laplas | bcabf922d0a9e5c729c6968b214202f2fa7c369198c09c9cb3bff57150a99aeb

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12-04-2023 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcabf922d0a9e5c729c6968b214202f2fa7c369198c09c9cb3bff57150a99aeb.exe
Size

350KB
MD5

9fa170afc99df066666bb4d27194f0ac
SHA1

81cdfbda458697d448f89e096ec892568b84ebf2
SHA256

bcabf922d0a9e5c729c6968b214202f2fa7c369198c09c9cb3bff57150a99aeb
SHA512

8aa62a8210beba2273763310c80295c415fed50f9cf59688d5b897e04139e002f75b4566e8fb76fac983620a732033e52dd7e01579fcfdf613416df5b31b2147
SSDEEP

6144:Nstzeqmtfc35nNhadekaqwztvU62VCV+:NsReqMc35nNIdekUztJsCV

Score

10^/10

laplas redline smokeloader vidar 1379752987 e749025c61b2caca10aa829a9e1a65a1 sprg backdoor clipper discovery infostealer persistence spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

smokeloader

Version

2022

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32

Extracted

Family

vidar

Version

3.4

Botnet

e749025c61b2caca10aa829a9e1a65a1

https://steamcommunity.com/profiles/76561199494593681

https://t.me/auftriebs

Attributes

profile_id_v2
e749025c61b2caca10aa829a9e1a65a1
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Extracted

Family

redline

Botnet

1379752987

107.167.69.80:28253

Attributes

auth_value
94039ae8b5b0b9ec5346501cc0139461

Extracted

Family

laplas

http://185.106.92.74

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	F67C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Pyftpsushffsruhxwfdkstart.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	DB22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	46005620020735819470.exe

Executes dropped EXE 9 IoCs

pid	Process
4752	DB22.exe
4924	EFF3.exe
4120	F67C.exe
1168	Pyftpsushffsruhxwfdkstart.exe
1836	46005620020735819470.exe
2788	95784411716075134833.exe
2656	svcservice.exe
3668	EFF3.exe
452	uuddbuu

Loads dropped DLL 2 IoCs

pid	Process
4752	DB22.exe
4752	DB22.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000002317b-347.dat	upx
behavioral1/files/0x000600000002317b-350.dat	upx
behavioral1/files/0x000600000002317b-351.dat	upx
behavioral1/memory/2788-358-0x0000000000240000-0x00000000010A3000-memory.dmp	upx
behavioral1/memory/2788-359-0x0000000000240000-0x00000000010A3000-memory.dmp	upx

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	46005620020735819470.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1836	46005620020735819470.exe
1836	46005620020735819470.exe
2656	svcservice.exe
2656	svcservice.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4120 set thread context of 3176	4120	F67C.exe	99
PID 4924 set thread context of 3668	4924	EFF3.exe	124

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4660	4752	WerFault.exe	91

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bcabf922d0a9e5c729c6968b214202f2fa7c369198c09c9cb3bff57150a99aeb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bcabf922d0a9e5c729c6968b214202f2fa7c369198c09c9cb3bff57150a99aeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uuddbuu
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uuddbuu
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uuddbuu
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bcabf922d0a9e5c729c6968b214202f2fa7c369198c09c9cb3bff57150a99aeb.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DB22.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DB22.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4756	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3744	bcabf922d0a9e5c729c6968b214202f2fa7c369198c09c9cb3bff57150a99aeb.exe
3744	bcabf922d0a9e5c729c6968b214202f2fa7c369198c09c9cb3bff57150a99aeb.exe
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3160	Process not Found

Suspicious behavior: MapViewOfSection 20 IoCs

pid	Process
3744	bcabf922d0a9e5c729c6968b214202f2fa7c369198c09c9cb3bff57150a99aeb.exe
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
452	uuddbuu

