raccoon | 43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2022 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe
Size

6.3MB
MD5

b5244af94b52a188ce9b656496cfd4e9
SHA1

b20b386d490de019c1c545ed6b559bec6d26fb20
SHA256

43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c
SHA512

bebbf03384684dd496f49d5b9cba325f8037d424319d753fd53676f70f582c562aa72057ee84874745094dd1ac992394ce1dc7c935d108b5fbbf831166145af9
SSDEEP

196608:mTpT8xO0fG5I8DOeo/thaqgBy85X2xuA:mUO0fG+eoVh4ykmT

Score

10^/10

raccoon xmrig ytstealer 4d169f192247ee46f9b3369d26d270d2 discovery miner persistence spyware stealer upx

Malware Config

Extracted

Family

raccoon

Botnet

4d169f192247ee46f9b3369d26d270d2

http://185.225.19.190/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2452-183-0x0000000000C50000-0x0000000001A64000-memory.dmp	family_ytstealer
behavioral2/memory/2452-224-0x0000000000C50000-0x0000000001A64000-memory.dmp	family_ytstealer

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

GNelXvB2.exeixMeNV71.exeE2i1j5KY.exedllhost.exewinlogson.exe

pid process

3216 GNelXvB2.exe
5000 ixMeNV71.exe
2452 E2i1j5KY.exe
2880 dllhost.exe
2316 winlogson.exe

pid	process
3216	GNelXvB2.exe
5000	ixMeNV71.exe
2452	E2i1j5KY.exe
2880	dllhost.exe
2316	winlogson.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\E2i1j5KY.exe	upx
C:\Users\Admin\AppData\Local\Temp\E2i1j5KY.exe	upx
behavioral2/memory/2452-161-0x0000000000C50000-0x0000000001A64000-memory.dmp	upx
behavioral2/memory/2452-183-0x0000000000C50000-0x0000000001A64000-memory.dmp	upx
behavioral2/memory/2452-224-0x0000000000C50000-0x0000000001A64000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe

Loads dropped DLL 3 IoCs

Processes:

43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe

pid	process
4564	43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe
4564	43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe
4564	43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exeGNelXvB2.exe

pid	process
4564	43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe
4564	43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe
3216	GNelXvB2.exe
3216	GNelXvB2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1464 3216 WerFault.exe GNelXvB2.exe

pid	pid_target	process	target process
1464	3216	WerFault.exe	GNelXvB2.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2628	schtasks.exe
3208	schtasks.exe
2468	schtasks.exe
4696	schtasks.exe
1404	schtasks.exe
3488	schtasks.exe
3616	schtasks.exe
612	schtasks.exe
4208	schtasks.exe
1292	schtasks.exe
2824	schtasks.exe
3988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exeGNelXvB2.exepowershell.exeixMeNV71.exepowershell.exepowershell.exepowershell.exedllhost.exepowershell.exe

pid	process
4564	43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe
4564	43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe
3216	GNelXvB2.exe
3216	GNelXvB2.exe
4928	powershell.exe
4928	powershell.exe
5000	ixMeNV71.exe
4196	powershell.exe
4196	powershell.exe
2704	powershell.exe
2704	powershell.exe
5088	powershell.exe
5088	powershell.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
4880	powershell.exe
4880	powershell.exe
4880	powershell.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

664

pid	process
664

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeixMeNV71.exepowershell.exepowershell.exepowershell.exedllhost.exepowershell.exewinlogson.exe

description	pid	process
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	5000	ixMeNV71.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	2880	dllhost.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeLockMemoryPrivilege	2316	winlogson.exe
Token: SeLockMemoryPrivilege	2316	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

2316 winlogson.exe

pid	process
2316	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exeGNelXvB2.execmd.exeixMeNV71.execmd.exedllhost.exe

