raccoon | f93521d653a724f562be130f117f3e7ee1b87eeab357f3c5695812a4a9ea73a5

Analysis

max time kernel
152s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
31-08-2022 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

1000KB
MD5

6ffb07e3414cd88275cd4c3b8bbe7b5e
SHA1

0b5f524c0478d84860d16c786358ebda166a5ee1
SHA256

f93521d653a724f562be130f117f3e7ee1b87eeab357f3c5695812a4a9ea73a5
SHA512

ec9f389f258b2553b52c68ea602c55aacd0d1ed052b17d63b7ca5324b2bccfab97e843d540baea9628f15dc9a798b58512218921373f535815093351f2388885
SSDEEP

12288:jylN+SwBxYRjRGLFA8gpO4Xspi5n/IxrcBWQzf7x:jDSw/RsWe1W4

Score

10^/10

raccoon xmrig ytstealer 4689c837190317f8309bc798897decf7 miner persistence spyware stealer upx

Malware Config

Extracted

Family

raccoon

Botnet

4689c837190317f8309bc798897decf7

http://91.234.254.126/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3480-166-0x0000000000C40000-0x0000000001A19000-memory.dmp	family_ytstealer
behavioral2/memory/3480-174-0x0000000000C40000-0x0000000001A19000-memory.dmp	family_ytstealer
behavioral2/memory/3480-187-0x0000000000C40000-0x0000000001A19000-memory.dmp	family_ytstealer
behavioral2/memory/4464-188-0x00000000003D0000-0x00000000011E2000-memory.dmp	family_ytstealer
behavioral2/memory/4464-206-0x00000000003D0000-0x00000000011E2000-memory.dmp	family_ytstealer

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

QrcFlL2y.exe28Y17k99.exeqv84UX5a.exe50GNcc67.exedllhost.exewinlogson.exe

pid process

1720 QrcFlL2y.exe
2656 28Y17k99.exe
3480 qv84UX5a.exe
4464 50GNcc67.exe
3432 dllhost.exe
5108 winlogson.exe

pid	process
1720	QrcFlL2y.exe
2656	28Y17k99.exe
3480	qv84UX5a.exe
4464	50GNcc67.exe
3432	dllhost.exe
5108	winlogson.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\qv84UX5a.exe	upx
C:\Users\Admin\AppData\Local\Temp\qv84UX5a.exe	upx
behavioral2/memory/3480-166-0x0000000000C40000-0x0000000001A19000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\50GNcc67.exe	upx
C:\Users\Admin\AppData\Local\Temp\50GNcc67.exe	upx
behavioral2/memory/4464-173-0x00000000003D0000-0x00000000011E2000-memory.dmp	upx
behavioral2/memory/3480-174-0x0000000000C40000-0x0000000001A19000-memory.dmp	upx
behavioral2/memory/3480-187-0x0000000000C40000-0x0000000001A19000-memory.dmp	upx
behavioral2/memory/4464-188-0x00000000003D0000-0x00000000011E2000-memory.dmp	upx
behavioral2/memory/4464-206-0x00000000003D0000-0x00000000011E2000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

cvtres.exe

pid process

1800 cvtres.exe
1800 cvtres.exe
1800 cvtres.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1800	cvtres.exe
1800	cvtres.exe
1800	cvtres.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

QrcFlL2y.exe

pid process

1720 QrcFlL2y.exe
1720 QrcFlL2y.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Installer.exe

description pid process target process

PID 3080 set thread context of 1800 3080 Installer.exe cvtres.exe

pid	process
1720	QrcFlL2y.exe
1720	QrcFlL2y.exe

description	pid	process	target process
PID 3080 set thread context of 1800	3080	Installer.exe	cvtres.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2416	schtasks.exe
2904	schtasks.exe
2564	schtasks.exe
2264	schtasks.exe
3492	schtasks.exe
752	schtasks.exe
3648	schtasks.exe
1792	schtasks.exe
1488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeQrcFlL2y.exe28Y17k99.exepowershell.exeqv84UX5a.exepowershell.exepowershell.exedllhost.exe

