laplas | 1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94

Analysis

max time kernel
280s
max time network
302s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
13-07-2023 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe
Size

2.3MB
MD5

3c55617e6b69330386a0350e9f6aa0b4
SHA1

99bff391433cfc610b27f3b2b7ebc3239314f831
SHA256

1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94
SHA512

46eac86da241ab7b98d449e31111c9da154109b493bf62e807cffcdb43767167c994a165d78ec9a4ce24ea4f64ec76edee39daf9408bad3d6e65b64b1b6b1c28
SSDEEP

49152:X4MR20Q9Xz2p2pizrXPHaBXtHqNQ6cBUX0biao10PzFyPawde5Gir:X41MEpyHaZUNFcBUEfoIgPFTir

Score

10^/10

laplas redline xmrig 120723_rc_11 clipper evasion infostealer miner persistence spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

120723_rc_11

rcam.tuktuk.ug:11290

Attributes

auth_value
3a7b4b38a7116be1f337083fb37de790

Extracted

Family

laplas

http://lpls.tuktuk.ug

Attributes

api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 852 created 1284	852	TaskMnr.exe	21
PID 852 created 1284	852	TaskMnr.exe	21
PID 852 created 1284	852	TaskMnr.exe	21
PID 852 created 1284	852	TaskMnr.exe	21
PID 852 created 1284	852	TaskMnr.exe	21
PID 1656 created 1284	1656	updater.exe	21
PID 1656 created 1284	1656	updater.exe	21
PID 1656 created 1284	1656	updater.exe	21
PID 1656 created 1284	1656	updater.exe	21
PID 1656 created 1284	1656	updater.exe	21
PID 1656 created 1284	1656	updater.exe	21

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Octium.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TaskMnr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/1656-206-0x000000013F890000-0x0000000140830000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	TaskMnr.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Octium.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Octium.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TaskMnr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TaskMnr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe

Executes dropped EXE 4 IoCs

pid	Process
1204	Octium.exe
852	TaskMnr.exe
2020	ntlhost.exe
1656	updater.exe

Loads dropped DLL 4 IoCs

pid	Process
2936	AppLaunch.exe
2936	AppLaunch.exe
1204	Octium.exe
284	taskeng.exe

Themida packer 25 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2492-57-0x0000000000870000-0x0000000000DD8000-memory.dmp	themida
behavioral1/memory/2492-58-0x0000000000870000-0x0000000000DD8000-memory.dmp	themida
behavioral1/memory/2492-98-0x0000000000870000-0x0000000000DD8000-memory.dmp	themida
behavioral1/files/0x0009000000015c45-119.dat	themida
behavioral1/files/0x0009000000015c45-121.dat	themida
behavioral1/memory/852-122-0x000000013FDE0000-0x0000000140D80000-memory.dmp	themida
behavioral1/memory/852-124-0x000000013FDE0000-0x0000000140D80000-memory.dmp	themida
behavioral1/memory/852-123-0x000000013FDE0000-0x0000000140D80000-memory.dmp	themida
behavioral1/memory/852-125-0x000000013FDE0000-0x0000000140D80000-memory.dmp	themida
behavioral1/memory/852-126-0x000000013FDE0000-0x0000000140D80000-memory.dmp	themida
behavioral1/memory/852-127-0x000000013FDE0000-0x0000000140D80000-memory.dmp	themida
behavioral1/memory/852-128-0x000000013FDE0000-0x0000000140D80000-memory.dmp	themida
behavioral1/memory/852-142-0x000000013FDE0000-0x0000000140D80000-memory.dmp	themida
behavioral1/files/0x0009000000015c45-168.dat	themida
behavioral1/memory/852-170-0x000000013FDE0000-0x0000000140D80000-memory.dmp	themida
behavioral1/files/0x000c000000015d9a-173.dat	themida
behavioral1/files/0x000c000000015d9a-172.dat	themida
behavioral1/files/0x000c000000015d9a-171.dat	themida
behavioral1/memory/1656-174-0x000000013F890000-0x0000000140830000-memory.dmp	themida
behavioral1/memory/1656-175-0x000000013F890000-0x0000000140830000-memory.dmp	themida
behavioral1/memory/1656-176-0x000000013F890000-0x0000000140830000-memory.dmp	themida
behavioral1/memory/1656-181-0x000000013F890000-0x0000000140830000-memory.dmp	themida
behavioral1/memory/1656-187-0x000000013F890000-0x0000000140830000-memory.dmp	themida
behavioral1/files/0x000c000000015d9a-202.dat	themida
behavioral1/memory/1656-206-0x000000013F890000-0x0000000140830000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	Octium.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Octium.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TaskMnr.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2492	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe
1204	Octium.exe
852	TaskMnr.exe
2020	ntlhost.exe
1656	updater.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2492 set thread context of 2936	2492	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe	28
PID 1656 set thread context of 2344	1656	updater.exe	75
PID 1656 set thread context of 2980	1656	updater.exe	76

