a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5

Analysis

max time kernel
148s
max time network
123s
platform
windows10_x64
resource
win10-en-20211208
submitted
13-01-2022 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e0fc3d593968917c8ed6ea577195296.exe
Size

970KB
MD5

6e0fc3d593968917c8ed6ea577195296
SHA1

b0225393df8ed257ade0d6cb95ca14f0a92f4ea4
SHA256

a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5
SHA512

1e92bc275a185c7faa4db5b02aef12f14d30389f0daa4951a1866cf789964eedd30e272016906f8037f27d2cd62bfa3c63ff7433752a7d78187b80d08d8f8503

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

Processes:

RuntimeBroker.exesafas2f.exewhw.exee3dwefw.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeoobeldr.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

pid	process
1452	RuntimeBroker.exe
2628	safas2f.exe
396	whw.exe
3184	e3dwefw.exe
4260	RegHost.exe
3216	RegHost.exe
1980	RegHost.exe
2964	RegHost.exe
4696	RegHost.exe
1856	RegHost.exe
5088	oobeldr.exe
1268	RegHost.exe
4256	RegHost.exe
3684	RegHost.exe
2008	RegHost.exe

Drops startup file 1 IoCs

Processes:

RuntimeBroker.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\new driver.lnk RuntimeBroker.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\new driver.lnk	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exesafas2f.exeRegHost.exeRegHost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	safas2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 44 IoCs

Processes:

safas2f.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exe

pid	process
2628	safas2f.exe
2628	safas2f.exe
2872	bfsvc.exe
2872	bfsvc.exe
4260	RegHost.exe
4260	RegHost.exe
372	bfsvc.exe
372	bfsvc.exe
3216	RegHost.exe
3216	RegHost.exe
4780	bfsvc.exe
4780	bfsvc.exe
1980	RegHost.exe
1980	RegHost.exe
5020	bfsvc.exe
5020	bfsvc.exe
2964	RegHost.exe
2964	RegHost.exe
4524	bfsvc.exe
4524	bfsvc.exe
4696	RegHost.exe
4696	RegHost.exe
4156	bfsvc.exe
4156	bfsvc.exe
1856	RegHost.exe
1856	RegHost.exe
892	bfsvc.exe
892	bfsvc.exe
1268	RegHost.exe
1268	RegHost.exe
3828	bfsvc.exe
3828	bfsvc.exe
4256	RegHost.exe
4256	RegHost.exe
1336	bfsvc.exe
1336	bfsvc.exe
3684	RegHost.exe
3684	RegHost.exe
3212	bfsvc.exe
3212	bfsvc.exe
2008	RegHost.exe
2008	RegHost.exe
2708	bfsvc.exe
2708	bfsvc.exe

Suspicious use of SetThreadContext 23 IoCs

Processes:

6e0fc3d593968917c8ed6ea577195296.exesafas2f.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	pid	process	target process
PID 4192 set thread context of 4508	4192	6e0fc3d593968917c8ed6ea577195296.exe	RegAsm.exe
PID 2628 set thread context of 2260	2628	safas2f.exe	explorer.exe
PID 2628 set thread context of 2872	2628	safas2f.exe	bfsvc.exe
PID 4260 set thread context of 976	4260	RegHost.exe	explorer.exe
PID 4260 set thread context of 372	4260	RegHost.exe	bfsvc.exe
PID 3216 set thread context of 4800	3216	RegHost.exe	explorer.exe
PID 3216 set thread context of 4780	3216	RegHost.exe	bfsvc.exe
PID 1980 set thread context of 3608	1980	RegHost.exe	explorer.exe
PID 1980 set thread context of 5020	1980	RegHost.exe	bfsvc.exe
PID 2964 set thread context of 4532	2964	RegHost.exe	explorer.exe
PID 2964 set thread context of 4524	2964	RegHost.exe	bfsvc.exe
PID 4696 set thread context of 4432	4696	RegHost.exe	explorer.exe
PID 4696 set thread context of 4156	4696	RegHost.exe	bfsvc.exe
PID 1856 set thread context of 796	1856	RegHost.exe	explorer.exe
PID 1856 set thread context of 892	1856	RegHost.exe	bfsvc.exe
PID 1268 set thread context of 3244	1268	RegHost.exe	explorer.exe
PID 1268 set thread context of 3828	1268	RegHost.exe	bfsvc.exe
PID 4256 set thread context of 3456	4256	RegHost.exe	explorer.exe
PID 4256 set thread context of 1336	4256	RegHost.exe	bfsvc.exe
PID 3684 set thread context of 3240	3684	RegHost.exe	explorer.exe
PID 3684 set thread context of 3212	3684	RegHost.exe	bfsvc.exe
PID 2008 set thread context of 2772	2008	RegHost.exe	explorer.exe
PID 2008 set thread context of 2708	2008	RegHost.exe	bfsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2684 schtasks.exe
4816 schtasks.exe

