650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b

General
Target

650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe

Filesize

578KB

Completed

19-01-2022 15:13

Score
10/10
MD5

dfbf1c3345fa6eecbc7625e48745bb5d

SHA1

4052413e09323f822f5e4dcbd8a82ca376d6e26f

SHA256

650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b

Malware Config
Signatures 19

Collection
Credential Access
Defense Evasion
Discovery
Persistence
  • Modifies Windows Defender Real-time Protection settings

    TTPs

    Modify Registry, Modify Existing Service, Disabling Security Tools
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Downloads MZ/PE file
  • Executes dropped EXE
    fl.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe

    Reported IOCs

    pid   process
    4392  fl.exe
    1500  RegHost.exe
    2772  RegHost.exe
    4756  RegHost.exe
    1924  RegHost.exe
    4128  RegHost.exe
    3552  RegHost.exe
    1548  RegHost.exe
    3504  RegHost.exe
    2388  RegHost.exe
    3480  RegHost.exe
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource                                                                     yara_rule
    behavioral1/memory/916-145-0x0000000140000000-0x000000014274C000-memory.dmp  upx
  • Checks BIOS information in registry
    RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, fl.exe, RegHost.exe, RegHost.exe, RegHost.exe

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   fl.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  fl.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Reported IOCs

    resource                                                                      yara_rule
    behavioral1/files/0x000500000001ab6d-140.dat                                  themida
    behavioral1/files/0x000500000001ab6d-141.dat                                  themida
    behavioral1/memory/4392-142-0x00007FF7EC340000-0x00007FF7EC77B000-memory.dmp  themida
    behavioral1/memory/4392-143-0x00007FF7EC340000-0x00007FF7EC77B000-memory.dmp  themida
    behavioral1/memory/4392-144-0x00007FF7EC340000-0x00007FF7EC77B000-memory.dmp  themida
    behavioral1/files/0x000500000001ab71-148.dat                                  themida
    behavioral1/files/0x000500000001ab71-149.dat                                  themida
    behavioral1/memory/1500-150-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/1500-151-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/1500-152-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/files/0x000500000001ab71-156.dat                                  themida
    behavioral1/memory/2772-157-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/2772-158-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/2772-159-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/files/0x000500000001ab71-163.dat                                  themida
    behavioral1/memory/4756-164-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/4756-165-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/4756-166-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/files/0x000500000001ab71-170.dat                                  themida
    behavioral1/memory/1924-171-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/1924-172-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/1924-173-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/files/0x000500000001ab71-177.dat                                  themida
    behavioral1/memory/4128-178-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/4128-179-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/4128-180-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/files/0x000500000001ab71-184.dat                                  themida
    behavioral1/memory/3552-185-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/3552-186-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/3552-187-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/files/0x000500000001ab71-191.dat                                  themida
    behavioral1/memory/1548-192-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/1548-193-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/1548-194-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/files/0x000500000001ab71-198.dat                                  themida
    behavioral1/memory/3504-199-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/3504-200-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/3504-201-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/files/0x000500000001ab71-205.dat                                  themida
    behavioral1/memory/2388-206-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/2388-207-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/2388-208-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/files/0x000500000001ab71-212.dat                                  themida
    behavioral1/memory/3480-213-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/3480-214-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
    behavioral1/memory/3480-215-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp  themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application
    RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, fl.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description      ioc                                                                                                                                 process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  fl.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry
  • Checks whether UAC is enabled
    RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, fl.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description        ioc                                                                          process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  fl.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe

    Reported IOCs

    pid   process
    3996  650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe
  • Suspicious use of SetThreadContext
    fl.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe, RegHost.exe

