ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-05-2023 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe
Size

8.7MB
MD5

6a38b46d48afeae349b698a429ae1e1c
SHA1

891c831af6e60cfded62268276e4ffffd203f27e
SHA256

ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5
SHA512

470ae81eb635aa4b50b3213544ce85de16b87eaba8cf0fa46ca00989df2fa88fcadb1d834c58a5a7d84b3718515f6fd359a9a946035222b944b3df3e7b87bdf5
SSDEEP

196608:kxKMARSuV2XJXf6hzsy07g1vse0yEn2ii+Iv5tUOX:/FRSJXlf6Z8gWnyiqxtN

Score

10^/10

evasion persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

description	pid	Process	procid_target
PID 1544 created 1288	1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe	15
PID 1544 created 1288	1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe	15
PID 1544 created 1288	1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe	15
PID 1544 created 1288	1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe	15
PID 1544 created 1288	1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe	15
PID 1544 created 1288	1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe	15
PID 396 created 1288	396	OneDrive.exe	15
PID 396 created 1288	396	OneDrive.exe	15
PID 396 created 1288	396	OneDrive.exe	15
PID 396 created 1288	396	OneDrive.exe	15
PID 396 created 1288	396	OneDrive.exe	15
PID 396 created 1288	396	OneDrive.exe	15

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Roaming\\Google\\Libs\\WR64.sys"	services.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OneDrive.exe

Executes dropped EXE 1 IoCs

pid	Process
396	OneDrive.exe

Loads dropped DLL 1 IoCs

pid	Process
1892	taskeng.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\OneDrive	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1544 set thread context of 948	1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe	40
PID 396 set thread context of 700	396	OneDrive.exe	66
PID 396 set thread context of 1296	396	OneDrive.exe	70