pid	process
2684	schtasks.exe
4816	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RegAsm.exeexplorer.exewhw.exeexplorer.exeexplorer.exe

pid	process
4508	RegAsm.exe
4508	RegAsm.exe
4508	RegAsm.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
396	whw.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
976	explorer.exe
976	explorer.exe
976	explorer.exe
976	explorer.exe
976	explorer.exe
976	explorer.exe
976	explorer.exe
976	explorer.exe
976	explorer.exe
976	explorer.exe
976	explorer.exe
976	explorer.exe
976	explorer.exe
976	explorer.exe
976	explorer.exe
976	explorer.exe
976	explorer.exe
976	explorer.exe
976	explorer.exe
976	explorer.exe
4800	explorer.exe
4800	explorer.exe
4800	explorer.exe
4800	explorer.exe
4800	explorer.exe
4800	explorer.exe
4800	explorer.exe
4800	explorer.exe
4800	explorer.exe
4800	explorer.exe
4800	explorer.exe
4800	explorer.exe
4800	explorer.exe
4800	explorer.exe
4800	explorer.exe
4800	explorer.exe
4800	explorer.exe
4800	explorer.exe
4800	explorer.exe
4800	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RegAsm.exeRuntimeBroker.exewhw.exe

description pid process

Token: SeDebugPrivilege 4508 RegAsm.exe
Token: 35 1452 RuntimeBroker.exe
Token: SeDebugPrivilege 396 whw.exe

description	pid	process
Token: SeDebugPrivilege	4508	RegAsm.exe
Token: 35	1452	RuntimeBroker.exe
Token: SeDebugPrivilege	396	whw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6e0fc3d593968917c8ed6ea577195296.exeRegAsm.exee3dwefw.exesafas2f.exeexplorer.exeRegHost.exe

