a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5

Analysis

max time kernel
150s
max time network
122s
platform
windows10_x64
resource
win10-en-20211208
submitted
13-01-2022 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5.exe
Size

970KB
MD5

6e0fc3d593968917c8ed6ea577195296
SHA1

b0225393df8ed257ade0d6cb95ca14f0a92f4ea4
SHA256

a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5
SHA512

1e92bc275a185c7faa4db5b02aef12f14d30389f0daa4951a1866cf789964eedd30e272016906f8037f27d2cd62bfa3c63ff7433752a7d78187b80d08d8f8503

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 16 IoCs

Processes:

safas2f.exewhw.exee3dwefw.exeRegHost.exeRegHost.exeoobeldr.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

pid	process
936	safas2f.exe
2724	whw.exe
1392	e3dwefw.exe
3736	RegHost.exe
508	RegHost.exe
1316	oobeldr.exe
1292	RegHost.exe
2024	RegHost.exe
912	RegHost.exe
2372	RegHost.exe
2208	RegHost.exe
388	RegHost.exe
1164	RegHost.exe
1848	RegHost.exe
3184	RegHost.exe
4080	RegHost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exesafas2f.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	safas2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 52 IoCs

Processes:

safas2f.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exeRegHost.exebfsvc.exe

pid	process
936	safas2f.exe
936	safas2f.exe
3140	bfsvc.exe
3140	bfsvc.exe
3736	RegHost.exe
3736	RegHost.exe
3488	bfsvc.exe
3488	bfsvc.exe
508	RegHost.exe
508	RegHost.exe
4036	bfsvc.exe
4036	bfsvc.exe
1292	RegHost.exe
1292	RegHost.exe
2144	bfsvc.exe
2144	bfsvc.exe
2024	RegHost.exe
2024	RegHost.exe
3848	bfsvc.exe
3848	bfsvc.exe
912	RegHost.exe
912	RegHost.exe
2392	bfsvc.exe
2392	bfsvc.exe
2372	RegHost.exe
2372	RegHost.exe
2948	bfsvc.exe
2948	bfsvc.exe
2208	RegHost.exe
2208	RegHost.exe
3732	bfsvc.exe
3732	bfsvc.exe
388	RegHost.exe
388	RegHost.exe
3348	bfsvc.exe
3348	bfsvc.exe
1164	RegHost.exe
1164	RegHost.exe
1708	bfsvc.exe
1708	bfsvc.exe
1848	RegHost.exe
1848	RegHost.exe
368	bfsvc.exe
368	bfsvc.exe
3184	RegHost.exe
3184	RegHost.exe
2920	bfsvc.exe
2920	bfsvc.exe
4080	RegHost.exe
4080	RegHost.exe
2332	bfsvc.exe
2332	bfsvc.exe

Suspicious use of SetThreadContext 27 IoCs

Processes:

a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5.exesafas2f.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	pid	process	target process
PID 2720 set thread context of 3184	2720	a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5.exe	RegAsm.exe
PID 936 set thread context of 2876	936	safas2f.exe	explorer.exe
PID 936 set thread context of 3140	936	safas2f.exe	bfsvc.exe
PID 3736 set thread context of 1308	3736	RegHost.exe	explorer.exe
PID 3736 set thread context of 3488	3736	RegHost.exe	bfsvc.exe
PID 508 set thread context of 3292	508	RegHost.exe	explorer.exe
PID 508 set thread context of 4036	508	RegHost.exe	bfsvc.exe
PID 1292 set thread context of 1272	1292	RegHost.exe	explorer.exe
PID 1292 set thread context of 2144	1292	RegHost.exe	bfsvc.exe
PID 2024 set thread context of 2816	2024	RegHost.exe	explorer.exe
PID 2024 set thread context of 3848	2024	RegHost.exe	bfsvc.exe
PID 912 set thread context of 4088	912	RegHost.exe	explorer.exe
PID 912 set thread context of 2392	912	RegHost.exe	bfsvc.exe
PID 2372 set thread context of 904	2372	RegHost.exe	explorer.exe
PID 2372 set thread context of 2948	2372	RegHost.exe	bfsvc.exe
PID 2208 set thread context of 2780	2208	RegHost.exe	explorer.exe
PID 2208 set thread context of 3732	2208	RegHost.exe	bfsvc.exe
PID 388 set thread context of 3168	388	RegHost.exe	explorer.exe
PID 388 set thread context of 3348	388	RegHost.exe	bfsvc.exe
PID 1164 set thread context of 1236	1164	RegHost.exe	explorer.exe
PID 1164 set thread context of 1708	1164	RegHost.exe	bfsvc.exe
PID 1848 set thread context of 4072	1848	RegHost.exe	explorer.exe
PID 1848 set thread context of 368	1848	RegHost.exe	bfsvc.exe
PID 3184 set thread context of 2404	3184	RegHost.exe	explorer.exe
PID 3184 set thread context of 2920	3184	RegHost.exe	bfsvc.exe
PID 4080 set thread context of 4016	4080	RegHost.exe	explorer.exe
PID 4080 set thread context of 2332	4080	RegHost.exe	bfsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3676 schtasks.exe
4072 schtasks.exe