    Reported IOCs

    description                          pid   process      target process
    PID 4392 set thread context of 916   4392  fl.exe       bfsvc.exe
    PID 4392 set thread context of 1088  4392  fl.exe       explorer.exe
    PID 1500 set thread context of 1820  1500  RegHost.exe  bfsvc.exe
    PID 1500 set thread context of 2184  1500  RegHost.exe  explorer.exe
    PID 2772 set thread context of 3600  2772  RegHost.exe  bfsvc.exe
    PID 2772 set thread context of 4508  2772  RegHost.exe  explorer.exe
    PID 4756 set thread context of 1964  4756  RegHost.exe  bfsvc.exe
    PID 4756 set thread context of 5088  4756  RegHost.exe  explorer.exe
    PID 1924 set thread context of 4976  1924  RegHost.exe  bfsvc.exe
    PID 1924 set thread context of 2928  1924  RegHost.exe  explorer.exe
    PID 4128 set thread context of 392   4128  RegHost.exe  bfsvc.exe
    PID 4128 set thread context of 3244  4128  RegHost.exe  explorer.exe
    PID 3552 set thread context of 1452  3552  RegHost.exe  bfsvc.exe
    PID 3552 set thread context of 2396  3552  RegHost.exe  explorer.exe
    PID 1548 set thread context of 1800  1548  RegHost.exe  bfsvc.exe
    PID 1548 set thread context of 1680  1548  RegHost.exe  explorer.exe
    PID 3504 set thread context of 3764  3504  RegHost.exe  bfsvc.exe
    PID 3504 set thread context of 1264  3504  RegHost.exe  explorer.exe
    PID 2388 set thread context of 2220  2388  RegHost.exe  bfsvc.exe
    PID 2388 set thread context of 3964  2388  RegHost.exe  explorer.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Program crash
    WerFault.exe

    Reported IOCs

    pid   pid_target  process       target process
    4600  3480        WerFault.exe  RegHost.exe
  • Suspicious behavior: EnumeratesProcesses
    650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe, explorer.exe, explorer.exe, explorer.exe, explorer.exe

    Reported IOCs

    pid   process
    3996  650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe
    3996  650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe
    3996  650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe
    1088  explorer.exe
    1088  explorer.exe
    1088  explorer.exe
    1088  explorer.exe
    1088  explorer.exe
    1088  explorer.exe
    1088  explorer.exe
    1088  explorer.exe
    1088  explorer.exe
    1088  explorer.exe
    1088  explorer.exe
    1088  explorer.exe
    1088  explorer.exe
    1088  explorer.exe
    1088  explorer.exe
    1088  explorer.exe
    1088  explorer.exe
    1088  explorer.exe
    1088  explorer.exe
    1088  explorer.exe
    2184  explorer.exe
    2184  explorer.exe
    2184  explorer.exe
    2184  explorer.exe
    2184  explorer.exe
    2184  explorer.exe
    2184  explorer.exe
    2184  explorer.exe
    2184  explorer.exe
    2184  explorer.exe
    2184  explorer.exe
    2184  explorer.exe
    2184  explorer.exe
    2184  explorer.exe
    2184  explorer.exe
    2184  explorer.exe
    2184  explorer.exe
    2184  explorer.exe
    2184  explorer.exe
    2184  explorer.exe
    4508  explorer.exe
    4508  explorer.exe
    4508  explorer.exe
    4508  explorer.exe
    4508  explorer.exe
    4508  explorer.exe
    4508  explorer.exe
    4508  explorer.exe
    4508  explorer.exe
    4508  explorer.exe
    4508  explorer.exe
    4508  explorer.exe
    4508  explorer.exe
    4508  explorer.exe
    4508  explorer.exe
    4508  explorer.exe
    4508  explorer.exe
    4508  explorer.exe
    4508  explorer.exe
    4508  explorer.exe
    5088  explorer.exe
  • Suspicious use of AdjustPrivilegeToken
    650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe, WerFault.exe

    Reported IOCs

    description              pid   process
    Token: SeDebugPrivilege  3996  650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe
    Token: SeDebugPrivilege  4600  WerFault.exe
  • Suspicious use of WriteProcessMemory
    650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe, fl.exe, explorer.exe, RegHost.exe, explorer.exe, RegHost.exe