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3160	Process not Found
Token: SeCreatePagefilePrivilege	3160	Process not Found
Token: SeShutdownPrivilege	3160	Process not Found
Token: SeCreatePagefilePrivilege	3160	Process not Found
Token: SeDebugPrivilege	4120	F67C.exe
Token: SeDebugPrivilege	3560	svchost.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeShutdownPrivilege	3160	Process not Found
Token: SeCreatePagefilePrivilege	3160	Process not Found
Token: SeShutdownPrivilege	3160	Process not Found
Token: SeCreatePagefilePrivilege	3160	Process not Found
Token: SeShutdownPrivilege	3160	Process not Found
Token: SeCreatePagefilePrivilege	3160	Process not Found
Token: SeShutdownPrivilege	3160	Process not Found
Token: SeCreatePagefilePrivilege	3160	Process not Found
Token: SeShutdownPrivilege	3160	Process not Found
Token: SeCreatePagefilePrivilege	3160	Process not Found
Token: SeShutdownPrivilege	3160	Process not Found
Token: SeCreatePagefilePrivilege	3160	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 4752	3160	Process not Found	91
PID 3160 wrote to memory of 4752	3160	Process not Found	91
PID 3160 wrote to memory of 4752	3160	Process not Found	91
PID 3160 wrote to memory of 4924	3160	Process not Found	93
PID 3160 wrote to memory of 4924	3160	Process not Found	93
PID 3160 wrote to memory of 4924	3160	Process not Found	93
PID 3160 wrote to memory of 4120	3160	Process not Found	94
PID 3160 wrote to memory of 4120	3160	Process not Found	94
PID 3160 wrote to memory of 4120	3160	Process not Found	94
PID 3160 wrote to memory of 2320	3160	Process not Found	95
PID 3160 wrote to memory of 2320	3160	Process not Found	95
PID 3160 wrote to memory of 2320	3160	Process not Found	95
PID 3160 wrote to memory of 2320	3160	Process not Found	95
PID 3160 wrote to memory of 4944	3160	Process not Found	96
PID 3160 wrote to memory of 4944	3160	Process not Found	96
PID 3160 wrote to memory of 4944	3160	Process not Found	96
PID 4120 wrote to memory of 1168	4120	F67C.exe	97
PID 4120 wrote to memory of 1168	4120	F67C.exe	97
PID 4120 wrote to memory of 4600	4120	F67C.exe	98
PID 4120 wrote to memory of 4600	4120	F67C.exe	98
PID 4120 wrote to memory of 4600	4120	F67C.exe	98
PID 4120 wrote to memory of 3176	4120	F67C.exe	99
PID 4120 wrote to memory of 3176	4120	F67C.exe	99
PID 4120 wrote to memory of 3176	4120	F67C.exe	99
PID 4120 wrote to memory of 3176	4120	F67C.exe	99
PID 4120 wrote to memory of 3176	4120	F67C.exe	99
PID 4120 wrote to memory of 3176	4120	F67C.exe	99
PID 4120 wrote to memory of 3176	4120	F67C.exe	99
PID 4120 wrote to memory of 3176	4120	F67C.exe	99
PID 1168 wrote to memory of 3560	1168	Pyftpsushffsruhxwfdkstart.exe	117
PID 1168 wrote to memory of 3560	1168	Pyftpsushffsruhxwfdkstart.exe	117
PID 3176 wrote to memory of 5072	3176	RegAsm.exe	101
PID 3176 wrote to memory of 5072	3176	RegAsm.exe	101
PID 3176 wrote to memory of 5072	3176	RegAsm.exe	101
PID 3160 wrote to memory of 2740	3160	Process not Found	104
PID 3160 wrote to memory of 2740	3160	Process not Found	104
PID 3160 wrote to memory of 2740	3160	Process not Found	104
PID 3160 wrote to memory of 2740	3160	Process not Found	104
PID 3160 wrote to memory of 4704	3160	Process not Found	105
PID 3160 wrote to memory of 4704	3160	Process not Found	105
PID 3160 wrote to memory of 4704	3160	Process not Found	105
PID 3160 wrote to memory of 4536	3160	Process not Found	106
PID 3160 wrote to memory of 4536	3160	Process not Found	106
PID 3160 wrote to memory of 4536	3160	Process not Found	106
PID 3160 wrote to memory of 4536	3160	Process not Found	106
PID 3160 wrote to memory of 2720	3160	Process not Found	107
PID 3160 wrote to memory of 2720	3160	Process not Found	107
PID 3160 wrote to memory of 2720	3160	Process not Found	107
PID 3160 wrote to memory of 2720	3160	Process not Found	107
PID 4752 wrote to memory of 1836	4752	DB22.exe	108
PID 4752 wrote to memory of 1836	4752	DB22.exe	108
PID 4752 wrote to memory of 1836	4752	DB22.exe	108
PID 3160 wrote to memory of 5044	3160	Process not Found	110
PID 3160 wrote to memory of 5044	3160	Process not Found	110
PID 3160 wrote to memory of 5044	3160	Process not Found	110
PID 3160 wrote to memory of 5044	3160	Process not Found	110
PID 3160 wrote to memory of 1292	3160	Process not Found	111
PID 3160 wrote to memory of 1292	3160	Process not Found	111
PID 3160 wrote to memory of 1292	3160	Process not Found	111
PID 3160 wrote to memory of 4128	3160	Process not Found	112
PID 3160 wrote to memory of 4128	3160	Process not Found	112
PID 3160 wrote to memory of 4128	3160	Process not Found	112
PID 3160 wrote to memory of 4128	3160	Process not Found	112
PID 4752 wrote to memory of 2788	4752	DB22.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bcabf922d0a9e5c729c6968b214202f2fa7c369198c09c9cb3bff57150a99aeb.exe
"C:\Users\Admin\AppData\Local\Temp\bcabf922d0a9e5c729c6968b214202f2fa7c369198c09c9cb3bff57150a99aeb.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3744

