Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    29-05-2024 14:03

General

  • Target

    3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe

  • Size

    1.8MB

  • MD5

    e427f7e972e458acca51c043839c9c04

  • SHA1

    800cb9174a2afeb2a1402d7bd8deee4f97e36a4d

  • SHA256

    3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27

  • SHA512

    a5e978064f24b9c19fd4ea39e833804479088a1843e18b9801e812589cef9262434757ac9950821a6abf0e321e73c2b96dd3087dcf62fcba39b36ae8c8671f70

  • SSDEEP

    49152:BKLAvkPPHS++crkFwOnxAvpmcTajVMNqq:qAvkXxrkbneBmcuZeqq

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

49e482

C2

http://147.45.47.70

Attributes
  • install_dir

    1b29d73536

  • install_file

    axplont.exe

  • strings_key

    4d31dd1a190d9879c21fac6d87dc0043

  • url_paths

    /tr8nomy/index.php

rc4.plain

Extracted

Family

redline

Botnet

1

C2

185.215.113.67:40960

Extracted

Family

stealc

Botnet

zzvv

C2

http://23.88.106.134

Attributes
  • url_path

    /c73eed764cc59dcb.php

Extracted

Family

lumma

C2


Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 10 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Windows security modification 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
    "C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4960
    • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5016
      • C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
        "C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"
        3⤵
        • Executes dropped EXE
        • Modifies system certificate store
        PID:4288
      • C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
        "C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          PID:2992
      • C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
        "C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3824
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          PID:2720
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          PID:4768
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 272
          4⤵
          • Program crash
          PID:3532
      • C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
        "C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1664
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • Checks computer location settings
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:960
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4516
            • C:\Windows\SysWOW64\timeout.exe
              timeout /t 5
              6⤵
              • Delays execution with timeout.exe
              PID:4628
      • C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe
        "C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"
        3⤵
        • UAC bypass
        • Windows security bypass
        • Checks computer location settings
        • Executes dropped EXE
        • Windows security modification
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3232
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe" -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:900
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
          4⤵
          • Drops startup file
          • Suspicious use of AdjustPrivilegeToken
          PID:4620
          • C:\Users\Admin\Pictures\XB8anui8GSbW2JEB2EPgdwl7.exe
            "C:\Users\Admin\Pictures\XB8anui8GSbW2JEB2EPgdwl7.exe" /s
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Writes to the Master Boot Record (MBR)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1588
          • C:\Users\Admin\Pictures\jT9TY3q0ITgF8Vn3VcS9WO6B.exe
            "C:\Users\Admin\Pictures\jT9TY3q0ITgF8Vn3VcS9WO6B.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:4392
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
          4⤵
          PID:680
  • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:64
  • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4072
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3824 -ip 3824
    1⤵
    PID:1884

Network

MITRE ATT&CK Matrix ATT&CK v13

Execution

  • Command and Scripting Interpreter (T1059): 1
    • PowerShell (T1059.001): 1

Persistence

  • Pre-OS Boot (T1542): 1
    • Bootkit (T1542.003): 1

Privilege Escalation

  • Abuse Elevation Control Mechanism (T1548): 1
    • Bypass User Account Control (T1548.002): 1

Defense Evasion

  • Abuse Elevation Control Mechanism (T1548): 1
    • Bypass User Account Control (T1548.002): 1
  • Impair Defenses (T1562): 3
    • Disable or Modify Tools (T1562.001): 3
  • Modify Registry (T1112): 5
  • Virtualization/Sandbox Evasion (T1497): 2
  • Pre-OS Boot (T1542): 1
    • Bootkit (T1542.003): 1
  • Subvert Trust Controls (T1553): 1
    • Install Root Certificate (T1553.004): 1

Credential Access

  • Unsecured Credentials (T1552): 1
    • Credentials In Files (T1552.001): 1

Discovery

  • Query Registry (T1012): 6
  • Virtualization/Sandbox Evasion (T1497): 2
  • System Information Discovery (T1082): 5

Collection

  • Data from Local System (T1005): 1

Command and Control

  • Web Service (T1102): 1

Downloads
