xmrig | dca33b5f75d01e953e87a0bfca64ed31d460f2feed1db968b59dc7f98771221f

Analysis

max time kernel
300s
max time network
296s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
29/05/2023, 03:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dca33b5f75d01e953e87a0bfca64ed31d460f2feed1db968b59dc7f98771221f.exe
Size

312KB
MD5

7c3c0e8ef38bdb43da4aa12b1815ac8b
SHA1

778dcbf3ecbc7f46c3166abbae9f9a1fd17319e4
SHA256

dca33b5f75d01e953e87a0bfca64ed31d460f2feed1db968b59dc7f98771221f
SHA512

07a8f990fedfd04776f30f69faac52d62a372d0291099818bb3e959d6e1228ea4e63f1022905f31f2d4a0598f0e83122f5ba67b9909e43bc458cf6479bad1cb2
SSDEEP

6144:ZqizpeVCVvjFKDLXJepjSq5dEO9Uj6qcIwvD:HdeoRJKDLXJSSqP9y6qFgD

Score

10^/10

xmrig miner

Malware Config

Signatures

XMRig Miner payload 25 IoCs

miner

resource	yara_rule
behavioral2/files/0x000200000001aec3-1450.dat	family_xmrig
behavioral2/files/0x000200000001aec3-1450.dat	xmrig
behavioral2/memory/3384-1454-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1455-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1457-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1459-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1460-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1461-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1462-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1463-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1464-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1465-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1466-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1467-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1468-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1469-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1470-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1471-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1472-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1473-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1474-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1475-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1476-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1477-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3384-1478-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AppLaunch.exe

Executes dropped EXE 2 IoCs

pid	Process
4392	dllhost.exe
3384	winlogson.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3240 set thread context of 3748	3240	dca33b5f75d01e953e87a0bfca64ed31d460f2feed1db968b59dc7f98771221f.exe	67

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4076	schtasks.exe
2460	schtasks.exe
3980	schtasks.exe
3200	schtasks.exe
4600	schtasks.exe
4232	schtasks.exe
4948	schtasks.exe
4504	schtasks.exe
4940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3748	AppLaunch.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
2464	powershell.exe
2464	powershell.exe
2096	powershell.exe
2096	powershell.exe
4616	powershell.exe
4616	powershell.exe
1104	powershell.exe
1104	powershell.exe
4612	powershell.exe
4612	powershell.exe
1104	powershell.exe
2464	powershell.exe
2096	powershell.exe
4612	powershell.exe
4616	powershell.exe
1104	powershell.exe
2464	powershell.exe
2096	powershell.exe
4612	powershell.exe
4616	powershell.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe
4392	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
636	Process not Found