C:\Users\Admin\AppData\Local\Temp\DB22.exe
C:\Users\Admin\AppData\Local\Temp\DB22.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4752
- C:\ProgramData\46005620020735819470.exe
  "C:\ProgramData\46005620020735819470.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1836
- - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2656
- C:\ProgramData\95784411716075134833.exe
  "C:\ProgramData\95784411716075134833.exe"
  2⤵
  - Executes dropped EXE
  PID:2788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\95784411716075134833.exe
    3⤵
    PID:4952
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:952
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\DB22.exe" & exit
  2⤵
  PID:3432
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:4756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1904
  2⤵
  - Program crash
  PID:4660

C:\Users\Admin\AppData\Local\Temp\EFF3.exe
C:\Users\Admin\AppData\Local\Temp\EFF3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4924
- C:\Users\Admin\AppData\Local\Temp\EFF3.exe
  "C:\Users\Admin\AppData\Local\Temp\EFF3.exe"
  2⤵
  - Executes dropped EXE
  PID:3668

C:\Users\Admin\AppData\Local\Temp\F67C.exe
C:\Users\Admin\AppData\Local\Temp\F67C.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Users\Admin\AppData\Local\Temp\Pyftpsushffsruhxwfdkstart.exe
  "C:\Users\Admin\AppData\Local\Temp\Pyftpsushffsruhxwfdkstart.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\system32\windowspowershell\v1.0\powershell.exe
    "C:\Windows\system32\windowspowershell\v1.0\powershell.exe" -sta -noprofile -executionpolicy bypass -encodedcommand JAB4AD0AJwAyADQAMgA4ADAAOQA0AGEALQA5AGQAZgA2AC0ANABlAGIAMAAtADkANQAzADQALQA0AGIAMgA0AGEAZgAwADEANAA4ADQAZQAnADsAJAB5AD0AJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAFAAeQBmAHQAcABzAHUAcwBoAGYAZgBzAHIAdQBoAHgAdwBmAGQAawBzAHQAYQByAHQALgBlAHgAZQAnADsAdAByAHkAIAB7AA0ACgAgACAAJABuAHUAbABsACAAPQAgAFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkAEYAaQBsAGUAKAAkAHkAKQAgAA0ACgAgACAALgAgACgAWwBfADMAMgAuAF8AOAA4AF0AOgA6AF8ANwA0ACgAJAB4ACkAKQANAAoAIAAgAGUAeABpAHQAIAAkAEwAQQBTAFQARQBYAEkAVABDAE8ARABFAA0ACgB9ACAADQAKAGMAYQB0AGMAaAAgAFsATgBvAHQAUwB1AHAAcABvAHIAdABlAGQARQB4AGMAZQBwAHQAaQBvAG4AXQANAAoAewANAAoAIAAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnAEEAcABwAGwAaQBjAGEAdABpAG8AbgAgAGwAbwBjAGEAdABpAG8AbgAgAGkAcwAgAHUAbgB0AHIAdQBzAHQAZQBkAC4AIABDAG8AcAB5ACAAZgBpAGwAZQAgAHQAbwAgAGEAIABsAG8AYwBhAGwAIABkAHIAaQB2AGUALAAgAGEAbgBkACAAdAByAHkAIABhAGcAYQBpAG4ALgAnACAALQBGAG8AcgBlAGcAcgBvAHUAbgBkAEMAbwBsAG8AcgAgAFIAZQBkAA0ACgB9AA0ACgBjAGEAdABjAGgAIAANAAoAewANAAoAIAAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAoACIARQByAHIAbwByADoAIAAiACAAKwAgACQAXwAuAEUAeABjAGUAcAB0AGkAbwBuAC4ATQBlAHMAcwBhAGcAZQApACAALQBGAG8AcgBlACAAUgBlAGQAIAANAAoAfQA=