description	pid	process	target process
PID 4192 wrote to memory of 4508	4192	6e0fc3d593968917c8ed6ea577195296.exe	RegAsm.exe
PID 4192 wrote to memory of 4508	4192	6e0fc3d593968917c8ed6ea577195296.exe	RegAsm.exe
PID 4192 wrote to memory of 4508	4192	6e0fc3d593968917c8ed6ea577195296.exe	RegAsm.exe
PID 4192 wrote to memory of 4508	4192	6e0fc3d593968917c8ed6ea577195296.exe	RegAsm.exe
PID 4192 wrote to memory of 4508	4192	6e0fc3d593968917c8ed6ea577195296.exe	RegAsm.exe
PID 4192 wrote to memory of 4508	4192	6e0fc3d593968917c8ed6ea577195296.exe	RegAsm.exe
PID 4192 wrote to memory of 4508	4192	6e0fc3d593968917c8ed6ea577195296.exe	RegAsm.exe
PID 4192 wrote to memory of 4508	4192	6e0fc3d593968917c8ed6ea577195296.exe	RegAsm.exe
PID 4508 wrote to memory of 1452	4508	RegAsm.exe	RuntimeBroker.exe
PID 4508 wrote to memory of 1452	4508	RegAsm.exe	RuntimeBroker.exe
PID 4508 wrote to memory of 2628	4508	RegAsm.exe	safas2f.exe
PID 4508 wrote to memory of 2628	4508	RegAsm.exe	safas2f.exe
PID 4508 wrote to memory of 396	4508	RegAsm.exe	whw.exe
PID 4508 wrote to memory of 396	4508	RegAsm.exe	whw.exe
PID 4508 wrote to memory of 396	4508	RegAsm.exe	whw.exe
PID 4508 wrote to memory of 3184	4508	RegAsm.exe	e3dwefw.exe
PID 4508 wrote to memory of 3184	4508	RegAsm.exe	e3dwefw.exe
PID 4508 wrote to memory of 3184	4508	RegAsm.exe	e3dwefw.exe
PID 3184 wrote to memory of 2684	3184	e3dwefw.exe	schtasks.exe
PID 3184 wrote to memory of 2684	3184	e3dwefw.exe	schtasks.exe
PID 3184 wrote to memory of 2684	3184	e3dwefw.exe	schtasks.exe
PID 2628 wrote to memory of 2260	2628	safas2f.exe	explorer.exe
PID 2628 wrote to memory of 2260	2628	safas2f.exe	explorer.exe
PID 2628 wrote to memory of 2260	2628	safas2f.exe	explorer.exe
PID 2628 wrote to memory of 2260	2628	safas2f.exe	explorer.exe
PID 2628 wrote to memory of 2260	2628	safas2f.exe	explorer.exe
PID 2628 wrote to memory of 2260	2628	safas2f.exe	explorer.exe
PID 2628 wrote to memory of 2260	2628	safas2f.exe	explorer.exe
PID 2628 wrote to memory of 2260	2628	safas2f.exe	explorer.exe
PID 2628 wrote to memory of 2260	2628	safas2f.exe	explorer.exe
PID 2628 wrote to memory of 2260	2628	safas2f.exe	explorer.exe
PID 2628 wrote to memory of 2260	2628	safas2f.exe	explorer.exe
PID 2628 wrote to memory of 2260	2628	safas2f.exe	explorer.exe
PID 2628 wrote to memory of 2260	2628	safas2f.exe	explorer.exe
PID 2628 wrote to memory of 2260	2628	safas2f.exe	explorer.exe
PID 2628 wrote to memory of 2260	2628	safas2f.exe	explorer.exe
PID 2628 wrote to memory of 2260	2628	safas2f.exe	explorer.exe
PID 2628 wrote to memory of 2260	2628	safas2f.exe	explorer.exe
PID 2628 wrote to memory of 2872	2628	safas2f.exe	bfsvc.exe
PID 2628 wrote to memory of 2872	2628	safas2f.exe	bfsvc.exe
PID 2628 wrote to memory of 2872	2628	safas2f.exe	bfsvc.exe
PID 2628 wrote to memory of 2872	2628	safas2f.exe	bfsvc.exe
PID 2628 wrote to memory of 2872	2628	safas2f.exe	bfsvc.exe
PID 2628 wrote to memory of 2872	2628	safas2f.exe	bfsvc.exe
PID 2628 wrote to memory of 2872	2628	safas2f.exe	bfsvc.exe
PID 2628 wrote to memory of 2872	2628	safas2f.exe	bfsvc.exe
PID 2628 wrote to memory of 2872	2628	safas2f.exe	bfsvc.exe
PID 2628 wrote to memory of 2872	2628	safas2f.exe	bfsvc.exe
PID 2628 wrote to memory of 2872	2628	safas2f.exe	bfsvc.exe
PID 2628 wrote to memory of 2872	2628	safas2f.exe	bfsvc.exe
PID 2628 wrote to memory of 2872	2628	safas2f.exe	bfsvc.exe
PID 2628 wrote to memory of 2872	2628	safas2f.exe	bfsvc.exe
PID 2628 wrote to memory of 2872	2628	safas2f.exe	bfsvc.exe
PID 2628 wrote to memory of 2872	2628	safas2f.exe	bfsvc.exe
PID 2628 wrote to memory of 2872	2628	safas2f.exe	bfsvc.exe
PID 2628 wrote to memory of 2872	2628	safas2f.exe	bfsvc.exe
PID 2628 wrote to memory of 2872	2628	safas2f.exe	bfsvc.exe
PID 2260 wrote to memory of 4260	2260	explorer.exe	RegHost.exe
PID 2260 wrote to memory of 4260	2260	explorer.exe	RegHost.exe
PID 4260 wrote to memory of 976	4260	RegHost.exe	explorer.exe
PID 4260 wrote to memory of 976	4260	RegHost.exe	explorer.exe
PID 4260 wrote to memory of 976	4260	RegHost.exe	explorer.exe
PID 4260 wrote to memory of 976	4260	RegHost.exe	explorer.exe
PID 4260 wrote to memory of 976	4260	RegHost.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\6e0fc3d593968917c8ed6ea577195296.exe
"C:\Users\Admin\AppData\Local\Temp\6e0fc3d593968917c8ed6ea577195296.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Users\Admin\AppData\Roaming\safas2f.exe
"C:\Users\Admin\AppData\Roaming\safas2f.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2260

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:976

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:3216

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4800

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
9⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:1980

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
10⤵
PID:3608

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
11⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:2964

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
12⤵
PID:4532

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
13⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:4696