pid	process
3164	powershell.exe
3164	powershell.exe
1720	QrcFlL2y.exe
1720	QrcFlL2y.exe
2656	28Y17k99.exe
896	powershell.exe
896	powershell.exe
3480	qv84UX5a.exe
3480	qv84UX5a.exe
3480	qv84UX5a.exe
3480	qv84UX5a.exe
1860	powershell.exe
1860	powershell.exe
532	powershell.exe
532	powershell.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe
3432	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

668

pid	process
668

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exe28Y17k99.exepowershell.exepowershell.exepowershell.exedllhost.exewinlogson.exe

description	pid	process
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	2656	28Y17k99.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	3432	dllhost.exe
Token: SeLockMemoryPrivilege	5108	winlogson.exe
Token: SeLockMemoryPrivilege	5108	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

5108 winlogson.exe

pid	process
5108	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Installer.execvtres.exeQrcFlL2y.exe28Y17k99.execmd.exeqv84UX5a.execmd.exe50GNcc67.exedllhost.exe

description	pid	process	target process
PID 3080 wrote to memory of 3164	3080	Installer.exe	powershell.exe
PID 3080 wrote to memory of 3164	3080	Installer.exe	powershell.exe
PID 3080 wrote to memory of 3164	3080	Installer.exe	powershell.exe
PID 3080 wrote to memory of 1800	3080	Installer.exe	cvtres.exe
PID 3080 wrote to memory of 1800	3080	Installer.exe	cvtres.exe
PID 3080 wrote to memory of 1800	3080	Installer.exe	cvtres.exe
PID 3080 wrote to memory of 1800	3080	Installer.exe	cvtres.exe
PID 3080 wrote to memory of 1800	3080	Installer.exe	cvtres.exe
PID 3080 wrote to memory of 1800	3080	Installer.exe	cvtres.exe
PID 3080 wrote to memory of 1800	3080	Installer.exe	cvtres.exe
PID 3080 wrote to memory of 1800	3080	Installer.exe	cvtres.exe
PID 3080 wrote to memory of 1800	3080	Installer.exe	cvtres.exe
PID 1800 wrote to memory of 1720	1800	cvtres.exe	QrcFlL2y.exe
PID 1800 wrote to memory of 1720	1800	cvtres.exe	QrcFlL2y.exe
PID 1800 wrote to memory of 1720	1800	cvtres.exe	QrcFlL2y.exe
PID 1800 wrote to memory of 2656	1800	cvtres.exe	28Y17k99.exe
PID 1800 wrote to memory of 2656	1800	cvtres.exe	28Y17k99.exe
PID 1800 wrote to memory of 2656	1800	cvtres.exe	28Y17k99.exe
PID 1720 wrote to memory of 2264	1720	QrcFlL2y.exe	schtasks.exe
PID 1720 wrote to memory of 2264	1720	QrcFlL2y.exe	schtasks.exe
PID 1720 wrote to memory of 2264	1720	QrcFlL2y.exe	schtasks.exe
PID 1800 wrote to memory of 3480	1800	cvtres.exe	qv84UX5a.exe
PID 1800 wrote to memory of 3480	1800	cvtres.exe	qv84UX5a.exe
PID 1720 wrote to memory of 1784	1720	QrcFlL2y.exe	schtasks.exe
PID 1720 wrote to memory of 1784	1720	QrcFlL2y.exe	schtasks.exe
PID 1720 wrote to memory of 1784	1720	QrcFlL2y.exe	schtasks.exe
PID 1800 wrote to memory of 4464	1800	cvtres.exe	50GNcc67.exe
PID 1800 wrote to memory of 4464	1800	cvtres.exe	50GNcc67.exe
