Analysis
- max time kernel: 149s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 24-06-2024 01:03
- Static task: static1
General
- Target: 219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
- Size: 1.8MB
- MD5: d3506cf793362954f36b7e91edf27871
- SHA1: 85d608f63a13adfb53d2a2ebef716940f79b6ec8
- SHA256: 219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea
- SHA512: 69571797ccdffac07fbfa58afdb6b3fea6b91284c7a6b4ae15e0b6e64938f9d3f37417fb27cf7a203b135d1fc2355c43c39588402719f772761a477eaeae83bd
- SSDEEP: 49152:uWhmomMAnvVGhvfqzNuUN7e8ZrZhJUELEQEaQMjM+isO61Xl82nY:u+M7nenqMS9XZ2OT11E
Malware Config
Extracted
- Family: amadey
- 8254624243
- e76b71
- C2: http://77.91.77.81
- install_dir: 8254624243
- install_file: axplong.exe
- strings_key: 90049e51fabf09df0d6748e0b271922e
- url_paths: /Kiru9gu/index.php
Extracted
- Family: redline
- Botnet: AMA
- C2: 185.215.113.67:40960
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
- C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe: yara rule family_redline
- behavioral1/memory/2740-37-0x0000000000220000-0x0000000000270000-memory.dmp: yara rule family_redline
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by axplong.exe
UPX dump on OEP (original entry point) 13 IoCs
Processes:
- behavioral1/memory/1580-373-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule UPX
- behavioral1/memory/1580-375-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule UPX
- behavioral1/memory/1580-378-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule UPX
- behavioral1/memory/1580-376-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule UPX
- behavioral1/memory/1580-377-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule UPX
- behavioral1/memory/1580-371-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule UPX
- behavioral1/memory/1580-370-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule UPX
- behavioral1/memory/1580-369-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule UPX
- behavioral1/memory/1580-372-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule UPX
- behavioral1/memory/1580-368-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule UPX
- behavioral1/memory/1580-379-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule UPX
- behavioral1/memory/1580-381-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule UPX
- behavioral1/memory/1580-382-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule UPX
XMRig Miner payload 9 IoCs
Processes:
- behavioral1/memory/1580-373-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule xmrig
- behavioral1/memory/1580-375-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule xmrig
- behavioral1/memory/1580-378-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule xmrig
- behavioral1/memory/1580-376-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule xmrig
- behavioral1/memory/1580-377-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule xmrig
- behavioral1/memory/1580-372-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule xmrig
- behavioral1/memory/1580-379-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule xmrig
- behavioral1/memory/1580-381-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule xmrig
- behavioral1/memory/1580-382-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule xmrig
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
- PID 1700 powershell.exe
- PID 1656 powershell.exe
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by axplong.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by axplong.exe
Executes dropped EXE 11 IoCs
Processes:
- PID 2516 axplong.exe
- PID 2740 ama.exe
- PID 2172 gold.exe
- PID 936 lummac2.exe
- PID 564 NewLatest.exe
- PID 2324 Hkbsse.exe
- PID 2288 legs.exe
- PID 1216 FirstZ.exe
- PID 2460 taskweaker.exe
- PID 480 (no process name recorded)
- PID 2260 reakuqnanrkn.exe
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- Key opened \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine by 219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
- Key opened \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine by axplong.exe
Loads dropped DLL 19 IoCs
Processes:
- PID 2944 219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
- PID 2516 axplong.exe (2 entries)
- PID 1780 WerFault.exe (3 entries)
- PID 2516 axplong.exe (3 entries)
- PID 564 NewLatest.exe
- PID 2516 axplong.exe
- PID 2916 WerFault.exe (3 entries)
- PID 2324 Hkbsse.exe (2 entries)
- PID 2516 axplong.exe (2 entries)
- PID 480 (no process name recorded)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file (yara rule upx) 14 IoCs
Processes:
