laplas | 8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c

Analysis

max time kernel
279s
max time network
294s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-06-2023 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe
Size

1.7MB
MD5

a4aab901f5f4662d75a66bdb08971148
SHA1

9835bae8776e280b5a6bcf8e204d1bca5e05b0f6
SHA256

8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c
SHA512

a4a86338d24118d20242714da4ac9df72a0954c7c7cfa4be80cb2495b2ced651e328b4fbf1e66ac844f76f838efd591baade7b2dca019917964ac0b7a73c479f
SSDEEP

24576:YwJAcH22+6MA333QaUozWal46B7Owg/63wXByw/OK:bJAcH22KA3339UPaewgrByq

Score

10^/10

laplas redline xmrig 090623_11_red clipper evasion infostealer miner persistence spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

090623_11_red

goodlogs.neverever.ug:11615

Attributes

auth_value
ca62706abf6895102883ab0c8a86ddff

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 1684 created 1256	1684	mtaskhost.exe	13
PID 1684 created 1256	1684	mtaskhost.exe	13
PID 1684 created 1256	1684	mtaskhost.exe	13
PID 1684 created 1256	1684	mtaskhost.exe	13
PID 1684 created 1256	1684	mtaskhost.exe	13
PID 900 created 1256	900	updater.exe	13
PID 900 created 1256	900	updater.exe	13
PID 900 created 1256	900	updater.exe	13
PID 900 created 1256	900	updater.exe	13
PID 900 created 1256	900	updater.exe	13
PID 900 created 1256	900	updater.exe	13

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	mtaskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cltaskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral1/memory/900-181-0x000000013F1F0000-0x000000013FFEB000-memory.dmp	xmrig
behavioral1/memory/556-185-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/556-189-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe
File created	C:\Windows\System32\drivers\etc\hosts	mtaskhost.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cltaskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mtaskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mtaskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cltaskhost.exe

Executes dropped EXE 4 IoCs

pid	Process
1684	mtaskhost.exe
1736	cltaskhost.exe
1380	ntlhost.exe
900	updater.exe

Loads dropped DLL 4 IoCs

pid	Process
268	jsc.exe
268	jsc.exe
1736	cltaskhost.exe
836	taskeng.exe

Themida packer 31 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00090000000122ef-67.dat	themida
behavioral1/files/0x00090000000122ef-69.dat	themida
behavioral1/memory/1684-71-0x000000013F440000-0x000000014023B000-memory.dmp	themida
behavioral1/memory/1684-72-0x000000013F440000-0x000000014023B000-memory.dmp	themida
behavioral1/memory/1684-73-0x000000013F440000-0x000000014023B000-memory.dmp	themida
behavioral1/memory/1684-75-0x000000013F440000-0x000000014023B000-memory.dmp	themida
behavioral1/memory/1684-77-0x000000013F440000-0x000000014023B000-memory.dmp	themida
behavioral1/memory/1684-81-0x000000013F440000-0x000000014023B000-memory.dmp	themida
behavioral1/memory/1684-82-0x000000013F440000-0x000000014023B000-memory.dmp	themida
behavioral1/memory/1684-91-0x000000013F440000-0x000000014023B000-memory.dmp	themida
behavioral1/memory/1684-109-0x000000013F440000-0x000000014023B000-memory.dmp	themida
behavioral1/memory/1684-118-0x000000013F440000-0x000000014023B000-memory.dmp	themida
behavioral1/memory/1684-136-0x000000013F440000-0x000000014023B000-memory.dmp	themida
behavioral1/files/0x00090000000122ef-138.dat	themida
behavioral1/memory/1684-140-0x000000013F440000-0x000000014023B000-memory.dmp	themida
behavioral1/files/0x00080000000122fd-142.dat	themida
behavioral1/files/0x00080000000122fd-143.dat	themida
behavioral1/files/0x00080000000122fd-141.dat	themida
behavioral1/memory/900-147-0x000000013F1F0000-0x000000013FFEB000-memory.dmp	themida
behavioral1/memory/900-148-0x000000013F1F0000-0x000000013FFEB000-memory.dmp	themida
behavioral1/memory/900-149-0x000000013F1F0000-0x000000013FFEB000-memory.dmp	themida
behavioral1/memory/900-150-0x000000013F1F0000-0x000000013FFEB000-memory.dmp	themida
behavioral1/memory/900-151-0x000000013F1F0000-0x000000013FFEB000-memory.dmp	themida
behavioral1/memory/900-152-0x000000013F1F0000-0x000000013FFEB000-memory.dmp	themida
behavioral1/memory/900-153-0x000000013F1F0000-0x000000013FFEB000-memory.dmp	themida
behavioral1/memory/900-155-0x000000013F1F0000-0x000000013FFEB000-memory.dmp	themida
behavioral1/memory/900-161-0x000000013F1F0000-0x000000013FFEB000-memory.dmp	themida
behavioral1/memory/900-169-0x000000013F1F0000-0x000000013FFEB000-memory.dmp	themida
behavioral1/memory/900-175-0x000000013F1F0000-0x000000013FFEB000-memory.dmp	themida
behavioral1/files/0x00080000000122fd-179.dat	themida
behavioral1/memory/900-181-0x000000013F1F0000-0x000000013FFEB000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	cltaskhost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mtaskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cltaskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1684	mtaskhost.exe
1736	cltaskhost.exe
1380	ntlhost.exe
900	updater.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 924 set thread context of 268	924	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 900 set thread context of 1488	900	updater.exe	73
PID 900 set thread context of 556	900	updater.exe	74