PID 2656 wrote to memory of 3216	2656	28Y17k99.exe	cmd.exe
PID 2656 wrote to memory of 3216	2656	28Y17k99.exe	cmd.exe
PID 2656 wrote to memory of 3216	2656	28Y17k99.exe	cmd.exe
PID 3216 wrote to memory of 4476	3216	cmd.exe	chcp.com
PID 3216 wrote to memory of 4476	3216	cmd.exe	chcp.com
PID 3216 wrote to memory of 4476	3216	cmd.exe	chcp.com
PID 3216 wrote to memory of 896	3216	cmd.exe	powershell.exe
PID 3216 wrote to memory of 896	3216	cmd.exe	powershell.exe
PID 3216 wrote to memory of 896	3216	cmd.exe	powershell.exe
PID 3480 wrote to memory of 2124	3480	qv84UX5a.exe	cmd.exe
PID 3480 wrote to memory of 2124	3480	qv84UX5a.exe	cmd.exe
PID 2124 wrote to memory of 4304	2124	cmd.exe	choice.exe
PID 2124 wrote to memory of 4304	2124	cmd.exe	choice.exe
PID 4464 wrote to memory of 1860	4464	50GNcc67.exe	powershell.exe
PID 4464 wrote to memory of 1860	4464	50GNcc67.exe	powershell.exe
PID 3216 wrote to memory of 532	3216	cmd.exe	powershell.exe
PID 3216 wrote to memory of 532	3216	cmd.exe	powershell.exe
PID 3216 wrote to memory of 532	3216	cmd.exe	powershell.exe
PID 2656 wrote to memory of 3432	2656	28Y17k99.exe	dllhost.exe
PID 2656 wrote to memory of 3432	2656	28Y17k99.exe	dllhost.exe
PID 2656 wrote to memory of 3432	2656	28Y17k99.exe	dllhost.exe
PID 3432 wrote to memory of 424	3432	dllhost.exe	cmd.exe
PID 3432 wrote to memory of 424	3432	dllhost.exe	cmd.exe
PID 3432 wrote to memory of 424	3432	dllhost.exe	cmd.exe
PID 3432 wrote to memory of 1848	3432	dllhost.exe	cmd.exe
PID 3432 wrote to memory of 1848	3432	dllhost.exe	cmd.exe
PID 3432 wrote to memory of 1848	3432	dllhost.exe	cmd.exe
PID 3432 wrote to memory of 3396	3432	dllhost.exe	cmd.exe
PID 3432 wrote to memory of 3396	3432	dllhost.exe	cmd.exe
PID 3432 wrote to memory of 3396	3432	dllhost.exe	cmd.exe
PID 3432 wrote to memory of 2560	3432	dllhost.exe	cmd.exe
PID 3432 wrote to memory of 2560	3432	dllhost.exe	cmd.exe
PID 3432 wrote to memory of 2560	3432	dllhost.exe	cmd.exe
PID 3432 wrote to memory of 4008	3432	dllhost.exe	cmd.exe
PID 3432 wrote to memory of 4008	3432	dllhost.exe	cmd.exe
PID 3432 wrote to memory of 4008	3432	dllhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\QrcFlL2y.exe
"C:\Users\Admin\AppData\Local\Temp\QrcFlL2y.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 5 /tn "Local Security Authority Process{K8G5D4S3V5F5D4-O63D4F5S6V-F7G8V3A2D4}" /tr "C:\Users\Admin\AppData\Roaming\Windows\System32\lsass.exe"
4⤵
- Creates scheduled task(s)
PID:2264

C:\Windows\SysWOW64\schtasks.exe
/C /Query /XML /TN "Local Security Authority Process{K8G5D4S3V5F5D4-O63D4F5S6V-F7G8V3A2D4}"
4⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\28Y17k99.exe
"C:\Users\Admin\AppData\Local\Temp\28Y17k99.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
4⤵
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:4476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:424