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
14⤵
PID:4432

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
15⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:1856

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
16⤵
PID:796

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
17⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:1268

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
18⤵
PID:3244

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
19⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:4256

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
20⤵
PID:3456

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
21⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:3684

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
22⤵
PID:3240

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
23⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:2008

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
24⤵
PID:2772

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
24⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2708

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
22⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3212

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
20⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1336

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
18⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3828

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
16⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:892

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
14⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4156

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
12⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4524

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5020

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
8⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4780

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:372

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2872

C:\Users\Admin\AppData\Roaming\whw.exe
"C:\Users\Admin\AppData\Roaming\whw.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Users\Admin\AppData\Roaming\e3dwefw.exe
"C:\Users\Admin\AppData\Roaming\e3dwefw.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
4⤵
- Creates scheduled task(s)
PID:2684

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
2⤵
- Creates scheduled task(s)
PID:4816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
MD5
d66ffec81fd167adfb0505744f4df31e

SHA1
7e9fbbf1d04316334ee46cfa923330dc63b3155b

SHA256
5d33fd8f8ccea2910f1c0139e788b01c2fd3418f3956452a6db7a8aefeebc915

SHA512
227a7f30d8e02460c6a5798b26edc60e3fead6059407287fe696f5bcc63a3e4aab43f7b5e58ef6f26c4498cbad50371af3b3e302c8c3cf9dd90d8302072a3a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
MD5
d66ffec81fd167adfb0505744f4df31e

SHA1
7e9fbbf1d04316334ee46cfa923330dc63b3155b

SHA256
5d33fd8f8ccea2910f1c0139e788b01c2fd3418f3956452a6db7a8aefeebc915

SHA512
227a7f30d8e02460c6a5798b26edc60e3fead6059407287fe696f5bcc63a3e4aab43f7b5e58ef6f26c4498cbad50371af3b3e302c8c3cf9dd90d8302072a3a84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
MD5
67486b272027c5c08c37d2a7dfa3b019

SHA1
660cd3fa71e480e03b392ccfff95b1a651ec1563

SHA256
cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677

SHA512
6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
MD5
67486b272027c5c08c37d2a7dfa3b019

SHA1
660cd3fa71e480e03b392ccfff95b1a651ec1563

SHA256
cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677

SHA512
6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\e3dwefw.exe
MD5
67486b272027c5c08c37d2a7dfa3b019

SHA1
660cd3fa71e480e03b392ccfff95b1a651ec1563

SHA256
cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677

SHA512
6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61

Download Submit
C:\Users\Admin\AppData\Roaming\e3dwefw.exe
MD5
67486b272027c5c08c37d2a7dfa3b019

SHA1
660cd3fa71e480e03b392ccfff95b1a651ec1563

SHA256
cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677

SHA512
6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61

Download Submit
C:\Users\Admin\AppData\Roaming\safas2f.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\safas2f.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\whw.exe
MD5
c3b2c5a14962f6255d5dec89df0290ca

SHA1
5d58a9d83155abe4de0d4aacf6e2f3fc506d3cbb

SHA256
dd10774c996d64884b0cc34c42c1c7f3e43565e557183f636e37871ed6749901

SHA512
4ae964f14c427e65cea64591fd348a8d8562df3dd1aac9de563e5776f85d33be41756a61156428bdfa0809cf8ae8229a02893b4ca32f43021231f7b937fd083f

Download Submit
C:\Users\Admin\AppData\Roaming\whw.exe
MD5
c3b2c5a14962f6255d5dec89df0290ca

SHA1
5d58a9d83155abe4de0d4aacf6e2f3fc506d3cbb

SHA256
dd10774c996d64884b0cc34c42c1c7f3e43565e557183f636e37871ed6749901

SHA512
4ae964f14c427e65cea64591fd348a8d8562df3dd1aac9de563e5776f85d33be41756a61156428bdfa0809cf8ae8229a02893b4ca32f43021231f7b937fd083f

Download Submit
memory/372-239-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/372-237-0x00000001403A756C-mapping.dmp