    3⤵
    PID:3560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  PID:4600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\SysWOW64\windowspowershell\v1.0\powershell.exe
    "C:\Windows\system32\windowspowershell\v1.0\powershell.exe" -sta -noprofile -executionpolicy bypass -encodedcommand JAB4AD0AJwA2ADMANgA1AGUAYQAwAGIALQAxADkAYwAyAC0ANABhADYAOAAtADkAOAA1AGQALQA4ADkANABmAGQAOQA1ADUAOQBmAGEAYQAnADsAJAB5AD0AJwBDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrAFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAFIAZQBnAEEAcwBtAC4AZQB4AGUAJwA7AHQAcgB5ACAAewANAAoAIAAgACQAbgB1AGwAbAAgAD0AIABbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABGAGkAbABlACgAJAB5ACkAIAANAAoAIAAgAC4AIAAoAFsAXwAzADIALgBfADgAOABdADoAOgBfADcANAAoACQAeAApACkADQAKACAAIABlAHgAaQB0ACAAJABMAEEAUwBUAEUAWABJAFQAQwBPAEQARQANAAoAfQAgAA0ACgBjAGEAdABjAGgAIABbAE4AbwB0AFMAdQBwAHAAbwByAHQAZQBkAEUAeABjAGUAcAB0AGkAbwBuAF0ADQAKAHsADQAKACAAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAJwBBAHAAcABsAGkAYwBhAHQAaQBvAG4AIABsAG8AYwBhAHQAaQBvAG4AIABpAHMAIAB1AG4AdAByAHUAcwB0AGUAZAAuACAAQwBvAHAAeQAgAGYAaQBsAGUAIAB0AG8AIABhACAAbABvAGMAYQBsACAAZAByAGkAdgBlACwAIABhAG4AZAAgAHQAcgB5ACAAYQBnAGEAaQBuAC4AJwAgAC0ARgBvAHIAZQBnAHIAbwB1AG4AZABDAG8AbABvAHIAIABSAGUAZAANAAoAfQANAAoAYwBhAHQAYwBoACAADQAKAHsADQAKACAAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAKAAiAEUAcgByAG8AcgA6ACAAIgAgACsAIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAuAE0AZQBzAHMAYQBnAGUAKQAgAC0ARgBvAHIAZQAgAFIAZQBkACAADQAKAH0A
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5072

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2320

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4944

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2740

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4704

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4536

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2720

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5044

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1292

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4752 -ip 4752
  2⤵
  PID:3196

C:\Users\Admin\AppData\Roaming\uuddbuu
C:\Users\Admin\AppData\Roaming\uuddbuu
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\46005620020735819470.exe