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	mtaskhost.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1516	sc.exe
1200	sc.exe
924	sc.exe
1560	sc.exe
1092	sc.exe
1360	sc.exe
1696	sc.exe
1652	sc.exe
1320	sc.exe
1008	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1552	schtasks.exe
548	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	9	Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 1081a14e209cd901	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
268	jsc.exe
268	jsc.exe
1684	mtaskhost.exe
1684	mtaskhost.exe
1668	powershell.exe
1684	mtaskhost.exe
1684	mtaskhost.exe
1684	mtaskhost.exe
1684	mtaskhost.exe
1684	mtaskhost.exe
1684	mtaskhost.exe
1540	powershell.exe
1684	mtaskhost.exe
1684	mtaskhost.exe
900	updater.exe
900	updater.exe
1376	powershell.exe
900	updater.exe
900	updater.exe
900	updater.exe
900	updater.exe
900	updater.exe
900	updater.exe
944	powershell.exe
900	updater.exe
900	updater.exe
900	updater.exe
900	updater.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	924	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe
Token: SeDebugPrivilege	268	jsc.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeShutdownPrivilege	1200	powercfg.exe
Token: SeShutdownPrivilege	696	powercfg.exe
Token: SeShutdownPrivilege	1688	powercfg.exe
Token: SeShutdownPrivilege	1284	powercfg.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeShutdownPrivilege	1252	powercfg.exe
Token: SeShutdownPrivilege	912	powercfg.exe
Token: SeShutdownPrivilege	1316	powercfg.exe
Token: SeShutdownPrivilege	988	powercfg.exe
Token: SeDebugPrivilege	900	updater.exe
Token: SeLockMemoryPrivilege	556	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 268	924	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 924 wrote to memory of 268	924	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 924 wrote to memory of 268	924	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 924 wrote to memory of 268	924	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 924 wrote to memory of 268	924	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 924 wrote to memory of 268	924	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 924 wrote to memory of 268	924	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 924 wrote to memory of 268	924	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 924 wrote to memory of 268	924	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 268 wrote to memory of 1684	268	jsc.exe	30
PID 268 wrote to memory of 1684	268	jsc.exe	30
PID 268 wrote to memory of 1684	268	jsc.exe	30
PID 268 wrote to memory of 1684	268	jsc.exe	30
PID 268 wrote to memory of 1736	268	jsc.exe	31
PID 268 wrote to memory of 1736	268	jsc.exe	31
PID 268 wrote to memory of 1736	268	jsc.exe	31
PID 268 wrote to memory of 1736	268	jsc.exe	31
PID 1736 wrote to memory of 1380	1736	cltaskhost.exe	34
PID 1736 wrote to memory of 1380	1736	cltaskhost.exe	34
PID 1736 wrote to memory of 1380	1736	cltaskhost.exe	34
PID 908 wrote to memory of 1696	908	cmd.exe	37
PID 908 wrote to memory of 1696	908	cmd.exe	37
PID 908 wrote to memory of 1696	908	cmd.exe	37
PID 908 wrote to memory of 1652	908	cmd.exe	38
PID 908 wrote to memory of 1652	908	cmd.exe	38
PID 908 wrote to memory of 1652	908	cmd.exe	38
PID 908 wrote to memory of 924	908	cmd.exe	39
PID 908 wrote to memory of 924	908	cmd.exe	39
PID 908 wrote to memory of 924	908	cmd.exe	39
PID 908 wrote to memory of 1320	908	cmd.exe	40
PID 908 wrote to memory of 1320	908	cmd.exe	40
PID 908 wrote to memory of 1320	908	cmd.exe	40
PID 908 wrote to memory of 1560	908	cmd.exe	41
PID 908 wrote to memory of 1560	908	cmd.exe	41
PID 908 wrote to memory of 1560	908	cmd.exe	41
PID 952 wrote to memory of 1200	952	cmd.exe	46
PID 952 wrote to memory of 1200	952	cmd.exe	46
PID 952 wrote to memory of 1200	952	cmd.exe	46
PID 952 wrote to memory of 696	952	cmd.exe	49
PID 952 wrote to memory of 696	952	cmd.exe	49
PID 952 wrote to memory of 696	952	cmd.exe	49
PID 952 wrote to memory of 1688	952	cmd.exe	48
PID 952 wrote to memory of 1688	952	cmd.exe	48
PID 952 wrote to memory of 1688	952	cmd.exe	48
PID 952 wrote to memory of 1284	952	cmd.exe	47
PID 952 wrote to memory of 1284	952	cmd.exe	47
PID 952 wrote to memory of 1284	952	cmd.exe	47
PID 1540 wrote to memory of 548	1540	powershell.exe	50
PID 1540 wrote to memory of 548	1540	powershell.exe	50
PID 1540 wrote to memory of 548	1540	powershell.exe	50
PID 836 wrote to memory of 900	836	taskeng.exe	54
PID 836 wrote to memory of 900	836	taskeng.exe	54
PID 836 wrote to memory of 900	836	taskeng.exe	54
PID 1508 wrote to memory of 1092	1508	cmd.exe	59
PID 1508 wrote to memory of 1092	1508	cmd.exe	59
PID 1508 wrote to memory of 1092	1508	cmd.exe	59
PID 1508 wrote to memory of 1360	1508	cmd.exe	60
PID 1508 wrote to memory of 1360	1508	cmd.exe	60
PID 1508 wrote to memory of 1360	1508	cmd.exe	60
PID 1508 wrote to memory of 1516	1508	cmd.exe	61
PID 1508 wrote to memory of 1516	1508	cmd.exe	61
PID 1508 wrote to memory of 1516	1508	cmd.exe	61
PID 1508 wrote to memory of 1008	1508	cmd.exe	62
PID 1508 wrote to memory of 1008	1508	cmd.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe
  "C:\Users\Admin\AppData\Local\Temp\8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Users\Admin\AppData\Local\Temp\mtaskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\mtaskhost.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Drops file in Drivers directory
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\cltaskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\cltaskhost.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1696
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1652
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:924
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1320
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1560
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1284
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:548
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1092
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1360
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1516
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1008
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1552
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:564
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1252
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:912
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:988
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1488
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:556