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:3492

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3396

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:2416

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:1848

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:752

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:2560

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:3648

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4008

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4572

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:2564

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4244

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:2904

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:1784

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:1792

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk8808" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4252

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk9684" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4924

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk9684" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:1488

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk5008" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3294" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:3400

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:3456

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5108

C:\Users\Admin\AppData\Local\Temp\qv84UX5a.exe
"C:\Users\Admin\AppData\Local\Temp\qv84UX5a.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\qv84UX5a.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
5⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\50GNcc67.exe
"C:\Users\Admin\AppData\Local\Temp\50GNcc67.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
951KB

MD5
2f65aa26f19b301f51a2d954f1c26821

SHA1
63acc00e697efdeaa57f7657e6d95758173e482e

SHA256
c01ed91474cdef0cd5d17a6b36a41c8ebc919abc133c04af3d1f4df67dfe590d

SHA512
af732f9cac31fde6de525faed92b468b38acda3ffca9c94f2c41f027b01e65dacc085c7d8563462f71d8573c2190a6014d79490e9cb0af5ca37ebf26a3aaa326

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
951KB

MD5
2f65aa26f19b301f51a2d954f1c26821

SHA1
63acc00e697efdeaa57f7657e6d95758173e482e

SHA256
c01ed91474cdef0cd5d17a6b36a41c8ebc919abc133c04af3d1f4df67dfe590d

SHA512
af732f9cac31fde6de525faed92b468b38acda3ffca9c94f2c41f027b01e65dacc085c7d8563462f71d8573c2190a6014d79490e9cb0af5ca37ebf26a3aaa326

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\SystemFiles\config.json
Filesize
313B

MD5
f920724371620678f04d3578dcf70b03

SHA1
fef9541c5d2a818518d934300e20aba60df6c82c

SHA256
40764f677fa97fe2ef4c9099e94b107f345286f11e38d9c22dca6ba3d8053d05

SHA512
5dcbe7fe11bef73611d3669dc0c3f787ebb27ef668ca217acc05f39b3d4330fce58f26f16d4ab5ab99a807c218dc370cb4ea227c1e5498d61f05a8cd40ce86e2

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin
Filesize
1KB

MD5
4875e0a9b5559ea56e4c06993b89fd9e

SHA1
b1619f3579a946022892e882cbe1daca1c95487e

SHA256
bc6f134a8103a5fa02f8146ea17e59e8eb6dcda4aba64601e01cde2ef00e39f5

SHA512
ac1508d1068cc9d5a395a452be524ca1538c0bb32384b80952e443ae43e2382485910279fbc9408774562d8e5c51899ee026c82da84081f984cfc47e7bda3f7d

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
10dfa0d1b926f3f599c94d396a70bfa1

SHA1
283dbc5f6d7341203e5248e19d322cd69d9eb113

SHA256
41588f2daeb99ce5c6e8e54e604a41f29eb11b58816fc68eac7fd05ed7ab6828

SHA512
703fe732112587d72bc827129b5e177a7ce64057b47313dd0317f5d826334b2806e1aaee0dc6824aa3a05ddadfae98abe4499fdb2b1c2fb53f006f03a1b1d672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
305a30b8cce49515227cb8e535823756

SHA1
8e5af25c9d48d13de544f4c346a1f11dffea7968

SHA256
72372fa38bcff486fe52dedf02d1127d8fee2e107a7a03e7b72dd45d54b7bc63

SHA512
72961a214d6e2a21d28c6f2034da525b0963f3803f2a16e82f0772542b549bff0d59ec84ffc5018398380ae41d97b04deb404ac5f4e2962a9b954365f8fc999a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
dec846d0767c107f8d7f15206c2ee10f