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Chrome\updater.exe	TaskMnr.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2188	sc.exe
1372	sc.exe
1556	sc.exe
2528	sc.exe
1732	sc.exe
1952	sc.exe
2256	sc.exe
1144	sc.exe
2208	sc.exe
2176	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
676	schtasks.exe
1628	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	6	Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b0c79b371fb5d901	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2492	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe
2936	AppLaunch.exe
2936	AppLaunch.exe
852	TaskMnr.exe
852	TaskMnr.exe
2724	powershell.exe
852	TaskMnr.exe
852	TaskMnr.exe
852	TaskMnr.exe
852	TaskMnr.exe
852	TaskMnr.exe
852	TaskMnr.exe
2436	powershell.exe
852	TaskMnr.exe
852	TaskMnr.exe
1656	updater.exe
1656	updater.exe
1752	powershell.exe
1656	updater.exe
1656	updater.exe
1656	updater.exe
1656	updater.exe
1656	updater.exe
1656	updater.exe
2044	powershell.exe
1656	updater.exe
1656	updater.exe
1656	updater.exe
1656	updater.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe
Token: SeDebugPrivilege	2936	AppLaunch.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeShutdownPrivilege	2132	powercfg.exe
Token: SeShutdownPrivilege	2684	powercfg.exe
Token: SeShutdownPrivilege	2128	powercfg.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeShutdownPrivilege	2112	powercfg.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeShutdownPrivilege	1244	powercfg.exe
Token: SeShutdownPrivilege	1216	powercfg.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeShutdownPrivilege	2712	powercfg.exe
Token: SeShutdownPrivilege	2708	powercfg.exe
Token: SeDebugPrivilege	1656	updater.exe
Token: SeLockMemoryPrivilege	2980	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2936	2492	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe	28
PID 2492 wrote to memory of 2936	2492	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe	28
PID 2492 wrote to memory of 2936	2492	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe	28
PID 2492 wrote to memory of 2936	2492	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe	28
PID 2492 wrote to memory of 2936	2492	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe	28
PID 2492 wrote to memory of 2936	2492	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe	28
PID 2492 wrote to memory of 2936	2492	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe	28
PID 2492 wrote to memory of 2936	2492	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe	28
PID 2492 wrote to memory of 2936	2492	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe	28
PID 2492 wrote to memory of 2936	2492	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe	28
PID 2492 wrote to memory of 2936	2492	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe	28
PID 2492 wrote to memory of 2936	2492	1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe	28
PID 2936 wrote to memory of 1204	2936	AppLaunch.exe	32
PID 2936 wrote to memory of 1204	2936	AppLaunch.exe	32
PID 2936 wrote to memory of 1204	2936	AppLaunch.exe	32
PID 2936 wrote to memory of 1204	2936	AppLaunch.exe	32
PID 2936 wrote to memory of 852	2936	AppLaunch.exe	33
PID 2936 wrote to memory of 852	2936	AppLaunch.exe	33
