Analysis
-
max time kernel
299s -
max time network
303s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
27-06-2024 23:11
General
-
Target
a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe
-
Size
1.8MB
-
MD5
b60d82b8244e964110f66e7ad34dc37b
-
SHA1
413eb99c2ab5ea8f43d651b0100e76fc53aeba70
-
SHA256
a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c
-
SHA512
0641d19e3f3b71f0a8def8eeb19ac9364abc9f9f12762272a41331f3ee7e2a2ef5f96ca7ccbe879c21c3abefb8eafac2a46ac4901c0791be9b391dde754f5bb4
-
SSDEEP
49152:+cGpBBa72Cb7j7sMC8uB5cOtr9OwGlFN:61ab33y5c0r9OvL
Malware Config
Extracted
amadey
8254624243
e76b71
http://77.91.77.81
-
install_dir
8254624243
-
install_file
axplong.exe
-
strings_key
90049e51fabf09df0d6748e0b271922e
-
url_paths
/Kiru9gu/index.php
Extracted
redline
123
185.215.113.67:40960
Extracted
stealc
jopa
http://65.21.175.0
-
url_path
/108e010e8f91c38c.php
Extracted
lumma
https://harmfullyelobardek.shop/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 18 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 51 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 52 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe"C:\Users\Admin\AppData\Local\Temp\a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exe"C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 3244⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 5006⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe"C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart7⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc6⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "WSNKISKT"6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "WSNKISKT"6⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe"C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"3⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"4⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 10485⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exeC:\ProgramData\wikombernizc\reakuqnanrkn.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000020001\1.exeFilesize
317KB
MD5e1b59d2805b38262b9967bce3e719dbf
SHA14081416cfaa76941981c34518d45b60e8d4b2013
SHA256d5bba713d11ebbb7a91be59dae0f2d4b818897fe756b854dfe40babe7664c173
SHA512bcea30a8f2a10aed0e2c97133734a34a850c18ee9447966ed8cdae8bbf72b98ebd2703a7cadf53b8991ef5eb3047d871242e990a4b7baf00eda8ca5f5f7dda35
-
C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exeFilesize
2.5MB
MD5ffada57f998ed6a72b6ba2f072d2690a
SHA16857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
SHA256677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
SHA5121de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f
-
C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exeFilesize
529KB
MD5efb9f7b4e6703ad5d5b179992a6c44f8
SHA16f51ff5a147570a141ec8ce662501c21ff8b3530
SHA2566ea5dc63bda788cd58bcbc5d9c736f7ba1d01371a9d05c53134616c2776c6314
SHA512389ea1f3881434c7aabad6c9ff4827cc595afb326d978de9dbf0cfd1f80d96f9d242e11da8025970f1cf594382f01b1c86e53476d5e7896ed802dd9c018d6dc0
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exeFilesize
415KB
MD507101cac5b9477ba636cd8ca7b9932cb
SHA159ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1
SHA256488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77
SHA51202240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887
-
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exeFilesize
297KB
MD5cd581d68ed550455444ee6e099c44266
SHA1f131d587578336651fd3e325b82b6c185a4b6429
SHA256a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505
SHA51233f94920032436cd45906c27cd5b39f47f9519ab5a1a6745bd8a69d81ce729d8e5e425a7538b5f4f6992bd3804e0376085f5da1c28cf9f4d664cabe64036d0b5
-
C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exeFilesize
944KB
MD5ef9ac311c67507efa5d617871163c11f
SHA173c8d3aed68c837474d44ee9518ad67becd18b54
SHA25639c3d69f90b21c200535a77a355623a9171a6c2925e7a9d0dd01ec92eabab57a
SHA512e188df4e7c649a183ce15c1d52b982e945c5414e7367c7ea10fd0671b8f91e96f56bcc31b3da0183b6f65a346b567f321a9efb7d4182a64d42c5829ec85525d9
-
C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exeFilesize
1.2MB
MD5242214131486132e33ceda794d66ca1f
SHA14ce34fd91f5c9e35b8694007b286635663ef9bf2
SHA256bac402b5749b2da2211db6d2404c1c621ccd0c2e5d492eb6f973b3e2d38dd361
SHA512031e0904d949cec515f2d6f2b5e4b9c0df03637787ff14f20c58e711c54eec77d1f22aa0cf0f6efd65362c1fc0066645d5d005c6a77fe5b169427cdd42555d29
-
C:\Users\Admin\AppData\Local\Temp\1000115001\build.exeFilesize
1.8MB
MD51139354ff3c99fe83cdd7ef33f93599a
SHA163d4177e4ce0967058208231ab338923eef51b9d
SHA256a37dabf64f29b8ccac3edba64b1aae522e858ffe9856a8db96bc686e2fdb8d77
SHA512276ede80e9cfaa14c97c77db00796ebd249af3711a24e8d1b307431a3d7419da159c50d66b9c256e453862a94d3199470c7ff261bff418c43314e2f1ada4e512
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeFilesize
1.8MB
MD5b60d82b8244e964110f66e7ad34dc37b
SHA1413eb99c2ab5ea8f43d651b0100e76fc53aeba70
SHA256a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c
SHA5120641d19e3f3b71f0a8def8eeb19ac9364abc9f9f12762272a41331f3ee7e2a2ef5f96ca7ccbe879c21c3abefb8eafac2a46ac4901c0791be9b391dde754f5bb4