SHA1
89690ae34f8a5a782754db6a1b087c1be3cf10b1

SHA256
a0a179e9033c255d7fe7b6b7396cf00362f087a3db815b3849ed12cb5ea41447

SHA512
1d05cedbdacfd38b612f699a3f326fe4706bfbfff7dc4176d99f7f617e9592b6ca17532500ddf378bd77d24d8f07ad8c2b96f506720591eb38e5c4d78b241788

Download Submit
C:\Users\Admin\AppData\Local\Temp\28Y17k99.exe
Filesize
72KB

MD5
ed273349dcfdbc3ad38937b248e716d9

SHA1
ac6856ede07307fcebd2a2a6ba6dc88563f8eb73

SHA256
be25a5efd1b35505dc31bba98070dc404865b0a1411eb41a76b17e3deb845598

SHA512
5edede7fc1f954e9454bb64bbcaf7aa32310889d30613cd96efe1815c6a7ae3c9d2e94260a9305966ee61863ec9161e14a422cf2863bd0cf787bab98388eeaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\28Y17k99.exe
Filesize
72KB

MD5
ed273349dcfdbc3ad38937b248e716d9

SHA1
ac6856ede07307fcebd2a2a6ba6dc88563f8eb73

SHA256
be25a5efd1b35505dc31bba98070dc404865b0a1411eb41a76b17e3deb845598

SHA512
5edede7fc1f954e9454bb64bbcaf7aa32310889d30613cd96efe1815c6a7ae3c9d2e94260a9305966ee61863ec9161e14a422cf2863bd0cf787bab98388eeaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\50GNcc67.exe
Filesize
4.0MB

MD5
47b29465bb5fcbbd899f1d98af193f06

SHA1
ddd7c01b07939751f734c1e9b7aa17853447e02c

SHA256
a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb

SHA512
838a170802283f318712195402dc26dc601d2f81d3dae1f32309e532af732808c1a8b03c80f7dcf99b2ae94276678bb4211a44ebe889335da34a6083c4bd31f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\50GNcc67.exe
Filesize
4.0MB

MD5
47b29465bb5fcbbd899f1d98af193f06

SHA1
ddd7c01b07939751f734c1e9b7aa17853447e02c

SHA256
a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb

SHA512
838a170802283f318712195402dc26dc601d2f81d3dae1f32309e532af732808c1a8b03c80f7dcf99b2ae94276678bb4211a44ebe889335da34a6083c4bd31f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QrcFlL2y.exe
Filesize
6.0MB

MD5
a38fe61434aec554fd09175050a87f0d

SHA1
c767034d05085ba0d701f0b5216ae139429eae39

SHA256
f9eeb56697ff517cb6f00fb13e5302596989147d225495b5f7b19256d4f54ec5

SHA512
a85719c1382616625a393661f92039505de63f6e21f42c1fc41d9a1179cba46b84e1b005afba27f818d8e869634d0ef6e11eb9f0ff87ec73d0627858ac0feb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\QrcFlL2y.exe
Filesize
6.0MB

MD5
a38fe61434aec554fd09175050a87f0d

SHA1
c767034d05085ba0d701f0b5216ae139429eae39

SHA256
f9eeb56697ff517cb6f00fb13e5302596989147d225495b5f7b19256d4f54ec5

SHA512
a85719c1382616625a393661f92039505de63f6e21f42c1fc41d9a1179cba46b84e1b005afba27f818d8e869634d0ef6e11eb9f0ff87ec73d0627858ac0feb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\qv84UX5a.exe
Filesize
4.0MB

MD5
16ff8074ba61c2a46cdb6c72c2c6057d

SHA1
5e7c56085209a3190a2a831fffefdeef192a6b25

SHA256
b22daf5bfcbdcd0032f07a012e34ee6eb102203963b2f488dd1cf9d14b60550f

SHA512
674c22cee088d96d42d43aa7cbd7988c01318a211185be6767e43c50dbdf5e7f0dd9e65be123127744015e17c34415feef727a08f237e350ccd04068ce28ddce