Download
memory/396-160-0x0000000004FA0000-0x0000000004FEB000-memory.dmp

Filesize
300KB

Download
memory/396-197-0x0000000005300000-0x0000000005366000-memory.dmp

Filesize
408KB

Download
memory/396-242-0x0000000007EF0000-0x000000000841C000-memory.dmp

Filesize
5.2MB

Download
memory/396-166-0x0000000004E50000-0x0000000005456000-memory.dmp

Filesize
6.0MB

Download
memory/396-241-0x00000000077F0000-0x00000000079B2000-memory.dmp

Filesize
1.8MB

Download
memory/396-240-0x0000000006130000-0x0000000006180000-memory.dmp

Filesize
320KB

Download
memory/396-201-0x0000000005F50000-0x0000000005F6E000-memory.dmp

Filesize
120KB

Download
memory/396-147-0x0000000000000000-mapping.dmp

Download
memory/396-151-0x0000000000700000-0x0000000000720000-memory.dmp

Filesize
128KB

Download
memory/396-198-0x0000000006370000-0x000000000686E000-memory.dmp

Filesize
5.0MB

Download
memory/396-150-0x0000000000700000-0x0000000000720000-memory.dmp

Filesize
128KB

Download
memory/396-200-0x0000000005F90000-0x0000000006022000-memory.dmp

Filesize
584KB

Download
memory/396-153-0x0000000005460000-0x0000000005A66000-memory.dmp

Filesize
6.0MB

Download
memory/396-199-0x0000000005E70000-0x0000000005EE6000-memory.dmp

Filesize
472KB

Download
memory/396-158-0x0000000005030000-0x000000000513A000-memory.dmp

Filesize
1.0MB

Download
memory/396-159-0x0000000004F60000-0x0000000004F9E000-memory.dmp

Filesize
248KB

Download
memory/396-156-0x0000000004F00000-0x0000000004F12000-memory.dmp

Filesize
72KB

Download
memory/796-422-0x0000000140001C18-mapping.dmp

Download
memory/796-426-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/892-427-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/892-424-0x00000001403A756C-mapping.dmp

Download
memory/976-238-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/976-235-0x0000000140001C18-mapping.dmp

Download
memory/1268-459-0x00007FF6560B0000-0x00007FF656481000-memory.dmp

Filesize
3.8MB

Download
memory/1268-431-0x0000000000000000-mapping.dmp

Download
memory/1336-501-0x00000001403A756C-mapping.dmp

Download
memory/1452-141-0x0000000000000000-mapping.dmp

Download
memory/1856-391-0x0000000000000000-mapping.dmp

Download
memory/1856-425-0x00007FF6560C0000-0x00007FF656491000-memory.dmp

Filesize
3.8MB

Download
memory/1980-300-0x00007FF656000000-0x00007FF6563D1000-memory.dmp

Filesize
3.8MB

Download
memory/1980-280-0x0000000000000000-mapping.dmp

Download
memory/2008-542-0x0000000000000000-mapping.dmp

Download
memory/2260-195-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2260-191-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2260-192-0x0000000140001C18-mapping.dmp

Download
memory/2628-172-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-175-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-177-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-178-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-176-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-179-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-180-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-181-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-183-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-182-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-185-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-184-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-186-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-187-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-188-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-189-0x00007FF699410000-0x00007FF69AAA9000-memory.dmp

Filesize
22.6MB

Download
memory/2628-190-0x00007FF699410000-0x00007FF69AAA9000-memory.dmp

Filesize
22.6MB

Download
memory/2628-173-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-174-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-164-0x00007FF698E90000-0x00007FF699261000-memory.dmp

Filesize
3.8MB

Download
memory/2628-168-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-171-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-170-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-169-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-167-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-165-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-162-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-163-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-161-0x00007FFE18940000-0x00007FFE18950000-memory.dmp

Filesize
64KB

Download
memory/2628-144-0x0000000000000000-mapping.dmp

Download
memory/2684-157-0x0000000000000000-mapping.dmp

Download
memory/2708-576-0x00000001403A756C-mapping.dmp

Download
memory/2772-574-0x0000000140001C18-mapping.dmp

Download
memory/2872-193-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/2872-196-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/2872-194-0x00000001403A756C-mapping.dmp

Download
memory/2964-317-0x0000000000000000-mapping.dmp

Download
memory/2964-319-0x00007FF6562C0000-0x00007FF656691000-memory.dmp

Filesize
3.8MB

Download
memory/3184-152-0x0000000000000000-mapping.dmp

Download
memory/3212-539-0x00000001403A756C-mapping.dmp

Download
memory/3216-277-0x00007FF6564E0000-0x00007FF6568B1000-memory.dmp

Filesize
3.8MB

Download
memory/3216-243-0x0000000000000000-mapping.dmp

Download
memory/3240-537-0x0000000140001C18-mapping.dmp

Download
memory/3244-466-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/3244-463-0x0000000140001C18-mapping.dmp

