26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725

Analysis

max time kernel
301s
max time network
202s
platform
windows7_x64
resource
win7-20220414-en
submitted
22-05-2022 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe
Size

63KB
MD5

d7cf93cdc74ec7ee635a0ab5ad0dd573
SHA1

88eb48930852beeec6d810967506ad4462329253
SHA256

26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725
SHA512

f158983b8cce0849c4947db54ce08519cb1aae1c8d00ac56c9b24bf988aceddd5842a2fbb34ae02c29d908b33e537fd7faeaeca6bc96d6710524d581f2bf9966

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

dllhost.exe

pid process

1064 dllhost.exe
Loads dropped DLL 1 IoCs

Processes:

26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe

pid process

1192 26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe

pid	process
1064	dllhost.exe

pid	process
1192	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1664	schtasks.exe
916	schtasks.exe
1592	schtasks.exe
1760	schtasks.exe
1000	schtasks.exe
1964	schtasks.exe
320	schtasks.exe
1524	schtasks.exe
1768	schtasks.exe
304	schtasks.exe
748	schtasks.exe
1496	schtasks.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exedllhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	dllhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	dllhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exedllhost.exe

pid	process
1220	powershell.exe
1992	powershell.exe
1784	powershell.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe
1064	dllhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1192	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe
Token: SeDebugPrivilege	1064	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.execmd.exedllhost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1192 wrote to memory of 1680	1192	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe	cmd.exe
PID 1192 wrote to memory of 1680	1192	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe	cmd.exe
PID 1192 wrote to memory of 1680	1192	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe	cmd.exe
PID 1192 wrote to memory of 1680	1192	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe	cmd.exe
PID 1680 wrote to memory of 1264	1680	cmd.exe	chcp.com
PID 1680 wrote to memory of 1264	1680	cmd.exe	chcp.com
PID 1680 wrote to memory of 1264	1680	cmd.exe	chcp.com
PID 1680 wrote to memory of 1264	1680	cmd.exe	chcp.com
PID 1680 wrote to memory of 1220	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 1220	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 1220	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 1220	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 1992	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 1992	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 1992	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 1992	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 1784	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 1784	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 1784	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 1784	1680	cmd.exe	powershell.exe
PID 1192 wrote to memory of 1064	1192	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe	dllhost.exe
PID 1192 wrote to memory of 1064	1192	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe	dllhost.exe
PID 1192 wrote to memory of 1064	1192	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe	dllhost.exe
PID 1192 wrote to memory of 1064	1192	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe	dllhost.exe
PID 1064 wrote to memory of 1160	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 1160	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 1160	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 1160	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 1412	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 1412	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 1412	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 1412	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 1776	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 1776	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 1776	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 1776	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 2020	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 2020	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 2020	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 2020	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 1032	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 1032	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 1032	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 1032	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 684	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 684	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 684	1064	dllhost.exe	cmd.exe
PID 1064 wrote to memory of 684	1064	dllhost.exe	cmd.exe
PID 1160 wrote to memory of 1664	1160	cmd.exe	schtasks.exe
PID 1160 wrote to memory of 1664	1160	cmd.exe	schtasks.exe
PID 1160 wrote to memory of 1664	1160	cmd.exe	schtasks.exe
PID 1160 wrote to memory of 1664	1160	cmd.exe	schtasks.exe
PID 1412 wrote to memory of 916	1412	cmd.exe	schtasks.exe
PID 1412 wrote to memory of 916	1412	cmd.exe	schtasks.exe
PID 1412 wrote to memory of 916	1412	cmd.exe	schtasks.exe
PID 1412 wrote to memory of 916	1412	cmd.exe	schtasks.exe
PID 1776 wrote to memory of 1768	1776	cmd.exe	schtasks.exe
PID 1776 wrote to memory of 1768	1776	cmd.exe	schtasks.exe
PID 1776 wrote to memory of 1768	1776	cmd.exe	schtasks.exe
PID 1776 wrote to memory of 1768	1776	cmd.exe	schtasks.exe
PID 1032 wrote to memory of 1760	1032	cmd.exe	schtasks.exe
PID 1032 wrote to memory of 1760	1032	cmd.exe	schtasks.exe
PID 1032 wrote to memory of 1760	1032	cmd.exe	schtasks.exe
PID 1032 wrote to memory of 1760	1032	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe
"C:\Users\Admin\AppData\Local\Temp\26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
2⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:1264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1664

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:916

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1768

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2020

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1592

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1760

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:684

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1524

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1080

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1000

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk3552" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:896

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk3552" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:748

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk7159" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk3988" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1072

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk3988" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1496

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1348" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:1692

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:1384

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:2020

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:1740

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:1204

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1968

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:1964

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1348" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:320

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk7159" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
80KB

MD5
0426f4269f3de8ffe4f85df9e8454b4b

SHA1
6fa3f292df8c849d10a21140f48d9d64d27870fe

SHA256
ee0a13f5d66a499fc53678ba0e4f55f769ecb8a883d90f6025cd62c7f4ddf0ad

SHA512
566b6711569011ac26294ff00ce8c06667b0dd387a89ef5e49847138ad5a25144f13a1f58bac763bc3d3d454f3ba068494e08b702f5d3e4005a5cb1feab54d02

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
80KB

MD5
0426f4269f3de8ffe4f85df9e8454b4b

SHA1
6fa3f292df8c849d10a21140f48d9d64d27870fe

SHA256
ee0a13f5d66a499fc53678ba0e4f55f769ecb8a883d90f6025cd62c7f4ddf0ad

SHA512
566b6711569011ac26294ff00ce8c06667b0dd387a89ef5e49847138ad5a25144f13a1f58bac763bc3d3d454f3ba068494e08b702f5d3e4005a5cb1feab54d02

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
483B

MD5
f18199cca935101bc69f32237311cd21

SHA1
9a997db9963ac2a32284871dd61b3deebc98dc64

SHA256
287957d2a31213e87fc7df350ccb935cc66764605a61a66032539d6b08431cf1

SHA512
f6770230ec32f440a65f78e5670bb6b99b3fdcecc923a6d96da06e9586ab2953726601367f78d3d087ab0aea886c833463b429a740b985028daded3de1c78606

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db527f114abfa6fb47c0c5f56d2c0030

SHA1
002758f7a6fdef85d73f1b4776e308b7503718e4

SHA256
5f42aa498a3ed40915090fdb0f722348dfae5b8113e1fea44843fb18b8b26bd9

SHA512
6fd315b774af43e575e5592d6600576744555fef42892e87a19c9169a49e8f8c3531c0c651b59bb85938cc38360c665e4c1ccadc7f13ace241503ad778e4ee24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
db527f114abfa6fb47c0c5f56d2c0030

SHA1
002758f7a6fdef85d73f1b4776e308b7503718e4

SHA256
5f42aa498a3ed40915090fdb0f722348dfae5b8113e1fea44843fb18b8b26bd9

SHA512
6fd315b774af43e575e5592d6600576744555fef42892e87a19c9169a49e8f8c3531c0c651b59bb85938cc38360c665e4c1ccadc7f13ace241503ad778e4ee24

Download Submit
\ProgramData\Dllhost\dllhost.exe

Filesize
80KB

MD5
0426f4269f3de8ffe4f85df9e8454b4b

SHA1
6fa3f292df8c849d10a21140f48d9d64d27870fe

SHA256
ee0a13f5d66a499fc53678ba0e4f55f769ecb8a883d90f6025cd62c7f4ddf0ad

SHA512
566b6711569011ac26294ff00ce8c06667b0dd387a89ef5e49847138ad5a25144f13a1f58bac763bc3d3d454f3ba068494e08b702f5d3e4005a5cb1feab54d02

Download Submit
memory/304-98-0x0000000000000000-mapping.dmp

Download
memory/320-95-0x0000000000000000-mapping.dmp

Download
memory/684-82-0x0000000000000000-mapping.dmp

Download
memory/748-99-0x0000000000000000-mapping.dmp

Download
memory/896-93-0x0000000000000000-mapping.dmp

Download
memory/916-84-0x0000000000000000-mapping.dmp

Download
memory/996-112-0x0000000000000000-mapping.dmp

Download
memory/1000-96-0x0000000000000000-mapping.dmp

Download
memory/1032-81-0x0000000000000000-mapping.dmp

Download
memory/1064-71-0x0000000000000000-mapping.dmp

Download
memory/1064-74-0x0000000001110000-0x000000000112A000-memory.dmp

Filesize
104KB

Download
memory/1064-75-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/1072-91-0x0000000000000000-mapping.dmp

Download
memory/1080-88-0x0000000000000000-mapping.dmp

Download
memory/1160-77-0x0000000000000000-mapping.dmp

Download
memory/1192-54-0x0000000000090000-0x00000000000A6000-memory.dmp

Filesize
88KB

Download
memory/1192-56-0x00000000765C1000-0x00000000765C3000-memory.dmp

Filesize
8KB

Download
memory/1192-55-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/1204-114-0x0000000000000000-mapping.dmp

Download
memory/1220-61-0x000000006FD00000-0x00000000702AB000-memory.dmp

Filesize
5.7MB

Download
memory/1220-59-0x0000000000000000-mapping.dmp

Download
memory/1264-58-0x0000000000000000-mapping.dmp

Download
memory/1352-109-0x0000000000000000-mapping.dmp

Download
memory/1384-105-0x0000000000000000-mapping.dmp

Download
memory/1412-78-0x0000000000000000-mapping.dmp

Download
memory/1476-90-0x0000000000000000-mapping.dmp

Download
memory/1496-100-0x0000000000000000-mapping.dmp

Download
memory/1524-94-0x0000000000000000-mapping.dmp

Download
memory/1592-87-0x0000000000000000-mapping.dmp

Download
memory/1664-83-0x0000000000000000-mapping.dmp

Download
memory/1680-57-0x0000000000000000-mapping.dmp

Download
memory/1692-102-0x0000000000000000-mapping.dmp

Download
memory/1740-111-0x0000000000000000-mapping.dmp

Download
memory/1760-86-0x0000000000000000-mapping.dmp

Download
memory/1768-85-0x0000000000000000-mapping.dmp

Download
memory/1776-79-0x0000000000000000-mapping.dmp

Download
memory/1784-69-0x000000006FA50000-0x000000006FFFB000-memory.dmp

Filesize
5.7MB

Download
memory/1784-66-0x0000000000000000-mapping.dmp

Download
memory/1888-92-0x0000000000000000-mapping.dmp

Download
memory/1944-89-0x0000000000000000-mapping.dmp

Download
memory/1964-97-0x0000000000000000-mapping.dmp

Download
memory/1968-115-0x0000000000000000-mapping.dmp

Download
memory/1992-65-0x000000006FE00000-0x00000000703AB000-memory.dmp

Filesize
5.7MB

Download
memory/1992-62-0x0000000000000000-mapping.dmp

Download
memory/1996-103-0x0000000000000000-mapping.dmp

Download
memory/2020-108-0x0000000000000000-mapping.dmp

Download
memory/2020-80-0x0000000000000000-mapping.dmp

Download
memory/2036-106-0x0000000000000000-mapping.dmp

Download