redline | 04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd

Analysis

max time kernel
123s
max time network
146s
platform
windows10_x64
resource
win10-en-20211208
submitted
29-01-2022 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe
Size

48KB
MD5

6cacd4748ecedd5c5242ef62a941ecbb
SHA1

1abc42914153674634cc58674c8d4314fbe22188
SHA256

04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd
SHA512

a796b796f8b1acb1494e86fda8ac6fcfe6294011cc00b978459e7f3b76006733a4dc6df6b661660413d979d7e72c3f6c0d43e587ec08e718d49a349bc68596ea

Score

10^/10

redline 2142468762 discovery evasion infostealer persistence spyware stealer suricata themida trojan

Malware Config

Extracted

Family

redline

Botnet

2142468762

45.9.20.40:50162

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1300-137-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 668 created 1424 668 WerFault.exe RegHost.exe
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

description	pid	process	target process
PID 668 created 1424	668	WerFault.exe	RegHost.exe

Executes dropped EXE 10 IoCs

Processes:

a.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

pid	process
1872	a.exe
64	RegHost.exe
1648	RegHost.exe
832	RegHost.exe
644	RegHost.exe
2516	RegHost.exe
1964	RegHost.exe
1884	RegHost.exe
2392	RegHost.exe
1424	RegHost.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 42 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a.exe	themida
C:\Users\Admin\AppData\Local\Temp\a.exe	themida
behavioral1/memory/1872-152-0x00007FF7F8630000-0x00007FF7F8A18000-memory.dmp	themida
behavioral1/memory/1872-153-0x00007FF7F8630000-0x00007FF7F8A18000-memory.dmp	themida
behavioral1/memory/1872-154-0x00007FF7F8630000-0x00007FF7F8A18000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/64-161-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
behavioral1/memory/64-162-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
behavioral1/memory/64-163-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/1648-169-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
behavioral1/memory/1648-170-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
behavioral1/memory/1648-171-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/832-177-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
behavioral1/memory/832-178-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
behavioral1/memory/832-179-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/644-185-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
behavioral1/memory/644-186-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
behavioral1/memory/644-187-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/2516-193-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
behavioral1/memory/2516-194-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
behavioral1/memory/2516-195-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/1964-201-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
behavioral1/memory/1964-202-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
behavioral1/memory/1964-203-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/1884-209-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
behavioral1/memory/1884-210-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
behavioral1/memory/1884-211-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/2392-217-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
behavioral1/memory/2392-218-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
behavioral1/memory/2392-219-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/1424-225-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
behavioral1/memory/1424-226-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida
behavioral1/memory/1424-227-0x00007FF702120000-0x00007FF702508000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 10 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exea.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs

Processes:

bfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exe

pid	process
2956	bfsvc.exe
2956	bfsvc.exe
3936	bfsvc.exe
3936	bfsvc.exe
3104	bfsvc.exe
3104	bfsvc.exe
1288	bfsvc.exe
1288	bfsvc.exe
3480	bfsvc.exe
3480	bfsvc.exe
2264	bfsvc.exe
2264	bfsvc.exe
2540	bfsvc.exe
2540	bfsvc.exe
3704	bfsvc.exe
3704	bfsvc.exe
3536	bfsvc.exe
3536	bfsvc.exe

Suspicious use of SetThreadContext 19 IoCs

Processes:

04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exea.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	pid	process	target process
PID 3484 set thread context of 1300	3484	04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe	RegAsm.exe
PID 1872 set thread context of 2956	1872	a.exe	bfsvc.exe
PID 1872 set thread context of 3280	1872	a.exe	explorer.exe
PID 64 set thread context of 3936	64	RegHost.exe	bfsvc.exe
PID 64 set thread context of 3192	64	RegHost.exe	explorer.exe
PID 1648 set thread context of 3104	1648	RegHost.exe	bfsvc.exe
PID 1648 set thread context of 2580	1648	RegHost.exe	explorer.exe
PID 832 set thread context of 1288	832	RegHost.exe	bfsvc.exe
PID 832 set thread context of 1560	832	RegHost.exe	explorer.exe
PID 644 set thread context of 3480	644	RegHost.exe	bfsvc.exe
PID 644 set thread context of 3484	644	RegHost.exe	explorer.exe
PID 2516 set thread context of 2264	2516	RegHost.exe	bfsvc.exe
PID 2516 set thread context of 980	2516	RegHost.exe	explorer.exe
PID 1964 set thread context of 2540	1964	RegHost.exe	bfsvc.exe
PID 1964 set thread context of 3620	1964	RegHost.exe	explorer.exe
PID 1884 set thread context of 3704	1884	RegHost.exe	bfsvc.exe
PID 1884 set thread context of 3136	1884	RegHost.exe	explorer.exe
PID 2392 set thread context of 3536	2392	RegHost.exe	bfsvc.exe
PID 2392 set thread context of 2908	2392	RegHost.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

