1f48567083f650aeb

SHA1
1089969b5951e8bc2a1913b70fc37d0c1d0f8425

SHA256
041e0268cd9ccd72e07d9f2538b0e505a623175ddd0d526e299d8d89d129e22c

SHA512
54fb90bea55576ed024b96995b01e0fec04310fb12dcee9dba5444e5501ac0622dcd697b33aa681e3d753cee4976a4a9c636599ba97abc41e27e68e9f4161b1a

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
568.9MB

MD5
c66c16da4a8b390750b6215f92b30546

SHA1
069d29c20412b23f55275b60cedfac1e539df928

SHA256
bac5b7b1d165b8f47e97b2e26c8bf366636e506562e072f9543ac937450d3857

SHA512
34382d665f1b2ec4c1dedd372412eefd807a0d388ec47b07e0de8b6b38786ecf9c9e324a7066c7822293bd5121a9e366e2a5e1bb7e4c25744031114d8350025f

Download Submit
memory/472-514-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/472-1213-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/472-516-0x0000000000380000-0x000000000038B000-memory.dmp

Filesize
44KB

Download
memory/628-154-0x0000000005D40000-0x0000000006358000-memory.dmp

Filesize
6.1MB

Download
memory/628-156-0x00000000030E0000-0x00000000030F2000-memory.dmp

Filesize
72KB

Download
memory/628-155-0x0000000005830000-0x000000000593A000-memory.dmp

Filesize
1.0MB

Download
memory/628-157-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/628-159-0x0000000005760000-0x000000000579C000-memory.dmp

Filesize
240KB

Download
memory/628-149-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/740-220-0x00000000057F0000-0x0000000005856000-memory.dmp

Filesize
408KB

Download
memory/740-191-0x0000000000F90000-0x0000000000FD6000-memory.dmp

Filesize
280KB

Download
memory/740-234-0x00000000070F0000-0x00000000072B2000-memory.dmp

Filesize
1.8MB

Download
memory/740-233-0x0000000006E90000-0x0000000006F06000-memory.dmp

Filesize
472KB

Download
memory/740-236-0x0000000006FE0000-0x0000000006FFE000-memory.dmp

Filesize
120KB

Download
memory/740-231-0x00000000063D0000-0x0000000006462000-memory.dmp

Filesize
584KB

Download
memory/740-235-0x0000000007E70000-0x000000000839C000-memory.dmp

Filesize
5.2MB

Download
memory/744-1207-0x0000000001400000-0x000000000140B000-memory.dmp

Filesize
44KB

Download
memory/744-1211-0x0000000001410000-0x0000000001418000-memory.dmp

Filesize
32KB

Download
memory/780-769-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download
memory/780-770-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/1620-1197-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/1684-1312-0x0000000000CA0000-0x0000000000CA7000-memory.dmp

Filesize
28KB

Download
memory/1684-1206-0x0000000000C90000-0x0000000000C9D000-memory.dmp

Filesize
52KB

Download
memory/1684-1204-0x0000000000CA0000-0x0000000000CA7000-memory.dmp

Filesize
28KB

Download
memory/1780-1219-0x0000000001030000-0x0000000001039000-memory.dmp

Filesize
36KB

Download
memory/1780-605-0x0000000001020000-0x000000000102F000-memory.dmp

Filesize
60KB

Download
memory/1780-603-0x0000000001030000-0x0000000001039000-memory.dmp

Filesize
36KB

Download
memory/1832-1201-0x0000000000B10000-0x0000000000B1B000-memory.dmp

Filesize
44KB

Download
memory/1832-1311-0x0000000000B20000-0x0000000000B26000-memory.dmp

Filesize
24KB

Download
memory/1832-1200-0x0000000000B20000-0x0000000000B26000-memory.dmp

Filesize
24KB

Download
memory/2144-765-0x0000000000790000-0x0000000000795000-memory.dmp

Filesize
20KB

Download
memory/2144-1222-0x0000000000790000-0x0000000000795000-memory.dmp

Filesize
20KB

Download
memory/2144-767-0x0000000000780000-0x0000000000789000-memory.dmp

Filesize
36KB

Download
memory/2608-189-0x0000000000010000-0x00000000000FC000-memory.dmp

Filesize
944KB

Download
memory/2608-902-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2608-199-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2700-1230-0x0000000000940000-0x0000000000962000-memory.dmp

Filesize
136KB

Download
memory/2700-907-0x0000000000910000-0x0000000000937000-memory.dmp

Filesize
156KB

Download
memory/2700-905-0x0000000000940000-0x0000000000962000-memory.dmp

Filesize
136KB

Download
memory/2808-137-0x0000000000400000-0x0000000002BB1000-memory.dmp

Filesize
39.7MB

Download
memory/2808-134-0x0000000002D50000-0x0000000002D59000-memory.dmp

Filesize
36KB

Download
memory/3048-201-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/3048-197-0x00000000009A0000-0x00000000009CD000-memory.dmp

Filesize
180KB

Download
memory/3048-208-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/3048-206-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/3048-205-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/3048-202-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/3048-203-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/3048-212-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/3048-214-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/3048-198-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/3048-216-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/3048-210-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/3048-195-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/3048-218-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/3048-193-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/3048-192-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/3048-190-0x0000000004C70000-0x0000000005214000-memory.dmp

Filesize
5.6MB

Download
memory/3048-221-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/3048-223-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/3048-903-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/3048-225-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/3124-135-0x0000000002E20000-0x0000000002E36000-memory.dmp

Filesize
88KB

Download
memory/3324-1159-0x0000000000680000-0x0000000000685000-memory.dmp

Filesize
20KB

Download
memory/3324-1160-0x0000000000670000-0x0000000000679000-memory.dmp

Filesize
36KB

Download
memory/3324-1273-0x0000000000680000-0x0000000000685000-memory.dmp

Filesize
20KB

Download
memory/3768-1271-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/3768-1231-0x00000000020E0000-0x000000000212B000-memory.dmp

Filesize
300KB

Download
memory/3768-1235-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/3768-1233-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/4692-232-0x0000000004B70000-0x0000000004F40000-memory.dmp

Filesize
3.8MB

Download
memory/4792-602-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4792-511-0x0000000000800000-0x0000000000830000-memory.dmp

Filesize
192KB

Download
memory/4792-1203-0x00000000068C0000-0x0000000006910000-memory.dmp

Filesize
320KB

Download
memory/4936-260-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4936-249-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/4936-262-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4936-1208-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4936-1209-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4936-1210-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4936-265-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/4936-258-0x00000000046F0000-0x000000000473B000-memory.dmp

Filesize
300KB

Download
memory/4936-255-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/4936-253-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/4936-251-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/4936-261-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/4936-247-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/4936-245-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/4936-242-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/4936-1199-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4936-264-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4936-267-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/4936-257-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/4936-269-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/4936-243-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/4936-271-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download