Filesize
7.2MB

MD5
c5e0fb4ecaa8a7481a283099d604f7a0

SHA1
df4b0c0cc823da2b0443076650c292b43dd9de33

SHA256
c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42

SHA512
375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57

Download Submit
C:\ProgramData\46005620020735819470.exe

Filesize
7.2MB

MD5
c5e0fb4ecaa8a7481a283099d604f7a0

SHA1
df4b0c0cc823da2b0443076650c292b43dd9de33

SHA256
c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42

SHA512
375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57

Download Submit
C:\ProgramData\46005620020735819470.exe

Filesize
7.2MB

MD5
c5e0fb4ecaa8a7481a283099d604f7a0

SHA1
df4b0c0cc823da2b0443076650c292b43dd9de33

SHA256
c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42

SHA512
375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57

Download Submit
C:\ProgramData\95784411716075134833.exe

Filesize
4.3MB

MD5
c4ab3149ef02a36d663699a8c541933e

SHA1
67088f5eff9ec575775b711c9e3650d12d7f4d5c

SHA256
0a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce

SHA512
88b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4

Download Submit
C:\ProgramData\95784411716075134833.exe

Filesize
4.3MB

MD5
c4ab3149ef02a36d663699a8c541933e

SHA1
67088f5eff9ec575775b711c9e3650d12d7f4d5c

SHA256
0a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce

SHA512
88b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4

Download Submit
C:\ProgramData\95784411716075134833.exe

Filesize
4.3MB

MD5
c4ab3149ef02a36d663699a8c541933e

SHA1
67088f5eff9ec575775b711c9e3650d12d7f4d5c

SHA256
0a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce

SHA512
88b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EFF3.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
2c6bc2f29c5a3f1ee0b4df73979a1e47

SHA1
e03915adde3e435f3e5e083ef17c8a47a4e5ab38

SHA256
bce4988e02dda0ebfddff64e6cf2830cd2cc5d4de91970bf1972843a68be8cd4

SHA512
6a17aad97d44fdbeaa8037cdb06a8ade9a398bbc5d20b6e2cff58cc22d6db1269725e214c978086ad92cac4fb089bf3f7a2ed9da043964df602546b406a15305

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB22.exe

Filesize
471KB

MD5
603e0b4083560a933494a6a844ecac4c

SHA1
604063cfe175b37c6e7b21b6c7173ecddd9227ba

SHA256
2b999d539dab833c70b1575a767273eafcc880cc95114707215a10b05d4c26d7

SHA512
9f8a45140c8343ff0772d76036aaf6ccc51e09dc22a37c6174422a06c37fe19a12e48b116be1654d22e7e21334e7cfa781953a4bed62dfe7b4c321bf5dbac9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB22.exe

Filesize
471KB

MD5
603e0b4083560a933494a6a844ecac4c

SHA1
604063cfe175b37c6e7b21b6c7173ecddd9227ba

SHA256
2b999d539dab833c70b1575a767273eafcc880cc95114707215a10b05d4c26d7

SHA512
9f8a45140c8343ff0772d76036aaf6ccc51e09dc22a37c6174422a06c37fe19a12e48b116be1654d22e7e21334e7cfa781953a4bed62dfe7b4c321bf5dbac9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EFF3.exe

Filesize
553KB

MD5
e0888920ecf5282f98cc62836905ecdd

SHA1
3e954e4030869d99ecbaf6503acafd1ef4a81dbf

SHA256
f57536badf2858c34c301bc1fd7e237a1f700f3e48c6563cdf4ada287d1151f2

SHA512
ab8fd95c90930875b3db507c75ec5d883b1b73966129df31dc300ebe2d6ee6b7fb540d7bd46e5dedcf88ab3affa5713ae408f57081dd54e6323ee06f99b9a7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\EFF3.exe

Filesize
553KB

MD5
e0888920ecf5282f98cc62836905ecdd

SHA1
3e954e4030869d99ecbaf6503acafd1ef4a81dbf

SHA256
f57536badf2858c34c301bc1fd7e237a1f700f3e48c6563cdf4ada287d1151f2

SHA512
ab8fd95c90930875b3db507c75ec5d883b1b73966129df31dc300ebe2d6ee6b7fb540d7bd46e5dedcf88ab3affa5713ae408f57081dd54e6323ee06f99b9a7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\EFF3.exe

Filesize
553KB

MD5
e0888920ecf5282f98cc62836905ecdd

SHA1
3e954e4030869d99ecbaf6503acafd1ef4a81dbf

SHA256
f57536badf2858c34c301bc1fd7e237a1f700f3e48c6563cdf4ada287d1151f2

SHA512
ab8fd95c90930875b3db507c75ec5d883b1b73966129df31dc300ebe2d6ee6b7fb540d7bd46e5dedcf88ab3affa5713ae408f57081dd54e6323ee06f99b9a7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67C.exe