Download Submit
C:\Users\Admin\AppData\Local\Temp\qv84UX5a.exe
Filesize
4.0MB

MD5
16ff8074ba61c2a46cdb6c72c2c6057d

SHA1
5e7c56085209a3190a2a831fffefdeef192a6b25

SHA256
b22daf5bfcbdcd0032f07a012e34ee6eb102203963b2f488dd1cf9d14b60550f

SHA512
674c22cee088d96d42d43aa7cbd7988c01318a211185be6767e43c50dbdf5e7f0dd9e65be123127744015e17c34415feef727a08f237e350ccd04068ce28ddce

Download Submit
memory/424-204-0x0000000000000000-mapping.dmp

Download
memory/532-202-0x0000000074780000-0x00000000747CC000-memory.dmp

Filesize
304KB

Download
memory/532-194-0x0000000000000000-mapping.dmp

Download
memory/752-218-0x0000000000000000-mapping.dmp

Download
memory/896-192-0x0000000007EF0000-0x0000000007EF8000-memory.dmp

Filesize
32KB

Download
memory/896-183-0x0000000007950000-0x000000000796E000-memory.dmp

Filesize
120KB

Download
memory/896-182-0x0000000073B50000-0x0000000073B9C000-memory.dmp

Filesize
304KB

Download
memory/896-184-0x0000000007D30000-0x0000000007D3A000-memory.dmp

Filesize
40KB

Download
memory/896-189-0x0000000007F70000-0x0000000008006000-memory.dmp

Filesize
600KB

Download
memory/896-181-0x0000000007990000-0x00000000079C2000-memory.dmp

Filesize
200KB

Download
memory/896-190-0x0000000006830000-0x000000000683E000-memory.dmp

Filesize
56KB

Download
memory/896-191-0x0000000007F10000-0x0000000007F2A000-memory.dmp

Filesize
104KB

Download
memory/896-177-0x0000000000000000-mapping.dmp

Download
memory/1392-227-0x0000000000000000-mapping.dmp

Download
memory/1488-224-0x0000000000000000-mapping.dmp

Download
memory/1720-159-0x0000000000400000-0x0000000000D6E000-memory.dmp

Filesize
9.4MB

Download
memory/1720-158-0x0000000000400000-0x0000000000D6E000-memory.dmp

Filesize
9.4MB

Download
memory/1720-169-0x0000000000400000-0x0000000000D6E000-memory.dmp

Filesize
9.4MB

Download
memory/1720-151-0x0000000000000000-mapping.dmp

Download
memory/1784-167-0x0000000000000000-mapping.dmp

Download
memory/1784-210-0x0000000000000000-mapping.dmp

Download
memory/1792-221-0x0000000000000000-mapping.dmp

Download
memory/1800-143-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1800-145-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1800-146-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1800-150-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1800-142-0x0000000000000000-mapping.dmp

