Analysis
-
max time kernel
299s -
max time network
301s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
27-06-2024 22:55
General
-
Target
67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
-
Size
1.8MB
-
MD5
b140d0e0a9bfb0c0be35c9c605d046c1
-
SHA1
f82a8c33fa2dbf8fc327be0dfd764660252d1d74
-
SHA256
67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76
-
SHA512
f2f25b3fbe54ee18f89e825dd34ce7728873d4847e2882886a7d6f8c6dd0e0c7887263900b954abdd853935b01ecaad94a04dffad61940b402d94d859c96bf1f
-
SSDEEP
49152:6pu/+DBuLQmTEPEpEw+Lyak4YUjd0hmEQY0eBJ:3/+MsmBpEw+k+WmED
Score
10/10
Malware Config
Extracted
Family
amadey
Version
8254624243
Botnet
e76b71
C2
http://77.91.77.81
Attributes
-
install_dir
8254624243
-
install_file
axplong.exe
-
strings_key
90049e51fabf09df0d6748e0b271922e
-
url_paths
/Kiru9gu/index.php
rc4.plain
Extracted
Family
redline
Botnet
123
C2
185.215.113.67:40960
Extracted
Family
lumma
C2
https://harmfullyelobardek.shop/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
XMRig Miner payload 9 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 16 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Modifies data under HKEY_USERS 51 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe"C:\Users\Admin\AppData\Local\Temp\67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exe"C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 3204⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe"C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart7⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc6⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "WSNKISKT"6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "WSNKISKT"6⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe"C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exeC:\ProgramData\wikombernizc\reakuqnanrkn.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000020001\1.exeFilesize
272KB
MD5b43a922df4c08334aae60a5ae8871899
SHA1edde93470f4a9ad5a48588d0cfc66a4eb639b5bf
SHA25664ae0a0c689149ab90061d01bdcb641f9ed1a4659bcec9fdd4adf9f06fb343aa
SHA512b934c082e4c0e9a2ce4a79fcc53eee90dbe3a7eac389488ca6b971a38db5865b2b9242480a928ae2022886fc203aac7eb494eed9319b4e75a328e014f34c54ce
-
C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exeFilesize
2.5MB
MD5ffada57f998ed6a72b6ba2f072d2690a
SHA16857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
SHA256677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
SHA5121de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f
-
C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exeFilesize
529KB
MD5efb9f7b4e6703ad5d5b179992a6c44f8
SHA16f51ff5a147570a141ec8ce662501c21ff8b3530
SHA2566ea5dc63bda788cd58bcbc5d9c736f7ba1d01371a9d05c53134616c2776c6314
SHA512389ea1f3881434c7aabad6c9ff4827cc595afb326d978de9dbf0cfd1f80d96f9d242e11da8025970f1cf594382f01b1c86e53476d5e7896ed802dd9c018d6dc0
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exeFilesize
415KB
MD507101cac5b9477ba636cd8ca7b9932cb
SHA159ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1
SHA256488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77
SHA51202240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887
-
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exeFilesize
297KB
MD5cd581d68ed550455444ee6e099c44266
SHA1f131d587578336651fd3e325b82b6c185a4b6429
SHA256a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505
SHA51233f94920032436cd45906c27cd5b39f47f9519ab5a1a6745bd8a69d81ce729d8e5e425a7538b5f4f6992bd3804e0376085f5da1c28cf9f4d664cabe64036d0b5
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeFilesize
1.8MB
MD5b140d0e0a9bfb0c0be35c9c605d046c1
SHA1f82a8c33fa2dbf8fc327be0dfd764660252d1d74
SHA25667772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76
SHA512f2f25b3fbe54ee18f89e825dd34ce7728873d4847e2882886a7d6f8c6dd0e0c7887263900b954abdd853935b01ecaad94a04dffad61940b402d94d859c96bf1f
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_obvaj52a.s5h.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
memory/64-367-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/64-364-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/64-372-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/64-375-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/64-370-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/64-373-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/64-374-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/64-376-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/64-371-0x0000000001620000-0x0000000001640000-memory.dmpFilesize
128KB
-
memory/64-366-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/64-368-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/64-369-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/64-383-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/64-382-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/64-365-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/764-356-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/764-358-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/764-359-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/764-360-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/764-357-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/764-363-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/1528-132-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/1528-131-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/1592-80-0x0000000005670000-0x0000000005B6E000-memory.dmpFilesize
5.0MB
-
memory/1592-81-0x0000000005170000-0x0000000005202000-memory.dmpFilesize
584KB
-
memory/1592-87-0x0000000005440000-0x000000000548B000-memory.dmpFilesize
300KB
-
memory/1592-157-0x0000000007C10000-0x000000000813C000-memory.dmpFilesize
5.2MB
-
memory/1592-156-0x0000000006DA0000-0x0000000006F62000-memory.dmpFilesize
1.8MB
-
memory/1592-105-0x0000000005C10000-0x0000000005C76000-memory.dmpFilesize
408KB
-
memory/1592-155-0x0000000006B80000-0x0000000006BD0000-memory.dmpFilesize
320KB
-
memory/1592-84-0x0000000005500000-0x000000000560A000-memory.dmpFilesize
1.0MB
-
memory/1592-82-0x0000000005140000-0x000000000514A000-memory.dmpFilesize
40KB
-
memory/1592-79-0x00000000008A0000-0x00000000008F0000-memory.dmpFilesize
320KB
-
memory/1592-85-0x00000000053A0000-0x00000000053B2000-memory.dmpFilesize
72KB
-
memory/1592-83-0x0000000006180000-0x0000000006786000-memory.dmpFilesize
6.0MB
-
memory/1592-86-0x0000000005400000-0x000000000543E000-memory.dmpFilesize
248KB
-
memory/1852-43-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/1852-42-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/2272-267-0x0000025AE23B0000-0x0000025AE23BA000-memory.dmpFilesize
40KB
-
memory/2272-234-0x0000025AE2570000-0x0000025AE2629000-memory.dmpFilesize
740KB
-
memory/2272-228-0x0000025AE2390000-0x0000025AE23AC000-memory.dmpFilesize
112KB
-
memory/2520-5-0x0000000000B50000-0x0000000001022000-memory.dmpFilesize
4.8MB
-
memory/2520-0-0x0000000000B50000-0x0000000001022000-memory.dmpFilesize
4.8MB
-
memory/2520-3-0x0000000000B50000-0x0000000001022000-memory.dmpFilesize
4.8MB
-
memory/2520-13-0x0000000000B50000-0x0000000001022000-memory.dmpFilesize
4.8MB
-
memory/2520-2-0x0000000000B51000-0x0000000000B7F000-memory.dmpFilesize
184KB
-
memory/2520-1-0x0000000076F94000-0x0000000076F95000-memory.dmpFilesize
4KB
-
memory/2888-390-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4132-21-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4132-20-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4356-153-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4416-162-0x000001AA4E330000-0x000001AA4E352000-memory.dmpFilesize
136KB
-
memory/4416-165-0x000001AA66AF0000-0x000001AA66B66000-memory.dmpFilesize
472KB
-
memory/4460-112-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-133-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-17-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-150-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-149-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-136-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-135-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-78-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-45-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-44-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-134-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-128-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-29-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-25-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-22-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-127-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-126-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-18-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-154-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-16-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-125-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-14-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-114-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-113-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-379-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-380-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-381-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-106-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-104-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-384-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-386-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-94-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-391-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-392-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-393-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-394-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB
-
memory/4640-395-0x0000000000A20000-0x0000000000EF2000-memory.dmpFilesize
4.8MB