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3748	AppLaunch.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeShutdownPrivilege	1508	powercfg.exe
Token: SeCreatePagefilePrivilege	1508	powercfg.exe
Token: SeShutdownPrivilege	4580	powercfg.exe
Token: SeCreatePagefilePrivilege	4580	powercfg.exe
Token: SeShutdownPrivilege	2344	powercfg.exe
Token: SeCreatePagefilePrivilege	2344	powercfg.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeShutdownPrivilege	4452	powercfg.exe
Token: SeCreatePagefilePrivilege	4452	powercfg.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeShutdownPrivilege	4384	powercfg.exe
Token: SeCreatePagefilePrivilege	4384	powercfg.exe
Token: SeShutdownPrivilege	4384	powercfg.exe
Token: SeCreatePagefilePrivilege	4384	powercfg.exe
Token: SeDebugPrivilege	4392	dllhost.exe
Token: SeLockMemoryPrivilege	3384	winlogson.exe
Token: SeLockMemoryPrivilege	3384	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3384	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 3748	3240	dca33b5f75d01e953e87a0bfca64ed31d460f2feed1db968b59dc7f98771221f.exe	67
PID 3240 wrote to memory of 3748	3240	dca33b5f75d01e953e87a0bfca64ed31d460f2feed1db968b59dc7f98771221f.exe	67
PID 3240 wrote to memory of 3748	3240	dca33b5f75d01e953e87a0bfca64ed31d460f2feed1db968b59dc7f98771221f.exe	67
PID 3240 wrote to memory of 3748	3240	dca33b5f75d01e953e87a0bfca64ed31d460f2feed1db968b59dc7f98771221f.exe	67
PID 3240 wrote to memory of 3748	3240	dca33b5f75d01e953e87a0bfca64ed31d460f2feed1db968b59dc7f98771221f.exe	67
PID 3748 wrote to memory of 5008	3748	AppLaunch.exe	69
PID 3748 wrote to memory of 5008	3748	AppLaunch.exe	69
PID 3748 wrote to memory of 5008	3748	AppLaunch.exe	69
PID 5008 wrote to memory of 1764	5008	cmd.exe	71
PID 5008 wrote to memory of 1764	5008	cmd.exe	71
PID 5008 wrote to memory of 1764	5008	cmd.exe	71
PID 3748 wrote to memory of 4392	3748	AppLaunch.exe	72
PID 3748 wrote to memory of 4392	3748	AppLaunch.exe	72
PID 3748 wrote to memory of 4392	3748	AppLaunch.exe	72
PID 3748 wrote to memory of 1848	3748	AppLaunch.exe	86
PID 3748 wrote to memory of 1848	3748	AppLaunch.exe	86
PID 3748 wrote to memory of 1848	3748	AppLaunch.exe	86
PID 3748 wrote to memory of 604	3748	AppLaunch.exe	85
PID 3748 wrote to memory of 604	3748	AppLaunch.exe	85
PID 3748 wrote to memory of 604	3748	AppLaunch.exe	85
PID 3748 wrote to memory of 4316	3748	AppLaunch.exe	84
PID 3748 wrote to memory of 4316	3748	AppLaunch.exe	84
PID 3748 wrote to memory of 4316	3748	AppLaunch.exe	84
PID 3748 wrote to memory of 3456	3748	AppLaunch.exe	83
PID 3748 wrote to memory of 3456	3748	AppLaunch.exe	83
PID 3748 wrote to memory of 3456	3748	AppLaunch.exe	83
PID 3748 wrote to memory of 3028	3748	AppLaunch.exe	82
PID 3748 wrote to memory of 3028	3748	AppLaunch.exe	82
PID 3748 wrote to memory of 3028	3748	AppLaunch.exe	82
PID 3748 wrote to memory of 1584	3748	AppLaunch.exe	81
PID 3748 wrote to memory of 1584	3748	AppLaunch.exe	81
PID 3748 wrote to memory of 1584	3748	AppLaunch.exe	81
PID 3748 wrote to memory of 192	3748	AppLaunch.exe	80
PID 3748 wrote to memory of 192	3748	AppLaunch.exe	80
PID 3748 wrote to memory of 192	3748	AppLaunch.exe	80
PID 3748 wrote to memory of 3512	3748	AppLaunch.exe	79
PID 3748 wrote to memory of 3512	3748	AppLaunch.exe	79
PID 3748 wrote to memory of 3512	3748	AppLaunch.exe	79
PID 3748 wrote to memory of 308	3748	AppLaunch.exe	78
PID 3748 wrote to memory of 308	3748	AppLaunch.exe	78
PID 3748 wrote to memory of 308	3748	AppLaunch.exe	78
PID 3748 wrote to memory of 3516	3748	AppLaunch.exe	77
PID 3748 wrote to memory of 3516	3748	AppLaunch.exe	77
PID 3748 wrote to memory of 3516	3748	AppLaunch.exe	77
PID 3748 wrote to memory of 220	3748	AppLaunch.exe	76
PID 3748 wrote to memory of 220	3748	AppLaunch.exe	76
PID 3748 wrote to memory of 220	3748	AppLaunch.exe	76
PID 3748 wrote to memory of 216	3748	AppLaunch.exe	75
PID 3748 wrote to memory of 216	3748	AppLaunch.exe	75
PID 3748 wrote to memory of 216	3748	AppLaunch.exe	75
PID 3748 wrote to memory of 2212	3748	AppLaunch.exe	74
PID 3748 wrote to memory of 2212	3748	AppLaunch.exe	74
PID 3748 wrote to memory of 2212	3748	AppLaunch.exe	74
PID 3748 wrote to memory of 2240	3748	AppLaunch.exe	73
PID 3748 wrote to memory of 2240	3748	AppLaunch.exe	73
PID 3748 wrote to memory of 2240	3748	AppLaunch.exe	73
PID 4316 wrote to memory of 3200	4316	cmd.exe	101
PID 4316 wrote to memory of 3200	4316	cmd.exe	101
PID 4316 wrote to memory of 3200	4316	cmd.exe	101
PID 3456 wrote to memory of 4232	3456	cmd.exe	109
PID 3456 wrote to memory of 4232	3456	cmd.exe	109
PID 3456 wrote to memory of 4232	3456	cmd.exe	109
PID 3028 wrote to memory of 3980	3028	cmd.exe	108
PID 3028 wrote to memory of 3980	3028	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\dca33b5f75d01e953e87a0bfca64ed31d460f2feed1db968b59dc7f98771221f.exe
"C:\Users\Admin\AppData\Local\Temp\dca33b5f75d01e953e87a0bfca64ed31d460f2feed1db968b59dc7f98771221f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjADMAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAOABPADMATABIAG8ARgBnADgAZAByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAMQBRADQAZwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB5AEEATgA4AG0ANgB6ADEAWABzAG0AagAjAD4A"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjADMAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAOABPADMATABIAG8ARgBnADgAZAByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAMQBRADQAZwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB5AEEATgA4AG0ANgB6ADEAWABzAG0AagAjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1764
- - C:\ProgramData\Dllhost\dllhost.exe
    "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:4416
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:4120
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3384
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo UN & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo vaйeqwТчЦМ1pOьj3
    3⤵
    PID:2240
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1508
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4580
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2344
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4452
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /hibernate off
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4384
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjADoEQwRsAEgELQQbBFkAIQQdBBQETAQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAVQBzAEkAJQQkBFIAcwAuBHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAEEAdQAfBEQEUgA5ABEENAA+BD4EVQBzACMAPgAgAEAAKAAgADwAIwBNAEMEVQBlAHEAGwROBDQEJAQrBGkAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAFEAEQQcBE8ANgBNBEcEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEwEHwRXAGcATQBoADYAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMANgBrACEEKgRDADYAGAROADgATgBiAG0AWAAjAD4A"