C:\Windows\system32\taskeng.exe
taskeng.exe {9459B896-84CD-4709-816A-13CA3D7436F2} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:836
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
10.8MB

MD5
6e39a59c8f6c3f52f122f80fb0933c9f

SHA1
cb1e56e022de8660579a5812b97303529bdca5d5

SHA256
17f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671

SHA512
219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
10.8MB

MD5
6e39a59c8f6c3f52f122f80fb0933c9f

SHA1
cb1e56e022de8660579a5812b97303529bdca5d5

SHA256
17f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671

SHA512
219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
10.8MB

MD5
6e39a59c8f6c3f52f122f80fb0933c9f

SHA1
cb1e56e022de8660579a5812b97303529bdca5d5

SHA256
17f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671

SHA512
219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cltaskhost.exe

Filesize
3.4MB

MD5
50859caa45e9d02823ae55b69fd7b645

SHA1
aec25ed88cd00fd12a18ca2714d68e33c7fd57c3

SHA256
8dbebde20f5c4a1c0d29c9faf1c670423f99306042d428c35d6bdd552d3fb554

SHA512
78df0c4c350b92743f4739855a8f605cf245463dde934edb2b8a26a5d6025231c17b8f0bbe2b9bffa4938343bf84ab88f5539282b6f9fbb78ec836d5a735d767