Filesize
1.9MB

MD5
3df74698e0964dc8c5363d39a0537d74

SHA1
070eb983cff0a83c77c3da4ff133ca37c0ade304

SHA256
50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493

SHA512
987b0c3a71b2e204a7d13b9472db00140e8789b739e1460df2c2ff2f449a958786677ab86452d1ec55a4dfa83ccfac10ee6586f6523670474eee41b9c9590719

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67C.exe

Filesize
1.9MB

MD5
3df74698e0964dc8c5363d39a0537d74

SHA1
070eb983cff0a83c77c3da4ff133ca37c0ade304

SHA256
50ed2d8e8d8d0509b7eb41eb7dd0b510b1d74d0fd283eccca2764a79c4e55493

SHA512
987b0c3a71b2e204a7d13b9472db00140e8789b739e1460df2c2ff2f449a958786677ab86452d1ec55a4dfa83ccfac10ee6586f6523670474eee41b9c9590719

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pyftpsushffsruhxwfdkstart.exe

Filesize
280KB

MD5
23f26fded7194243117b1e1049db7f38

SHA1
ab89459d07718a805648b13c330d1a19cc736c27

SHA256
38bb71fca724bde72220190ebfe9a14bde8332ed68fea6a30cbb0bb9d11bc46d

SHA512
ac281f152ce3befbf811193e7eb1bea7ec510abb807c3e94a531a73dbb7987fecd4dba3515534414ecb38d0e612226350352b87cddba8a9b58fd9cff96384dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pyftpsushffsruhxwfdkstart.exe

Filesize
280KB

MD5
23f26fded7194243117b1e1049db7f38

SHA1
ab89459d07718a805648b13c330d1a19cc736c27

SHA256
38bb71fca724bde72220190ebfe9a14bde8332ed68fea6a30cbb0bb9d11bc46d

SHA512
ac281f152ce3befbf811193e7eb1bea7ec510abb807c3e94a531a73dbb7987fecd4dba3515534414ecb38d0e612226350352b87cddba8a9b58fd9cff96384dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pyftpsushffsruhxwfdkstart.exe

Filesize
280KB

MD5
23f26fded7194243117b1e1049db7f38

SHA1
ab89459d07718a805648b13c330d1a19cc736c27

SHA256
38bb71fca724bde72220190ebfe9a14bde8332ed68fea6a30cbb0bb9d11bc46d

SHA512
ac281f152ce3befbf811193e7eb1bea7ec510abb807c3e94a531a73dbb7987fecd4dba3515534414ecb38d0e612226350352b87cddba8a9b58fd9cff96384dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2sc0zb43.mmy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
800.2MB

MD5
e9b62dce460ab7c7828989c17aaf1fa4

SHA1
095558a4b5268bb0ad75f4599043c646a0cc2aee

SHA256
d8b44945a4049a49848b9d6dbb6b784ed39a72b9440c6cafdb2a029f3085dee8

SHA512
18cd4ee25d89d8cd58753ebc2d473ecd7a872ba6fa1b1aecdf4df82eef42815d463ac34e3cd7d8ff1ab6031265d0d06bc57c3c39bccc83c04bd0523090f36369

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
800.2MB

MD5
e9b62dce460ab7c7828989c17aaf1fa4

SHA1
095558a4b5268bb0ad75f4599043c646a0cc2aee

SHA256
d8b44945a4049a49848b9d6dbb6b784ed39a72b9440c6cafdb2a029f3085dee8

SHA512
18cd4ee25d89d8cd58753ebc2d473ecd7a872ba6fa1b1aecdf4df82eef42815d463ac34e3cd7d8ff1ab6031265d0d06bc57c3c39bccc83c04bd0523090f36369

Download Submit
C:\Users\Admin\AppData\Roaming\uuddbuu

Filesize
350KB

MD5
9fa170afc99df066666bb4d27194f0ac

SHA1
81cdfbda458697d448f89e096ec892568b84ebf2

SHA256
bcabf922d0a9e5c729c6968b214202f2fa7c369198c09c9cb3bff57150a99aeb

SHA512
8aa62a8210beba2273763310c80295c415fed50f9cf59688d5b897e04139e002f75b4566e8fb76fac983620a732033e52dd7e01579fcfdf613416df5b31b2147

