Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    297s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27-06-2024 23:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe

  • Size

    1.8MB

  • MD5

    b4060d5139db212eb2d4be622f2ca628

  • SHA1

    4921bdeade78226f42a0a9486648a3749e3ac1d5

  • SHA256

    c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652

  • SHA512

    54ef65f1f468c23b3f2e67b08bc7b2842014856b13a94bbf2c97a3c3a9f0a4bc503af160e75938bc040351f43ec5dd3f4441a071fd03c34945ae2e2c104e1a22

  • SSDEEP

    24576:4+0Dpzj/rDQMfqhOtCU/TteE+kvHG+ZLEiqPecN456umQIpZ77epEwh06pRgcXj7:T0DxEe0+wfk/PP6umbdCpzDO+jLgLFJ

Score
10/10
amadeylummaredlinexmrig123e76b71discoveryevasionexecutioninfostealerminerpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

C2

http://77.91.77.81

Attributes
  • install_dir

    8254624243

  • install_file

    axplong.exe

  • strings_key

    90049e51fabf09df0d6748e0b271922e

  • url_paths

    /Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

123

C2

185.215.113.67:40960

Extracted

Family

lumma

C2

https://harmfullyelobardek.shop/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • XMRig Miner payload 9 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 17 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 51 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe
    "C:\Users\Admin\AppData\Local\Temp\c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4780
    • C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exe
        "C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3876
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
            PID:2348
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 320
            4⤵
            • Program crash
            PID:3548
        • C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
          "C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:4332
          • C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
            "C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1420
            • C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe
              "C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe"
              5⤵
              • Executes dropped EXE
              • Checks SCSI registry key(s)
              PID:192
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 500
                6⤵
                • Program crash
                PID:1760
            • C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe
              "C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe"
              5⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              PID:2244
              • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4820
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:3868
                • C:\Windows\system32\wusa.exe
                  wusa /uninstall /kb:890830 /quiet /norestart
                  7⤵
                    PID:2492
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop UsoSvc
                  6⤵
                  • Launches sc.exe
                  PID:3420
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop WaaSMedicSvc
                  6⤵
                  • Launches sc.exe
                  PID:2736
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop wuauserv
                  6⤵
                  • Launches sc.exe
                  PID:948
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop bits
                  6⤵
                  • Launches sc.exe
                  PID:3592
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop dosvc
                  6⤵
                  • Launches sc.exe
                  PID:64
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                  6⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4180
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                  6⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2532
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                  6⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2852
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                  6⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4756
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe delete "WSNKISKT"
                  6⤵
                  • Launches sc.exe
                  PID:2468
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
                  6⤵
                  • Launches sc.exe
                  PID:2472
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop eventlog
                  6⤵
                  • Launches sc.exe
                  PID:3012
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe start "WSNKISKT"
                  6⤵
                  • Launches sc.exe
                  PID:1832
          • C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe
            "C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4864
      • C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
        C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:2532
      • C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
        C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
        1⤵
        • Executes dropped EXE
        PID:2948
      • C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
        C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:2772
      • C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
        C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:1556
      • C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
        C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
        1⤵
        • Executes dropped EXE
        PID:1308
      • C:\ProgramData\wikombernizc\reakuqnanrkn.exe
        C:\ProgramData\wikombernizc\reakuqnanrkn.exe
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4816
        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4516
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4596
          • C:\Windows\system32\wusa.exe
            wusa /uninstall /kb:890830 /quiet /norestart
            3⤵
              PID:4508
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop UsoSvc
            2⤵
            • Launches sc.exe
            PID:2080
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop WaaSMedicSvc
            2⤵
            • Launches sc.exe
            PID:3716
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop wuauserv
            2⤵
            • Launches sc.exe
            PID:2852
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop bits
            2⤵
            • Launches sc.exe
            PID:2532
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop dosvc
            2⤵
            • Launches sc.exe
            PID:1068
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            2⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:5032
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            2⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:1356
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            2⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:2472
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            2⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:2456
          • C:\Windows\system32\conhost.exe
            C:\Windows\system32\conhost.exe
            2⤵
              PID:5048
            • C:\Windows\explorer.exe
              explorer.exe
              2⤵
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2836
          • C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
            C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
            1⤵
            • Executes dropped EXE
            PID:3592
          • C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
            C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
            1⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            PID:1260
          • C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
            C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
            1⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            PID:600
          • C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
            C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
            1⤵
            • Executes dropped EXE
            PID:4676

          Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe
            Filesize

            317KB

            MD5

            e1b59d2805b38262b9967bce3e719dbf

            SHA1

            4081416cfaa76941981c34518d45b60e8d4b2013

            SHA256

            d5bba713d11ebbb7a91be59dae0f2d4b818897fe756b854dfe40babe7664c173

            SHA512

            bcea30a8f2a10aed0e2c97133734a34a850c18ee9447966ed8cdae8bbf72b98ebd2703a7cadf53b8991ef5eb3047d871242e990a4b7baf00eda8ca5f5f7dda35

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe
            Filesize

            2.5MB

            MD5

            ffada57f998ed6a72b6ba2f072d2690a

            SHA1

            6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

            SHA256

            677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

            SHA512

            1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exe
            Filesize

            529KB

            MD5

            efb9f7b4e6703ad5d5b179992a6c44f8

            SHA1

            6f51ff5a147570a141ec8ce662501c21ff8b3530

            SHA256

            6ea5dc63bda788cd58bcbc5d9c736f7ba1d01371a9d05c53134616c2776c6314

            SHA512

            389ea1f3881434c7aabad6c9ff4827cc595afb326d978de9dbf0cfd1f80d96f9d242e11da8025970f1cf594382f01b1c86e53476d5e7896ed802dd9c018d6dc0

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
            Filesize

            415KB

            MD5

            07101cac5b9477ba636cd8ca7b9932cb

            SHA1

            59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

            SHA256

            488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

            SHA512

            02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe
            Filesize

            297KB

            MD5

            cd581d68ed550455444ee6e099c44266

            SHA1

            f131d587578336651fd3e325b82b6c185a4b6429

            SHA256

            a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505

            SHA512

            33f94920032436cd45906c27cd5b39f47f9519ab5a1a6745bd8a69d81ce729d8e5e425a7538b5f4f6992bd3804e0376085f5da1c28cf9f4d664cabe64036d0b5

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
            Filesize

            1.8MB

            MD5

            b4060d5139db212eb2d4be622f2ca628

            SHA1

            4921bdeade78226f42a0a9486648a3749e3ac1d5

            SHA256

            c4c809a066ef4ac28682e47c373c604aa6694a92b13ea90286adf75675e6a652

            SHA512

            54ef65f1f468c23b3f2e67b08bc7b2842014856b13a94bbf2c97a3c3a9f0a4bc503af160e75938bc040351f43ec5dd3f4441a071fd03c34945ae2e2c104e1a22

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qc3dbjre.pak.ps1
            Filesize

            1B

            MD5

            c4ca4238a0b923820dcc509a6f75849b

            SHA1

            356a192b7913b04c54574d18c28d46e6395428ab

            SHA256

            6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

            SHA512

            4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

            Download Submit
          • memory/192-130-0x0000000000400000-0x000000000236B000-memory.dmp
            Filesize

            31.4MB

            Download
          • memory/600-413-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/600-411-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1260-395-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1260-396-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-106-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-377-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-401-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-133-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-131-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-399-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-54-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-63-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-64-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-18-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-17-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-16-0x0000000000161000-0x000000000018F000-memory.dmp
            Filesize

            184KB

            Download
          • memory/1300-393-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-389-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-385-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-383-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-381-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-22-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-15-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-129-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-93-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-147-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-107-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-397-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-121-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-149-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1300-151-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1556-155-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/1556-157-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/2348-41-0x0000000000400000-0x000000000045A000-memory.dmp
            Filesize

            360KB

            Download
          • memory/2348-40-0x0000000000400000-0x000000000045A000-memory.dmp
            Filesize

            360KB

            Download
          • memory/2532-20-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/2532-21-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/2772-126-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/2772-124-0x0000000000160000-0x0000000000619000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/2836-369-0x0000000140000000-0x0000000140848000-memory.dmp
            Filesize

            8.3MB

            Download
          • memory/2836-387-0x0000000140000000-0x0000000140848000-memory.dmp
            Filesize

            8.3MB

            Download
          • memory/2836-388-0x0000000140000000-0x0000000140848000-memory.dmp
            Filesize

            8.3MB

            Download
          • memory/2836-373-0x0000000140000000-0x0000000140848000-memory.dmp
            Filesize

            8.3MB

            Download
          • memory/2836-374-0x0000000140000000-0x0000000140848000-memory.dmp
            Filesize

            8.3MB

            Download
          • memory/2836-376-0x0000000140000000-0x0000000140848000-memory.dmp
            Filesize

            8.3MB

            Download
          • memory/2836-375-0x0000000140000000-0x0000000140848000-memory.dmp
            Filesize