description	pid	process	target process
PID 4564 wrote to memory of 3216	4564	43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe	GNelXvB2.exe
PID 4564 wrote to memory of 3216	4564	43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe	GNelXvB2.exe
PID 4564 wrote to memory of 3216	4564	43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe	GNelXvB2.exe
PID 3216 wrote to memory of 3208	3216	GNelXvB2.exe	schtasks.exe
PID 3216 wrote to memory of 3208	3216	GNelXvB2.exe	schtasks.exe
PID 3216 wrote to memory of 3208	3216	GNelXvB2.exe	schtasks.exe
PID 4564 wrote to memory of 5000	4564	43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe	ixMeNV71.exe
PID 4564 wrote to memory of 5000	4564	43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe	ixMeNV71.exe
PID 4564 wrote to memory of 5000	4564	43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe	ixMeNV71.exe
PID 3216 wrote to memory of 1140	3216	GNelXvB2.exe	schtasks.exe
PID 3216 wrote to memory of 1140	3216	GNelXvB2.exe	schtasks.exe
PID 3216 wrote to memory of 1140	3216	GNelXvB2.exe	schtasks.exe
PID 3216 wrote to memory of 2468	3216	GNelXvB2.exe	schtasks.exe
PID 3216 wrote to memory of 2468	3216	GNelXvB2.exe	schtasks.exe
PID 3216 wrote to memory of 2468	3216	GNelXvB2.exe	schtasks.exe
PID 4564 wrote to memory of 2452	4564	43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe	E2i1j5KY.exe
PID 4564 wrote to memory of 2452	4564	43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe	E2i1j5KY.exe
PID 4564 wrote to memory of 2796	4564	43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe	cmd.exe
PID 4564 wrote to memory of 2796	4564	43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe	cmd.exe
PID 4564 wrote to memory of 2796	4564	43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe	cmd.exe
PID 2796 wrote to memory of 4928	2796	cmd.exe	powershell.exe
PID 2796 wrote to memory of 4928	2796	cmd.exe	powershell.exe
PID 2796 wrote to memory of 4928	2796	cmd.exe	powershell.exe
PID 5000 wrote to memory of 1868	5000	ixMeNV71.exe	cmd.exe
PID 5000 wrote to memory of 1868	5000	ixMeNV71.exe	cmd.exe
PID 5000 wrote to memory of 1868	5000	ixMeNV71.exe	cmd.exe
PID 1868 wrote to memory of 1872	1868	cmd.exe	chcp.com
PID 1868 wrote to memory of 1872	1868	cmd.exe	chcp.com
PID 1868 wrote to memory of 1872	1868	cmd.exe	chcp.com
PID 1868 wrote to memory of 4196	1868	cmd.exe	powershell.exe
PID 1868 wrote to memory of 4196	1868	cmd.exe	powershell.exe
PID 1868 wrote to memory of 4196	1868	cmd.exe	powershell.exe
PID 1868 wrote to memory of 2704	1868	cmd.exe	powershell.exe
PID 1868 wrote to memory of 2704	1868	cmd.exe	powershell.exe
PID 1868 wrote to memory of 2704	1868	cmd.exe	powershell.exe
PID 1868 wrote to memory of 5088	1868	cmd.exe	powershell.exe
PID 1868 wrote to memory of 5088	1868	cmd.exe	powershell.exe
PID 1868 wrote to memory of 5088	1868	cmd.exe	powershell.exe
PID 5000 wrote to memory of 2880	5000	ixMeNV71.exe	dllhost.exe
PID 5000 wrote to memory of 2880	5000	ixMeNV71.exe	dllhost.exe
PID 5000 wrote to memory of 2880	5000	ixMeNV71.exe	dllhost.exe
PID 2880 wrote to memory of 1000	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 1000	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 1000	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 3852	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 3852	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 3852	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 1480	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 1480	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 1480	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 4732	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 4732	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 4732	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 3168	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 3168	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 3168	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 1832	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 1832	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 1832	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 5024	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 5024	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 5024	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 1672	2880	dllhost.exe	cmd.exe
PID 2880 wrote to memory of 1672	2880	dllhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe
"C:\Users\Admin\AppData\Local\Temp\43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4564

C:\Users\Admin\AppData\Roaming\GNelXvB2.exe
"C:\Users\Admin\AppData\Roaming\GNelXvB2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 5 /tn "Safety Token Auth{B8P2E8I1X7Z1N-E6N7I7P5V1T3Z8M-I0E2M4Z5S2D}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\WPC\WpcTok.exe"
3⤵
- Creates scheduled task(s)
PID:3208

C:\Windows\SysWOW64\schtasks.exe
/C /Query /XML /TN "Safety Token Auth{B8P2E8I1X7Z1N-E6N7I7P5V1T3Z8M-I0E2M4Z5S2D}"
3⤵
PID:1140

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /tn "Safety Token Auth{B8P2E8I1X7Z1N-E6N7I7P5V1T3Z8M-I0E2M4Z5S2D}" /XML "C:\Users\Admin\AppData\Roaming\Microsoft\WPC\57656746712647612565"
3⤵
- Creates scheduled task(s)
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 608
3⤵
- Program crash
PID:1464