PID 2936 wrote to memory of 852	2936	AppLaunch.exe	33
PID 2936 wrote to memory of 852	2936	AppLaunch.exe	33
PID 1204 wrote to memory of 2020	1204	Octium.exe	34
PID 1204 wrote to memory of 2020	1204	Octium.exe	34
PID 1204 wrote to memory of 2020	1204	Octium.exe	34
PID 2200 wrote to memory of 2528	2200	cmd.exe	38
PID 2200 wrote to memory of 2528	2200	cmd.exe	38
PID 2200 wrote to memory of 2528	2200	cmd.exe	38
PID 2200 wrote to memory of 1952	2200	cmd.exe	50
PID 2200 wrote to memory of 1952	2200	cmd.exe	50
PID 2200 wrote to memory of 1952	2200	cmd.exe	50
PID 2200 wrote to memory of 2176	2200	cmd.exe	49
PID 2200 wrote to memory of 2176	2200	cmd.exe	49
PID 2200 wrote to memory of 2176	2200	cmd.exe	49
PID 2200 wrote to memory of 1732	2200	cmd.exe	46
PID 2200 wrote to memory of 1732	2200	cmd.exe	46
PID 2200 wrote to memory of 1732	2200	cmd.exe	46
PID 2200 wrote to memory of 2208	2200	cmd.exe	39
PID 2200 wrote to memory of 2208	2200	cmd.exe	39
PID 2200 wrote to memory of 2208	2200	cmd.exe	39
PID 2776 wrote to memory of 2132	2776	cmd.exe	41
PID 2776 wrote to memory of 2132	2776	cmd.exe	41
PID 2776 wrote to memory of 2132	2776	cmd.exe	41
PID 2776 wrote to memory of 2684	2776	cmd.exe	45
PID 2776 wrote to memory of 2684	2776	cmd.exe	45
PID 2776 wrote to memory of 2684	2776	cmd.exe	45
PID 2776 wrote to memory of 2128	2776	cmd.exe	47
PID 2776 wrote to memory of 2128	2776	cmd.exe	47
PID 2776 wrote to memory of 2128	2776	cmd.exe	47
PID 2776 wrote to memory of 2112	2776	cmd.exe	48
PID 2776 wrote to memory of 2112	2776	cmd.exe	48
PID 2776 wrote to memory of 2112	2776	cmd.exe	48
PID 2436 wrote to memory of 676	2436	powershell.exe	52
PID 2436 wrote to memory of 676	2436	powershell.exe	52
PID 2436 wrote to memory of 676	2436	powershell.exe	52
PID 284 wrote to memory of 1656	284	taskeng.exe	56
PID 284 wrote to memory of 1656	284	taskeng.exe	56
PID 284 wrote to memory of 1656	284	taskeng.exe	56
PID 2308 wrote to memory of 1556	2308	cmd.exe	72
PID 2308 wrote to memory of 1556	2308	cmd.exe	72
PID 2308 wrote to memory of 1556	2308	cmd.exe	72
PID 2308 wrote to memory of 1372	2308	cmd.exe	71
PID 2308 wrote to memory of 1372	2308	cmd.exe	71
PID 2308 wrote to memory of 1372	2308	cmd.exe	71
PID 2308 wrote to memory of 2256	2308	cmd.exe	59
PID 2308 wrote to memory of 2256	2308	cmd.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe
  "C:\Users\Admin\AppData\Local\Temp\1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\Octium.exe
      "C:\Users\Admin\AppData\Local\Temp\Octium.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:1204
    - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\TaskMnr.exe
      "C:\Users\Admin\AppData\Local\Temp\TaskMnr.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Drops file in Drivers directory
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:676
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2200
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1628
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:784
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1216
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2308
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:2344
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980