Download
memory/1848-205-0x0000000000000000-mapping.dmp

Download
memory/1860-203-0x00007FFD67B80000-0x00007FFD68641000-memory.dmp

Filesize
10.8MB

Download
memory/1860-197-0x00007FFD67B80000-0x00007FFD68641000-memory.dmp

Filesize
10.8MB

Download
memory/1860-195-0x000001E1C2E30000-0x000001E1C2E52000-memory.dmp

Filesize
136KB

Download
memory/1860-193-0x0000000000000000-mapping.dmp

Download
memory/2124-185-0x0000000000000000-mapping.dmp

Download
memory/2264-160-0x0000000000000000-mapping.dmp

Download
memory/2416-220-0x0000000000000000-mapping.dmp

Download
memory/2560-208-0x0000000000000000-mapping.dmp

Download
memory/2564-223-0x0000000000000000-mapping.dmp

Download
memory/2656-157-0x0000000000BF0000-0x0000000000C08000-memory.dmp

Filesize
96KB

Download
memory/2656-154-0x0000000000000000-mapping.dmp

Download
memory/2656-165-0x0000000005640000-0x00000000056D2000-memory.dmp

Filesize
584KB

Download
memory/2656-161-0x0000000009F70000-0x000000000A514000-memory.dmp

Filesize
5.6MB

Download
memory/2656-168-0x0000000005430000-0x000000000543A000-memory.dmp

Filesize
40KB

Download
memory/2904-222-0x0000000000000000-mapping.dmp

Download
memory/3080-132-0x00000000001F0000-0x00000000002CC000-memory.dmp

Filesize
880KB

Download
memory/3164-140-0x0000000007440000-0x0000000007ABA000-memory.dmp

Filesize
6.5MB

Download
memory/3164-138-0x00000000057E0000-0x0000000005846000-memory.dmp

Filesize
408KB

Download
memory/3164-139-0x0000000005DE0000-0x0000000005DFE000-memory.dmp

Filesize
120KB

Download
memory/3164-133-0x0000000000000000-mapping.dmp

Download
memory/3164-137-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/3164-141-0x00000000062F0000-0x000000000630A000-memory.dmp

Filesize
104KB

Download
memory/3164-134-0x0000000004820000-0x0000000004856000-memory.dmp

Filesize
216KB

Download
memory/3164-136-0x0000000004E50000-0x0000000004E72000-memory.dmp

Filesize
136KB

Download
memory/3164-135-0x0000000004F60000-0x0000000005588000-memory.dmp

Filesize
6.2MB

Download
memory/3216-175-0x0000000000000000-mapping.dmp

Download
memory/3396-207-0x0000000000000000-mapping.dmp

Download
memory/3400-228-0x0000000000000000-mapping.dmp

Download
memory/3432-198-0x0000000000000000-mapping.dmp

Download
memory/3432-201-0x0000000000FE0000-0x00000000010D4000-memory.dmp

Filesize
976KB

Download
memory/3456-229-0x0000000000000000-mapping.dmp

Download
memory/3480-162-0x0000000000000000-mapping.dmp

Download
memory/3480-174-0x0000000000C40000-0x0000000001A19000-memory.dmp

Filesize
13.8MB

Download
memory/3480-166-0x0000000000C40000-0x0000000001A19000-memory.dmp

Filesize
13.8MB

Download
memory/3480-187-0x0000000000C40000-0x0000000001A19000-memory.dmp

Filesize
13.8MB

Download
memory/3492-217-0x0000000000000000-mapping.dmp

Download
memory/3648-219-0x0000000000000000-mapping.dmp

Download
memory/4008-209-0x0000000000000000-mapping.dmp

Download
memory/4244-212-0x0000000000000000-mapping.dmp

Download
memory/4252-215-0x0000000000000000-mapping.dmp

Download
memory/4304-186-0x0000000000000000-mapping.dmp

Download
memory/4464-170-0x0000000000000000-mapping.dmp

Download
memory/4464-173-0x00000000003D0000-0x00000000011E2000-memory.dmp

Filesize
14.1MB

Download
memory/4464-206-0x00000000003D0000-0x00000000011E2000-memory.dmp

Filesize
14.1MB

Download
memory/4464-188-0x00000000003D0000-0x00000000011E2000-memory.dmp

Filesize
14.1MB

Download
memory/4476-176-0x0000000000000000-mapping.dmp

Download
memory/4572-211-0x0000000000000000-mapping.dmp

Download
memory/4740-213-0x0000000000000000-mapping.dmp

Download
memory/4924-216-0x0000000000000000-mapping.dmp

Download
memory/4972-214-0x0000000000000000-mapping.dmp

Download
memory/5108-230-0x0000000000000000-mapping.dmp

Download
memory/5108-233-0x000001E475EF0000-0x000001E475F10000-memory.dmp

Filesize
128KB

Download
memory/5108-235-0x000001E4777E0000-0x000001E477820000-memory.dmp

Filesize
256KB

Download