- behavioral1/memory/1580-367-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule upx
- behavioral1/memory/1580-373-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule upx
- behavioral1/memory/1580-375-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule upx
- behavioral1/memory/1580-378-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule upx
- behavioral1/memory/1580-376-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule upx
- behavioral1/memory/1580-377-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule upx
- behavioral1/memory/1580-371-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule upx
- behavioral1/memory/1580-370-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule upx
- behavioral1/memory/1580-369-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule upx
- behavioral1/memory/1580-372-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule upx
- behavioral1/memory/1580-368-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule upx
- behavioral1/memory/1580-379-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule upx
- behavioral1/memory/1580-381-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule upx
- behavioral1/memory/1580-382-0x0000000140000000-0x0000000140848000-memory.dmp: yara rule upx
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
- PID 1976 powercfg.exe
- PID 2072 powercfg.exe
- PID 1108 powercfg.exe
- PID 2476 powercfg.exe
- PID 2700 powercfg.exe
- PID 2780 powercfg.exe
- PID 2384 powercfg.exe
- PID 1524 powercfg.exe
Drops file in System32 directory 4 IoCs
Processes:
- File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk by powershell.exe
- File opened for modification C:\Windows\system32\MRT.exe by FirstZ.exe
- File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk by powershell.exe
- File opened for modification C:\Windows\system32\MRT.exe by reakuqnanrkn.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
- PID 2944 219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
- PID 2516 axplong.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
- PID 2260 (reakuqnanrkn.exe) set thread context of PID 2824 (conhost.exe)
- PID 2260 (reakuqnanrkn.exe) set thread context of PID 1580 (explorer.exe)
Drops file in Windows directory 4 IoCs
Processes:
- File created C:\Windows\Tasks\axplong.job by 219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
- File created C:\Windows\Tasks\Hkbsse.job by NewLatest.exe
- File created C:\Windows\wusa.lock by wusa.exe
- File created C:\Windows\wusa.lock by wusa.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
- PID 2436 sc.exe
- PID 1680 sc.exe
- PID 2656 sc.exe
- PID 332 sc.exe
- PID 2748 sc.exe
- PID 2808 sc.exe
- PID 2976 sc.exe
- PID 2248 sc.exe
- PID 3032 sc.exe
- PID 2220 sc.exe
- PID 1064 sc.exe
- PID 1508 sc.exe
- PID 3012 sc.exe
- PID 3068 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
- PID 1780 WerFault.exe handling crash of PID 2172 gold.exe
- PID 2916 WerFault.exe handling crash of PID 2288 legs.exe
Modifies data under HKEY_USERS 6 IoCs
Processes:
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e0c9cb92d2c5da01 by powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT by explorer.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates by explorer.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs by explorer.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs by explorer.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage by powershell.exe
Modifies system certificate store
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 by axplong.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob not reproduced] by axplong.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob not reproduced] by axplong.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 2944 219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
- PID 2516 axplong.exe
- PID 2740 ama.exe
- PID 1216 FirstZ.exe
- PID 1700 powershell.exe
- PID 1216 FirstZ.exe (14 entries)
- PID 2260 reakuqnanrkn.exe
- PID 1656 powershell.exe
- PID 2260 reakuqnanrkn.exe (12 entries)
- PID 1580 explorer.exe (31 entries)
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
- Token SeDebugPrivilege: PID 2740 ama.exe
- Token SeDebugPrivilege: PID 1700 powershell.exe
- Token SeShutdownPrivilege: PID 2700 powercfg.exe
- Token SeShutdownPrivilege: PID 2476 powercfg.exe
- Token SeShutdownPrivilege: PID 2780 powercfg.exe
- Token SeShutdownPrivilege: PID 2384 powercfg.exe
- Token SeDebugPrivilege: PID 1656 powershell.exe
- Token SeShutdownPrivilege: PID 1524 powercfg.exe
- Token SeShutdownPrivilege: PID 1108 powercfg.exe