pid	process
3676	schtasks.exe
4072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RegAsm.exeexplorer.exewhw.exeexplorer.exeexplorer.exe

pid	process
3184	RegAsm.exe
3184	RegAsm.exe
3184	RegAsm.exe
2876	explorer.exe
2876	explorer.exe
2876	explorer.exe
2876	explorer.exe
2876	explorer.exe
2876	explorer.exe
2876	explorer.exe
2876	explorer.exe
2876	explorer.exe
2876	explorer.exe
2876	explorer.exe
2876	explorer.exe
2876	explorer.exe
2876	explorer.exe
2876	explorer.exe
2876	explorer.exe
2876	explorer.exe
2876	explorer.exe
2876	explorer.exe
2876	explorer.exe
2724	whw.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegAsm.exewhw.exe

description pid process

Token: SeDebugPrivilege 3184 RegAsm.exe
Token: SeDebugPrivilege 2724 whw.exe

description	pid	process
Token: SeDebugPrivilege	3184	RegAsm.exe
Token: SeDebugPrivilege	2724	whw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5.exeRegAsm.exee3dwefw.exesafas2f.exeexplorer.exeRegHost.exe

description	pid	process	target process
PID 2720 wrote to memory of 3184	2720	a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5.exe	RegAsm.exe
PID 2720 wrote to memory of 3184	2720	a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5.exe	RegAsm.exe
PID 2720 wrote to memory of 3184	2720	a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5.exe	RegAsm.exe
PID 2720 wrote to memory of 3184	2720	a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5.exe	RegAsm.exe
PID 2720 wrote to memory of 3184	2720	a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5.exe	RegAsm.exe
PID 2720 wrote to memory of 3184	2720	a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5.exe	RegAsm.exe
PID 2720 wrote to memory of 3184	2720	a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5.exe	RegAsm.exe
PID 2720 wrote to memory of 3184	2720	a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5.exe	RegAsm.exe
PID 3184 wrote to memory of 936	3184	RegAsm.exe	safas2f.exe
PID 3184 wrote to memory of 936	3184	RegAsm.exe	safas2f.exe
PID 3184 wrote to memory of 2724	3184	RegAsm.exe	whw.exe
PID 3184 wrote to memory of 2724	3184	RegAsm.exe	whw.exe
PID 3184 wrote to memory of 2724	3184	RegAsm.exe	whw.exe
PID 3184 wrote to memory of 1392	3184	RegAsm.exe	e3dwefw.exe
PID 3184 wrote to memory of 1392	3184	RegAsm.exe	e3dwefw.exe
PID 3184 wrote to memory of 1392	3184	RegAsm.exe	e3dwefw.exe
PID 1392 wrote to memory of 3676	1392	e3dwefw.exe	schtasks.exe
PID 1392 wrote to memory of 3676	1392	e3dwefw.exe	schtasks.exe
PID 1392 wrote to memory of 3676	1392	e3dwefw.exe	schtasks.exe
PID 936 wrote to memory of 2876	936	safas2f.exe	explorer.exe
PID 936 wrote to memory of 2876	936	safas2f.exe	explorer.exe
PID 936 wrote to memory of 2876	936	safas2f.exe	explorer.exe
PID 936 wrote to memory of 2876	936	safas2f.exe	explorer.exe
PID 936 wrote to memory of 2876	936	safas2f.exe	explorer.exe
PID 936 wrote to memory of 2876	936	safas2f.exe	explorer.exe
PID 936 wrote to memory of 2876	936	safas2f.exe	explorer.exe
PID 936 wrote to memory of 2876	936	safas2f.exe	explorer.exe
PID 936 wrote to memory of 2876	936	safas2f.exe	explorer.exe
PID 936 wrote to memory of 2876	936	safas2f.exe	explorer.exe
PID 936 wrote to memory of 2876	936	safas2f.exe	explorer.exe
PID 936 wrote to memory of 2876	936	safas2f.exe	explorer.exe
PID 936 wrote to memory of 2876	936	safas2f.exe	explorer.exe
PID 936 wrote to memory of 2876	936	safas2f.exe	explorer.exe
PID 936 wrote to memory of 2876	936	safas2f.exe	explorer.exe
PID 936 wrote to memory of 2876	936	safas2f.exe	explorer.exe
PID 936 wrote to memory of 2876	936	safas2f.exe	explorer.exe
PID 936 wrote to memory of 3140	936	safas2f.exe	bfsvc.exe
PID 936 wrote to memory of 3140	936	safas2f.exe	bfsvc.exe
PID 936 wrote to memory of 3140	936	safas2f.exe	bfsvc.exe
PID 936 wrote to memory of 3140	936	safas2f.exe	bfsvc.exe
PID 936 wrote to memory of 3140	936	safas2f.exe	bfsvc.exe
PID 936 wrote to memory of 3140	936	safas2f.exe	bfsvc.exe
PID 936 wrote to memory of 3140	936	safas2f.exe	bfsvc.exe
PID 936 wrote to memory of 3140	936	safas2f.exe	bfsvc.exe
PID 936 wrote to memory of 3140	936	safas2f.exe	bfsvc.exe
PID 936 wrote to memory of 3140	936	safas2f.exe	bfsvc.exe