Download
memory/3456-499-0x0000000140001C18-mapping.dmp

Download
memory/3608-315-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/3608-312-0x0000000140001C18-mapping.dmp

Download
memory/3684-505-0x0000000000000000-mapping.dmp

Download
memory/3828-465-0x00000001403A756C-mapping.dmp

Download
memory/3828-467-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/4156-390-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/4156-388-0x00000001403A756C-mapping.dmp

Download
memory/4192-120-0x0000000005510000-0x0000000005586000-memory.dmp

Filesize
472KB

Download
memory/4192-121-0x0000000005490000-0x00000000054AE000-memory.dmp

Filesize
120KB

Download
memory/4192-119-0x00000000050C0000-0x0000000005152000-memory.dmp

Filesize
584KB

Download
memory/4192-118-0x0000000005690000-0x0000000005B8E000-memory.dmp

Filesize
5.0MB

Download
memory/4192-117-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/4192-122-0x0000000005680000-0x000000000568A000-memory.dmp

Filesize
40KB

Download
memory/4192-116-0x00000000005F0000-0x00000000006E8000-memory.dmp

Filesize
992KB

Download
memory/4192-115-0x00000000005F0000-0x00000000006E8000-memory.dmp

Filesize
992KB

Download
memory/4256-468-0x0000000000000000-mapping.dmp

Download
memory/4260-203-0x0000000000000000-mapping.dmp

Download
memory/4260-231-0x00007FF657060000-0x00007FF6586F9000-memory.dmp

Filesize
22.6MB

Download
memory/4260-232-0x00007FF657060000-0x00007FF6586F9000-memory.dmp

Filesize
22.6MB

Download
memory/4260-233-0x00007FF656860000-0x00007FF656C31000-memory.dmp

Filesize
3.8MB

Download
memory/4432-386-0x0000000140001C18-mapping.dmp

Download
memory/4432-389-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/4508-124-0x000000000041C70E-mapping.dmp

Download
memory/4508-134-0x0000000006150000-0x00000000061C6000-memory.dmp

Filesize
472KB

Download
memory/4508-136-0x0000000006810000-0x0000000006D0E000-memory.dmp

Filesize
5.0MB

Download
memory/4508-133-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/4508-132-0x00000000058B0000-0x00000000058FB000-memory.dmp

Filesize
300KB

Download
memory/4508-131-0x0000000005800000-0x000000000583E000-memory.dmp

Filesize
248KB

Download
memory/4508-130-0x0000000004C90000-0x0000000004CF6000-memory.dmp

Filesize
408KB

Download
memory/4508-129-0x0000000004D30000-0x0000000004E3A000-memory.dmp

Filesize
1.0MB

Download
memory/4508-128-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4508-127-0x00000000051F0000-0x00000000057F6000-memory.dmp

Filesize
6.0MB

Download
memory/4508-140-0x0000000007CF0000-0x000000000821C000-memory.dmp

Filesize
5.2MB

Download
memory/4508-126-0x00000000007A0000-0x00000000007C2000-memory.dmp

Filesize
136KB

Download
memory/4508-125-0x00000000007A0000-0x00000000007C2000-memory.dmp

Filesize
136KB

Download
memory/4508-139-0x0000000006FE0000-0x00000000071A2000-memory.dmp

Filesize
1.8MB

Download
memory/4508-138-0x00000000065F0000-0x0000000006640000-memory.dmp

Filesize
320KB

Download
memory/4508-135-0x0000000006270000-0x0000000006302000-memory.dmp

Filesize
584KB

Download
memory/4508-137-0x0000000006410000-0x000000000642E000-memory.dmp

Filesize
120KB

Download
memory/4524-351-0x00000001403A756C-mapping.dmp

Download
memory/4524-353-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/4532-352-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/4532-349-0x0000000140001C18-mapping.dmp

Download
memory/4696-382-0x00007FF6566D0000-0x00007FF656AA1000-memory.dmp

Filesize
3.8MB

Download
memory/4696-354-0x0000000000000000-mapping.dmp

Download
memory/4780-279-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/4780-276-0x00000001403A756C-mapping.dmp

Download
memory/4800-274-0x0000000140001C18-mapping.dmp

Download
memory/4800-278-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/4816-430-0x0000000000000000-mapping.dmp

Download
memory/5020-316-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/5020-314-0x00000001403A756C-mapping.dmp

Download