668 1424 WerFault.exe RegHost.exe

pid	pid_target	process	target process
668	1424	WerFault.exe	RegHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exeRegAsm.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2620	powershell.exe
2620	powershell.exe
2620	powershell.exe
3484	04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe
3484	04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe
1300	RegAsm.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3192	explorer.exe
3192	explorer.exe
3192	explorer.exe
3192	explorer.exe
3192	explorer.exe
3192	explorer.exe
3192	explorer.exe
3192	explorer.exe
3192	explorer.exe
3192	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
3484	explorer.exe
3484	explorer.exe
3484	explorer.exe
3484	explorer.exe
3484	explorer.exe
3484	explorer.exe
3484	explorer.exe
3484	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exe04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exeRegAsm.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	3484	04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe
Token: SeDebugPrivilege	1300	RegAsm.exe
Token: SeDebugPrivilege	668	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exeRegAsm.exea.exeexplorer.exeRegHost.exe

description	pid	process	target process
PID 3484 wrote to memory of 2620	3484	04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe	powershell.exe
PID 3484 wrote to memory of 2620	3484	04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe	powershell.exe
PID 3484 wrote to memory of 2620	3484	04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe	powershell.exe
PID 3484 wrote to memory of 1300	3484	04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe	RegAsm.exe
PID 3484 wrote to memory of 1300	3484	04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe	RegAsm.exe
PID 3484 wrote to memory of 1300	3484	04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe	RegAsm.exe
PID 3484 wrote to memory of 1300	3484	04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe	RegAsm.exe
PID 3484 wrote to memory of 1300	3484	04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe	RegAsm.exe
PID 3484 wrote to memory of 1300	3484	04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe	RegAsm.exe
PID 3484 wrote to memory of 1300	3484	04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe	RegAsm.exe
PID 3484 wrote to memory of 1300	3484	04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe	RegAsm.exe
PID 1300 wrote to memory of 1872	1300	RegAsm.exe	a.exe
PID 1300 wrote to memory of 1872	1300	RegAsm.exe	a.exe
PID 1872 wrote to memory of 2956	1872	a.exe	bfsvc.exe
PID 1872 wrote to memory of 2956	1872	a.exe	bfsvc.exe
PID 1872 wrote to memory of 2956	1872	a.exe	bfsvc.exe
PID 1872 wrote to memory of 2956	1872	a.exe	bfsvc.exe
PID 1872 wrote to memory of 2956	1872	a.exe	bfsvc.exe
PID 1872 wrote to memory of 2956	1872	a.exe	bfsvc.exe
PID 1872 wrote to memory of 2956	1872	a.exe	bfsvc.exe
PID 1872 wrote to memory of 2956	1872	a.exe	bfsvc.exe
PID 1872 wrote to memory of 2956	1872	a.exe	bfsvc.exe
PID 1872 wrote to memory of 2956	1872	a.exe	bfsvc.exe
PID 1872 wrote to memory of 2956	1872	a.exe	bfsvc.exe
PID 1872 wrote to memory of 2956	1872	a.exe	bfsvc.exe
PID 1872 wrote to memory of 2956	1872	a.exe	bfsvc.exe
PID 1872 wrote to memory of 2956	1872	a.exe	bfsvc.exe
PID 1872 wrote to memory of 2956	1872	a.exe	bfsvc.exe
PID 1872 wrote to memory of 2956	1872	a.exe	bfsvc.exe
PID 1872 wrote to memory of 2956	1872	a.exe	bfsvc.exe
PID 1872 wrote to memory of 2956	1872	a.exe	bfsvc.exe
PID 1872 wrote to memory of 2956	1872	a.exe	bfsvc.exe
PID 1872 wrote to memory of 3280	1872	a.exe	explorer.exe
PID 1872 wrote to memory of 3280	1872	a.exe	explorer.exe
PID 1872 wrote to memory of 3280	1872	a.exe	explorer.exe
PID 1872 wrote to memory of 3280	1872	a.exe	explorer.exe
PID 1872 wrote to memory of 3280	1872	a.exe	explorer.exe
PID 1872 wrote to memory of 3280	1872	a.exe	explorer.exe
PID 1872 wrote to memory of 3280	1872	a.exe	explorer.exe
PID 1872 wrote to memory of 3280	1872	a.exe	explorer.exe
PID 1872 wrote to memory of 3280	1872	a.exe	explorer.exe
PID 1872 wrote to memory of 3280	1872	a.exe	explorer.exe
PID 1872 wrote to memory of 3280	1872	a.exe	explorer.exe
PID 1872 wrote to memory of 3280	1872	a.exe	explorer.exe
PID 1872 wrote to memory of 3280	1872	a.exe	explorer.exe
PID 1872 wrote to memory of 3280	1872	a.exe	explorer.exe
PID 1872 wrote to memory of 3280	1872	a.exe	explorer.exe
PID 1872 wrote to memory of 3280	1872	a.exe	explorer.exe