PID 936 wrote to memory of 3140	936	safas2f.exe	bfsvc.exe
PID 936 wrote to memory of 3140	936	safas2f.exe	bfsvc.exe
PID 936 wrote to memory of 3140	936	safas2f.exe	bfsvc.exe
PID 936 wrote to memory of 3140	936	safas2f.exe	bfsvc.exe
PID 936 wrote to memory of 3140	936	safas2f.exe	bfsvc.exe
PID 936 wrote to memory of 3140	936	safas2f.exe	bfsvc.exe
PID 936 wrote to memory of 3140	936	safas2f.exe	bfsvc.exe
PID 936 wrote to memory of 3140	936	safas2f.exe	bfsvc.exe
PID 936 wrote to memory of 3140	936	safas2f.exe	bfsvc.exe
PID 2876 wrote to memory of 3736	2876	explorer.exe	RegHost.exe
PID 2876 wrote to memory of 3736	2876	explorer.exe	RegHost.exe
PID 3736 wrote to memory of 1308	3736	RegHost.exe	explorer.exe
PID 3736 wrote to memory of 1308	3736	RegHost.exe	explorer.exe
PID 3736 wrote to memory of 1308	3736	RegHost.exe	explorer.exe
PID 3736 wrote to memory of 1308	3736	RegHost.exe	explorer.exe
PID 3736 wrote to memory of 1308	3736	RegHost.exe	explorer.exe
PID 3736 wrote to memory of 1308	3736	RegHost.exe	explorer.exe
PID 3736 wrote to memory of 1308	3736	RegHost.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5.exe
"C:\Users\Admin\AppData\Local\Temp\a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184

C:\Users\Admin\AppData\Roaming\safas2f.exe
"C:\Users\Admin\AppData\Roaming\safas2f.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1308

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:508

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:3292

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
9⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:1292

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
10⤵
PID:1272

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
11⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:2024

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
12⤵
PID:2816

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
13⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:912

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
14⤵
PID:4088

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
15⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:2372

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
16⤵
PID:904

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
17⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:2208

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
18⤵
PID:2780

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
19⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:388

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
20⤵
PID:3168

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
21⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:1164

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
22⤵
PID:1236

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
23⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:1848

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
24⤵
PID:4072

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
25⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:3184

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
26⤵
PID:2404

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
27⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:4080

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
28⤵
PID:4016

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
28⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2332

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
26⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2920

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
24⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:368

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
22⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1708

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
20⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3348

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
18⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3732

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
16⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2948