C:\Windows\System32\sc.exe
sc stop UsoSvc
1⤵
- Launches sc.exe
PID:2528

C:\Windows\System32\sc.exe
sc stop dosvc
1⤵
- Launches sc.exe
PID:2208

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\System32\sc.exe
sc stop bits
1⤵
- Launches sc.exe
PID:1732

C:\Windows\System32\sc.exe
sc stop wuauserv
1⤵
- Launches sc.exe
PID:2176

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
1⤵
- Launches sc.exe
PID:1952

C:\Windows\system32\taskeng.exe
taskeng.exe {FD6E3E67-39AB-4AC4-84F6-FC011525C622} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:284
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656

C:\Windows\System32\sc.exe
sc stop wuauserv
1⤵
- Launches sc.exe
PID:2256

C:\Windows\System32\sc.exe
sc stop dosvc
1⤵
- Launches sc.exe
PID:1144

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\System32\sc.exe
sc stop bits
1⤵
- Launches sc.exe
PID:2188

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
1⤵
- Launches sc.exe
PID:1372

C:\Windows\System32\sc.exe
sc stop UsoSvc
1⤵
- Launches sc.exe
PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
12.5MB

MD5
8dbc96129e97e6f44fe615670544f915

SHA1
8b93742b542ea62e08ff1e78e9f5cf8d53d4a57a

SHA256
0cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683

SHA512
63363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
12.5MB

MD5
8dbc96129e97e6f44fe615670544f915

SHA1
8b93742b542ea62e08ff1e78e9f5cf8d53d4a57a

SHA256
0cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683

SHA512
63363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
12.5MB

MD5
8dbc96129e97e6f44fe615670544f915

SHA1
8b93742b542ea62e08ff1e78e9f5cf8d53d4a57a

SHA256
0cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683

SHA512
63363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Octium.exe

Filesize
4.2MB

MD5
f206c33258de47d5e05e9f035efc265c

SHA1
c744ea5b001dc4a9b1e16dd736f44d0d3e9be002

SHA256
298bdf9042629b42e761f52949926d52acd55239181021fd78040bff32678e4a

SHA512
ef249fcb285fd3741e538a76ace582cdfa6042b2f559fa95a8a0245c7a09e3cf675150c1fd42f50383790b553a578c06cd898ef915ebf85e2cc6aab24ea3f90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Octium.exe

Filesize
4.2MB

MD5
f206c33258de47d5e05e9f035efc265c

SHA1
c744ea5b001dc4a9b1e16dd736f44d0d3e9be002

SHA256
298bdf9042629b42e761f52949926d52acd55239181021fd78040bff32678e4a

SHA512
ef249fcb285fd3741e538a76ace582cdfa6042b2f559fa95a8a0245c7a09e3cf675150c1fd42f50383790b553a578c06cd898ef915ebf85e2cc6aab24ea3f90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskMnr.exe

Filesize
12.5MB

MD5
8dbc96129e97e6f44fe615670544f915

SHA1
8b93742b542ea62e08ff1e78e9f5cf8d53d4a57a

SHA256
0cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683

SHA512
63363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskMnr.exe

Filesize
12.5MB

MD5
8dbc96129e97e6f44fe615670544f915

SHA1
8b93742b542ea62e08ff1e78e9f5cf8d53d4a57a

SHA256
0cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683

SHA512
63363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3baa89e4203c864814f555aed3c0ffde

SHA1
a815a16da666a53276e5a95f49b24126a30e6a96

SHA256
7dfc41f7f45b31e4dd6b70082083e5fe4db14ee42382e8cd5fb91ff51fcb0ff7

SHA512
4cd2038915353a20cb1a080844483b1c243789be08c21e1e609f46dcf28945d9461ccc5c621d35b812379a975c50ecf6048141803741084233a09d4c708e9128

