Analysis
max time kernel: 299s
max time network: 297s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 27-06-2024 23:17
Static task: static1
Behavioral task: behavioral1
Sample: c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe
Resource: win7-20240611-en
General
Target: c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe
Size: 1.8MB
MD5: b4060d5139db212eb2d4be622f2ca628
SHA1: 4921bdeade78226f42a0a9486648a3749e3ac1d5
SHA256: c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652
SHA512: 54ef65f1f468c23b3f2e67b08bc7b2842014856b13a94bbf2c97a3c3a9f0a4bc503af160e75938bc040351f43ec5dd3f4441a071fd03c34945ae2e2c104e1a22
SSDEEP: 24576:4+0Dpzj/rDQMfqhOtCU/TteE+kvHG+ZLEiqPecN456umQIpZ77epEwh06pRgcXj7:T0DxEe0+wfk/PP6umbdCpzDO+jLgLFJ
Malware Config
Extracted: amadey
8254624243
e76b71
http://77.91.77.81
install_dir: 8254624243
install_file: axplong.exe
strings_key: 90049e51fabf09df0d6748e0b271922e
url_paths: /Kiru9gu/index.php
Extracted: redline
123
185.215.113.67:40960
Extracted: lumma
https://harmfullyelobardek.shop/api
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
Processes:
- C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe (yara: family_redline)
- behavioral2/memory/4864-77-0x0000000000C60000-0x0000000000CB0000-memory.dmp (yara: family_redline)
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (axplong.exe, 6 instances)
XMRig Miner payload 9 IoCs
Processes:
- behavioral2/memory/2836-N-0x0000000140000000-0x0000000140848000-memory.dmp for N in 369, 370, 372, 373, 374, 375, 376, 387, 388 (yara: xmrig)
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions for file extensions, paths and processes. Both invocations in this run exclude the user profile and ProgramData directories plus the .exe extension, which covers the Temp and ProgramData drop locations used by this chain.
Processes:
- 4820 powershell.exe
- 4516 powershell.exe
Creates new service(s) 2 TTPs
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (axplong.exe, 6 instances)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (axplong.exe, 6 instances)
Executes dropped EXE 17 IoCs
Processes:
- 1300 axplong.exe
- 2532 axplong.exe
- 3876 crypted.exe
- 4332 NewLatest.exe
- 1420 Hkbsse.exe
- 4864 123.exe
- 192 1.exe
- 2948 Hkbsse.exe
- 2772 axplong.exe
- 2244 FirstZ.exe
- 1556 axplong.exe
- 1308 Hkbsse.exe
- 4816 reakuqnanrkn.exe
- 3592 Hkbsse.exe
- 1260 axplong.exe
- 600 axplong.exe
- 4676 Hkbsse.exe
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine (c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine (axplong.exe, 6 instances)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
UPX-packed image in memory (yara rule upx) 14 IoCs
Processes:
- behavioral2/memory/2836-N-0x0000000140000000-0x0000000140848000-memory.dmp for N in 364, 365, 366, 367, 368, 369, 370, 372, 373, 374, 375, 376, 387, 388 (yara: upx)
These dumps are the same 0x140000000-0x140848000 region of explorer.exe (PID 2836) that matches the xmrig rule above: the image injected into explorer.exe is a UPX-packed XMRig build.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
- powercfg.exe PIDs: 2852, 2532, 5032, 1356, 2472, 2456, 4180, 4756
Drops file in System32 directory 4 IoCs
Processes:
- File opened for modification C:\Windows\system32\MRT.exe (reakuqnanrkn.exe)
- File opened for modification C:\Windows\system32\MRT.exe (FirstZ.exe)
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
- 4780 c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe
- 1300 axplong.exe
- 2532 axplong.exe
- 2772 axplong.exe
- 1556 axplong.exe
- 1260 axplong.exe
- 600 axplong.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 3876 crypted.exe set thread context of 2348 RegAsm.exe
- PID 4816 reakuqnanrkn.exe set thread context of 5048 conhost.exe
- PID 4816 reakuqnanrkn.exe set thread context of 2836 explorer.exe
Drops file in Windows directory 2 IoCs
Processes:
- File created C:\Windows\Tasks\axplong.job (c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe)
- File created C:\Windows\Tasks\Hkbsse.job (NewLatest.exe)
Launches sc.exe 14 IoCs
sc.exe is the Windows utility used to control services on the system.
Processes:
- sc.exe PIDs: 2852, 948, 2472, 2468, 3716, 2532, 1068, 3012, 1832, 2080, 3420, 2736, 3592, 64
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
Processes:
- 3548 WerFault.exe (crashed target: 3876 crypted.exe)
- 1760 WerFault.exe (crashed target: 192 1.exe)
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (1.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (1.exe)
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (1.exe)
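The four registry signatures above (VirtualBox ACPI table, BIOS version strings, Wine key, SCSI enumeration) are individually weak: a legitimate installer reads SystemBiosVersion too. What makes them useful is a process hitting several of them. The following Python is an added example, not part of the sandbox report and not the sandbox's own rule language. It parses rows in the format of this report's registry IoC tables and groups each process's reads into host-fingerprint categories. The DSDT, BIOS-version, Wine and SCSI paths come from the tables above; the FADT/RSDT variants and the ControlSet\d{3} pattern are this example's own generalisation of the same artifacts; the sample rows are copied from the report plus one constructed benign setup.exe row; the two-category threshold is an assumption.

```python
import re
from collections import defaultdict

# Registry locations that sandbox-aware code reads to fingerprint the host.
# DSDT\VBOX__, SystemBiosVersion/VideoBiosVersion, Software\Wine and
# ControlSet001\Enum\SCSI are the keys this report shows being touched;
# FADT/RSDT and ControlSet\d{3} are this example's generalisation (assumption).
EVASION_RULES = {
    "virtualbox_acpi": re.compile(r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__$", re.I),
    "bios_version":    re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion$", re.I),
    "wine_key":        re.compile(r"\\Software\\Wine$", re.I),
    "scsi_enum":       re.compile(r"\\SYSTEM\\ControlSet\d{3}\\Enum\\SCSI$", re.I),
}

# One row of the report's registry IoC table: "<operation> <key path> <process>".
ROW_RE = re.compile(r"^(Key(?: value)? (?:opened|queried|enumerated))\s+(\\REGISTRY\\\S+)\s+(\S+)$")


def parse_row(line):
    """Return (operation, key_path, process) for one IoC row, or None if it does not parse."""
    m = ROW_RE.match(line.strip())
    return m.groups() if m else None


def classify(rows):
    """Map each process name to the set of evasion categories its registry reads fall into."""
    hits = defaultdict(set)
    for line in rows:
        parsed = parse_row(line)
        if parsed is None:
            continue
        _op, path, proc = parsed
        for name, pattern in EVASION_RULES.items():
            if pattern.search(path):
                hits[proc].add(name)
    return dict(hits)


def sandbox_aware(hits, min_categories=2):
    """Processes probing at least `min_categories` distinct fingerprint locations.

    A lone BIOS-version read is normal for installers; several categories
    together in one process are the signal. The threshold is an assumption."""
    return sorted(p for p, cats in hits.items() if len(cats) >= min_categories)


# Constructed sample: rows copied from this report's IoC tables plus one
# benign installer row (setup.exe) that only reads the BIOS version.
SAMPLE_ROWS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe",
    r"Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion setup.exe",
]

if __name__ == "__main__":
    result = classify(SAMPLE_ROWS)
    for proc, cats in sorted(result.items()):
        print(f"{proc}: {sorted(cats)}")
    print("sandbox-aware:", sandbox_aware(result))
```

On the constructed rows the dropper and axplong.exe are reported, 1.exe (SCSI only) and setup.exe (BIOS only) are not; lowering min_categories to 1 would surface both, at the cost of flagging ordinary installers.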
Modifies data under HKEY_USERS 51 IoCs
Processes:
powershell.exe, Key created under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ (24 keys):
- CA, CA\Certificates, CA\CRLs, CA\CTLs
- Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs
- Root, Root\Certificates, Root\CRLs, Root\CTLs
- SmartCardRoot, SmartCardRoot\Certificates, SmartCardRoot\CRLs, SmartCardRoot\CTLs
- TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs
- trust, trust\Certificates, trust\CRLs, trust\CTLs
powershell.exe, Key created under \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\ (16 keys):
- CA, CA\Certificates, CA\CRLs, CA\CTLs
- Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs
- TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs
- trust, trust\Certificates, trust\CRLs, trust\CTLs
powershell.exe, other (7):
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
explorer.exe, Key created (4):
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
These are first-use certificate-store and zone-map initialisation keys rather than tampering; their appearance under HKU\.DEFAULT (the LocalSystem profile) is consistent with this powershell.exe and the hollowed explorer.exe running as SYSTEM under the WSNKISKT service rather than in the user's session.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- 4780 c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe (2)
- 1300 axplong.exe (2)
- 2532 axplong.exe (2)
- 2772 axplong.exe (2)
- 4864 123.exe (3)
- 1556 axplong.exe (2)
- 2244 FirstZ.exe (15)
- 4820 powershell.exe (3)
- 4816 reakuqnanrkn.exe (13)
- 4516 powershell.exe (4)
- 2836 explorer.exe (16)
Suspicious use of AdjustPrivilegeToken 53 IoCs
Processes:
- 4864 123.exe: SeDebugPrivilege
- 4820 powershell.exe: SeDebugPrivilege (2), SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- powercfg.exe 4180, 2852, 2532, 4756, 2456, 1356, 5032, 2472: SeShutdownPrivilege, SeCreatePagefilePrivilege (each)
- 4516 powershell.exe: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- 2836 explorer.exe: SeLockMemoryPrivilege
SeLockMemoryPrivilege is what a process needs for large-page allocations; explorer.exe never asks for it on its own, and here it matches the XMRig image found in that process's memory (miners enable large pages for the hashing scratchpad).
Suspicious use of WriteProcessMemory 47 IoCs
Processes:
Source PID/process -> target PID/process (number of write events):
- 4780 c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe -> 1300 axplong.exe (3)
- 1300 axplong.exe -> 3876 crypted.exe (3)
- 3876 crypted.exe -> 2348 RegAsm.exe (9)
- 1300 axplong.exe -> 4332 NewLatest.exe (3)
- 4332 NewLatest.exe -> 1420 Hkbsse.exe (3)
- 1300 axplong.exe -> 4864 123.exe (3)
- 1420 Hkbsse.exe -> 192 1.exe (3)
- 1420 Hkbsse.exe -> 2244 FirstZ.exe (2)
- 3868 cmd.exe -> 2492 wusa.exe (2)
- 4596 cmd.exe -> 4508 wusa.exe (2)
- 4816 reakuqnanrkn.exe -> 5048 conhost.exe (9)
- 4816 reakuqnanrkn.exe -> 2836 explorer.exe (5)
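The WriteProcessMemory table alone is noisy: every ordinary CreateProcess in this sandbox shows up as two or three writes from parent to child (4780 -> 1300, 1300 -> 3876, and so on). The pairs that matter are the ones that also appear in the SetThreadContext table, where a process running from Temp or ProgramData writes into a freshly created Windows binary and then redirects its primary thread, which is the process-hollowing pattern behind the RedLine payload in RegAsm.exe and the XMRig payload in explorer.exe. The Python below is an added example, not part of the report: it parses rows in the format of the two tables above, joins them on (source PID, target PID), and separates hollowing from plain spawning. The row counts are those of this report; the set of host binaries is this example's own assumption.

```python
import re
from collections import defaultdict

# Row formats as they appear in the report's SetThreadContext and WriteProcessMemory tables:
#   "PID <src> set thread context of <dst> <src> <src image> <dst image>"
#   "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)$")

# Signed Windows binaries commonly used as hollowing hosts. The three below are
# the ones this sample used; extending the set (RegSvcs, MSBuild, svchost, ...)
# is an assumption left to the reader.
WINDOWS_HOSTS = {"regasm.exe", "explorer.exe", "conhost.exe"}


def parse_rows(rows):
    """Return (writes, contexts, names): write counts per (src, dst), the set of
    (src, dst) pairs with a SetThreadContext row, and a pid -> image map."""
    writes = defaultdict(int)
    contexts = set()
    names = {}
    for line in rows:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, op, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        names[src], names[dst] = src_img, dst_img
        if op.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            contexts.add((src, dst))
    return writes, contexts, names


def find_hollowing(rows):
    """Pairs where the source both wrote into the target and reset a thread context there."""
    writes, contexts, names = parse_rows(rows)
    return [
        {
            "source": names[s],
            "target": names[d],
            "writes": writes[(s, d)],
            "windows_host": names[d].lower() in WINDOWS_HOSTS,
        }
        for s, d in sorted(contexts)
    ]


def spawn_only(rows):
    """Parent -> child pairs with writes but no SetThreadContext: ordinary process creation."""
    writes, contexts, names = parse_rows(rows)
    return sorted((names[s], names[d]) for (s, d) in writes if (s, d) not in contexts)


def _rows(op, src, dst, src_img, dst_img, n):
    """Build n identical rows in the report's table format (constructed sample helper)."""
    return [f"PID {src} {op} {dst} {src} {src_img} {dst_img}"] * n


DROPPER = "c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe"

# Constructed sample reproducing a subset of this report's rows with their real counts.
SAMPLE_ROWS = (
    _rows("wrote to memory of", 4780, 1300, DROPPER, "axplong.exe", 3)
    + _rows("wrote to memory of", 1300, 3876, "axplong.exe", "crypted.exe", 3)
    + _rows("wrote to memory of", 3876, 2348, "crypted.exe", "RegAsm.exe", 9)
    + _rows("set thread context of", 3876, 2348, "crypted.exe", "RegAsm.exe", 1)
    + _rows("wrote to memory of", 4816, 5048, "reakuqnanrkn.exe", "conhost.exe", 9)
    + _rows("set thread context of", 4816, 5048, "reakuqnanrkn.exe", "conhost.exe", 1)
    + _rows("wrote to memory of", 4816, 2836, "reakuqnanrkn.exe", "explorer.exe", 5)
    + _rows("set thread context of", 4816, 2836, "reakuqnanrkn.exe", "explorer.exe", 1)
)

if __name__ == "__main__":
    for finding in find_hollowing(SAMPLE_ROWS):
        print("hollowing:", finding)
    for parent, child in spawn_only(SAMPLE_ROWS):
        print("spawn only:", parent, "->", child)
```

The "writes" count is kept because it is the second discriminator: a hollowed host receives the whole PE image section by section (nine writes into RegAsm.exe) where a plain spawn receives two or three.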
Processes (tree; [n] is the nesting depth, each node shows the image path, its command line and the signatures it triggered)
[1] C:\Users\Admin\AppData\Local\Temp\c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            [4] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 320
                - Program crash
        [3] C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
                - Executes dropped EXE
                - Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe
                    cmdline: "C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe"
                    - Executes dropped EXE
                    - Checks SCSI registry key(s)
                    [6] C:\Windows\SysWOW64\WerFault.exe
                        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 500
                        - Program crash
                [5] C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe
                    cmdline: "C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe"
                    - Executes dropped EXE
                    - Drops file in System32 directory
                    - Suspicious behavior: EnumeratesProcesses
                    [6] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                        cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                        - Command and Scripting Interpreter: PowerShell
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\system32\cmd.exe
                        cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                        - Suspicious use of WriteProcessMemory
                        [7] C:\Windows\system32\wusa.exe
                            cmdline: wusa /uninstall /kb:890830 /quiet /norestart
                    [6] C:\Windows\system32\sc.exe
                        cmdline: C:\Windows\system32\sc.exe stop UsoSvc
                        - Launches sc.exe
                    [6] C:\Windows\system32\sc.exe
                        cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
                        - Launches sc.exe
                    [6] C:\Windows\system32\sc.exe
                        cmdline: C:\Windows\system32\sc.exe stop wuauserv
                        - Launches sc.exe
                    [6] C:\Windows\system32\sc.exe
                        cmdline: C:\Windows\system32\sc.exe stop bits
                        - Launches sc.exe
                    [6] C:\Windows\system32\sc.exe
                        cmdline: C:\Windows\system32\sc.exe stop dosvc
                        - Launches sc.exe
                    [6] C:\Windows\system32\powercfg.exe
                        cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                        - Power Settings
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\system32\powercfg.exe
                        cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                        - Power Settings
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\system32\powercfg.exe
                        cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                        - Power Settings
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\system32\powercfg.exe
                        cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                        - Power Settings
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\system32\sc.exe
                        cmdline: C:\Windows\system32\sc.exe delete "WSNKISKT"
                        - Launches sc.exe
                    [6] C:\Windows\system32\sc.exe
                        cmdline: C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
                        - Launches sc.exe
                    [6] C:\Windows\system32\sc.exe
                        cmdline: C:\Windows\system32\sc.exe stop eventlog
                        - Launches sc.exe
                    [6] C:\Windows\system32\sc.exe
                        cmdline: C:\Windows\system32\sc.exe start "WSNKISKT"
                        - Launches sc.exe
        [3] C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
[1] C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
[1] C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
    - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
[1] C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
[1] C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
    - Executes dropped EXE
[1] C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    cmdline: C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        - Command and Scripting Interpreter: PowerShell
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\wusa.exe
            cmdline: wusa /uninstall /kb:890830 /quiet /norestart
    [2] C:\Windows\system32\sc.exe
        cmdline: C:\Windows\system32\sc.exe stop UsoSvc
        - Launches sc.exe
    [2] C:\Windows\system32\sc.exe
        cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
        - Launches sc.exe
    [2] C:\Windows\system32\sc.exe
        cmdline: C:\Windows\system32\sc.exe stop wuauserv
        - Launches sc.exe
    [2] C:\Windows\system32\sc.exe
        cmdline: C:\Windows\system32\sc.exe stop bits
        - Launches sc.exe
    [2] C:\Windows\system32\sc.exe
        cmdline: C:\Windows\system32\sc.exe stop dosvc
        - Launches sc.exe
    [2] C:\Windows\system32\powercfg.exe
        cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\powercfg.exe
        cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\powercfg.exe
        cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\powercfg.exe
        cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\conhost.exe
        cmdline: C:\Windows\system32\conhost.exe
    [2] C:\Windows\explorer.exe
        cmdline: explorer.exe
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
    - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
[1] C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
[1] C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads