Analysis
- max time kernel: 299s
- max time network: 301s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 27-06-2024 22:55
Static task: static1
Behavioral task: behavioral1
Sample: 67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
Resource: win7-20240508-en
General
- Target: 67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
- Size: 1.8MB
- MD5: b140d0e0a9bfb0c0be35c9c605d046c1
- SHA1: f82a8c33fa2dbf8fc327be0dfd764660252d1d74
- SHA256: 67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76
- SHA512: f2f25b3fbe54ee18f89e825dd34ce7728873d4847e2882886a7d6f8c6dd0e0c7887263900b954abdd853935b01ecaad94a04dffad61940b402d94d859c96bf1f
- SSDEEP: 49152:6pu/+DBuLQmTEPEpEw+Lyak4YUjd0hmEQY0eBJ:3/+MsmBpEw+k+WmED
Malware Config
Extracted: amadey
- 8254624243
- e76b71
- http://77.91.77.81
- install_dir: 8254624243
- install_file: axplong.exe
- strings_key: 90049e51fabf09df0d6748e0b271922e
- url_paths: /Kiru9gu/index.php
Extracted: redline
- 123
- 185.215.113.67:40960
Extracted: lumma
- https://harmfullyelobardek.shop/api
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
Processes:
- C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe (yara rule: family_redline)
- behavioral2/memory/1592-79-0x00000000008A0000-0x00000000008F0000-memory.dmp (yara rule: family_redline)
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 7 IoCs)
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (axplong.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (axplong.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (axplong.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (axplong.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (axplong.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (axplong.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe)
XMRig Miner payload (9 IoCs)
Processes:
- behavioral2/memory/64-376-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: xmrig)
- behavioral2/memory/64-374-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: xmrig)
- behavioral2/memory/64-373-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: xmrig)
- behavioral2/memory/64-370-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: xmrig)
- behavioral2/memory/64-375-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: xmrig)
- behavioral2/memory/64-372-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: xmrig)
- behavioral2/memory/64-369-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: xmrig)
- behavioral2/memory/64-382-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: xmrig)
- behavioral2/memory/64-383-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: xmrig)
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
- 4416 powershell.exe
- 2272 powershell.exe
Creates new service(s) (2 TTPs)
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 14 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (axplong.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (axplong.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (axplong.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (axplong.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (axplong.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (axplong.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (axplong.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (axplong.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (axplong.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (axplong.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (axplong.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (axplong.exe)
Executes dropped EXE (16 IoCs)
Processes:
- 4640 axplong.exe
- 4132 axplong.exe
- 2544 crypted.exe
- 1908 NewLatest.exe
- 4228 Hkbsse.exe
- 1592 123.exe
- 3468 Hkbsse.exe
- 4460 axplong.exe
- 664 Hkbsse.exe
- 1528 axplong.exe
- 2964 FirstZ.exe
- 2168 Hkbsse.exe
- 4356 axplong.exe
- 4028 reakuqnanrkn.exe
- 5096 Hkbsse.exe
- 2888 axplong.exe
Identifies Wine through registry keys (2 TTPs, 7 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- Key opened \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine (axplong.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine (axplong.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine (67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine (axplong.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine (axplong.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine (axplong.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine (axplong.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
- behavioral2/memory/64-364-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: upx)
- behavioral2/memory/64-368-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: upx)
- behavioral2/memory/64-376-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: upx)
- behavioral2/memory/64-374-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: upx)
- behavioral2/memory/64-373-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: upx)
- behavioral2/memory/64-370-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: upx)
- behavioral2/memory/64-375-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: upx)
- behavioral2/memory/64-372-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: upx)
- behavioral2/memory/64-369-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: upx)
- behavioral2/memory/64-367-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: upx)
- behavioral2/memory/64-366-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: upx)
- behavioral2/memory/64-365-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: upx)
- behavioral2/memory/64-382-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: upx)
- behavioral2/memory/64-383-0x0000000140000000-0x0000000140848000-memory.dmp (yara rule: upx)
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 5 IoCs)
Processes:
- flow 36: bitbucket.org
- flow 96: pastebin.com
- flow 97: pastebin.com
- flow 99: bitbucket.org
- flow 32: bitbucket.org
Power Settings (1 TTP, 8 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
- 636 powercfg.exe
- 1860 powercfg.exe
- 4824 powercfg.exe
- 5052 powercfg.exe
- 788 powercfg.exe
- 244 powercfg.exe
- 400 powercfg.exe
- 640 powercfg.exe
Drops file in System32 directory (4 IoCs)
Processes:
- File opened for modification C:\Windows\system32\MRT.exe (FirstZ.exe)
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
- File opened for modification C:\Windows\system32\MRT.exe (reakuqnanrkn.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
Processes:
- 2520 67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
- 4640 axplong.exe
- 4132 axplong.exe
- 4460 axplong.exe
- 1528 axplong.exe
- 4356 axplong.exe
- 2888 axplong.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 2544 (crypted.exe) set thread context of PID 1852 (RegAsm.exe)
- PID 4028 (reakuqnanrkn.exe) set thread context of PID 764 (conhost.exe)
- PID 4028 (reakuqnanrkn.exe) set thread context of PID 64 (explorer.exe)
Drops file in Windows directory (2 IoCs)
Processes:
- File created C:\Windows\Tasks\axplong.job (67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe)
- File created C:\Windows\Tasks\Hkbsse.job (NewLatest.exe)
Launches sc.exe (14 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes:
- 4708 sc.exe
- 308 sc.exe
- 2992 sc.exe
- 1960 sc.exe
- 4460 sc.exe
- 424 sc.exe
- 664 sc.exe
- 1516 sc.exe
- 2028 sc.exe
- 3544 sc.exe
- 4764 sc.exe
- 4220 sc.exe
- 1520 sc.exe
- 4308 sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
Processes:
- 2756 WerFault.exe (target: 2544 crypted.exe)
Modifies data under HKEY_USERS (51 IoCs)
Processes:
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates (explorer.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs (explorer.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT (explorer.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs (powershell.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs (explorer.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (powershell.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- 2520 67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
- 2520 67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
- 4640 axplong.exe
- 4640 axplong.exe
- 4132 axplong.exe
- 4132 axplong.exe
- 4460 axplong.exe
- 4460 axplong.exe
- 1528 axplong.exe
- 1528 axplong.exe
- 4356 axplong.exe
- 4356 axplong.exe
- 1592 123.exe
- 1592 123.exe
- 1592 123.exe
- 2964 FirstZ.exe
- 4416 powershell.exe
- 4416 powershell.exe
- 4416 powershell.exe
- 2964 FirstZ.exe
- 2964 FirstZ.exe
- 2964 FirstZ.exe
- 2964 FirstZ.exe
- 2964 FirstZ.exe
- 2964 FirstZ.exe
- 2964 FirstZ.exe
- 2964 FirstZ.exe
- 2964 FirstZ.exe
- 2964 FirstZ.exe
- 2964 FirstZ.exe
- 2964 FirstZ.exe
- 2964 FirstZ.exe
- 2964 FirstZ.exe
- 4028 reakuqnanrkn.exe
- 2272 powershell.exe
- 2272 powershell.exe
- 2272 powershell.exe
- 4028 reakuqnanrkn.exe
- 4028 reakuqnanrkn.exe
- 4028 reakuqnanrkn.exe
- 4028 reakuqnanrkn.exe
- 4028 reakuqnanrkn.exe
- 4028 reakuqnanrkn.exe
- 4028 reakuqnanrkn.exe
- 4028 reakuqnanrkn.exe
- 4028 reakuqnanrkn.exe
- 4028 reakuqnanrkn.exe
- 4028 reakuqnanrkn.exe
- 4028 reakuqnanrkn.exe
- 64 explorer.exe
- 64 explorer.exe
- 64 explorer.exe
- 64 explorer.exe
- 64 explorer.exe
- 64 explorer.exe
- 64 explorer.exe
- 64 explorer.exe
- 64 explorer.exe
- 64 explorer.exe
- 64 explorer.exe
- 64 explorer.exe
- 64 explorer.exe
- 64 explorer.exe
- 64 explorer.exe
Suspicious use of AdjustPrivilegeToken (53 IoCs)
Processes:
- Token: SeDebugPrivilege, 1592 123.exe
- Token: SeDebugPrivilege, 4416 powershell.exe
- Token: SeIncreaseQuotaPrivilege, 4416 powershell.exe
- Token: SeSecurityPrivilege, 4416 powershell.exe
- Token: SeTakeOwnershipPrivilege, 4416 powershell.exe
- Token: SeLoadDriverPrivilege, 4416 powershell.exe
- Token: SeSystemProfilePrivilege, 4416 powershell.exe
- Token: SeSystemtimePrivilege, 4416 powershell.exe
- Token: SeProfSingleProcessPrivilege, 4416 powershell.exe
- Token: SeIncBasePriorityPrivilege, 4416 powershell.exe
- Token: SeCreatePagefilePrivilege, 4416 powershell.exe
- Token: SeBackupPrivilege, 4416 powershell.exe
- Token: SeRestorePrivilege, 4416 powershell.exe
- Token: SeShutdownPrivilege, 4416 powershell.exe
- Token: SeDebugPrivilege, 4416 powershell.exe
- Token: SeSystemEnvironmentPrivilege, 4416 powershell.exe
- Token: SeRemoteShutdownPrivilege, 4416 powershell.exe
- Token: SeUndockPrivilege, 4416 powershell.exe
- Token: SeManageVolumePrivilege, 4416 powershell.exe
- Token: 33, 4416 powershell.exe
- Token: 34, 4416 powershell.exe
- Token: 35, 4416 powershell.exe
- Token: 36, 4416 powershell.exe
- Token: SeShutdownPrivilege, 640 powercfg.exe
- Token: SeCreatePagefilePrivilege, 640 powercfg.exe
- Token: SeShutdownPrivilege, 636 powercfg.exe
- Token: SeCreatePagefilePrivilege, 636 powercfg.exe
- Token: SeShutdownPrivilege, 400 powercfg.exe
- Token: SeCreatePagefilePrivilege, 400 powercfg.exe
- Token: SeShutdownPrivilege, 244 powercfg.exe
- Token: SeCreatePagefilePrivilege, 244 powercfg.exe
- Token: SeDebugPrivilege, 2272 powershell.exe
- Token: SeAssignPrimaryTokenPrivilege, 2272 powershell.exe
- Token: SeIncreaseQuotaPrivilege, 2272 powershell.exe
- Token: SeSecurityPrivilege, 2272 powershell.exe
- Token: SeTakeOwnershipPrivilege, 2272 powershell.exe
- Token: SeLoadDriverPrivilege, 2272 powershell.exe
- Token: SeSystemtimePrivilege, 2272 powershell.exe
- Token: SeBackupPrivilege, 2272 powershell.exe
- Token: SeRestorePrivilege, 2272 powershell.exe
- Token: SeShutdownPrivilege, 2272 powershell.exe
- Token: SeSystemEnvironmentPrivilege, 2272 powershell.exe
- Token: SeUndockPrivilege, 2272 powershell.exe
- Token: SeManageVolumePrivilege, 2272 powershell.exe
- Token: SeShutdownPrivilege, 1860 powercfg.exe
- Token: SeCreatePagefilePrivilege, 1860 powercfg.exe
- Token: SeShutdownPrivilege, 4824 powercfg.exe
- Token: SeCreatePagefilePrivilege, 4824 powercfg.exe
- Token: SeShutdownPrivilege, 788 powercfg.exe
- Token: SeCreatePagefilePrivilege, 788 powercfg.exe
- Token: SeLockMemoryPrivilege, 64 explorer.exe
- Token: SeShutdownPrivilege, 5052 powercfg.exe
- Token: SeCreatePagefilePrivilege, 5052 powercfg.exe
Suspicious use of WriteProcessMemory (44 IoCs)
Processes:
- PID 2520 (67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe) wrote to memory of PID 4640 (axplong.exe)
- PID 2520 (67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe) wrote to memory of PID 4640 (axplong.exe)
- PID 2520 (67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe) wrote to memory of PID 4640 (axplong.exe)
- PID 4640 (axplong.exe) wrote to memory of PID 2544 (crypted.exe)
- PID 4640 (axplong.exe) wrote to memory of PID 2544 (crypted.exe)
- PID 4640 (axplong.exe) wrote to memory of PID 2544 (crypted.exe)
- PID 2544 (crypted.exe) wrote to memory of PID 1852 (RegAsm.exe)
- PID 2544 (crypted.exe) wrote to memory of PID 1852 (RegAsm.exe)
- PID 2544 (crypted.exe) wrote to memory of PID 1852 (RegAsm.exe)
- PID 2544 (crypted.exe) wrote to memory of PID 1852 (RegAsm.exe)
- PID 2544 (crypted.exe) wrote to memory of PID 1852 (RegAsm.exe)
- PID 2544 (crypted.exe) wrote to memory of PID 1852 (RegAsm.exe)
- PID 2544 (crypted.exe) wrote to memory of PID 1852 (RegAsm.exe)
- PID 2544 (crypted.exe) wrote to memory of PID 1852 (RegAsm.exe)
- PID 2544 (crypted.exe) wrote to memory of PID 1852 (RegAsm.exe)
- PID 4640 (axplong.exe) wrote to memory of PID 1908 (NewLatest.exe)
- PID 4640 (axplong.exe) wrote to memory of PID 1908 (NewLatest.exe)
- PID 4640 (axplong.exe) wrote to memory of PID 1908 (NewLatest.exe)
- PID 1908 (NewLatest.exe) wrote to memory of PID 4228 (Hkbsse.exe)
- PID 1908 (NewLatest.exe) wrote to memory of PID 4228 (Hkbsse.exe)
- PID 1908 (NewLatest.exe) wrote to memory of PID 4228 (Hkbsse.exe)
- PID 4640 (axplong.exe) wrote to memory of PID 1592 (123.exe)
- PID 4640 (axplong.exe) wrote to memory of PID 1592 (123.exe)
- PID 4640 (axplong.exe) wrote to memory of PID 1592 (123.exe)
- PID 4228 (Hkbsse.exe) wrote to memory of PID 2964 (FirstZ.exe)
- PID 4228 (Hkbsse.exe) wrote to memory of PID 2964 (FirstZ.exe)
- PID 5052 (cmd.exe) wrote to memory of PID 4824 (wusa.exe)
- PID 5052 (cmd.exe) wrote to memory of PID 4824 (wusa.exe)
- PID 520 (cmd.exe) wrote to memory of PID 2196 (wusa.exe)
- PID 520 (cmd.exe) wrote to memory of PID 2196 (wusa.exe)
- PID 4028 (reakuqnanrkn.exe) wrote to memory of PID 764 (conhost.exe)
- PID 4028 (reakuqnanrkn.exe) wrote to memory of PID 764 (conhost.exe)
- PID 4028 (reakuqnanrkn.exe) wrote to memory of PID 764 (conhost.exe)
- PID 4028 (reakuqnanrkn.exe) wrote to memory of PID 764 (conhost.exe)
- PID 4028 (reakuqnanrkn.exe) wrote to memory of PID 764 (conhost.exe)
- PID 4028 (reakuqnanrkn.exe) wrote to memory of PID 764 (conhost.exe)
- PID 4028 (reakuqnanrkn.exe) wrote to memory of PID 764 (conhost.exe)
- PID 4028 (reakuqnanrkn.exe) wrote to memory of PID 764 (conhost.exe)
- PID 4028 (reakuqnanrkn.exe) wrote to memory of PID 764 (conhost.exe)
- PID 4028 (reakuqnanrkn.exe) wrote to memory of PID 64 (explorer.exe)
- PID 4028 (reakuqnanrkn.exe) wrote to memory of PID 64 (explorer.exe)
- PID 4028 (reakuqnanrkn.exe) wrote to memory of PID 64 (explorer.exe)
- PID 4028 (reakuqnanrkn.exe) wrote to memory of PID 64 (explorer.exe)
- PID 4028 (reakuqnanrkn.exe) wrote to memory of PID 64 (explorer.exe)
Processes
Process (level 1): C:\Users\Admin\AppData\Local\Temp\67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Process (level 2): C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Process (level 3): C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
Process (level 4): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Process (level 4): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 320
- Program crash
Process (level 3): C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
Process (level 4): C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Process (level 5): C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
Process (level 6): C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (level 6): C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
- Suspicious use of WriteProcessMemory
Process (level 7): C:\Windows\system32\wusa.exe
Command line: wusa /uninstall /kb:890830 /quiet /norestart
Process (level 6): C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop UsoSvc
- Launches sc.exe
Process (level 6): C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
- Launches sc.exe
Process (level 6): C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop wuauserv
- Launches sc.exe
Process (level 6): C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop bits
- Launches sc.exe
Process (level 6): C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop dosvc
- Launches sc.exe
Process (level 6): C:\Windows\system32\powercfg.exe
Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
Process (level 6): C:\Windows\system32\powercfg.exe
Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
Process (level 6): C:\Windows\system32\powercfg.exe
Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
Process (level 6): C:\Windows\system32\powercfg.exe
Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
Process (level 6): C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe delete "WSNKISKT"
- Launches sc.exe
Process (level 6): C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
- Launches sc.exe
Process (level 6): C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop eventlog
- Launches sc.exe
Process (level 6): C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe start "WSNKISKT"
- Launches sc.exe
Process (level 3): C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (level 1): C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Command line: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Process (level 1): C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
Command line: C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
- Executes dropped EXE
Process (level 1): C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Command line: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Process (level 1): C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
Command line: C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
- Executes dropped EXE
Process (level 1): C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Command line: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Process (level 1): C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
Command line: C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
- Executes dropped EXE
Process (level 1): C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Command line: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Process (level 1): C:\ProgramData\wikombernizc\reakuqnanrkn.exe
Command line: C:\ProgramData\wikombernizc\reakuqnanrkn.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Process (level 2): C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (level 2): C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
- Suspicious use of WriteProcessMemory
Process (level 3): C:\Windows\system32\wusa.exe
Command line: wusa /uninstall /kb:890830 /quiet /norestart
Process (level 2): C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop UsoSvc
- Launches sc.exe
Process (level 2): C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
- Launches sc.exe
Process (level 2): C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop wuauserv
- Launches sc.exe
Process (level 2): C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop bits
- Launches sc.exe
Process (level 2): C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop dosvc
- Launches sc.exe
Process (level 2): C:\Windows\system32\powercfg.exe
Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
Process (level 2): C:\Windows\system32\powercfg.exe
Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe (level 2)
Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe (level 2)
Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe (level 2)
Command line: C:\Windows\system32\conhost.exe
-
C:\Windows\explorer.exe (level 2)
Command line: explorer.exe
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
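The children of reakuqnanrkn.exe above form one recognisable sequence: Defender exclusions for the whole user profile and ProgramData, removal of the Malicious Software Removal Tool (KB890830), the Windows Update and BITS services stopped, and every sleep/hibernate timeout set to 0 so the host never idles. The following script is an added example, not part of the sandbox report or of any tool it names: it applies four command-line rules to the process tree and only flags a tree that hits several distinct categories, since a lone `sc stop` or `powercfg` call is ordinary admin noise. The command lines in SAMPLE_TREE are copied from the report; the rule names and the ATT&CK mapping are my own assumptions.

```python
"""
Added example, not part of the sandbox report: score the process tree above
for the defence-evasion pattern it shows (Defender exclusions, MSRT removal,
Windows Update services stopped, sleep/hibernate disabled). The command
lines in SAMPLE_TREE are copied from the report; the rule names and the
ATT&CK mapping are my own and are the assumptions here.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    attack_id: str        # my mapping, not the sandbox's own matrix
    pattern: re.Pattern


RULES = (
    Rule("defender-exclusion", "T1562.001",
         re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I)),
    Rule("msrt-removal", "T1562.001",
         re.compile(r"\bwusa(\.exe)?\b.*/uninstall\b.*/kb:890830\b", re.I)),
    Rule("stop-update-service", "T1489",
         re.compile(r"\bsc(\.exe)?\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    Rule("disable-sleep", "T1653",
         re.compile(r"\bpowercfg(\.exe)?\b.*/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0\b", re.I)),
)

# Constructed input: (image, command line) pairs copied from the process tree.
SAMPLE_TREE = [
    (r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference "
     r"-ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    (r"C:\Windows\system32\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (r"C:\Windows\system32\wusa.exe", r"wusa /uninstall /kb:890830 /quiet /norestart"),
    (r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop UsoSvc"),
    (r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop WaaSMedicSvc"),
    (r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop wuauserv"),
    (r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop bits"),
    (r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop dosvc"),
    (r"C:\Windows\system32\powercfg.exe", r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"),
    (r"C:\Windows\system32\powercfg.exe", r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0"),
    (r"C:\Windows\system32\powercfg.exe", r"C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0"),
    (r"C:\Windows\system32\powercfg.exe", r"C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0"),
    (r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe"),
    (r"C:\Windows\explorer.exe", r"explorer.exe"),
]


def match_rules(command_line):
    """Names of every rule whose pattern matches one command line."""
    return [r.name for r in RULES if r.pattern.search(command_line)]


def triage(tree):
    """(image, rule name, ATT&CK id) for every hit in the tree, in tree order."""
    attack_of = {r.name: r.attack_id for r in RULES}
    return [(image, name, attack_of[name])
            for image, cmd in tree for name in match_rules(cmd)]


def verdict(tree, min_categories=3):
    """A single stopped service or powercfg call is normal admin noise; several
    different categories in one tree is the loader pattern seen above.
    Returns (number of distinct categories hit, flagged?)."""
    categories = {name for _, name, _ in triage(tree)}
    return len(categories), len(categories) >= min_categories


if __name__ == "__main__":
    for image, name, attack_id in triage(SAMPLE_TREE):
        print(f"{attack_id:<10} {name:<22} {image}")
    print("verdict:", verdict(SAMPLE_TREE))
```

The same rules run unchanged over Sysmon event 1 or 4688 command lines; the threshold is the part to tune, because on a real fleet a patch-management script will legitimately stop wuauserv or touch powercfg, but will not also add a Defender exclusion for `%ProgramData%\*.exe` and uninstall KB890830 in the same minute.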
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe
Filesize: 272KB
MD5: b43a922df4c08334aae60a5ae8871899
SHA1: edde93470f4a9ad5a48588d0cfc66a4eb639b5bf
SHA256: 64ae0a0c689149ab90061d01bdcb641f9ed1a4659bcec9fdd4adf9f06fb343aa
SHA512: b934c082e4c0e9a2ce4a79fcc53eee90dbe3a7eac389488ca6b971a38db5865b2b9242480a928ae2022886fc203aac7eb494eed9319b4e75a328e014f34c54ce
-
C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe
Filesize: 2.5MB
MD5: ffada57f998ed6a72b6ba2f072d2690a
SHA1: 6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
SHA256: 677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
SHA512: 1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f
-
C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exe
Filesize: 529KB
MD5: efb9f7b4e6703ad5d5b179992a6c44f8
SHA1: 6f51ff5a147570a141ec8ce662501c21ff8b3530
SHA256: 6ea5dc63bda788cd58bcbc5d9c736f7ba1d01371a9d05c53134616c2776c6314
SHA512: 389ea1f3881434c7aabad6c9ff4827cc595afb326d978de9dbf0cfd1f80d96f9d242e11da8025970f1cf594382f01b1c86e53476d5e7896ed802dd9c018d6dc0
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
Filesize: 415KB
MD5: 07101cac5b9477ba636cd8ca7b9932cb
SHA1: 59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1
SHA256: 488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77
SHA512: 02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887
-
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe
Filesize: 297KB
MD5: cd581d68ed550455444ee6e099c44266
SHA1: f131d587578336651fd3e325b82b6c185a4b6429
SHA256: a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505
SHA512: 33f94920032436cd45906c27cd5b39f47f9519ab5a1a6745bd8a69d81ce729d8e5e425a7538b5f4f6992bd3804e0376085f5da1c28cf9f4d664cabe64036d0b5
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize: 1.8MB
MD5: b140d0e0a9bfb0c0be35c9c605d046c1
SHA1: f82a8c33fa2dbf8fc327be0dfd764660252d1d74
SHA256: 67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76
SHA512: f2f25b3fbe54ee18f89e825dd34ce7728873d4847e2882886a7d6f8c6dd0e0c7887263900b954abdd853935b01ecaad94a04dffad61940b402d94d859c96bf1f
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_obvaj52a.s5h.ps1
Filesize: 1B
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
memory/64-367-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize: 8.3MB
-
memory/64-364-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize: 8.3MB
-
memory/64-372-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize: 8.3MB
-
memory/64-375-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize: 8.3MB
-
memory/64-370-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize: 8.3MB
-
memory/64-373-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize: 8.3MB
-
memory/64-374-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize: 8.3MB
-
memory/64-376-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize: 8.3MB
-
memory/64-371-0x0000000001620000-0x0000000001640000-memory.dmp
Filesize: 128KB
-
memory/64-366-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize: 8.3MB
-
memory/64-368-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize: 8.3MB
-
memory/64-369-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize: 8.3MB
-
memory/64-383-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize: 8.3MB
-
memory/64-382-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize: 8.3MB
-
memory/64-365-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize: 8.3MB
-
memory/764-356-0x0000000140000000-0x000000014000E000-memory.dmp
Filesize: 56KB
-
memory/764-358-0x0000000140000000-0x000000014000E000-memory.dmp
Filesize: 56KB
-
memory/764-359-0x0000000140000000-0x000000014000E000-memory.dmp
Filesize: 56KB
-
memory/764-360-0x0000000140000000-0x000000014000E000-memory.dmp
Filesize: 56KB
-
memory/764-357-0x0000000140000000-0x000000014000E000-memory.dmp
Filesize: 56KB
-
memory/764-363-0x0000000140000000-0x000000014000E000-memory.dmp
Filesize: 56KB
-
memory/1528-132-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/1528-131-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/1592-80-0x0000000005670000-0x0000000005B6E000-memory.dmp
Filesize: 5.0MB
-
memory/1592-81-0x0000000005170000-0x0000000005202000-memory.dmp
Filesize: 584KB
-
memory/1592-87-0x0000000005440000-0x000000000548B000-memory.dmp
Filesize: 300KB
-
memory/1592-157-0x0000000007C10000-0x000000000813C000-memory.dmp
Filesize: 5.2MB
-
memory/1592-156-0x0000000006DA0000-0x0000000006F62000-memory.dmp
Filesize: 1.8MB
-
memory/1592-105-0x0000000005C10000-0x0000000005C76000-memory.dmp
Filesize: 408KB
-
memory/1592-155-0x0000000006B80000-0x0000000006BD0000-memory.dmp
Filesize: 320KB
-
memory/1592-84-0x0000000005500000-0x000000000560A000-memory.dmp
Filesize: 1.0MB
-
memory/1592-82-0x0000000005140000-0x000000000514A000-memory.dmp
Filesize: 40KB
-
memory/1592-79-0x00000000008A0000-0x00000000008F0000-memory.dmp
Filesize: 320KB
-
memory/1592-85-0x00000000053A0000-0x00000000053B2000-memory.dmp
Filesize: 72KB
-
memory/1592-83-0x0000000006180000-0x0000000006786000-memory.dmp
Filesize: 6.0MB
-
memory/1592-86-0x0000000005400000-0x000000000543E000-memory.dmp
Filesize: 248KB
-
memory/1852-43-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize: 360KB
-
memory/1852-42-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize: 360KB
-
memory/2272-267-0x0000025AE23B0000-0x0000025AE23BA000-memory.dmp
Filesize: 40KB
-
memory/2272-234-0x0000025AE2570000-0x0000025AE2629000-memory.dmp
Filesize: 740KB
-
memory/2272-228-0x0000025AE2390000-0x0000025AE23AC000-memory.dmp
Filesize: 112KB
-
memory/2520-5-0x0000000000B50000-0x0000000001022000-memory.dmp
Filesize: 4.8MB
-
memory/2520-0-0x0000000000B50000-0x0000000001022000-memory.dmp
Filesize: 4.8MB
-
memory/2520-3-0x0000000000B50000-0x0000000001022000-memory.dmp
Filesize: 4.8MB
-
memory/2520-13-0x0000000000B50000-0x0000000001022000-memory.dmp
Filesize: 4.8MB
-
memory/2520-2-0x0000000000B51000-0x0000000000B7F000-memory.dmp
Filesize: 184KB
-
memory/2520-1-0x0000000076F94000-0x0000000076F95000-memory.dmp
Filesize: 4KB
-
memory/2888-390-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4132-21-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4132-20-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4356-153-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4416-162-0x000001AA4E330000-0x000001AA4E352000-memory.dmp
Filesize: 136KB
-
memory/4416-165-0x000001AA66AF0000-0x000001AA66B66000-memory.dmp
Filesize: 472KB
-
memory/4460-112-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-133-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-17-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-150-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-149-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-136-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-135-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-78-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-45-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-44-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-134-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-128-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-29-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-25-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-22-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-127-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-126-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-18-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-154-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-16-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-125-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-14-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-114-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-113-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-379-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-380-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-381-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-106-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-104-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-384-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-386-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-94-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-391-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-392-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-393-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-394-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
-
memory/4640-395-0x0000000000A20000-0x0000000000EF2000-memory.dmp
Filesize: 4.8MB
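Two things in the Downloads list are worth checking rather than eyeballing: the dropped `8254624243\axplong.exe` carries the same SHA-256 as the submitted sample, so it is a byte-identical self-copy into the install directory and not a second payload, and `__PSScriptPolicyTest_obvaj52a.s5h.ps1` is the 1-byte file PowerShell writes to %TEMP% to test whether script execution policy (AppLocker/WDAC) is enforced; its hashes are those of the single character `1`, so it is host noise rather than something the malware dropped. The script below is an added example, not part of the sandbox report: it parses the records in the fused form they were extracted in (`<path>Filesize`, `MD5<hex>`, ...), validates digest lengths, and runs both checks. The record text and SUBMITTED_SHA256 are copied from this report; the function names are mine.

```python
"""
Added example, not part of the sandbox report: parse the extracted
"Downloads" records and run two triage checks on them:
  1. which dropped files are byte-identical copies of the submitted sample
     (or of each other), by SHA-256;
  2. which entries are PowerShell's benign script-policy probe, i.e. a
     1-byte file whose content is "1".
The record text and SUBMITTED_SHA256 are copied from this report; the
parser and check functions are my own.
"""
import hashlib
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")

# From the report's General section: SHA-256 of the file that was submitted.
SUBMITTED_SHA256 = "67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76"

# Constructed input: a subset of the Downloads records, in the extracted form.
SAMPLE_DOWNLOADS = r"""
-
C:\Users\Admin\AppData\Local\Temp\1000020001\1.exeFilesize
272KB
MD5b43a922df4c08334aae60a5ae8871899
SHA1edde93470f4a9ad5a48588d0cfc66a4eb639b5bf
SHA25664ae0a0c689149ab90061d01bdcb641f9ed1a4659bcec9fdd4adf9f06fb343aa
SHA512b934c082e4c0e9a2ce4a79fcc53eee90dbe3a7eac389488ca6b971a38db5865b2b9242480a928ae2022886fc203aac7eb494eed9319b4e75a328e014f34c54ce
-
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exeFilesize
297KB
MD5cd581d68ed550455444ee6e099c44266
SHA1f131d587578336651fd3e325b82b6c185a4b6429
SHA256a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeFilesize
1.8MB
MD5b140d0e0a9bfb0c0be35c9c605d046c1
SHA1f82a8c33fa2dbf8fc327be0dfd764660252d1d74
SHA25667772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_obvaj52a.s5h.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
"""


def parse_downloads(text):
    """Return a list of {path, size, MD5, SHA1, ...} dicts, one per record."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if line.endswith("Filesize"):            # "<path>Filesize" opens a record
            cur = {"path": line[:-len("Filesize")], "size": None}
            records.append(cur)
            continue
        if cur is None:
            raise ValueError(f"data line before any record: {line!r}")
        m = _HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:    # catches truncated/fused digests
                raise ValueError(f"{algo} for {cur['path']} has {len(digest)} hex chars")
            cur[algo] = digest
        elif cur["size"] is None:
            cur["size"] = line                   # "272KB", "1B", ...
        else:
            raise ValueError(f"unexpected line in record {cur['path']}: {line!r}")
    return records


def duplicate_hashes(records):
    """SHA-256 -> paths, for digests that appear under more than one path."""
    seen = defaultdict(list)
    for r in records:
        if "SHA256" in r:
            seen[r["SHA256"]].append(r["path"])
    return {h: paths for h, paths in seen.items() if len(paths) > 1}


def copies_of_sample(records, sample_sha256):
    """Paths whose SHA-256 equals the submitted sample's (self-copies)."""
    return [r["path"] for r in records if r.get("SHA256") == sample_sha256.lower()]


def is_policy_probe(record):
    """True for PowerShell's __PSScriptPolicyTest_*.ps1 probe file: every
    digest present must equal the digest of the single byte b"1"."""
    name = record["path"].rsplit("\\", 1)[-1]
    expected = {a: getattr(hashlib, a.lower())(b"1").hexdigest() for a in HASH_LEN}
    return name.startswith("__PSScriptPolicyTest_") and all(
        record[a] == expected[a] for a in HASH_LEN if a in record)


if __name__ == "__main__":
    recs = parse_downloads(SAMPLE_DOWNLOADS)
    print("self-copies of sample:", copies_of_sample(recs, SUBMITTED_SHA256))
    print("duplicate digests:", duplicate_hashes(recs))
    print("policy probes:", [r["path"] for r in recs if is_policy_probe(r)])
```

Feed it the full list (memory dump entries parse the same way, with no digests) and the self-copy check is what lets you drop axplong.exe from the IOC set as a new hash while keeping its path, which is the install location the config names.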