C:\Users\Admin\AppData\Local\Temp\ixMeNV71.exe
"C:\Users\Admin\AppData\Local\Temp\ixMeNV71.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
3⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:1000

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
- Creates scheduled task(s)
PID:612

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:3852

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
- Creates scheduled task(s)
PID:4696

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:1480

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
- Creates scheduled task(s)
PID:4208

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:3168

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
- Creates scheduled task(s)
PID:2824

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:4732

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
- Creates scheduled task(s)
PID:1404

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:1832

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
- Creates scheduled task(s)
PID:1292

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:5024

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
- Creates scheduled task(s)
PID:3488

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2156" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:4036

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2156" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
- Creates scheduled task(s)
PID:3616

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk3827" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk5993" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:1672

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
- Creates scheduled task(s)
PID:2628

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7175" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:2844

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7175" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
- Creates scheduled task(s)
PID:3988

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
4⤵
PID:2160

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
4⤵
PID:4864

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:768

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2316

C:\Users\Admin\AppData\Local\Temp\E2i1j5KY.exe
"C:\Users\Admin\AppData\Local\Temp\E2i1j5KY.exe"
2⤵
- Executes dropped EXE
PID:2452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -NoProfile -NonInteractive -Command [reflection.assembly]::loadwithpartialname('system.windows.forms'); [system.Windows.Forms.MessageBox]::show('This application could not be started', 'Error', 0, 16)
2⤵
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -NonInteractive -Command [reflection.assembly]::loadwithpartialname('system.windows.forms'); [system.Windows.Forms.MessageBox]::show('This application could not be started', 'Error', 0, 16)
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3216 -ip 3216
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
951KB

MD5
2f65aa26f19b301f51a2d954f1c26821

SHA1
63acc00e697efdeaa57f7657e6d95758173e482e

SHA256
c01ed91474cdef0cd5d17a6b36a41c8ebc919abc133c04af3d1f4df67dfe590d

SHA512
af732f9cac31fde6de525faed92b468b38acda3ffca9c94f2c41f027b01e65dacc085c7d8563462f71d8573c2190a6014d79490e9cb0af5ca37ebf26a3aaa326

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
951KB

MD5
2f65aa26f19b301f51a2d954f1c26821

SHA1
63acc00e697efdeaa57f7657e6d95758173e482e

SHA256
c01ed91474cdef0cd5d17a6b36a41c8ebc919abc133c04af3d1f4df67dfe590d

SHA512
af732f9cac31fde6de525faed92b468b38acda3ffca9c94f2c41f027b01e65dacc085c7d8563462f71d8573c2190a6014d79490e9cb0af5ca37ebf26a3aaa326

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\SystemFiles\config.json

Filesize
309B

MD5
da16a63e5a385e73513786feeec1a40a

SHA1
e60474d201cb21a0da7663ddc4f5a593f222a1af

SHA256
c140995fb03c74e79242e503c0aa089b56d4dad14fb06e7b654f54283d587473

SHA512
33cd940cef70c976c0f6635ed7a643ddf49ff9d4c0f7098abcf7781e793c39f5f059abbd88fbabf311842f73e78dc64fb998e5baea9274ef9341e7922bf5dade

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin

Filesize
1KB

MD5
95cd979ef95419619bb688a44e8b2f6d

SHA1
18f5ba100b903d35948e5f15f88c3ea2d7d0e05e

SHA256
6325c5d183a7d74e050a072b5f443249c6e7bd59995ad2c933d994d0152ef293

SHA512
66192099b47e36d19061fa27cda595cecd0d9f998e0d79b26e6e0bbbee8d65fc6d221d52238a76b7ff3eab9c52443650af71b41357c74832fcd2a931fc4928f0

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
1251e3924d750fe42d60657bbb5b3076

SHA1
589123bca8ef527394aa85e3f08c5010d63d38d8

SHA256
f023fd731a01562f8e7c49a99bebc9b7e5060e923f851a832c641a2de60d0412

SHA512
b77b5d37ab86b0ab4f4a62a9f121aa245548d17e6608caf733d043a61e9cd92a6ca99a8fff714f18e110d7a591647a47c7631646a6542a13cdf88667a14daf2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1eca050e43a15809862a37a886e7bfaf

SHA1
b5039d573606447deec9ed20cead1d6197c02be2

SHA256
a1d46c10b8c01d7a0d55029572dbac1ab2e99769021e2d2dbd5b6a59c259fe85

SHA512
9262d6d1deff7629f2b5c7eb681ce866f4439d82d544b6c71e4bfc094b699c5238f2f95e86a24161125c3acd4d862a639f8f58d2e2c81703872df060200619ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1eca050e43a15809862a37a886e7bfaf

SHA1
b5039d573606447deec9ed20cead1d6197c02be2

SHA256
a1d46c10b8c01d7a0d55029572dbac1ab2e99769021e2d2dbd5b6a59c259fe85

SHA512
9262d6d1deff7629f2b5c7eb681ce866f4439d82d544b6c71e4bfc094b699c5238f2f95e86a24161125c3acd4d862a639f8f58d2e2c81703872df060200619ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9aa5ff3b066f146c42675704befc7cf7

SHA1
32372a6928df938b1ad3a80c72409a4d0a737a9b

SHA256
3f214622507750c9e86465f1af099cba213d3a0feda00d39abd9557cfd3e5fe9

SHA512
501217b3eb3b9d274dfef16ca1abc3e536dd49204bef4dc471d65c3e1b90f8fe33e193eb88975403e78759b8cb12e67f92d232107edac47166ae51d73e41bbad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e8f78ff724a58376f2e624aa90763e02

SHA1
08388a1a61b918fa976bc16ff78c82091b618816

SHA256
c3b3a7454f67632cf60d3dab0821ba56cf8fb68d7f91994b623e905eb345903a

SHA512
f2c7d12c6895800702b97cc1dc6669d0f95cfbf94c244698db8664975842fc6bd825c8e9b79da2e7a0f86c8ae21da918bb3780ca91b24f74c82ae289989dcec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2i1j5KY.exe

Filesize
4.0MB

MD5
947ac0d59f24c19f55a89c4fcf08aca2

SHA1
0ae20cf5c7c0336b52f5c5416a9f283e9395fdf9

SHA256
f2e0fa01291e35a38903a47acf970d79e55ea709131a903be2d87b679530702b

SHA512
79d9e7f96e5e461bb0384c4de8c33e9758f973ee3a038ec7f0f42df280bc085ce9d83418fae7def66c22a8fb8a24689adbf400062715a30c2ef09d064bd4382c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2i1j5KY.exe

Filesize
4.0MB

MD5
947ac0d59f24c19f55a89c4fcf08aca2

SHA1
0ae20cf5c7c0336b52f5c5416a9f283e9395fdf9

SHA256
f2e0fa01291e35a38903a47acf970d79e55ea709131a903be2d87b679530702b

SHA512
79d9e7f96e5e461bb0384c4de8c33e9758f973ee3a038ec7f0f42df280bc085ce9d83418fae7def66c22a8fb8a24689adbf400062715a30c2ef09d064bd4382c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixMeNV71.exe

Filesize
71KB

MD5
7909a4904f6c8d6b49f00e82c1df3d8a

SHA1
e80ceb1438f2ce670d58696c6a6f52da29b52f54

SHA256
3277af3920a0027f32d929bee2ef92183adac7f65eadc12fd536589a3f488820

SHA512
6a7b5bd721a43c56ae63c6f043ee31fa2f217dd3c5893f224426a6a5911ae6ed492f0026c56a79a7c51ac11001ba3c861a37ebacbb759b65604dc06eeca22072

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixMeNV71.exe

Filesize
71KB

MD5
7909a4904f6c8d6b49f00e82c1df3d8a

SHA1
e80ceb1438f2ce670d58696c6a6f52da29b52f54

SHA256
3277af3920a0027f32d929bee2ef92183adac7f65eadc12fd536589a3f488820

SHA512
6a7b5bd721a43c56ae63c6f043ee31fa2f217dd3c5893f224426a6a5911ae6ed492f0026c56a79a7c51ac11001ba3c861a37ebacbb759b65604dc06eeca22072

Download Submit
C:\Users\Admin\AppData\Roaming\GNelXvB2.exe

Filesize
6.1MB

MD5
89104b53e0bd7c906e1fc967a5f2f79f

SHA1
8b378f9734411eb6b6ff859352dddff5222e91e9

SHA256
23c8e6a93bc51e8ed0bfe5225da3de69395fa0455808830b7a5826e967d3a7e7

SHA512
07efd78b383e9e316a782d5f1ab0a792ccd03ec78fa0d612a5b481e288db4130041a4c132af71d08dd5c15953c59fec57f2f31fff1613ccf54a8ac8fd1b89123