- Token SeShutdownPrivilege: PID 1976 powercfg.exe
- Token SeShutdownPrivilege: PID 2072 powercfg.exe
- Token SeLockMemoryPrivilege: PID 1580 explorer.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
- PID 2944 219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
- PID 564 NewLatest.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
- PID 2944 219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe wrote to memory of PID 2516 axplong.exe (4 entries)
- PID 2516 axplong.exe wrote to memory of PID 2740 ama.exe (4 entries)
- PID 2516 axplong.exe wrote to memory of PID 2172 gold.exe (4 entries)
- PID 2172 gold.exe wrote to memory of PID 1780 WerFault.exe (4 entries)
- PID 2516 axplong.exe wrote to memory of PID 936 lummac2.exe (4 entries)
- PID 2516 axplong.exe wrote to memory of PID 564 NewLatest.exe (4 entries)
- PID 564 NewLatest.exe wrote to memory of PID 2324 Hkbsse.exe (4 entries)
- PID 2516 axplong.exe wrote to memory of PID 2288 legs.exe (4 entries)
- PID 2288 legs.exe wrote to memory of PID 2916 WerFault.exe (4 entries)
- PID 2324 Hkbsse.exe wrote to memory of PID 1216 FirstZ.exe (4 entries)
- PID 2516 axplong.exe wrote to memory of PID 2460 taskweaker.exe (4 entries)
- PID 1852 cmd.exe wrote to memory of PID 1412 wusa.exe (3 entries)
- PID 936 cmd.exe wrote to memory of PID 2044 wusa.exe (3 entries)
- PID 2260 reakuqnanrkn.exe wrote to memory of PID 2824 conhost.exe (9 entries)
- PID 2260 reakuqnanrkn.exe wrote to memory of PID 1580 explorer.exe (5 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe"
  signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Identifies Wine through registry keys; Loads dropped DLL; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
    signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Loads dropped DLL; Suspicious use of NtSetInformationThreadHideFromDebugger; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe"
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
      signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 84
        signatures: Loads dropped DLL; Program crash
    - [3] C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"
      signatures: Executes dropped EXE
    - [3] C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
        signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe"
          signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
          - [6] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            signatures: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            signatures: Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\wusa.exe
              cmdline: wusa /uninstall /kb:890830 /quiet /norestart
              signatures: Drops file in Windows directory
          - [6] C:\Windows\system32\sc.exe
            cmdline: C:\Windows\system32\sc.exe stop UsoSvc
            signatures: Launches sc.exe
          - [6] C:\Windows\system32\sc.exe
            cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
            signatures: Launches sc.exe
          - [6] C:\Windows\system32\sc.exe
            cmdline: C:\Windows\system32\sc.exe stop wuauserv
            signatures: Launches sc.exe
          - [6] C:\Windows\system32\sc.exe
            cmdline: C:\Windows\system32\sc.exe stop bits
            signatures: Launches sc.exe
          - [6] C:\Windows\system32\sc.exe
            cmdline: C:\Windows\system32\sc.exe stop dosvc
            signatures: Launches sc.exe
          - [6] C:\Windows\system32\powercfg.exe
            cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\system32\powercfg.exe
            cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\system32\powercfg.exe
            cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\system32\powercfg.exe
            cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\system32\sc.exe
            cmdline: C:\Windows\system32\sc.exe delete "WSNKISKT"
            signatures: Launches sc.exe
          - [6] C:\Windows\system32\sc.exe
            cmdline: C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
            signatures: Launches sc.exe
          - [6] C:\Windows\system32\sc.exe
            cmdline: C:\Windows\system32\sc.exe stop eventlog
            signatures: Launches sc.exe
          - [6] C:\Windows\system32\sc.exe
            cmdline: C:\Windows\system32\sc.exe start "WSNKISKT"
            signatures: Launches sc.exe
    - [3] C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"
      signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 64
        signatures: Loads dropped DLL; Program crash