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
14⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2392

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
12⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3848

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2144

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
8⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4036

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3488

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3140

C:\Users\Admin\AppData\Roaming\whw.exe
"C:\Users\Admin\AppData\Roaming\whw.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Users\Admin\AppData\Roaming\e3dwefw.exe
"C:\Users\Admin\AppData\Roaming\e3dwefw.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
4⤵
- Creates scheduled task(s)
PID:3676

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
PID:1316

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
2⤵
- Creates scheduled task(s)
PID:4072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
MD5
67486b272027c5c08c37d2a7dfa3b019

SHA1
660cd3fa71e480e03b392ccfff95b1a651ec1563

SHA256
cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677

SHA512
6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
MD5
67486b272027c5c08c37d2a7dfa3b019

SHA1
660cd3fa71e480e03b392ccfff95b1a651ec1563

SHA256
cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677

SHA512
6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\e3dwefw.exe
MD5
67486b272027c5c08c37d2a7dfa3b019

SHA1
660cd3fa71e480e03b392ccfff95b1a651ec1563

SHA256
cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677

SHA512
6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61

Download Submit
C:\Users\Admin\AppData\Roaming\e3dwefw.exe
MD5
67486b272027c5c08c37d2a7dfa3b019

SHA1
660cd3fa71e480e03b392ccfff95b1a651ec1563

SHA256
cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677

SHA512
6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61

Download Submit
C:\Users\Admin\AppData\Roaming\safas2f.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\safas2f.exe
MD5
bec308e8e2d80ce6ac72020f906c4e55

SHA1
38a97cc380b17b52adddd1d3e1bc2f3b6d5cc65e

SHA256
886c06036a616334323a6c4d6cdc863942a9944c8b1b07de1aee8f7d04877538

SHA512
ce37026b9c1048f2d5c44fa5c3ca4549eea224e38eeb8127f4c4a1a93a8f8d8bd77fd59b7f04c475b0807d78db6cfd11771b96108a6872d412cc6c9a5c2658b1

Download Submit
C:\Users\Admin\AppData\Roaming\whw.exe
MD5
c3b2c5a14962f6255d5dec89df0290ca

SHA1
5d58a9d83155abe4de0d4aacf6e2f3fc506d3cbb

SHA256
dd10774c996d64884b0cc34c42c1c7f3e43565e557183f636e37871ed6749901

SHA512
4ae964f14c427e65cea64591fd348a8d8562df3dd1aac9de563e5776f85d33be41756a61156428bdfa0809cf8ae8229a02893b4ca32f43021231f7b937fd083f

Download Submit
C:\Users\Admin\AppData\Roaming\whw.exe
MD5
c3b2c5a14962f6255d5dec89df0290ca

SHA1
5d58a9d83155abe4de0d4aacf6e2f3fc506d3cbb

SHA256
dd10774c996d64884b0cc34c42c1c7f3e43565e557183f636e37871ed6749901

SHA512
4ae964f14c427e65cea64591fd348a8d8562df3dd1aac9de563e5776f85d33be41756a61156428bdfa0809cf8ae8229a02893b4ca32f43021231f7b937fd083f

Download Submit
memory/368-572-0x00000001403A756C-mapping.dmp

Download
memory/388-465-0x0000000000000000-mapping.dmp

Download
memory/508-269-0x00007FF6EF420000-0x00007FF6EF7F1000-memory.dmp

Filesize
3.8MB

Download
memory/508-240-0x0000000000000000-mapping.dmp

Download
memory/904-426-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/904-423-0x0000000140001C18-mapping.dmp

Download
memory/912-354-0x0000000000000000-mapping.dmp

Download
memory/912-384-0x00007FF6EF600000-0x00007FF6EF9D1000-memory.dmp

Filesize
3.8MB

Download
memory/936-182-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-175-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-141-0x0000000000000000-mapping.dmp

Download
memory/936-187-0x00007FF6CECC0000-0x00007FF6D0359000-memory.dmp

Filesize
22.6MB

Download
memory/936-186-0x00007FF6CECC0000-0x00007FF6D0359000-memory.dmp

Filesize
22.6MB

Download
memory/936-185-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-184-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-181-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-183-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-180-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-179-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-178-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-177-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-176-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-158-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-159-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-160-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-163-0x00007FF6CDC00000-0x00007FF6CDFD1000-memory.dmp