    3⤵
    PID:2212
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjADoEQwRsAEgELQQbBFkAIQQdBBQETAQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAVQBzAEkAJQQkBFIAcwAuBHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAEEAdQAfBEQEUgA5ABEENAA+BD4EVQBzACMAPgAgAEAAKAAgADwAIwBNAEMEVQBlAHEAGwROBDQEJAQrBGkAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAFEAEQQcBE8ANgBNBEcEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEwEHwRXAGcATQBoADYAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMANgBrACEEKgRDADYAGAROADgATgBiAG0AWAAjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjADgANQQXBBcELwRPBE0AbAA5BD0EeAArBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdABqAEkAQwA8BEUEOgR3AGYARwBlAFEATQQeBCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBKAE8EKwQjAD4AIABAACgAIAA8ACMAUgAVBDIEcwBWACUEJgQVBDIENQA1ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwA2BHkAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAGkATAAvBDUEKwQ9BEkEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAMwBJAB0EOQBIAB0EdQApBCkEIwA+AA=="
    3⤵
    PID:216
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjADgANQQXBBcELwRPBE0AbAA5BD0EeAArBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdABqAEkAQwA8BEUEOgR3AGYARwBlAFEATQQeBCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBKAE8EKwQjAD4AIABAACgAIAA8ACMAUgAVBDIEcwBWACUEJgQVBDIENQA1ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwA2BHkAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAGkATAAvBDUEKwQ9BEkEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAMwBJAB0EOQBIAB0EdQApBCkEIwA+AA=="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4612
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjADcEZwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjABIESQRGADEEcgAfBD0EFwRQAE0ENgBxAEEEQAQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAcgBDBDkAOABVADgEQQAQBB0EFwRKBC0EIQQYBEoAIwA+ACAAQAAoACAAPAAjAEUAJgQ4AB8EWABkADIAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAC4EJAQgBFcAJwRvAEMEOQAyAFoAFQQxACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBrAE8EegA7BEcENQAWBEgEHAQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwArBGcASABCAFUAQQAmBEkEbgBrACMAPgA="
    3⤵
    PID:220
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjADcEZwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjABIESQRGADEEcgAfBD0EFwRQAE0ENgBxAEEEQAQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAcgBDBDkAOABVADgEQQAQBB0EFwRKBC0EIQQYBEoAIwA+ACAAQAAoACAAPAAjAEUAJgQ4AB8EWABkADIAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAC4EJAQgBFcAJwRvAEMEOQAyAFoAFQQxACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBrAE8EegA7BEcENQAWBEgEHAQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwArBGcASABCAFUAQQAmBEkEbgBrACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4616
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjABcEeQB5AEMAZQBlAFoASgRCACoEEwQxBDIETARDBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAHgRUABoETgRDAFoASAA4BCsERQRIADEASQBQADAEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAC0EEwRQABUEZgAwBHkAIwA+ACAAQAAoACAAPAAjABAEJAQ8BEgEbQBJAC8EbABUABQEMABPBFMAVAAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAMAAtBDgAVQA2ACMEEQROACAEQgAxACkEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAFkAMQQcBEkAdgAQBB8EVgA8BEIEMgRFBD4EIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABUABYEJwQjAD4A"
    3⤵
    PID:3516
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjABcEeQB5AEMAZQBlAFoASgRCACoEEwQxBDIETARDBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAHgRUABoETgRDAFoASAA4BCsERQRIADEASQBQADAEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAC0EEwRQABUEZgAwBHkAIwA+ACAAQAAoACAAPAAjABAEJAQ8BEgEbQBJAC8EbABUABQEMABPBFMAVAAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAMAAtBDgAVQA2ACMEEQROACAEQgAxACkEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAFkAMQQcBEkAdgAQBB8EVgA8BEIEMgRFBD4EIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABUABYEJwQjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjABYEQQRVAHIAZwBABCUEbwA/BHMAKwQTBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcgBvADwEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjACsEOQRMACMEVgAfBDkERABOBEQEPARiACMAPgAgAEAAKAAgADwAIwBPADYEMgQQBG4AawBMAHcAPgQ2BDkEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjABoEdAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMARAAkBEMALwRJADIAFgRYAB4EYgA9BCkEHwQUBE4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABtACMAPgA="
    3⤵
    PID:308
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjABYEQQRVAHIAZwBABCUEbwA/BHMAKwQTBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcgBvADwEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjACsEOQRMACMEVgAfBDkERABOBEQEPARiACMAPgAgAEAAKAAgADwAIwBPADYEMgQQBG4AawBMAHcAPgQ2BDkEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjABoEdAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMARAAkBEMALwRJADIAFgRYAB4EYgA9BCkEHwQUBE4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABtACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo Ь & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo КОy
    3⤵
    PID:3512
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo ДКwOGяМЦЮФmш & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo лcЕэOчKPsYLХdЧU
    3⤵
    PID:192
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4948
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo JNяЩчч & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo сYьъъn7EZфюuОUkгН
    3⤵
    PID:1584
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo т0АЖGАг & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo пчеС
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3980
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo гбШМжнuотщРT9мRpZ & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo аQил
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3456
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4232
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo 9kkIQSЫP & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo FJliJ5фдоzk
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3200
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo ТxeDаЮцЧyи6 & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ПЗУ
    3⤵
    PID:604
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo ДКRШ6 & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo бАmД3мpОx1Aч
    3⤵
    PID:1848
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\HostData\config.json