    - [3] C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe"
      signatures: Executes dropped EXE
- [1] C:\ProgramData\wikombernizc\reakuqnanrkn.exe
  cmdline: C:\ProgramData\wikombernizc\reakuqnanrkn.exe
  signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    signatures: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\wusa.exe
      cmdline: wusa /uninstall /kb:890830 /quiet /norestart
      signatures: Drops file in Windows directory
  - [2] C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop UsoSvc
    signatures: Launches sc.exe
  - [2] C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
    signatures: Launches sc.exe
  - [2] C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop wuauserv
    signatures: Launches sc.exe
  - [2] C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop bits
    signatures: Launches sc.exe
  - [2] C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop dosvc
    signatures: Launches sc.exe
  - [2] C:\Windows\system32\powercfg.exe
    cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\powercfg.exe
    cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\powercfg.exe
    cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\powercfg.exe
    cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\conhost.exe
    cmdline: C:\Windows\system32\conhost.exe
    signatures: none
  - [2] C:\Windows\explorer.exe
    cmdline: explorer.exe
    signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe
  Filesize: 297KB
  MD5: 5d860e52bfa60fec84b6a46661b45246
  SHA1: 1259e9f868d0d80ac09aadb9387662347cd4bd68
  SHA256: b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30
  SHA512: 04ea5757d01508a44e0152b3aa78f530908da649d59b8ce7ee3e15c2d4d0314c97f346c1e79b1810edb27165d04781c022937d02536dc9b1dd4c55f023a47701
- C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe
  Filesize: 2.5MB
  MD5: ffada57f998ed6a72b6ba2f072d2690a
  SHA1: 6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
  SHA256: 677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
  SHA512: 1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f
- C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
  Filesize: 522KB
  MD5: 70a578f7f58456e475facd69469cf20a
  SHA1: 83e147e7ba01fa074b2f046b65978f838f7b1e8e
  SHA256: 5c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a
  SHA512: 707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0
- C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
  Filesize: 310KB
  MD5: 6e3d83935c7a0810f75dfa9badc3f199
  SHA1: 9f7d7c0ea662bcdca9b0cda928dc339f06ef0730
  SHA256: dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed
  SHA512: 9f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9
- C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
  Filesize: 415KB
  MD5: 07101cac5b9477ba636cd8ca7b9932cb
  SHA1: 59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1
  SHA256: 488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77
  SHA512: 02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887
- C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
  Filesize: 659KB
  MD5: bbd06263062b2c536b5caacdd5f81b76
  SHA1: c38352c1c08fb0fa5e67a079998ef30ebc962089
  SHA256: 1875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9
  SHA512: 7faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad
- C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe
  Filesize: 5.8MB
  MD5: 6c149b39619395a8ba117a4cae95ba6f
  SHA1: 3ef8be98589745ecce5522dd871e813f69a7b71b
  SHA256: c43b64c78f6ccba5cfb7de13fc39d5cc43fad9a9f5e78799b34100ab69e5e4e8
  SHA512: 866edae7858e7bfb82486e99b31550307de81fa732a3075b6e2ff0abcade5331be28bb14d894cdf5176dc907a45aaa1407b6d8c4295cc69b6d45516f319560a4
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  Filesize: 1.8MB
  MD5: d3506cf793362954f36b7e91edf27871
  SHA1: 85d608f63a13adfb53d2a2ebef716940f79b6ec8
  SHA256: 219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea
  SHA512: 69571797ccdffac07fbfa58afdb6b3fea6b91284c7a6b4ae15e0b6e64938f9d3f37417fb27cf7a203b135d1fc2355c43c39588402719f772761a477eaeae83bd
- C:\Users\Admin\AppData\Local\Temp\Cab41D3.tmp
  Filesize: 67KB
  MD5: 2d3dcf90f6c99f47e7593ea250c9e749
  SHA1: 51be82be4a272669983313565b4940d4b1385237
  SHA256: 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
  SHA512: 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5
- C:\Users\Admin\AppData\Local\Temp\Tar4459.tmp
  Filesize: 160KB
  MD5: 7186ad693b8ad9444401bd9bcd2217c2
  SHA1: 5c28ca10a650f6026b0df4737078fa4197f3bac1
  SHA256: 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
  SHA512: 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b