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tbzolxcz.glx.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
memory/196-335-0x000001E09FBA0000-0x000001E09FBAA000-memory.dmpFilesize
40KB
-
memory/196-302-0x000001E0A0080000-0x000001E0A0139000-memory.dmpFilesize
740KB
-
memory/196-296-0x000001E09FB80000-0x000001E09FB9C000-memory.dmpFilesize
112KB
-
memory/528-112-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/528-114-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/716-43-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/716-44-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/796-184-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/796-185-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1320-27-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1320-26-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1424-221-0x000001E7B6180000-0x000001E7B61F6000-memory.dmpFilesize
472KB
-
memory/1424-217-0x000001E7B5FC0000-0x000001E7B5FE2000-memory.dmpFilesize
136KB
-
memory/1736-131-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-15-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-16-0x0000000000EB1000-0x0000000000EDF000-memory.dmpFilesize
184KB
-
memory/1736-209-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-207-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-204-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-17-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-190-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-189-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-187-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-91-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-18-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-96-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-109-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-58-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-45-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-30-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-128-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-19-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-130-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-181-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-133-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-136-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-138-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-179-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-144-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-146-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-29-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-158-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-28-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1736-176-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/1896-174-0x0000000000A30000-0x0000000000ADE000-memory.dmpFilesize
696KB
-
memory/1908-129-0x0000000000400000-0x000000000236B000-memory.dmpFilesize
31.4MB
-
memory/2400-142-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/3636-425-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/3636-431-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/3636-424-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/3636-428-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/3636-426-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/3636-427-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/3848-212-0x0000000000EB0000-0x000000000134A000-memory.dmpFilesize
4.6MB
-
memory/4168-433-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/4168-435-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/4168-434-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/4168-432-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/4384-173-0x0000000000400000-0x000000000063C000-memory.dmpFilesize
2.2MB
-
memory/4724-86-0x0000000004FD0000-0x000000000500E000-memory.dmpFilesize
248KB
-
memory/4724-83-0x0000000005CB0000-0x00000000062B6000-memory.dmpFilesize
6.0MB
-
memory/4724-92-0x0000000005920000-0x0000000005986000-memory.dmpFilesize
408KB
-
memory/4724-87-0x0000000005010000-0x000000000505B000-memory.dmpFilesize
300KB
-
memory/4724-85-0x0000000004F60000-0x0000000004F72000-memory.dmpFilesize
72KB
-
memory/4724-84-0x00000000056A0000-0x00000000057AA000-memory.dmpFilesize
1.0MB
-
memory/4724-79-0x0000000000460000-0x00000000004B0000-memory.dmpFilesize
320KB
-
memory/4724-80-0x00000000051A0000-0x000000000569E000-memory.dmpFilesize
5.0MB
-
memory/4724-81-0x0000000004D40000-0x0000000004DD2000-memory.dmpFilesize
584KB
-
memory/4724-82-0x0000000004D10000-0x0000000004D1A000-memory.dmpFilesize
40KB
-
memory/4892-14-0x0000000000020000-0x00000000004BA000-memory.dmpFilesize
4.6MB
-
memory/4892-1-0x00000000773B4000-0x00000000773B5000-memory.dmpFilesize
4KB
-
memory/4892-2-0x0000000000021000-0x000000000004F000-memory.dmpFilesize
184KB
-
memory/4892-3-0x0000000000020000-0x00000000004BA000-memory.dmpFilesize
4.6MB
-
memory/4892-5-0x0000000000020000-0x00000000004BA000-memory.dmpFilesize
4.6MB
-
memory/4892-0-0x0000000000020000-0x00000000004BA000-memory.dmpFilesize
4.6MB