Filesize
321B

MD5
300b449edc60caae9b8a51f5e539e2ff

SHA1
fea241c542cd60d1145f53de5f4c0beadb1f7c0c

SHA256
1fe7f8b2dad7fafab0f942f77a80ffe6bd5a69afd21802f23aba6905566cfdf0

SHA512
cb1e76f4a77169edf8f7293b64becb3a6dfa2fc8d92c61d5a282568331f8e72fed6c4869aea94114abcaa0cc5a4569e3fc10bcab8f36ee2e666880ed8c6e08b7

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
345B

MD5
f772286a692719f8a6df95e2ca1df811

SHA1
9e9b67c0f3d196354e58c35b54a626dbc8bd0695

SHA256
658ba60fd24a40cfc2367f4a803ecd2cfc412155427575b8477926cd37caa5fc

SHA512
9d60db43f8a3942877f7f9b4c892888b3426d8df8a79d0b7204e10215b7789ae7ae87cdcbfee88d1fa91a39eb632085be52857dbc9be952ca0e2d9a1c2012cbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
189eea870f644f4ddb4ead8877050543

SHA1
b2b04580a2bcef59ab4d1e7c4764443e63b4403d

SHA256
1ed971d5bd6499803cc03e756cab1b8073234de531640907204e5befea30f586

SHA512
c7ccf1b441688d151dd01e486ce0bb90bd3f2543b35c9cdcd23ac81691e31fafda9f31dc74727a02764b45b9e9c7f81b997a7d459ae3d63ebdbf40aefa931089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
189eea870f644f4ddb4ead8877050543