    Reported IOCs

    description                        pid   process                                                                target process
    PID 3996 wrote to memory of 4392   3996  650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe  fl.exe
    PID 3996 wrote to memory of 4392   3996  650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe  fl.exe
    PID 4392 wrote to memory of 916    4392  fl.exe                                                                 bfsvc.exe
    PID 4392 wrote to memory of 916    4392  fl.exe                                                                 bfsvc.exe
    PID 4392 wrote to memory of 916    4392  fl.exe                                                                 bfsvc.exe
    PID 4392 wrote to memory of 916    4392  fl.exe                                                                 bfsvc.exe
    PID 4392 wrote to memory of 916    4392  fl.exe                                                                 bfsvc.exe
    PID 4392 wrote to memory of 916    4392  fl.exe                                                                 bfsvc.exe
    PID 4392 wrote to memory of 916    4392  fl.exe                                                                 bfsvc.exe
    PID 4392 wrote to memory of 916    4392  fl.exe                                                                 bfsvc.exe
    PID 4392 wrote to memory of 916    4392  fl.exe                                                                 bfsvc.exe
    PID 4392 wrote to memory of 1088   4392  fl.exe                                                                 explorer.exe
    PID 4392 wrote to memory of 1088   4392  fl.exe                                                                 explorer.exe
    PID 4392 wrote to memory of 1088   4392  fl.exe                                                                 explorer.exe
    PID 4392 wrote to memory of 1088   4392  fl.exe                                                                 explorer.exe
    PID 4392 wrote to memory of 1088   4392  fl.exe                                                                 explorer.exe
    PID 4392 wrote to memory of 1088   4392  fl.exe                                                                 explorer.exe
    PID 4392 wrote to memory of 1088   4392  fl.exe                                                                 explorer.exe
    PID 4392 wrote to memory of 1088   4392  fl.exe                                                                 explorer.exe
    PID 4392 wrote to memory of 1088   4392  fl.exe                                                                 explorer.exe
    PID 4392 wrote to memory of 1088   4392  fl.exe                                                                 explorer.exe
    PID 4392 wrote to memory of 1088   4392  fl.exe                                                                 explorer.exe
    PID 4392 wrote to memory of 1088   4392  fl.exe                                                                 explorer.exe
    PID 4392 wrote to memory of 1088   4392  fl.exe                                                                 explorer.exe
    PID 4392 wrote to memory of 1088   4392  fl.exe                                                                 explorer.exe
    PID 4392 wrote to memory of 1088   4392  fl.exe                                                                 explorer.exe
    PID 4392 wrote to memory of 1088   4392  fl.exe                                                                 explorer.exe
    PID 4392 wrote to memory of 1088   4392  fl.exe                                                                 explorer.exe
    PID 1088 wrote to memory of 1500   1088  explorer.exe                                                           RegHost.exe
    PID 1088 wrote to memory of 1500   1088  explorer.exe                                                           RegHost.exe
    PID 1500 wrote to memory of 1820   1500  RegHost.exe                                                            bfsvc.exe
    PID 1500 wrote to memory of 1820   1500  RegHost.exe                                                            bfsvc.exe
    PID 1500 wrote to memory of 1820   1500  RegHost.exe                                                            bfsvc.exe
    PID 1500 wrote to memory of 1820   1500  RegHost.exe                                                            bfsvc.exe
    PID 1500 wrote to memory of 1820   1500  RegHost.exe                                                            bfsvc.exe
    PID 1500 wrote to memory of 1820   1500  RegHost.exe                                                            bfsvc.exe
    PID 1500 wrote to memory of 1820   1500  RegHost.exe                                                            bfsvc.exe
    PID 1500 wrote to memory of 1820   1500  RegHost.exe                                                            bfsvc.exe
    PID 1500 wrote to memory of 1820   1500  RegHost.exe                                                            bfsvc.exe
    PID 1500 wrote to memory of 2184   1500  RegHost.exe                                                            explorer.exe
    PID 1500 wrote to memory of 2184   1500  RegHost.exe                                                            explorer.exe
    PID 1500 wrote to memory of 2184   1500  RegHost.exe                                                            explorer.exe
    PID 1500 wrote to memory of 2184   1500  RegHost.exe                                                            explorer.exe
    PID 1500 wrote to memory of 2184   1500  RegHost.exe                                                            explorer.exe
    PID 1500 wrote to memory of 2184   1500  RegHost.exe                                                            explorer.exe