            8.3MB

            Download
          • memory/2836-372-0x0000000140000000-0x0000000140848000-memory.dmp
            Filesize

            8.3MB

            Download
          • memory/2836-364-0x0000000140000000-0x0000000140848000-memory.dmp
            Filesize

            8.3MB

            Download
          • memory/2836-366-0x0000000140000000-0x0000000140848000-memory.dmp
            Filesize

            8.3MB

            Download
          • memory/2836-367-0x0000000140000000-0x0000000140848000-memory.dmp
            Filesize

            8.3MB

            Download
          • memory/2836-368-0x0000000140000000-0x0000000140848000-memory.dmp
            Filesize

            8.3MB

            Download
          • memory/2836-371-0x0000000000DA0000-0x0000000000DC0000-memory.dmp
            Filesize

            128KB

            Download
          • memory/2836-370-0x0000000140000000-0x0000000140848000-memory.dmp
            Filesize

            8.3MB

            Download
          • memory/2836-365-0x0000000140000000-0x0000000140848000-memory.dmp
            Filesize

            8.3MB

            Download
          • memory/4516-267-0x000001DD39110000-0x000001DD3911A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/4516-234-0x000001DD392A0000-0x000001DD39359000-memory.dmp
            Filesize

            740KB

            Download
          • memory/4516-228-0x000001DD390F0000-0x000001DD3910C000-memory.dmp
            Filesize

            112KB

            Download
          • memory/4780-1-0x00000000778C4000-0x00000000778C5000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4780-2-0x00000000011F1000-0x000000000121F000-memory.dmp
            Filesize

            184KB

            Download
          • memory/4780-3-0x00000000011F0000-0x00000000016A9000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/4780-5-0x00000000011F0000-0x00000000016A9000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/4780-14-0x00000000011F0000-0x00000000016A9000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/4780-0-0x00000000011F0000-0x00000000016A9000-memory.dmp
            Filesize

            4.7MB

            Download
          • memory/4820-165-0x00000199BD600000-0x00000199BD676000-memory.dmp
            Filesize

            472KB

            Download
          • memory/4820-162-0x00000199BD450000-0x00000199BD472000-memory.dmp
            Filesize

            136KB

            Download
          • memory/4864-125-0x0000000007C30000-0x0000000007C80000-memory.dmp
            Filesize

            320KB

            Download
          • memory/4864-127-0x00000000073B0000-0x0000000007572000-memory.dmp
            Filesize

            1.8MB

            Download
          • memory/4864-92-0x0000000006150000-0x00000000061B6000-memory.dmp
            Filesize

            408KB

            Download
          • memory/4864-77-0x0000000000C60000-0x0000000000CB0000-memory.dmp
            Filesize

            320KB

            Download
          • memory/4864-84-0x0000000005940000-0x000000000597E000-memory.dmp
            Filesize

            248KB

            Download
          • memory/4864-83-0x00000000057A0000-0x00000000057B2000-memory.dmp
            Filesize

            72KB

            Download
          • memory/4864-82-0x0000000006040000-0x000000000614A000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/4864-81-0x0000000006650000-0x0000000006C56000-memory.dmp
            Filesize

            6.0MB

            Download
          • memory/4864-128-0x0000000007D80000-0x00000000082AC000-memory.dmp
            Filesize

            5.2MB

            Download
          • memory/4864-85-0x00000000057D0000-0x000000000581B000-memory.dmp
            Filesize

            300KB

            Download
          • memory/4864-80-0x0000000005500000-0x000000000550A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/4864-79-0x0000000005510000-0x00000000055A2000-memory.dmp
            Filesize

            584KB

            Download
          • memory/4864-78-0x0000000005B40000-0x000000000603E000-memory.dmp
            Filesize

            5.0MB

            Download
          • memory/5048-356-0x0000000140000000-0x000000014000E000-memory.dmp
            Filesize

            56KB

            Download
          • memory/5048-360-0x0000000140000000-0x000000014000E000-memory.dmp
            Filesize

            56KB

            Download
          • memory/5048-359-0x0000000140000000-0x000000014000E000-memory.dmp
            Filesize

            56KB

            Download
          • memory/5048-358-0x0000000140000000-0x000000014000E000-memory.dmp
            Filesize

            56KB

            Download
          • memory/5048-357-0x0000000140000000-0x000000014000E000-memory.dmp
            Filesize

            56KB

            Download
          • memory/5048-363-0x0000000140000000-0x000000014000E000-memory.dmp
            Filesize

            56KB

            Download