Download Submit
C:\Users\Admin\AppData\Roaming\GNelXvB2.exe

Filesize
6.1MB

MD5
89104b53e0bd7c906e1fc967a5f2f79f

SHA1
8b378f9734411eb6b6ff859352dddff5222e91e9

SHA256
23c8e6a93bc51e8ed0bfe5225da3de69395fa0455808830b7a5826e967d3a7e7

SHA512
07efd78b383e9e316a782d5f1ab0a792ccd03ec78fa0d612a5b481e288db4130041a4c132af71d08dd5c15953c59fec57f2f31fff1613ccf54a8ac8fd1b89123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\WPC\57656746712647612565

Filesize
1KB

MD5
9f0257b6b283ccd88396c03c9fff495b

SHA1
3d073088e5c2b774374dc4212141d7bb2476a7e1

SHA256
ddcdb828fd3f78b5c79e22ff78e195646a131131302831ec430429ad12d32321

SHA512
fb1d419a79cfcbfe423f556c54bd5732c579af63cc9df0d41c97ff4b620bab14ef2e10ab06a26fb01bf6f05823b4f3b2fe6e7102ea79b3a474815c90872656bf

Download Submit
memory/612-207-0x0000000000000000-mapping.dmp

Download
memory/768-227-0x0000000000000000-mapping.dmp

Download
memory/1000-194-0x0000000000000000-mapping.dmp

Download
memory/1140-148-0x0000000000000000-mapping.dmp

Download
memory/1292-211-0x0000000000000000-mapping.dmp

Download
memory/1404-209-0x0000000000000000-mapping.dmp

Download
memory/1480-196-0x0000000000000000-mapping.dmp

Download
memory/1672-202-0x0000000000000000-mapping.dmp

Download
memory/1832-200-0x0000000000000000-mapping.dmp

Download
memory/1868-168-0x0000000000000000-mapping.dmp

Download
memory/1872-169-0x0000000000000000-mapping.dmp

Download
memory/1936-222-0x0000000000000000-mapping.dmp

Download
memory/2160-221-0x0000000000000000-mapping.dmp

Download
memory/2316-233-0x00000279A6500000-0x00000279A6540000-memory.dmp

Filesize
256KB

Download
memory/2316-228-0x0000000000000000-mapping.dmp

Download
memory/2316-235-0x00000279A6540000-0x00000279A6560000-memory.dmp

Filesize
128KB

Download
memory/2316-234-0x00000279A6540000-0x00000279A6560000-memory.dmp

Filesize
128KB

Download
memory/2316-231-0x00000279A64A0000-0x00000279A64C0000-memory.dmp

Filesize
128KB

Download
memory/2452-224-0x0000000000C50000-0x0000000001A64000-memory.dmp

Filesize
14.1MB

Download
memory/2452-161-0x0000000000C50000-0x0000000001A64000-memory.dmp

Filesize
14.1MB

Download
memory/2452-155-0x0000000000000000-mapping.dmp

Download
memory/2452-183-0x0000000000C50000-0x0000000001A64000-memory.dmp

Filesize
14.1MB

Download
memory/2468-150-0x0000000000000000-mapping.dmp

Download
memory/2592-204-0x0000000000000000-mapping.dmp

Download
memory/2628-214-0x0000000000000000-mapping.dmp

Download
memory/2704-187-0x0000000074E20000-0x0000000074E6C000-memory.dmp

Filesize
304KB

Download
memory/2704-185-0x0000000000000000-mapping.dmp

Download
memory/2796-158-0x0000000000000000-mapping.dmp

Download
memory/2824-215-0x0000000000000000-mapping.dmp

Download
memory/2844-206-0x0000000000000000-mapping.dmp

Download
memory/2880-190-0x0000000000000000-mapping.dmp

Download
memory/2880-193-0x00000000001F0000-0x00000000002E4000-memory.dmp

Filesize
976KB

Download
memory/3168-199-0x0000000000000000-mapping.dmp

Download
memory/3208-143-0x0000000000000000-mapping.dmp

Download
memory/3216-147-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/3216-139-0x0000000000000000-mapping.dmp

Download
memory/3216-163-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/3216-142-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/3488-212-0x0000000000000000-mapping.dmp