    PID 1500 wrote to memory of 2184   1500  RegHost.exe                                                            explorer.exe
    PID 1500 wrote to memory of 2184   1500  RegHost.exe                                                            explorer.exe
    PID 1500 wrote to memory of 2184   1500  RegHost.exe                                                            explorer.exe
    PID 1500 wrote to memory of 2184   1500  RegHost.exe                                                            explorer.exe
    PID 1500 wrote to memory of 2184   1500  RegHost.exe                                                            explorer.exe
    PID 1500 wrote to memory of 2184   1500  RegHost.exe                                                            explorer.exe
    PID 1500 wrote to memory of 2184   1500  RegHost.exe                                                            explorer.exe
    PID 1500 wrote to memory of 2184   1500  RegHost.exe                                                            explorer.exe
    PID 1500 wrote to memory of 2184   1500  RegHost.exe                                                            explorer.exe
    PID 1500 wrote to memory of 2184   1500  RegHost.exe                                                            explorer.exe
    PID 1500 wrote to memory of 2184   1500  RegHost.exe                                                            explorer.exe
    PID 2184 wrote to memory of 2772   2184  explorer.exe                                                           RegHost.exe
    PID 2184 wrote to memory of 2772   2184  explorer.exe                                                           RegHost.exe
    PID 2772 wrote to memory of 3600   2772  RegHost.exe                                                            bfsvc.exe
    PID 2772 wrote to memory of 3600   2772  RegHost.exe                                                            bfsvc.exe
    PID 2772 wrote to memory of 3600   2772  RegHost.exe                                                            bfsvc.exe
    PID 2772 wrote to memory of 3600   2772  RegHost.exe                                                            bfsvc.exe
    PID 2772 wrote to memory of 3600   2772  RegHost.exe                                                            bfsvc.exe
    PID 2772 wrote to memory of 3600   2772  RegHost.exe                                                            bfsvc.exe
Processes 33
  • C:\Users\Admin\AppData\Local\Temp\650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe
    "C:\Users\Admin\AppData\Local\Temp\650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe"
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Users\Admin\AppData\Local\Temp\fl.exe
      "C:\Users\Admin\AppData\Local\Temp\fl.exe"
      Executes dropped EXE
      Checks BIOS information in registry
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4392
      • C:\Windows\bfsvc.exe
        C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm
        PID:916
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        PID:1088
        • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
          Executes dropped EXE
          Checks BIOS information in registry
          Adds Run key to start application
          Checks whether UAC is enabled
          Suspicious use of SetThreadContext
          Suspicious use of WriteProcessMemory
          PID:1500
          • C:\Windows\bfsvc.exe
            C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm
            PID:1820
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of WriteProcessMemory
            PID:2184
            • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
              Executes dropped EXE
              Checks BIOS information in registry
              Adds Run key to start application
              Checks whether UAC is enabled
              Suspicious use of SetThreadContext
              Suspicious use of WriteProcessMemory
              PID:2772
              • C:\Windows\bfsvc.exe
                C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm
                PID:3600
              • C:\Windows\explorer.exe
                C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
                Suspicious behavior: EnumeratesProcesses
                PID:4508
                • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                  "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                  Executes dropped EXE
                  Checks BIOS information in registry
                  Adds Run key to start application
                  Checks whether UAC is enabled
                  Suspicious use of SetThreadContext
                  PID:4756
                  • C:\Windows\bfsvc.exe
                    C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm
                    PID:1964
                  • C:\Windows\explorer.exe
                    C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
                    Suspicious behavior: EnumeratesProcesses
                    PID:5088
                    • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                      "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                      Executes dropped EXE
                      Checks BIOS information in registry
                      Adds Run key to start application
                      Checks whether UAC is enabled
                      Suspicious use of SetThreadContext
                      PID:1924
                      • C:\Windows\bfsvc.exe
                        C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm
                        PID:4976
                      • C:\Windows\explorer.exe