PID 1872 wrote to memory of 3280	1872	a.exe	explorer.exe
PID 3280 wrote to memory of 64	3280	explorer.exe	RegHost.exe
PID 3280 wrote to memory of 64	3280	explorer.exe	RegHost.exe
PID 64 wrote to memory of 3936	64	RegHost.exe	bfsvc.exe
PID 64 wrote to memory of 3936	64	RegHost.exe	bfsvc.exe
PID 64 wrote to memory of 3936	64	RegHost.exe	bfsvc.exe
PID 64 wrote to memory of 3936	64	RegHost.exe	bfsvc.exe
PID 64 wrote to memory of 3936	64	RegHost.exe	bfsvc.exe
PID 64 wrote to memory of 3936	64	RegHost.exe	bfsvc.exe
PID 64 wrote to memory of 3936	64	RegHost.exe	bfsvc.exe
PID 64 wrote to memory of 3936	64	RegHost.exe	bfsvc.exe
PID 64 wrote to memory of 3936	64	RegHost.exe	bfsvc.exe
PID 64 wrote to memory of 3936	64	RegHost.exe	bfsvc.exe
PID 64 wrote to memory of 3936	64	RegHost.exe	bfsvc.exe
PID 64 wrote to memory of 3936	64	RegHost.exe	bfsvc.exe
PID 64 wrote to memory of 3936	64	RegHost.exe	bfsvc.exe

C:\Users\Admin\AppData\Local\Temp\04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe
"C:\Users\Admin\AppData\Local\Temp\04a8ea3cbcbc20c6e9a5e8df1e3adac62f7731aeace1c0681aa9fa3b53a85cdd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc WwBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AFMAbABlAGUAcAAoADIAMAAwADAAMAApAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2956

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3280

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3936

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3192

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1648

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
8⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3104

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2580

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:832

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1288

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
10⤵
- Suspicious behavior: EnumeratesProcesses
PID:1560

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
11⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:644

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
12⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3480

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
12⤵
- Suspicious behavior: EnumeratesProcesses
PID:3484

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
13⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2516

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
14⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2264

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
14⤵
PID:980

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
15⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1964

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
16⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2540

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
16⤵
PID:3620

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
17⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1884

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
18⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3704

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
18⤵
PID:3136

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
19⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2392

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
20⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3536

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
20⤵
PID:2908

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
21⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
PID:1424

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1424 -s 428
22⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
memory/64-163-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/64-162-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/64-161-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/644-185-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/644-186-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/644-187-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/832-179-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/832-178-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/832-177-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/980-199-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1288-181-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/1300-143-0x0000000005290000-0x00000000052DB000-memory.dmp