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1644	sc.exe
1684	sc.exe
536	sc.exe
1824	sc.exe
552	sc.exe
1756	sc.exe
1080	sc.exe
1540	sc.exe
1600	sc.exe
1472	sc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1532	schtasks.exe
1700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe
1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe
1484	powershell.exe
1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe
1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe
1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe
1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe
1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe
1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe
1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe
1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe
1612	powershell.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe
1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe
396	OneDrive.exe
396	OneDrive.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
1580	powershell.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
396	OneDrive.exe
396	OneDrive.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
396	OneDrive.exe
396	OneDrive.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe
948	dialer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1288	Explorer.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	services.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeShutdownPrivilege	1904	powercfg.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeShutdownPrivilege	1948	powercfg.exe
Token: SeDebugPrivilege	948	dialer.exe
Token: SeShutdownPrivilege	1308	powercfg.exe
Token: SeShutdownPrivilege	1540	powercfg.exe
Token: SeAuditPrivilege	856	svchost.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeShutdownPrivilege	1704	powercfg.exe
Token: SeShutdownPrivilege	572	powercfg.exe
Token: SeShutdownPrivilege	800	powercfg.exe
Token: SeShutdownPrivilege	1632	powercfg.exe
Token: SeDebugPrivilege	700	dialer.exe
Token: SeAuditPrivilege	856	svchost.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeLockMemoryPrivilege	1296	dialer.exe
Token: SeLockMemoryPrivilege	1296	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
1296	dialer.exe
1296	dialer.exe
1288	Explorer.EXE
1288	Explorer.EXE
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
1296	dialer.exe
1296	dialer.exe
1288	Explorer.EXE
1288	Explorer.EXE
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe
1296	dialer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 1824	816	cmd.exe	32
PID 816 wrote to memory of 1824	816	cmd.exe	32
PID 816 wrote to memory of 1824	816	cmd.exe	32
PID 816 wrote to memory of 552	816	cmd.exe	33
PID 816 wrote to memory of 552	816	cmd.exe	33
PID 816 wrote to memory of 552	816	cmd.exe	33
PID 816 wrote to memory of 1756	816	cmd.exe	34
PID 816 wrote to memory of 1756	816	cmd.exe	34
PID 816 wrote to memory of 1756	816	cmd.exe	34
PID 816 wrote to memory of 1644	816	cmd.exe	35
PID 816 wrote to memory of 1644	816	cmd.exe	35
PID 816 wrote to memory of 1644	816	cmd.exe	35
PID 816 wrote to memory of 1684	816	cmd.exe	36
PID 816 wrote to memory of 1684	816	cmd.exe	36
PID 816 wrote to memory of 1684	816	cmd.exe	36
PID 1544 wrote to memory of 948	1544	ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe	40
PID 108 wrote to memory of 1904	108	cmd.exe	42
PID 108 wrote to memory of 1904	108	cmd.exe	42
PID 108 wrote to memory of 1904	108	cmd.exe	42
PID 108 wrote to memory of 1948	108	cmd.exe	43
PID 108 wrote to memory of 1948	108	cmd.exe	43
PID 108 wrote to memory of 1948	108	cmd.exe	43
PID 108 wrote to memory of 1308	108	cmd.exe	44
PID 108 wrote to memory of 1308	108	cmd.exe	44
PID 108 wrote to memory of 1308	108	cmd.exe	44
PID 108 wrote to memory of 1540	108	cmd.exe	45
PID 108 wrote to memory of 1540	108	cmd.exe	45
PID 108 wrote to memory of 1540	108	cmd.exe	45
PID 948 wrote to memory of 420	948	dialer.exe	3
PID 948 wrote to memory of 464	948	dialer.exe	2
PID 1612 wrote to memory of 1532	1612	powershell.exe	46
PID 1612 wrote to memory of 1532	1612	powershell.exe	46
PID 1612 wrote to memory of 1532	1612	powershell.exe	46
PID 948 wrote to memory of 480	948	dialer.exe	1
PID 948 wrote to memory of 488	948	dialer.exe	8
PID 948 wrote to memory of 600	948	dialer.exe	26
PID 1892 wrote to memory of 396	1892	taskeng.exe	50
PID 1892 wrote to memory of 396	1892	taskeng.exe	50
PID 1892 wrote to memory of 396	1892	taskeng.exe	50
PID 948 wrote to memory of 680	948	dialer.exe	25
PID 948 wrote to memory of 768	948	dialer.exe	24
PID 948 wrote to memory of 820	948	dialer.exe	23
PID 948 wrote to memory of 856	948	dialer.exe	22
PID 948 wrote to memory of 968	948	dialer.exe	21
PID 948 wrote to memory of 272	948	dialer.exe	20
PID 948 wrote to memory of 328	948	dialer.exe	19
PID 948 wrote to memory of 1052	948	dialer.exe	18
PID 948 wrote to memory of 1152	948	dialer.exe	17
PID 948 wrote to memory of 1252	948	dialer.exe	16
PID 948 wrote to memory of 1288	948	dialer.exe	15
PID 948 wrote to memory of 288	948	dialer.exe	14
PID 948 wrote to memory of 1100	948	dialer.exe	13
PID 948 wrote to memory of 1980	948	dialer.exe	12
PID 948 wrote to memory of 1892	948	dialer.exe	49
PID 948 wrote to memory of 396	948	dialer.exe	50
PID 948 wrote to memory of 756	948	dialer.exe	52
PID 1716 wrote to memory of 536	1716	cmd.exe	55
PID 1716 wrote to memory of 536	1716	cmd.exe	55
PID 1716 wrote to memory of 536	1716	cmd.exe	55
PID 1716 wrote to memory of 1080	1716	cmd.exe	56
PID 1716 wrote to memory of 1080	1716	cmd.exe	56
PID 1716 wrote to memory of 1080	1716	cmd.exe	56
PID 1716 wrote to memory of 1540	1716	cmd.exe	57
PID 1716 wrote to memory of 1540	1716	cmd.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
PID:464
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1100
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:288
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1152
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1052
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:328
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:272
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:968
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {F045195A-1C0F-4A10-964C-D241C9C5B272} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
      C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Checks BIOS information in registry
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:396
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:820
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:768
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:680
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:600
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks processor information in registry
    PID:608

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1980

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1288
- C:\Users\Admin\AppData\Local\Temp\ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe
  "C:\Users\Admin\AppData\Local\Temp\ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Checks BIOS information in registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1824
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:552
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1756
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1644
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1684
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:108
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yramilr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
    3⤵
    - Creates scheduled task(s)
    PID:1532
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:948
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "OneDrive"
  2⤵
  PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:536
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1080
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1540
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1600
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1472
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1180
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:800
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yramilr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:788
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
    3⤵
    - Creates scheduled task(s)
    PID:1700
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1296

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "720787984-72106867474654626991753074968666716976304999-630301482-1612607737"
1⤵
PID:756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1163116055-1005637880112183784-1210579913-1790766172-1387358176-597930934-1070810164"
1⤵
PID:1032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1220541013-1817205616-12193343761003502801115961555-405457445-1956852630885357206"
1⤵
PID:1284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "679894414-17257104491027471997-447241530-1728317811-1215181388-13842250381299782200"
1⤵
PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8cb40f34f0f54e9c3acc54881aa54264

SHA1
5bcf32161990f0ff3d00027715f419a706aa4f16

SHA256
f478f9f25c4f839aec73e08ec5331c1d85ad68801a8c2dc0ccd53e0b7b3f7e52

SHA512
0d8e77b24f40cedb83eb138bf6a2c1567b1f3ef29baa2e267bb658f863784d6477c1be9b7bd80a58c2093da44e1ee1b5cd01cbcd9bad5364eb1aaae239b317cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8cb40f34f0f54e9c3acc54881aa54264