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ITADQJVTAV6TOXVD22LF.temp

Filesize
7KB

MD5
3baa89e4203c864814f555aed3c0ffde

SHA1
a815a16da666a53276e5a95f49b24126a30e6a96

SHA256
7dfc41f7f45b31e4dd6b70082083e5fe4db14ee42382e8cd5fb91ff51fcb0ff7

SHA512
4cd2038915353a20cb1a080844483b1c243789be08c21e1e609f46dcf28945d9461ccc5c621d35b812379a975c50ecf6048141803741084233a09d4c708e9128

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
727.2MB

MD5
558616c7f41e97ae6694170b304a3f2b

SHA1
9b58d15a35993e5029665a46f37af3d91ddc5a32

SHA256
d19ef81b8a98c1c858494564945c22bc6084f631bb24efc5490f4fffe0ff9009

SHA512
8f1e821ac4e82b28573ce9154e57758e22dd352c7fad15f82957e2196bad1ad53b547237deb987888823b7624a2344df9c4d6142f1f320248c0c24026fadbecb

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
727.2MB

MD5
558616c7f41e97ae6694170b304a3f2b

SHA1
9b58d15a35993e5029665a46f37af3d91ddc5a32

SHA256
d19ef81b8a98c1c858494564945c22bc6084f631bb24efc5490f4fffe0ff9009

SHA512
8f1e821ac4e82b28573ce9154e57758e22dd352c7fad15f82957e2196bad1ad53b547237deb987888823b7624a2344df9c4d6142f1f320248c0c24026fadbecb

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
12.5MB

MD5
8dbc96129e97e6f44fe615670544f915

SHA1
8b93742b542ea62e08ff1e78e9f5cf8d53d4a57a

SHA256
0cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683

SHA512
63363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a

Download Submit
\Users\Admin\AppData\Local\Temp\Octium.exe

Filesize
4.2MB

MD5
f206c33258de47d5e05e9f035efc265c

SHA1
c744ea5b001dc4a9b1e16dd736f44d0d3e9be002

SHA256
298bdf9042629b42e761f52949926d52acd55239181021fd78040bff32678e4a

SHA512
ef249fcb285fd3741e538a76ace582cdfa6042b2f559fa95a8a0245c7a09e3cf675150c1fd42f50383790b553a578c06cd898ef915ebf85e2cc6aab24ea3f90a

Download Submit
\Users\Admin\AppData\Local\Temp\TaskMnr.exe

Filesize
12.5MB

MD5
8dbc96129e97e6f44fe615670544f915

SHA1
8b93742b542ea62e08ff1e78e9f5cf8d53d4a57a

SHA256
0cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683

SHA512
63363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
727.2MB

MD5
558616c7f41e97ae6694170b304a3f2b

SHA1
9b58d15a35993e5029665a46f37af3d91ddc5a32

SHA256
d19ef81b8a98c1c858494564945c22bc6084f631bb24efc5490f4fffe0ff9009

SHA512
8f1e821ac4e82b28573ce9154e57758e22dd352c7fad15f82957e2196bad1ad53b547237deb987888823b7624a2344df9c4d6142f1f320248c0c24026fadbecb