SHA1
b2b04580a2bcef59ab4d1e7c4764443e63b4403d

SHA256
1ed971d5bd6499803cc03e756cab1b8073234de531640907204e5befea30f586

SHA512
c7ccf1b441688d151dd01e486ce0bb90bd3f2543b35c9cdcd23ac81691e31fafda9f31dc74727a02764b45b9e9c7f81b997a7d459ae3d63ebdbf40aefa931089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
189eea870f644f4ddb4ead8877050543

SHA1
b2b04580a2bcef59ab4d1e7c4764443e63b4403d

SHA256
1ed971d5bd6499803cc03e756cab1b8073234de531640907204e5befea30f586

SHA512
c7ccf1b441688d151dd01e486ce0bb90bd3f2543b35c9cdcd23ac81691e31fafda9f31dc74727a02764b45b9e9c7f81b997a7d459ae3d63ebdbf40aefa931089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4469970d2a5b92dac77a724bf801ecb5

SHA1
884eb7a9095f71130efd7de4283452bee402203a

SHA256
ef3af585fb52b0a1761061b0d7c443bcd6dbdc3f4cd02183ee42c02bfcbaf6c2

SHA512
266b700ad324d55bd4385f2695c9b288ad01b2c5bf585dddd470c6d037cfe7240b3f915784fa14df883d59347e6ae40af9f78efaf3bc1cd15e30c6c30597751c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1106996ecfab7bedb77b84657c3dfd43

SHA1
4d5d40fcc3d2d2073d642c6ab1cadbff0755867b

SHA256
54530a53c4ba36610333b3ebb18bbc69d4e580ca690f227f8f41b5b7d957b113

SHA512
5e8638c0b5349b25b8d3db2a6c121983b26115a57d0127fda936994db02051554aa990bad7ce97fb933285f2b2876396548303bb189e8e637c7ef1e22a7a75e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
dc77079a997cdb7f41554838912631c8

SHA1
be55cab2556b30b283c83b607dc902d9581353ba

SHA256
c89efc2342c08c33245fb6537dd6a83194788a44bd0bc4af8f3a7efdba297b25

SHA512
7ce3ebc416c039a15f80e78e422a37e7eadc553acb8aaf47174d220e65502248c6e7d8cff5b43d222e15aa3faea29d5bece846b6c1f375cc12e047aa4484237f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
51c3b5dc3cabf153b0442954d21cc3c2

SHA1
d845b7372273486ababd38a40031974ce0f7e63a

SHA256
a4bdc50858e78eb6ac00f5e2527e79fe02543c0086f2eb55a5c620165b8766be

SHA512
fb428803587bb93451626b65db23fcd656f8fc2675b1b7445fb3e4cd1589e247710d44fd99a665fbfae0813272536c4d68ad6242076f71e3e2227c69c853e58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iep1eeco.yqc.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/1104-1040-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/1104-565-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/1104-510-0x000000007EDE0000-0x000000007EDF0000-memory.dmp

Filesize
64KB

Download
memory/1104-505-0x0000000009A80000-0x0000000009B25000-memory.dmp

Filesize
660KB

Download
memory/1104-426-0x0000000008A40000-0x0000000008A8B000-memory.dmp

Filesize
300KB

Download
memory/1104-835-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/1104-839-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/1104-418-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/1104-993-0x000000007EDE0000-0x000000007EDF0000-memory.dmp

Filesize
64KB

Download
memory/1104-419-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/1764-175-0x000000007FC60000-0x000000007FC70000-memory.dmp

Filesize
64KB

Download
memory/1764-168-0x0000000009560000-0x000000000957E000-memory.dmp

Filesize
120KB

Download
memory/1764-140-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1764-136-0x0000000007560000-0x0000000007B88000-memory.dmp