Download Submit
C:\Users\Admin\AppData\Local\Temp\cltaskhost.exe

Filesize
3.4MB

MD5
50859caa45e9d02823ae55b69fd7b645

SHA1
aec25ed88cd00fd12a18ca2714d68e33c7fd57c3

SHA256
8dbebde20f5c4a1c0d29c9faf1c670423f99306042d428c35d6bdd552d3fb554

SHA512
78df0c4c350b92743f4739855a8f605cf245463dde934edb2b8a26a5d6025231c17b8f0bbe2b9bffa4938343bf84ab88f5539282b6f9fbb78ec836d5a735d767

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtaskhost.exe

Filesize
10.8MB

MD5
6e39a59c8f6c3f52f122f80fb0933c9f

SHA1
cb1e56e022de8660579a5812b97303529bdca5d5

SHA256
17f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671

SHA512
219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtaskhost.exe

Filesize
10.8MB

MD5
6e39a59c8f6c3f52f122f80fb0933c9f

SHA1
cb1e56e022de8660579a5812b97303529bdca5d5

SHA256
17f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671

SHA512
219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
98c63d8d2c890e8f6164653ee5da53a5

SHA1
6a3ce1ae18c298f8a5e6e8d551ee44c5ecac6f13

SHA256
a4f99ec1126bc09977b5d6b61646b3446facf113f9a1d895657e50ef7380b95d

SHA512
651a3f0d44b475cc7109f48c226107e5aa04f85694805358d6c5369bf8194be4c763963f0d8459396b15bb19dc01d6e4b98f71ab70cf38928e1a8a40b907ebde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S4YK7W9Q2UC0K6PRZ7RZ.temp

Filesize
7KB

MD5
98c63d8d2c890e8f6164653ee5da53a5

SHA1
6a3ce1ae18c298f8a5e6e8d551ee44c5ecac6f13

SHA256
a4f99ec1126bc09977b5d6b61646b3446facf113f9a1d895657e50ef7380b95d

SHA512
651a3f0d44b475cc7109f48c226107e5aa04f85694805358d6c5369bf8194be4c763963f0d8459396b15bb19dc01d6e4b98f71ab70cf38928e1a8a40b907ebde

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
732.4MB

MD5
0c0a3b597f7113259c78651ba57e1542

SHA1
accf839839078e0cfae08e118a59a78b815afdf4

SHA256
85a0cd0bd1859fdd87bfbe488332d3109dbb0616caa0b975e6cd77ba4051d28d

SHA512
a5f23f48230a99e37a050e9893858ff8018bedf9e49115c4d4f345a0211519be67d0f17bce8f928b0f5fb433f5b5660e578b3e2959cbdd97290921faebd5182f

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
732.4MB

MD5
0c0a3b597f7113259c78651ba57e1542

SHA1
accf839839078e0cfae08e118a59a78b815afdf4

SHA256
85a0cd0bd1859fdd87bfbe488332d3109dbb0616caa0b975e6cd77ba4051d28d

SHA512
a5f23f48230a99e37a050e9893858ff8018bedf9e49115c4d4f345a0211519be67d0f17bce8f928b0f5fb433f5b5660e578b3e2959cbdd97290921faebd5182f

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
10.8MB

MD5
6e39a59c8f6c3f52f122f80fb0933c9f

SHA1
cb1e56e022de8660579a5812b97303529bdca5d5

SHA256
17f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671

SHA512
219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf

Download Submit
\Users\Admin\AppData\Local\Temp\cltaskhost.exe

Filesize
3.4MB

MD5
50859caa45e9d02823ae55b69fd7b645

SHA1
aec25ed88cd00fd12a18ca2714d68e33c7fd57c3

SHA256
8dbebde20f5c4a1c0d29c9faf1c670423f99306042d428c35d6bdd552d3fb554

SHA512
78df0c4c350b92743f4739855a8f605cf245463dde934edb2b8a26a5d6025231c17b8f0bbe2b9bffa4938343bf84ab88f5539282b6f9fbb78ec836d5a735d767