Download Submit
memory/284-180-0x000000013F890000-0x0000000140830000-memory.dmp

Filesize
15.6MB

Download
memory/284-186-0x000000013F890000-0x0000000140830000-memory.dmp

Filesize
15.6MB

Download
memory/852-170-0x000000013FDE0000-0x0000000140D80000-memory.dmp

Filesize
15.6MB

Download
memory/852-125-0x000000013FDE0000-0x0000000140D80000-memory.dmp

Filesize
15.6MB

Download
memory/852-128-0x000000013FDE0000-0x0000000140D80000-memory.dmp

Filesize
15.6MB

Download
memory/852-127-0x000000013FDE0000-0x0000000140D80000-memory.dmp

Filesize
15.6MB

Download
memory/852-123-0x000000013FDE0000-0x0000000140D80000-memory.dmp

Filesize
15.6MB

Download
memory/852-124-0x000000013FDE0000-0x0000000140D80000-memory.dmp

Filesize
15.6MB

Download
memory/852-122-0x000000013FDE0000-0x0000000140D80000-memory.dmp

Filesize
15.6MB

Download
memory/852-142-0x000000013FDE0000-0x0000000140D80000-memory.dmp

Filesize
15.6MB

Download
memory/852-126-0x000000013FDE0000-0x0000000140D80000-memory.dmp

Filesize
15.6MB

Download
memory/1204-133-0x00000000000B0000-0x00000000009CD000-memory.dmp

Filesize
9.1MB

Download
memory/1204-110-0x00000000000B0000-0x00000000009CD000-memory.dmp

Filesize
9.1MB

Download
memory/1204-111-0x00000000000B0000-0x00000000009CD000-memory.dmp

Filesize
9.1MB

Download
memory/1204-115-0x00000000000B0000-0x00000000009CD000-memory.dmp

Filesize
9.1MB

Download
memory/1204-116-0x00000000000B0000-0x00000000009CD000-memory.dmp

Filesize
9.1MB

Download
memory/1204-107-0x00000000000B0000-0x00000000009CD000-memory.dmp

Filesize
9.1MB

Download
memory/1204-108-0x00000000000B0000-0x00000000009CD000-memory.dmp

Filesize
9.1MB

Download
memory/1204-109-0x00000000000B0000-0x00000000009CD000-memory.dmp

Filesize
9.1MB

Download
memory/1656-181-0x000000013F890000-0x0000000140830000-memory.dmp

Filesize
15.6MB

Download
memory/1656-174-0x000000013F890000-0x0000000140830000-memory.dmp

Filesize
15.6MB

Download
memory/1656-206-0x000000013F890000-0x0000000140830000-memory.dmp

Filesize
15.6MB

Download
memory/1656-187-0x000000013F890000-0x0000000140830000-memory.dmp

Filesize
15.6MB

Download
memory/1656-176-0x000000013F890000-0x0000000140830000-memory.dmp

Filesize
15.6MB

Download
memory/1656-175-0x000000013F890000-0x0000000140830000-memory.dmp

Filesize
15.6MB

Download
memory/1752-193-0x000000000033B000-0x0000000000372000-memory.dmp

Filesize
220KB

Download
memory/1752-192-0x0000000000334000-0x0000000000337000-memory.dmp

Filesize
12KB

Download
memory/2020-134-0x0000000000070000-0x000000000098D000-memory.dmp

Filesize
9.1MB

Download
memory/2020-146-0x0000000000070000-0x000000000098D000-memory.dmp

Filesize
9.1MB

Download
memory/2020-143-0x0000000000070000-0x000000000098D000-memory.dmp

Filesize
9.1MB

Download
memory/2020-140-0x0000000000070000-0x000000000098D000-memory.dmp

Filesize
9.1MB

Download
memory/2020-138-0x0000000000070000-0x000000000098D000-memory.dmp

Filesize
9.1MB

Download
memory/2020-137-0x0000000000070000-0x000000000098D000-memory.dmp

Filesize
9.1MB

Download
memory/2020-139-0x0000000000070000-0x000000000098D000-memory.dmp

Filesize
9.1MB

Download
memory/2020-136-0x0000000000070000-0x000000000098D000-memory.dmp

Filesize
9.1MB

Download
memory/2020-144-0x0000000000070000-0x000000000098D000-memory.dmp

Filesize
9.1MB

Download
memory/2020-141-0x0000000000070000-0x000000000098D000-memory.dmp

Filesize
9.1MB

Download
memory/2020-135-0x0000000000070000-0x000000000098D000-memory.dmp

Filesize
9.1MB

Download
memory/2044-198-0x00000000010B0000-0x0000000001130000-memory.dmp

Filesize
512KB

Download
memory/2044-210-0x00000000010B0000-0x0000000001130000-memory.dmp

Filesize
512KB

Download