Filesize
3.8MB

Download
memory/936-162-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-166-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-164-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-161-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-174-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-167-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-168-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-170-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-171-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-169-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-172-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/936-173-0x00007FF832B00000-0x00007FF832B10000-memory.dmp

Filesize
64KB

Download
memory/1164-502-0x0000000000000000-mapping.dmp

Download
memory/1236-533-0x0000000140001C18-mapping.dmp

Download
memory/1272-315-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1272-312-0x0000000140001C18-mapping.dmp

Download
memory/1292-280-0x0000000000000000-mapping.dmp

Download
memory/1292-282-0x00007FF6EFDF0000-0x00007FF6F01C1000-memory.dmp

Filesize
3.8MB

Download
memory/1308-238-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1308-235-0x0000000140001C18-mapping.dmp

Download
memory/1392-150-0x0000000000000000-mapping.dmp

Download
memory/1708-535-0x00000001403A756C-mapping.dmp

Download
memory/1848-538-0x0000000000000000-mapping.dmp

Download
memory/2024-317-0x0000000000000000-mapping.dmp

Download
memory/2024-351-0x00007FF6F0150000-0x00007FF6F0521000-memory.dmp

Filesize
3.8MB

Download
memory/2144-314-0x00000001403A756C-mapping.dmp

Download
memory/2144-316-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/2208-428-0x0000000000000000-mapping.dmp

Download
memory/2208-430-0x00007FF6EFE30000-0x00007FF6F0201000-memory.dmp

Filesize
3.8MB

Download
memory/2332-646-0x00000001403A756C-mapping.dmp

Download
memory/2372-391-0x0000000000000000-mapping.dmp

Download
memory/2372-419-0x00007FF6EFEA0000-0x00007FF6F0271000-memory.dmp

Filesize
3.8MB

Download
memory/2392-388-0x00000001403A756C-mapping.dmp

Download
memory/2392-390-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/2404-607-0x0000000140001C18-mapping.dmp

Download
memory/2720-121-0x0000000004E50000-0x0000000004E6E000-memory.dmp

Filesize
120KB

Download
memory/2720-122-0x0000000004FB0000-0x0000000004FBA000-memory.dmp

Filesize
40KB

Download
memory/2720-120-0x0000000005300000-0x0000000005376000-memory.dmp

Filesize
472KB

Download
memory/2720-119-0x0000000004E80000-0x0000000004F12000-memory.dmp

Filesize
584KB

Download
memory/2720-118-0x0000000005500000-0x00000000059FE000-memory.dmp

Filesize
5.0MB

Download
memory/2720-117-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/2720-116-0x00000000004C0000-0x00000000005B8000-memory.dmp