SHA1
5bcf32161990f0ff3d00027715f419a706aa4f16

SHA256
f478f9f25c4f839aec73e08ec5331c1d85ad68801a8c2dc0ccd53e0b7b3f7e52

SHA512
0d8e77b24f40cedb83eb138bf6a2c1567b1f3ef29baa2e267bb658f863784d6477c1be9b7bd80a58c2093da44e1ee1b5cd01cbcd9bad5364eb1aaae239b317cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8cb40f34f0f54e9c3acc54881aa54264

SHA1
5bcf32161990f0ff3d00027715f419a706aa4f16

SHA256
f478f9f25c4f839aec73e08ec5331c1d85ad68801a8c2dc0ccd53e0b7b3f7e52

SHA512
0d8e77b24f40cedb83eb138bf6a2c1567b1f3ef29baa2e267bb658f863784d6477c1be9b7bd80a58c2093da44e1ee1b5cd01cbcd9bad5364eb1aaae239b317cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FZYD0NGCYZ9V95QG4A1H.temp

Filesize
7KB

MD5
8cb40f34f0f54e9c3acc54881aa54264

SHA1
5bcf32161990f0ff3d00027715f419a706aa4f16

SHA256
f478f9f25c4f839aec73e08ec5331c1d85ad68801a8c2dc0ccd53e0b7b3f7e52

SHA512
0d8e77b24f40cedb83eb138bf6a2c1567b1f3ef29baa2e267bb658f863784d6477c1be9b7bd80a58c2093da44e1ee1b5cd01cbcd9bad5364eb1aaae239b317cf

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
8.7MB

MD5
6a38b46d48afeae349b698a429ae1e1c

SHA1
891c831af6e60cfded62268276e4ffffd203f27e

SHA256
ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5

SHA512
470ae81eb635aa4b50b3213544ce85de16b87eaba8cf0fa46ca00989df2fa88fcadb1d834c58a5a7d84b3718515f6fd359a9a946035222b944b3df3e7b87bdf5

Download Submit
\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
8.7MB

MD5
6a38b46d48afeae349b698a429ae1e1c

SHA1
891c831af6e60cfded62268276e4ffffd203f27e

SHA256
ce9bd1a5c1fc599b0c8f877d229482ffa413d8dd7f51eda86c1d3a59de6280b5

SHA512
470ae81eb635aa4b50b3213544ce85de16b87eaba8cf0fa46ca00989df2fa88fcadb1d834c58a5a7d84b3718515f6fd359a9a946035222b944b3df3e7b87bdf5

Download Submit
memory/272-223-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/288-243-0x0000000000960000-0x0000000000987000-memory.dmp

Filesize
156KB

Download
memory/328-228-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/328-226-0x0000000001D40000-0x0000000001D67000-memory.dmp

Filesize
156KB

Download
memory/396-215-0x000000013F430000-0x000000014038D000-memory.dmp

Filesize
15.4MB

Download
memory/396-254-0x0000000000530000-0x0000000000557000-memory.dmp

Filesize
156KB

Download
memory/420-380-0x00000000009F0000-0x0000000000A17000-memory.dmp

Filesize
156KB

Download
memory/420-76-0x00000000008A0000-0x00000000008C1000-memory.dmp

Filesize
132KB

Download
memory/420-75-0x00000000008A0000-0x00000000008C1000-memory.dmp

Filesize
132KB

Download
memory/420-103-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/420-80-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/420-79-0x000007FEBF9C0000-0x000007FEBF9D0000-memory.dmp

Filesize
64KB

Download
memory/420-78-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/464-84-0x00000000000B0000-0x00000000000D7000-memory.dmp

Filesize
156KB

Download
memory/464-388-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/464-85-0x000007FEBF9C0000-0x000007FEBF9D0000-memory.dmp

Filesize
64KB

Download
memory/464-89-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/464-104-0x00000000000B0000-0x00000000000D7000-memory.dmp

Filesize
156KB

Download
memory/480-90-0x00000000001C0000-0x00000000001E7000-memory.dmp

Filesize
156KB

Download
memory/480-91-0x000007FEBF9C0000-0x000007FEBF9D0000-memory.dmp

Filesize
64KB

Download
memory/480-93-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/480-392-0x0000000000A00000-0x0000000000A27000-memory.dmp

Filesize
156KB

Download
memory/480-105-0x00000000001C0000-0x00000000001E7000-memory.dmp

Filesize
156KB

Download
memory/488-122-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/488-396-0x00000000007B0000-0x00000000007D7000-memory.dmp

Filesize
156KB

Download
memory/488-116-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/488-141-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/488-121-0x000007FEBF9C0000-0x000007FEBF9D0000-memory.dmp