Download
memory/3616-213-0x0000000000000000-mapping.dmp

Download
memory/3852-195-0x0000000000000000-mapping.dmp

Download
memory/3988-216-0x0000000000000000-mapping.dmp

Download
memory/4036-203-0x0000000000000000-mapping.dmp

Download
memory/4196-172-0x0000000006150000-0x0000000006182000-memory.dmp

Filesize
200KB

Download
memory/4196-178-0x0000000007130000-0x00000000071C6000-memory.dmp

Filesize
600KB

Download
memory/4196-177-0x0000000006F00000-0x0000000006F0A000-memory.dmp

Filesize
40KB

Download
memory/4196-171-0x0000000000000000-mapping.dmp

Download
memory/4196-175-0x0000000007510000-0x0000000007B8A000-memory.dmp

Filesize
6.5MB

Download
memory/4196-176-0x0000000006EB0000-0x0000000006ECA000-memory.dmp

Filesize
104KB

Download
memory/4196-173-0x0000000074DF0000-0x0000000074E3C000-memory.dmp

Filesize
304KB

Download
memory/4196-179-0x00000000070E0000-0x00000000070EE000-memory.dmp

Filesize
56KB

Download
memory/4196-180-0x00000000071D0000-0x00000000071EA000-memory.dmp

Filesize
104KB

Download
memory/4196-174-0x0000000006110000-0x000000000612E000-memory.dmp

Filesize
120KB

Download
memory/4196-181-0x0000000007120000-0x0000000007128000-memory.dmp

Filesize
32KB

Download
memory/4208-208-0x0000000000000000-mapping.dmp

Download
memory/4272-205-0x0000000000000000-mapping.dmp

Download
memory/4564-132-0x0000000000400000-0x0000000000DDE000-memory.dmp

Filesize
9.9MB

Download
memory/4564-135-0x0000000000400000-0x0000000000DDE000-memory.dmp

Filesize
9.9MB

Download
memory/4564-134-0x0000000000400000-0x0000000000DDE000-memory.dmp

Filesize
9.9MB

Download
memory/4564-160-0x0000000000400000-0x0000000000DDE000-memory.dmp

Filesize
9.9MB

Download
memory/4696-210-0x0000000000000000-mapping.dmp

Download
memory/4732-198-0x0000000000000000-mapping.dmp

Download
memory/4864-226-0x0000000000000000-mapping.dmp

Download
memory/4880-225-0x00007FFDE7810000-0x00007FFDE82D1000-memory.dmp

Filesize
10.8MB

Download
memory/4880-223-0x00007FFDE7810000-0x00007FFDE82D1000-memory.dmp

Filesize
10.8MB

Download
memory/4880-218-0x0000000000000000-mapping.dmp

Download
memory/4880-219-0x0000015B27C80000-0x0000015B27CA2000-memory.dmp

Filesize
136KB

Download
memory/4928-166-0x0000000005040000-0x0000000005062000-memory.dmp

Filesize
136KB

Download
memory/4928-164-0x0000000004850000-0x0000000004886000-memory.dmp

Filesize
216KB

Download
memory/4928-170-0x0000000005890000-0x00000000058AE000-memory.dmp

Filesize
120KB

Download
memory/4928-167-0x0000000005820000-0x0000000005886000-memory.dmp

Filesize
408KB

Download
memory/4928-162-0x0000000000000000-mapping.dmp

Download
memory/4928-165-0x0000000005080000-0x00000000056A8000-memory.dmp

Filesize
6.2MB

Download
memory/5000-154-0x0000000005390000-0x000000000539A000-memory.dmp

Filesize
40KB

Download
memory/5000-149-0x0000000000A10000-0x0000000000A28000-memory.dmp

Filesize
96KB

Download
memory/5000-144-0x0000000000000000-mapping.dmp

Download
memory/5000-152-0x0000000009E40000-0x000000000A3E4000-memory.dmp

Filesize
5.6MB

Download
memory/5000-153-0x00000000055B0000-0x0000000005642000-memory.dmp

Filesize
584KB

Download
memory/5000-159-0x00000000063D0000-0x0000000006436000-memory.dmp

Filesize
408KB

Download
memory/5024-201-0x0000000000000000-mapping.dmp

Download
memory/5088-197-0x0000000074E20000-0x0000000074E6C000-memory.dmp

Filesize
304KB

Download
memory/5088-188-0x0000000000000000-mapping.dmp

Download