                        C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
                        PID:2928
                        • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                          "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                          Executes dropped EXE
                          Checks BIOS information in registry
                          Adds Run key to start application
                          Checks whether UAC is enabled
                          Suspicious use of SetThreadContext
                          PID:4128
                          • C:\Windows\bfsvc.exe
                            C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm
                            PID:392
                          • C:\Windows\explorer.exe
                            C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
                            PID:3244
                            • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                              "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                              Executes dropped EXE
                              Checks BIOS information in registry
                              Adds Run key to start application
                              Checks whether UAC is enabled
                              Suspicious use of SetThreadContext
                              PID:3552
                              • C:\Windows\bfsvc.exe
                                C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm
                                PID:1452
                              • C:\Windows\explorer.exe
                                C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
                                PID:2396
                                • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                                  "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                                  Executes dropped EXE
                                  Checks BIOS information in registry
                                  Adds Run key to start application
                                  Checks whether UAC is enabled
                                  Suspicious use of SetThreadContext
                                  PID:1548
                                  • C:\Windows\bfsvc.exe
                                    C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm
                                    PID:1800
                                  • C:\Windows\explorer.exe
                                    C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
                                    PID:1680
                                    • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                                      "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                                      Executes dropped EXE
                                      Checks BIOS information in registry
                                      Adds Run key to start application
                                      Checks whether UAC is enabled
                                      Suspicious use of SetThreadContext
                                      PID:3504
                                      • C:\Windows\bfsvc.exe
                                        C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm
                                        PID:3764
                                      • C:\Windows\explorer.exe
                                        C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
                                        PID:1264
                                        • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                                          "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                                          Executes dropped EXE
                                          Checks BIOS information in registry
                                          Adds Run key to start application
                                          Checks whether UAC is enabled
                                          Suspicious use of SetThreadContext
                                          PID:2388
                                          • C:\Windows\bfsvc.exe
                                            C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm
                                            PID:2220
                                          • C:\Windows\explorer.exe
                                            C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
                                            PID:3964
                                            • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                                              "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                                              Executes dropped EXE
                                              Checks BIOS information in registry
                                              Adds Run key to start application
                                              Checks whether UAC is enabled
                                              PID:3480
                                              • C:\Windows\system32\WerFault.exe
                                                C:\Windows\system32\WerFault.exe -u -p 3480 -s 572
                                                Program crash
                                                Suspicious use of AdjustPrivilegeToken
                                                PID:4600
Network
MITRE ATT&CK Matrix
Command and Control
Credential Access
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\fl.exe