Filesize
64KB

Download
memory/600-123-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/600-120-0x000007FEBF9C0000-0x000007FEBF9D0000-memory.dmp

Filesize
64KB

Download
memory/600-118-0x0000000000550000-0x0000000000577000-memory.dmp

Filesize
156KB

Download
memory/600-142-0x0000000000550000-0x0000000000577000-memory.dmp

Filesize
156KB

Download
memory/680-145-0x0000000000470000-0x0000000000497000-memory.dmp

Filesize
156KB

Download
memory/680-130-0x000007FEBF9C0000-0x000007FEBF9D0000-memory.dmp

Filesize
64KB

Download
memory/680-127-0x0000000000470000-0x0000000000497000-memory.dmp

Filesize
156KB

Download
memory/680-132-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/756-256-0x0000000001A20000-0x0000000001A47000-memory.dmp

Filesize
156KB

Download
memory/768-133-0x000007FEBF9C0000-0x000007FEBF9D0000-memory.dmp

Filesize
64KB

Download
memory/768-136-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/768-131-0x0000000000900000-0x0000000000927000-memory.dmp

Filesize
156KB

Download
memory/768-147-0x0000000000900000-0x0000000000927000-memory.dmp

Filesize
156KB

Download
memory/788-383-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/800-324-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/800-325-0x0000000000150000-0x0000000000177000-memory.dmp

Filesize
156KB

Download
memory/800-323-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/820-150-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/820-140-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/856-149-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/856-153-0x000007FEBF9C0000-0x000007FEBF9D0000-memory.dmp

Filesize
64KB

Download
memory/948-95-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/948-66-0x00000000778F0000-0x0000000077A99000-memory.dmp

Filesize
1.7MB

Download
memory/948-67-0x00000000776D0000-0x00000000777EF000-memory.dmp

Filesize
1.1MB

Download
memory/968-218-0x0000000000980000-0x00000000009A7000-memory.dmp

Filesize
156KB

Download
memory/968-220-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/1032-282-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/1032-281-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/1052-230-0x0000000000950000-0x0000000000977000-memory.dmp

Filesize
156KB

Download
memory/1052-231-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/1100-244-0x0000000000A60000-0x0000000000A87000-memory.dmp

Filesize
156KB

Download
memory/1100-250-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/1152-232-0x0000000001E30000-0x0000000001E57000-memory.dmp

Filesize
156KB

Download
memory/1152-233-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/1180-318-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1252-234-0x0000000001BE0000-0x0000000001C07000-memory.dmp

Filesize
156KB

Download
memory/1252-235-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/1284-322-0x0000000001930000-0x0000000001957000-memory.dmp

Filesize
156KB

Download
memory/1288-236-0x00000000029A0000-0x00000000029C7000-memory.dmp

Filesize
156KB

Download
memory/1288-238-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/1472-291-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/1472-290-0x00000000002A0000-0x00000000002C7000-memory.dmp

Filesize
156KB

Download
memory/1484-59-0x000000001B0B0000-0x000000001B392000-memory.dmp

Filesize
2.9MB

Download
memory/1484-60-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/1484-61-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/1484-62-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/1484-63-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/1484-64-0x000000000271B000-0x0000000002752000-memory.dmp

Filesize
220KB

Download
memory/1544-96-0x000000013F7F0000-0x000000014074D000-memory.dmp

Filesize
15.4MB

Download
memory/1544-87-0x000000013F7F0000-0x000000014074D000-memory.dmp

Filesize
15.4MB

Download
memory/1544-54-0x000000013F7F0000-0x000000014074D000-memory.dmp

Filesize
15.4MB

Download
memory/1544-99-0x000000013F7F0000-0x000000014074D000-memory.dmp

Filesize
15.4MB

Download
memory/1544-108-0x000000013F7F0000-0x000000014074D000-memory.dmp

Filesize
15.4MB

Download
memory/1580-258-0x00000000026DB000-0x0000000002712000-memory.dmp

Filesize
220KB

Download
memory/1580-257-0x00000000026D4000-0x00000000026D7000-memory.dmp

Filesize
12KB

Download
memory/1612-98-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/1612-101-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/1612-102-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/1612-74-0x00000000024A0000-0x00000000024A8000-memory.dmp

Filesize
32KB

Download
memory/1612-73-0x000000001B060000-0x000000001B342000-memory.dmp

Filesize
2.9MB

Download
memory/1612-100-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/1632-338-0x00000000001C0000-0x00000000001E7000-memory.dmp

Filesize
156KB

Download
memory/1716-283-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/1716-280-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/1892-378-0x000000013F430000-0x000000014038D000-memory.dmp

Filesize
15.4MB

Download
memory/1892-279-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/1892-139-0x000000013F430000-0x000000014038D000-memory.dmp

Filesize
15.4MB

Download
memory/1892-252-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1980-247-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download