Filesize
300KB

Download
memory/1300-144-0x0000000006240000-0x00000000062D2000-memory.dmp

Filesize
584KB

Download
memory/1300-145-0x00000000067E0000-0x0000000006CDE000-memory.dmp

Filesize
5.0MB

Download
memory/1300-146-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/1300-147-0x00000000066E0000-0x0000000006730000-memory.dmp

Filesize
320KB

Download
memory/1300-148-0x0000000006FB0000-0x0000000007172000-memory.dmp

Filesize
1.8MB

Download
memory/1300-149-0x0000000007DC0000-0x00000000082EC000-memory.dmp

Filesize
5.2MB

Download
memory/1300-138-0x00000000057E0000-0x0000000005DE6000-memory.dmp

Filesize
6.0MB

Download
memory/1300-142-0x00000000051D0000-0x00000000057D6000-memory.dmp

Filesize
6.0MB

Download
memory/1300-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1300-139-0x00000000051F0000-0x0000000005202000-memory.dmp

Filesize
72KB

Download
memory/1300-140-0x0000000005320000-0x000000000542A000-memory.dmp

Filesize
1.0MB

Download
memory/1300-141-0x0000000005250000-0x000000000528E000-memory.dmp

Filesize
248KB

Download
memory/1424-225-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/1424-226-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/1424-227-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/1560-183-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1648-170-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/1648-169-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/1648-171-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/1872-153-0x00007FF7F8630000-0x00007FF7F8A18000-memory.dmp

Filesize
3.9MB

Download
memory/1872-152-0x00007FF7F8630000-0x00007FF7F8A18000-memory.dmp

Filesize
3.9MB

Download
memory/1872-154-0x00007FF7F8630000-0x00007FF7F8A18000-memory.dmp

Filesize
3.9MB

Download
memory/1884-211-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/1884-210-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/1884-209-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/1964-203-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/1964-201-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/1964-202-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/2264-197-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/2392-219-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/2392-217-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/2392-218-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/2516-193-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/2516-195-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/2516-194-0x00007FF702120000-0x00007FF702508000-memory.dmp

Filesize
3.9MB

Download
memory/2540-205-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/2580-176-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2620-130-0x0000000008060000-0x00000000080AB000-memory.dmp

Filesize
300KB

Download
memory/2620-133-0x0000000004844000-0x0000000004846000-memory.dmp

Filesize
8KB

Download
memory/2620-126-0x0000000007B20000-0x0000000007B86000-memory.dmp

Filesize
408KB

Download
memory/2620-122-0x00000000073F0000-0x0000000007A18000-memory.dmp

Filesize
6.2MB

Download
memory/2620-127-0x00000000072F0000-0x0000000007356000-memory.dmp

Filesize
408KB

Download
memory/2620-128-0x0000000007D10000-0x0000000008060000-memory.dmp

Filesize
3.3MB

Download
memory/2620-129-0x0000000007BB0000-0x0000000007BCC000-memory.dmp

Filesize
112KB

Download
memory/2620-131-0x0000000008300000-0x0000000008376000-memory.dmp

Filesize
472KB

Download
memory/2620-125-0x00000000072B0000-0x00000000072D2000-memory.dmp

Filesize
136KB

Download
memory/2620-124-0x0000000004842000-0x0000000004843000-memory.dmp

Filesize
4KB

Download
memory/2620-132-0x0000000004843000-0x0000000004844000-memory.dmp

Filesize
4KB

Download
memory/2620-123-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/2620-121-0x00000000047B0000-0x00000000047E6000-memory.dmp

Filesize
216KB

Download
memory/2908-224-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2956-155-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/2956-157-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/3104-173-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/3136-216-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3192-167-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3280-156-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3280-158-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3480-189-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/3484-135-0x0000000005620000-0x0000000005662000-memory.dmp

Filesize
264KB

Download
memory/3484-118-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/3484-136-0x00000000059C0000-0x0000000005A0C000-memory.dmp

Filesize
304KB

Download
memory/3484-134-0x00000000028E0000-0x0000000002900000-memory.dmp

Filesize
128KB

Download
memory/3484-192-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3536-221-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/3620-208-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3704-213-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/3936-165-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download