Filesize
6.2MB

Download
memory/1764-139-0x0000000007DD0000-0x0000000008120000-memory.dmp

Filesize
3.3MB

Download
memory/1764-138-0x0000000007480000-0x00000000074E6000-memory.dmp

Filesize
408KB

Download
memory/1764-143-0x00000000083B0000-0x00000000083FB000-memory.dmp

Filesize
300KB

Download
memory/1764-137-0x00000000073E0000-0x0000000007402000-memory.dmp

Filesize
136KB

Download
memory/1764-135-0x0000000004970000-0x00000000049A6000-memory.dmp

Filesize
216KB

Download
memory/1764-142-0x00000000081A0000-0x00000000081BC000-memory.dmp

Filesize
112KB

Download
memory/1764-144-0x0000000008480000-0x00000000084F6000-memory.dmp

Filesize
472KB

Download
memory/1764-377-0x00000000097F0000-0x00000000097F8000-memory.dmp

Filesize
32KB

Download
memory/1764-372-0x0000000009810000-0x000000000982A000-memory.dmp

Filesize
104KB

Download
memory/1764-167-0x0000000009580000-0x00000000095B3000-memory.dmp

Filesize
204KB

Download
memory/1764-141-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1764-176-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1764-173-0x00000000095C0000-0x0000000009665000-memory.dmp

Filesize
660KB

Download
memory/1764-174-0x00000000098B0000-0x0000000009944000-memory.dmp

Filesize
592KB

Download
memory/2096-831-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2096-819-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2096-586-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2096-417-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2096-560-0x000000007EE80000-0x000000007EE90000-memory.dmp

Filesize
64KB

Download
memory/2096-1036-0x000000007EE80000-0x000000007EE90000-memory.dmp

Filesize
64KB

Download
memory/2096-414-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2464-950-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/2464-512-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/2464-580-0x0000000006960000-0x0000000006970000-memory.dmp

Filesize
64KB

Download
memory/2464-415-0x0000000006960000-0x0000000006970000-memory.dmp

Filesize
64KB

Download
memory/2464-416-0x0000000006960000-0x0000000006970000-memory.dmp

Filesize
64KB

Download
memory/2464-424-0x00000000076F0000-0x0000000007A40000-memory.dmp

Filesize
3.3MB

Download
memory/2464-827-0x0000000006960000-0x0000000006970000-memory.dmp

Filesize
64KB

Download
memory/2464-823-0x0000000006960000-0x0000000006970000-memory.dmp

Filesize
64KB

Download
memory/3384-1470-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1477-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1476-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1474-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1473-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1472-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1471-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1455-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1469-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1468-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1467-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1475-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1478-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1466-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1465-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1464-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1463-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1462-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1461-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1460-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1459-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1451-0x00000000001A0000-0x00000000001C0000-memory.dmp

Filesize
128KB

Download
memory/3384-1457-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3384-1454-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3748-121-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3748-395-0x000000000B4C0000-0x000000000B4D0000-memory.dmp

Filesize
64KB

Download
memory/3748-129-0x000000000B330000-0x000000000B3C2000-memory.dmp

Filesize
584KB

Download
memory/3748-128-0x000000000B790000-0x000000000BC8E000-memory.dmp

Filesize
5.0MB

Download
memory/3748-130-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/3748-131-0x000000000B4D0000-0x000000000B536000-memory.dmp

Filesize
408KB

Download
memory/3748-132-0x000000000B4C0000-0x000000000B4D0000-memory.dmp

Filesize
64KB

Download
memory/4392-400-0x00000000009A0000-0x00000000009B6000-memory.dmp

Filesize
88KB

Download
memory/4392-413-0x00000000078F0000-0x0000000007900000-memory.dmp

Filesize
64KB

Download
memory/4392-814-0x00000000078F0000-0x0000000007900000-memory.dmp

Filesize
64KB

Download
memory/4612-423-0x00000000070B0000-0x00000000070C0000-memory.dmp

Filesize
64KB

Download
memory/4612-599-0x00000000070B0000-0x00000000070C0000-memory.dmp

Filesize
64KB

Download
memory/4612-574-0x000000007EE50000-0x000000007EE60000-memory.dmp

Filesize
64KB

Download
memory/4612-851-0x00000000070B0000-0x00000000070C0000-memory.dmp

Filesize
64KB

Download
memory/4612-422-0x00000000070B0000-0x00000000070C0000-memory.dmp

Filesize
64KB

Download
memory/4612-847-0x00000000070B0000-0x00000000070C0000-memory.dmp

Filesize
64KB

Download
memory/4616-421-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4616-842-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4616-845-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4616-420-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4616-592-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4616-569-0x000000007F000000-0x000000007F010000-memory.dmp

Filesize
64KB

Download