Analysis
-
max time kernel
300s -
max time network
298s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system -
submitted
27-06-2024 22:59
Static task
static1
Behavioral task
behavioral1
Sample
791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
Resource
win7-20240221-en
General
-
Target
791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
-
Size
1.8MB
-
MD5
7558819d7d8c4a51720952fedd9758fa
-
SHA1
b812b6495c1df9ea4019ac3bb510d535cf2415aa
-
SHA256
791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8
-
SHA512
8b8aa1d8d39a09620774c9585ba6fadd233ef1dae6e2533ce15f586af2ddc03b34a88f036070a6be5094f9d5ed8eb02d532895fe307cbf3ff8e335dc8d6248cd
-
SSDEEP
49152:GdtfeaiBlh7ioEbm9khHiTfitx+/7sNIKE0jc:G6Nv7ioEbm9wCj64/xh0j
Malware Config
Extracted
amadey
8254624243
e76b71
http://77.91.77.81
-
install_dir
8254624243
-
install_file
axplong.exe
-
strings_key
90049e51fabf09df0d6748e0b271922e
-
url_paths
/Kiru9gu/index.php
Extracted
redline
123
185.215.113.67:40960
Extracted
lumma
https://harmfullyelobardek.shop/api
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe | family_redline
behavioral2/memory/2032-75-0x0000000000620000-0x0000000000670000-memory.dmp | family_redline
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe, axplong.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
-
XMRig Miner payload 7 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exe, powershell.exe
pid | process
2628 | powershell.exe
2064 | powershell.exe
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe, axplong.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
-
Executes dropped EXE 12 IoCs
Processes:
axplong.exe, crypted.exe, NewLatest.exe, Hkbsse.exe, 123.exe, 1.exe, Hkbsse.exe, Hkbsse.exe, FirstZ.exe, Hkbsse.exe, reakuqnanrkn.exe, Hkbsse.exe
pid | process
380 | axplong.exe
4516 | crypted.exe
5020 | NewLatest.exe
4180 | Hkbsse.exe
2032 | 123.exe
4080 | 1.exe
208 | Hkbsse.exe
2376 | Hkbsse.exe
664 | FirstZ.exe
4480 | Hkbsse.exe
3640 | reakuqnanrkn.exe
3388 | Hkbsse.exe
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe, axplong.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine | 791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
Key opened | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine | axplong.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral2/memory/624-373-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/624-374-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/624-385-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/624-379-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/624-383-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/624-381-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/624-384-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/624-382-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/624-378-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/624-377-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/624-376-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/624-375-0x0000000140000000-0x0000000140848000-memory.dmp upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
Processes:
flow | ioc
93 | bitbucket.org
98 | pastebin.com
99 | pastebin.com
29 | bitbucket.org
36 | bitbucket.org
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
powercfg.exe, powercfg.exe, powercfg.exe, powercfg.exe, powercfg.exe, powercfg.exe, powercfg.exe, powercfg.exe
pid | process
4532 | powercfg.exe
4724 | powercfg.exe
920 | powercfg.exe
600 | powercfg.exe
420 | powercfg.exe
872 | powercfg.exe
564 | powercfg.exe
4040 | powercfg.exe
-
Drops file in System32 directory 4 IoCs
Processes:
FirstZ.exe, powershell.exe, reakuqnanrkn.exe
description | ioc | process
File opened for modification | C:\Windows\system32\MRT.exe | FirstZ.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | reakuqnanrkn.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe, axplong.exe
pid | process
3620 | 791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
380 | axplong.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
crypted.exe, reakuqnanrkn.exe
description | pid | process | target process
PID 4516 set thread context of 4488 | 4516 | crypted.exe | RegAsm.exe
PID 3640 set thread context of 4056 | 3640 | reakuqnanrkn.exe | conhost.exe
PID 3640 set thread context of 624 | 3640 | reakuqnanrkn.exe | explorer.exe
-
Drops file in Windows directory 2 IoCs
Processes:
791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe, NewLatest.exe
description | ioc | process
File created | C:\Windows\Tasks\axplong.job | 791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
File created | C:\Windows\Tasks\Hkbsse.job | NewLatest.exe
-
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
sc.exe, sc.exe, sc.exe, sc.exe, sc.exe, sc.exe, sc.exe, sc.exe, sc.exe, sc.exe, sc.exe, sc.exe, sc.exe, sc.exe
pid | process
4076 | sc.exe
1092 | sc.exe
3936 | sc.exe
2416 | sc.exe
1768 | sc.exe
4408 | sc.exe
584 | sc.exe
200 | sc.exe
4492 | sc.exe
864 | sc.exe
2628 | sc.exe
4868 | sc.exe
3196 | sc.exe
3192 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exe, WerFault.exe
pid | pid_target | process | target process
3580 | 4516 | WerFault.exe | crypted.exe
1984 | 4080 | WerFault.exe | 1.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
1.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1.exe
-
Modifies data under HKEY_USERS 51 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe
"C:\Users\Admin\AppData\Local\Temp\791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 324
4⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe"
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 500
6⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
7⤵
-
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
6⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
6⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe
"C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
-
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
-
C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000020001\1.exeFilesize
317KB
MD5e1b59d2805b38262b9967bce3e719dbf
SHA14081416cfaa76941981c34518d45b60e8d4b2013
SHA256d5bba713d11ebbb7a91be59dae0f2d4b818897fe756b854dfe40babe7664c173
SHA512bcea30a8f2a10aed0e2c97133734a34a850c18ee9447966ed8cdae8bbf72b98ebd2703a7cadf53b8991ef5eb3047d871242e990a4b7baf00eda8ca5f5f7dda35
-
C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exeFilesize
2.5MB
MD5ffada57f998ed6a72b6ba2f072d2690a
SHA16857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
SHA256677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
SHA5121de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f
-
C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exeFilesize
529KB
MD5efb9f7b4e6703ad5d5b179992a6c44f8
SHA16f51ff5a147570a141ec8ce662501c21ff8b3530
SHA2566ea5dc63bda788cd58bcbc5d9c736f7ba1d01371a9d05c53134616c2776c6314
SHA512389ea1f3881434c7aabad6c9ff4827cc595afb326d978de9dbf0cfd1f80d96f9d242e11da8025970f1cf594382f01b1c86e53476d5e7896ed802dd9c018d6dc0
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exeFilesize
415KB
MD507101cac5b9477ba636cd8ca7b9932cb
SHA159ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1
SHA256488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77
SHA51202240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887
-
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exeFilesize
297KB
MD5cd581d68ed550455444ee6e099c44266
SHA1f131d587578336651fd3e325b82b6c185a4b6429
SHA256a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505
SHA51233f94920032436cd45906c27cd5b39f47f9519ab5a1a6745bd8a69d81ce729d8e5e425a7538b5f4f6992bd3804e0376085f5da1c28cf9f4d664cabe64036d0b5
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeFilesize
1.8MB
MD57558819d7d8c4a51720952fedd9758fa
SHA1b812b6495c1df9ea4019ac3bb510d535cf2415aa
SHA256791eaef0785d029d9d27e46ae31a2a21b60ed15078d84d2a85b9b18eb0e315e8
SHA5128b8aa1d8d39a09620774c9585ba6fadd233ef1dae6e2533ce15f586af2ddc03b34a88f036070a6be5094f9d5ed8eb02d532895fe307cbf3ff8e335dc8d6248cd
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yxrvbh4t.5no.ps1
Filesize
1B