Download Submit
\Users\Admin\AppData\Local\Temp\mtaskhost.exe

Filesize
10.8MB

MD5
6e39a59c8f6c3f52f122f80fb0933c9f

SHA1
cb1e56e022de8660579a5812b97303529bdca5d5

SHA256
17f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671

SHA512
219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
732.4MB

MD5
0c0a3b597f7113259c78651ba57e1542

SHA1
accf839839078e0cfae08e118a59a78b815afdf4

SHA256
85a0cd0bd1859fdd87bfbe488332d3109dbb0616caa0b975e6cd77ba4051d28d

SHA512
a5f23f48230a99e37a050e9893858ff8018bedf9e49115c4d4f345a0211519be67d0f17bce8f928b0f5fb433f5b5660e578b3e2959cbdd97290921faebd5182f

Download Submit
memory/268-70-0x0000000006D60000-0x0000000007B5B000-memory.dmp

Filesize
14.0MB

Download
memory/268-64-0x0000000004880000-0x00000000048C0000-memory.dmp

Filesize
256KB

Download
memory/268-63-0x0000000004880000-0x00000000048C0000-memory.dmp

Filesize
256KB

Download
memory/268-62-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/268-61-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/268-59-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/268-57-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/268-88-0x0000000006D60000-0x0000000007558000-memory.dmp

Filesize
8.0MB

Download
memory/556-189-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/556-182-0x0000000000130000-0x0000000000150000-memory.dmp

Filesize
128KB

Download
memory/556-194-0x0000000000BA0000-0x0000000000BC0000-memory.dmp

Filesize
128KB

Download
memory/556-187-0x0000000000BA0000-0x0000000000BC0000-memory.dmp

Filesize
128KB

Download
memory/556-185-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/836-144-0x000000013F1F0000-0x000000013FFEB000-memory.dmp

Filesize
14.0MB

Download
memory/836-158-0x000000013F1F0000-0x000000013FFEB000-memory.dmp

Filesize
14.0MB

Download
memory/900-161-0x000000013F1F0000-0x000000013FFEB000-memory.dmp

Filesize
14.0MB

Download
memory/900-155-0x000000013F1F0000-0x000000013FFEB000-memory.dmp

Filesize
14.0MB

Download
memory/900-175-0x000000013F1F0000-0x000000013FFEB000-memory.dmp

Filesize
14.0MB

Download
memory/900-147-0x000000013F1F0000-0x000000013FFEB000-memory.dmp

Filesize
14.0MB

Download
memory/900-181-0x000000013F1F0000-0x000000013FFEB000-memory.dmp

Filesize
14.0MB

Download
memory/900-148-0x000000013F1F0000-0x000000013FFEB000-memory.dmp

Filesize
14.0MB

Download
memory/900-149-0x000000013F1F0000-0x000000013FFEB000-memory.dmp

Filesize
14.0MB

Download
memory/900-169-0x000000013F1F0000-0x000000013FFEB000-memory.dmp

Filesize
14.0MB

Download
memory/900-153-0x000000013F1F0000-0x000000013FFEB000-memory.dmp

Filesize
14.0MB

Download
memory/900-152-0x000000013F1F0000-0x000000013FFEB000-memory.dmp

Filesize
14.0MB

Download
memory/900-151-0x000000013F1F0000-0x000000013FFEB000-memory.dmp

Filesize
14.0MB

Download
memory/900-150-0x000000013F1F0000-0x000000013FFEB000-memory.dmp

Filesize
14.0MB

Download
memory/924-56-0x00000000009F0000-0x0000000000A62000-memory.dmp

Filesize
456KB

Download
memory/924-55-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/924-54-0x00000000010A0000-0x0000000001256000-memory.dmp

Filesize
1.7MB

Download
memory/944-174-0x0000000000EB0000-0x0000000000F30000-memory.dmp

Filesize
512KB

Download
memory/944-173-0x0000000000EB0000-0x0000000000F30000-memory.dmp

Filesize
512KB

Download
memory/944-176-0x0000000000EB0000-0x0000000000F30000-memory.dmp

Filesize
512KB

Download
memory/1376-164-0x0000000001260000-0x00000000012E0000-memory.dmp

Filesize
512KB

Download
memory/1376-165-0x0000000001260000-0x00000000012E0000-memory.dmp

Filesize
512KB

Download
memory/1376-163-0x0000000001260000-0x00000000012E0000-memory.dmp

Filesize
512KB

Download
memory/1376-162-0x0000000001260000-0x00000000012E0000-memory.dmp

Filesize
512KB

Download
memory/1380-123-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1380-190-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1380-156-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1380-122-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1380-166-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1380-107-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1380-154-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1380-108-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1380-168-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1380-172-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1380-119-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1380-186-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1380-137-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1380-159-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1380-183-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1380-116-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1380-115-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1380-114-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1380-113-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1380-110-0x0000000000190000-0x0000000000988000-memory.dmp

Filesize
8.0MB

Download
memory/1488-184-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1488-191-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1540-135-0x0000000002290000-0x0000000002310000-memory.dmp

Filesize
512KB

Download
memory/1540-134-0x0000000002290000-0x0000000002310000-memory.dmp

Filesize
512KB

Download
memory/1540-133-0x0000000002290000-0x0000000002310000-memory.dmp

Filesize
512KB

Download
memory/1540-132-0x0000000002290000-0x0000000002310000-memory.dmp

Filesize
512KB

Download
memory/1540-130-0x0000000001D30000-0x0000000001D38000-memory.dmp

Filesize
32KB

Download
memory/1540-129-0x000000001AF80000-0x000000001B262000-memory.dmp

Filesize
2.9MB

Download
memory/1668-105-0x000000001B0F0000-0x000000001B3D2000-memory.dmp

Filesize
2.9MB

Download
memory/1668-117-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1668-98-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1668-99-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1668-131-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1668-111-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1668-106-0x0000000002260000-0x0000000002268000-memory.dmp

Filesize
32KB

Download
memory/1684-140-0x000000013F440000-0x000000014023B000-memory.dmp

Filesize
14.0MB

Download
memory/1684-91-0x000000013F440000-0x000000014023B000-memory.dmp

Filesize
14.0MB

Download
memory/1684-81-0x000000013F440000-0x000000014023B000-memory.dmp

Filesize
14.0MB

Download
memory/1684-71-0x000000013F440000-0x000000014023B000-memory.dmp

Filesize
14.0MB

Download
memory/1684-77-0x000000013F440000-0x000000014023B000-memory.dmp

Filesize
14.0MB

Download
memory/1684-136-0x000000013F440000-0x000000014023B000-memory.dmp

Filesize
14.0MB

Download
memory/1684-109-0x000000013F440000-0x000000014023B000-memory.dmp

Filesize
14.0MB

Download
memory/1684-72-0x000000013F440000-0x000000014023B000-memory.dmp

Filesize
14.0MB

Download
memory/1684-82-0x000000013F440000-0x000000014023B000-memory.dmp

Filesize
14.0MB

Download
memory/1684-73-0x000000013F440000-0x000000014023B000-memory.dmp

Filesize
14.0MB

Download
memory/1684-75-0x000000013F440000-0x000000014023B000-memory.dmp

Filesize
14.0MB

Download
memory/1684-118-0x000000013F440000-0x000000014023B000-memory.dmp

Filesize
14.0MB

Download
memory/1736-85-0x0000000000810000-0x0000000001008000-memory.dmp

Filesize
8.0MB

Download
memory/1736-89-0x0000000000810000-0x0000000001008000-memory.dmp

Filesize
8.0MB

Download
memory/1736-90-0x0000000000810000-0x0000000001008000-memory.dmp

Filesize
8.0MB

Download
memory/1736-87-0x0000000000810000-0x0000000001008000-memory.dmp

Filesize
8.0MB

Download
memory/1736-83-0x0000000000810000-0x0000000001008000-memory.dmp

Filesize
8.0MB

Download
memory/1736-84-0x0000000000810000-0x0000000001008000-memory.dmp

Filesize
8.0MB

Download
memory/1736-86-0x0000000000810000-0x0000000001008000-memory.dmp

Filesize
8.0MB

Download
memory/1736-93-0x0000000000810000-0x0000000001008000-memory.dmp

Filesize
8.0MB

Download
memory/1736-104-0x0000000000810000-0x0000000001008000-memory.dmp

Filesize
8.0MB

Download