Download Submit
C:\Users\Admin\AppData\Roaming\uuddbuu

Filesize
350KB

MD5
9fa170afc99df066666bb4d27194f0ac

SHA1
81cdfbda458697d448f89e096ec892568b84ebf2

SHA256
bcabf922d0a9e5c729c6968b214202f2fa7c369198c09c9cb3bff57150a99aeb

SHA512
8aa62a8210beba2273763310c80295c415fed50f9cf59688d5b897e04139e002f75b4566e8fb76fac983620a732033e52dd7e01579fcfdf613416df5b31b2147

Download Submit
memory/452-408-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/1168-262-0x0000000000B10000-0x0000000000B5C000-memory.dmp

Filesize
304KB

Download
memory/1292-377-0x00000000006B0000-0x00000000006BB000-memory.dmp

Filesize
44KB

Download
memory/1292-339-0x0000000000EE0000-0x0000000000EED000-memory.dmp

Filesize
52KB

Download
memory/1292-340-0x00000000006B0000-0x00000000006BB000-memory.dmp

Filesize
44KB

Download
memory/1292-341-0x0000000000EE0000-0x0000000000EED000-memory.dmp

Filesize
52KB

Download
memory/1836-352-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1836-354-0x0000000000FA0000-0x0000000001ADA000-memory.dmp

Filesize
11.2MB

Download
memory/1836-353-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2320-248-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/2320-362-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/2320-249-0x0000000000AB0000-0x0000000000ABB000-memory.dmp

Filesize
44KB

Download
memory/2320-245-0x0000000000AB0000-0x0000000000ABB000-memory.dmp

Filesize
44KB

Download
memory/2656-382-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download
memory/2656-384-0x0000000000A60000-0x000000000159A000-memory.dmp

Filesize
11.2MB

Download
memory/2656-383-0x0000000001820000-0x0000000001821000-memory.dmp

Filesize
4KB

Download
memory/2720-317-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/2720-332-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/2720-333-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/2720-375-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/2740-280-0x0000000001410000-0x0000000001419000-memory.dmp

Filesize
36KB

Download
memory/2740-297-0x0000000001410000-0x0000000001419000-memory.dmp

Filesize
36KB

Download
memory/2788-359-0x0000000000240000-0x00000000010A3000-memory.dmp

Filesize
14.4MB

Download
memory/2788-358-0x0000000000240000-0x00000000010A3000-memory.dmp

Filesize
14.4MB

Download
memory/3160-135-0x0000000000D90000-0x0000000000DA6000-memory.dmp

Filesize
88KB

Download
memory/3160-405-0x0000000003010000-0x0000000003026000-memory.dmp

Filesize
88KB

Download
memory/3176-263-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3560-296-0x000001F23CF00000-0x000001F23CF10000-memory.dmp

Filesize
64KB

Download
memory/3560-293-0x000001F23CF00000-0x000001F23CF10000-memory.dmp

Filesize
64KB

Download
memory/3560-292-0x000001F23CF00000-0x000001F23CF10000-memory.dmp

Filesize
64KB

Download
memory/3560-279-0x000001F256E70000-0x000001F256EBC000-memory.dmp

Filesize
304KB

Download
memory/3560-300-0x000001F256C80000-0x000001F256DCE000-memory.dmp

Filesize
1.3MB

Download
memory/3560-267-0x000001F256B30000-0x000001F256B52000-memory.dmp

Filesize
136KB

Download
memory/3668-390-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3668-395-0x0000000005860000-0x000000000596A000-memory.dmp

Filesize
1.0MB

Download
memory/3668-396-0x00000000056D0000-0x00000000056E2000-memory.dmp

Filesize
72KB

Download
memory/3668-394-0x0000000005D70000-0x0000000006388000-memory.dmp

Filesize
6.1MB

Download
memory/3668-397-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/3668-409-0x0000000005B90000-0x0000000005C06000-memory.dmp

Filesize
472KB

Download
memory/3668-398-0x0000000005750000-0x000000000578C000-memory.dmp

Filesize
240KB

Download
memory/3668-399-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/3744-136-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/3744-134-0x0000000002530000-0x0000000002539000-memory.dmp