memory/2044-197-0x00000000010B0000-0x0000000001130000-memory.dmp

Filesize
512KB

Download
memory/2044-199-0x00000000010B0000-0x0000000001130000-memory.dmp

Filesize
512KB

Download
memory/2044-196-0x00000000010B0000-0x0000000001130000-memory.dmp

Filesize
512KB

Download
memory/2436-167-0x000000000249B000-0x00000000024D2000-memory.dmp

Filesize
220KB

Download
memory/2436-165-0x0000000002050000-0x0000000002058000-memory.dmp

Filesize
32KB

Download
memory/2436-166-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/2436-164-0x000000001B130000-0x000000001B412000-memory.dmp

Filesize
2.9MB

Download
memory/2492-70-0x00000000004F0000-0x0000000000505000-memory.dmp

Filesize
84KB

Download
memory/2492-72-0x00000000004F0000-0x0000000000505000-memory.dmp

Filesize
84KB

Download
memory/2492-62-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download
memory/2492-63-0x00000000004F0000-0x0000000000505000-memory.dmp

Filesize
84KB

Download
memory/2492-64-0x00000000004F0000-0x0000000000505000-memory.dmp

Filesize
84KB

Download
memory/2492-66-0x00000000004F0000-0x0000000000505000-memory.dmp

Filesize
84KB

Download
memory/2492-68-0x00000000004F0000-0x0000000000505000-memory.dmp

Filesize
84KB

Download
memory/2492-84-0x00000000004F0000-0x0000000000505000-memory.dmp

Filesize
84KB

Download
memory/2492-74-0x00000000004F0000-0x0000000000505000-memory.dmp

Filesize
84KB

Download
memory/2492-98-0x0000000000870000-0x0000000000DD8000-memory.dmp

Filesize
5.4MB

Download
memory/2492-61-0x00000000004F0000-0x000000000050C000-memory.dmp

Filesize
112KB

Download
memory/2492-60-0x0000000000870000-0x0000000000DD8000-memory.dmp

Filesize
5.4MB

Download
memory/2492-78-0x00000000004F0000-0x0000000000505000-memory.dmp

Filesize
84KB

Download
memory/2492-57-0x0000000000870000-0x0000000000DD8000-memory.dmp

Filesize
5.4MB

Download
memory/2492-76-0x00000000004F0000-0x0000000000505000-memory.dmp

Filesize
84KB

Download
memory/2492-58-0x0000000000870000-0x0000000000DD8000-memory.dmp

Filesize
5.4MB

Download
memory/2492-82-0x00000000004F0000-0x0000000000505000-memory.dmp

Filesize
84KB

Download
memory/2492-80-0x00000000004F0000-0x0000000000505000-memory.dmp

Filesize
84KB

Download
memory/2492-86-0x00000000004F0000-0x0000000000505000-memory.dmp

Filesize
84KB

Download
memory/2724-155-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/2724-157-0x00000000025EB000-0x0000000002622000-memory.dmp

Filesize
220KB

Download
memory/2724-153-0x0000000001D30000-0x0000000001D38000-memory.dmp

Filesize
32KB

Download
memory/2724-152-0x000000001B040000-0x000000001B322000-memory.dmp

Filesize
2.9MB

Download
memory/2724-154-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/2724-156-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/2936-91-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2936-88-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2936-94-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2936-112-0x00000000080E0000-0x00000000089FD000-memory.dmp

Filesize
9.1MB

Download
memory/2936-87-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2936-90-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2936-89-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2936-92-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2936-96-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2936-99-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download
memory/2936-100-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/2936-101-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/2980-208-0x0000000000BB0000-0x0000000000BD0000-memory.dmp

Filesize
128KB

Download
memory/2980-213-0x0000000000BB0000-0x0000000000BD0000-memory.dmp

Filesize
128KB

Download