Filesize
992KB

Download
memory/2720-115-0x00000000004C0000-0x00000000005B8000-memory.dmp

Filesize
992KB

Download
memory/2724-195-0x0000000005B80000-0x0000000005BF6000-memory.dmp

Filesize
472KB

Download
memory/2724-148-0x0000000000FA0000-0x0000000000FC0000-memory.dmp

Filesize
128KB

Download
memory/2724-151-0x0000000003250000-0x0000000003262000-memory.dmp

Filesize
72KB

Download
memory/2724-152-0x0000000005930000-0x0000000005A3A000-memory.dmp

Filesize
1.0MB

Download
memory/2724-157-0x0000000005860000-0x00000000058AB000-memory.dmp

Filesize
300KB

Download
memory/2724-204-0x00000000079B0000-0x0000000007EDC000-memory.dmp

Filesize
5.2MB

Download
memory/2724-194-0x0000000006940000-0x0000000006E3E000-memory.dmp

Filesize
5.0MB

Download
memory/2724-203-0x00000000072B0000-0x0000000007472000-memory.dmp

Filesize
1.8MB

Download
memory/2724-156-0x0000000005820000-0x000000000585E000-memory.dmp

Filesize
248KB

Download
memory/2724-199-0x0000000007090000-0x00000000070E0000-memory.dmp

Filesize
320KB

Download
memory/2724-196-0x0000000005CA0000-0x0000000005D32000-memory.dmp

Filesize
584KB

Download
memory/2724-144-0x0000000000000000-mapping.dmp

Download
memory/2724-147-0x0000000000FA0000-0x0000000000FC0000-memory.dmp

Filesize
128KB

Download
memory/2724-165-0x0000000005820000-0x0000000005E26000-memory.dmp

Filesize
6.0MB

Download
memory/2724-198-0x0000000006440000-0x00000000064A6000-memory.dmp

Filesize
408KB

Download
memory/2724-197-0x0000000005C80000-0x0000000005C9E000-memory.dmp

Filesize
120KB

Download
memory/2724-149-0x0000000005E30000-0x0000000006436000-memory.dmp

Filesize
6.0MB

Download
memory/2780-460-0x0000000140001C18-mapping.dmp

Download
memory/2780-463-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2816-352-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2816-348-0x0000000140001C18-mapping.dmp

Download
memory/2876-190-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2876-189-0x0000000140001C18-mapping.dmp

Download
memory/2876-188-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2920-609-0x00000001403A756C-mapping.dmp

Download
memory/2948-427-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/2948-425-0x00000001403A756C-mapping.dmp

Download
memory/3140-191-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/3140-192-0x00000001403A756C-mapping.dmp

Download
memory/3140-193-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/3168-496-0x0000000140001C18-mapping.dmp

Download
memory/3184-134-0x0000000006AF0000-0x0000000006B66000-memory.dmp

Filesize
472KB

Download
memory/3184-135-0x0000000006C10000-0x0000000006CA2000-memory.dmp

Filesize
584KB

Download
memory/3184-123-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3184-124-0x000000000041C70E-mapping.dmp

Download
memory/3184-125-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3184-126-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3184-575-0x0000000000000000-mapping.dmp

Download
memory/3184-127-0x0000000005B10000-0x0000000006116000-memory.dmp

Filesize
6.0MB

Download
memory/3184-128-0x00000000055B0000-0x00000000055C2000-memory.dmp

Filesize
72KB

Download
memory/3184-129-0x00000000056E0000-0x00000000057EA000-memory.dmp

Filesize
1.0MB

Download
memory/3184-140-0x0000000008A30000-0x0000000008F5C000-memory.dmp

Filesize
5.2MB

Download
memory/3184-130-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/3184-139-0x0000000008330000-0x00000000084F2000-memory.dmp

Filesize
1.8MB

Download
memory/3184-131-0x0000000005AB0000-0x0000000005AEE000-memory.dmp

Filesize
248KB

Download
memory/3184-138-0x0000000006FA0000-0x0000000006FF0000-memory.dmp

Filesize
320KB

Download
memory/3184-137-0x0000000006DB0000-0x0000000006DCE000-memory.dmp

Filesize
120KB

Download
memory/3184-136-0x00000000071B0000-0x00000000076AE000-memory.dmp

Filesize
5.0MB

Download
memory/3184-132-0x0000000006270000-0x00000000062BB000-memory.dmp

Filesize
300KB

Download
memory/3184-133-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/3292-272-0x0000000140001C18-mapping.dmp

Download
memory/3292-275-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/3348-498-0x00000001403A756C-mapping.dmp

Download
memory/3488-239-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/3488-237-0x00000001403A756C-mapping.dmp

Download
memory/3676-155-0x0000000000000000-mapping.dmp

Download
memory/3732-462-0x00000001403A756C-mapping.dmp

Download
memory/3732-464-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/3736-201-0x0000000000000000-mapping.dmp

Download
memory/3736-231-0x00007FF6F0900000-0x00007FF6F1F99000-memory.dmp

Filesize
22.6MB

Download
memory/3736-233-0x00007FF6F01C0000-0x00007FF6F0591000-memory.dmp

Filesize
3.8MB

Download
memory/3736-232-0x00007FF6F0900000-0x00007FF6F1F99000-memory.dmp

Filesize
22.6MB

Download
memory/3848-350-0x00000001403A756C-mapping.dmp

Download
memory/3848-353-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/4016-644-0x0000000140001C18-mapping.dmp

Download
memory/4036-274-0x00000001403A756C-mapping.dmp

Download
memory/4036-276-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/4072-279-0x0000000000000000-mapping.dmp

Download
memory/4072-570-0x0000000140001C18-mapping.dmp

Download
memory/4080-612-0x0000000000000000-mapping.dmp

Download
memory/4088-389-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/4088-386-0x0000000140001C18-mapping.dmp

Download