Filesize
36KB

Download
memory/4120-246-0x0000000005140000-0x0000000005162000-memory.dmp

Filesize
136KB

Download
memory/4120-243-0x0000000000280000-0x0000000000474000-memory.dmp

Filesize
2.0MB

Download
memory/4120-247-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4128-349-0x0000000000A00000-0x0000000000A0B000-memory.dmp

Filesize
44KB

Download
memory/4128-357-0x0000000000A00000-0x0000000000A0B000-memory.dmp

Filesize
44KB

Download
memory/4536-315-0x0000000000190000-0x000000000019C000-memory.dmp

Filesize
48KB

Download
memory/4536-314-0x0000000000BE0000-0x0000000000C07000-memory.dmp

Filesize
156KB

Download
memory/4536-374-0x0000000000190000-0x000000000019C000-memory.dmp

Filesize
48KB

Download
memory/4536-316-0x0000000000BE0000-0x0000000000C07000-memory.dmp

Filesize
156KB

Download
memory/4704-303-0x0000000000190000-0x000000000019C000-memory.dmp

Filesize
48KB

Download
memory/4704-312-0x0000000000190000-0x000000000019C000-memory.dmp

Filesize
48KB

Download
memory/4704-311-0x0000000001410000-0x0000000001419000-memory.dmp

Filesize
36KB

Download
memory/4704-373-0x0000000001410000-0x0000000001419000-memory.dmp

Filesize
36KB

Download
memory/4752-361-0x0000000000400000-0x000000000081A000-memory.dmp

Filesize
4.1MB

Download
memory/4752-164-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4752-310-0x0000000000400000-0x000000000081A000-memory.dmp

Filesize
4.1MB

Download
memory/4752-150-0x0000000002430000-0x0000000002487000-memory.dmp

Filesize
348KB

Download
memory/4924-389-0x00000000069C0000-0x0000000006A5C000-memory.dmp

Filesize
624KB

Download
memory/4924-360-0x0000000005BC0000-0x0000000005BD0000-memory.dmp

Filesize
64KB

Download
memory/4924-207-0x0000000005A50000-0x0000000005A5A000-memory.dmp

Filesize
40KB

Download
memory/4924-185-0x0000000005A70000-0x0000000005B02000-memory.dmp

Filesize
584KB

Download
memory/4924-181-0x0000000005F40000-0x00000000064E4000-memory.dmp

Filesize
5.6MB

Download
memory/4924-223-0x0000000005BC0000-0x0000000005BD0000-memory.dmp

Filesize
64KB

Download
memory/4924-172-0x0000000000FF0000-0x0000000001080000-memory.dmp

Filesize
576KB

Download
memory/4944-265-0x0000000000AB0000-0x0000000000ABB000-memory.dmp

Filesize
44KB

Download
memory/4944-266-0x0000000000CA0000-0x0000000000CAF000-memory.dmp

Filesize
60KB

Download
memory/4944-364-0x0000000000AB0000-0x0000000000ABB000-memory.dmp

Filesize
44KB

Download
memory/4944-251-0x0000000000CA0000-0x0000000000CAF000-memory.dmp

Filesize
60KB

Download
memory/5044-334-0x00000000006B0000-0x00000000006BB000-memory.dmp

Filesize
44KB

Download
memory/5044-376-0x00000000006B0000-0x00000000006BB000-memory.dmp

Filesize
44KB

Download
memory/5044-342-0x0000000000EE0000-0x0000000000EED000-memory.dmp

Filesize
52KB

Download
memory/5072-281-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/5072-273-0x00000000028A0000-0x00000000028D6000-memory.dmp

Filesize
216KB

Download
memory/5072-278-0x0000000005140000-0x0000000005768000-memory.dmp

Filesize
6.2MB

Download
memory/5072-295-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/5072-287-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/5072-302-0x0000000005EC0000-0x0000000005EDE000-memory.dmp

Filesize
120KB

Download
memory/5072-313-0x0000000006290000-0x00000000062A2000-memory.dmp

Filesize
72KB

Download
memory/5072-327-0x0000000007860000-0x0000000007EDA000-memory.dmp

Filesize
6.5MB

Download
memory/5072-328-0x0000000006480000-0x000000000649A000-memory.dmp

Filesize
104KB

Download
memory/5072-294-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/5072-329-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download