    MD5

    600c20e18834769dc0ae528c69108a5d

    SHA1

    743b942a951d381c0e3efc1fac3e2f09740769c2

    SHA256

    b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb

    SHA512

    36079c25f17ce81de7ebe8b3225421191ba73c1f7a9cf049c7bbc818f8b2b5c157e279dc8e2aeb3d5addb93e233768792ad52a2e75218d55ddfeaf46e30e20ec

                • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                  MD5: 600c20e18834769dc0ae528c69108a5d
                  SHA1: 743b942a951d381c0e3efc1fac3e2f09740769c2
                  SHA256: b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb
                  SHA512: 36079c25f17ce81de7ebe8b3225421191ba73c1f7a9cf049c7bbc818f8b2b5c157e279dc8e2aeb3d5addb93e233768792ad52a2e75218d55ddfeaf46e30e20ec

                • memory/916-145-0x0000000140000000-0x000000014274C000-memory.dmp

                • memory/1088-147-0x0000000140000000-0x000000014002A000-memory.dmp

                • memory/1088-146-0x0000000140000000-0x000000014002A000-memory.dmp

                • memory/1264-204-0x0000000140000000-0x000000014002A000-memory.dmp

                • memory/1500-150-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/1500-151-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/1500-152-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/1548-193-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/1548-194-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/1548-192-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/1680-197-0x0000000140000000-0x000000014002A000-memory.dmp

                • memory/1924-173-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/1924-172-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/1924-171-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/2184-155-0x0000000140000000-0x000000014002A000-memory.dmp

                • memory/2388-206-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/2388-207-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/2388-208-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/2396-190-0x0000000140000000-0x000000014002A000-memory.dmp

                • memory/2772-158-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/2772-157-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/2772-159-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/2928-176-0x0000000140000000-0x000000014002A000-memory.dmp

                • memory/3244-183-0x0000000140000000-0x000000014002A000-memory.dmp

                • memory/3480-215-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/3480-213-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/3480-214-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/3504-199-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/3504-200-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/3504-201-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/3552-187-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/3552-186-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/3552-185-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/3964-211-0x0000000140000000-0x000000014002A000-memory.dmp

                • memory/3996-126-0x0000000005790000-0x0000000005791000-memory.dmp

                • memory/3996-120-0x0000000001000000-0x0000000001071000-memory.dmp

                • memory/3996-121-0x0000000001000000-0x0000000001071000-memory.dmp

                • memory/3996-122-0x0000000072990000-0x0000000072A10000-memory.dmp

                • memory/3996-139-0x00000000082E0000-0x000000000880C000-memory.dmp

                • memory/3996-138-0x0000000007370000-0x00000000073C0000-memory.dmp

                • memory/3996-137-0x00000000064C0000-0x00000000064DE000-memory.dmp

                • memory/3996-123-0x0000000005DB0000-0x00000000063B6000-memory.dmp

                • memory/3996-124-0x00000000057A0000-0x00000000057B2000-memory.dmp

                • memory/3996-125-0x00000000058D0000-0x00000000059DA000-memory.dmp

                • memory/3996-136-0x0000000006560000-0x00000000065F2000-memory.dmp

                • memory/3996-135-0x0000000006440000-0x00000000064B6000-memory.dmp

                • memory/3996-119-0x0000000076130000-0x0000000076221000-memory.dmp

                • memory/3996-118-0x0000000002D90000-0x0000000002DD4000-memory.dmp

                • memory/3996-117-0x0000000074D70000-0x0000000074F32000-memory.dmp

                • memory/3996-134-0x0000000005B40000-0x0000000005BA6000-memory.dmp

                • memory/3996-133-0x00000000068C0000-0x0000000006DBE000-memory.dmp

                • memory/3996-132-0x0000000070BE0000-0x0000000070C2B000-memory.dmp

                • memory/3996-131-0x0000000005870000-0x00000000058BB000-memory.dmp

                • memory/3996-130-0x00000000768C0000-0x0000000077C08000-memory.dmp

                • memory/3996-129-0x0000000074F40000-0x00000000754C4000-memory.dmp

                • memory/3996-128-0x0000000005BB0000-0x0000000005D72000-memory.dmp

                • memory/3996-127-0x0000000005800000-0x000000000583E000-memory.dmp

                • memory/3996-115-0x0000000001000000-0x0000000001071000-memory.dmp

                • memory/4128-180-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/4128-179-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/4128-178-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/4392-142-0x00007FF7EC340000-0x00007FF7EC77B000-memory.dmp

                • memory/4392-143-0x00007FF7EC340000-0x00007FF7EC77B000-memory.dmp

                • memory/4392-144-0x00007FF7EC340000-0x00007FF7EC77B000-memory.dmp

                • memory/4508-162-0x0000000140000000-0x000000014002A000-memory.dmp

                • memory/4756-166-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/4756-165-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/4756-164-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

                • memory/5088-169-0x0000000140000000-0x000000014002A000-memory.dmp