amadey | 5dd8b3fb036735240645400bd556f5f85d34e8d863e0c1331b2addd444ec7136

Analysis

max time kernel
150s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
15-11-2022 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5dd8b3fb036735240645400bd556f5f85d34e8d863e0c1331b2addd444ec7136.exe
Size

232KB
MD5

f919647759183e07c33e327759c1ea23
SHA1

54b342cab54a66842c75e8061dde646c1ce06247
SHA256

5dd8b3fb036735240645400bd556f5f85d34e8d863e0c1331b2addd444ec7136
SHA512

48464c48278b4c5ce00e576c8e5605bbda054ef93f87b6e2c8c4c4ce476e11866624b9b58b1b1a44c444948d781dd87356ccca3c4e6ad0bba251447b193edd97
SSDEEP

3072:LXO2aH7LJU8wQmW/FRL2dfCtQZ85oV0kCt6n/6oPaTJh7vQ1:j7I7LJAQm4R2dDZ8iV0zt6nSMaTP7v

Score

10^/10

amadey redline smokeloader 123 rozena1114 backdoor discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

123

78.153.144.3:2510

Attributes

auth_value
cd6abb0af211bce081d7bf127cc26835

Extracted

Family

redline

Botnet

rozena1114

jalocliche.xyz:81

chardhesha.xyz:81

Attributes

auth_value
9fefd743a3b62bcd7c3e17a70fbdb3a8

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1744-149-0x0000000000920000-0x0000000000929000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4584-244-0x0000000002530000-0x000000000256E000-memory.dmp	family_redline
behavioral1/memory/4584-253-0x0000000004B00000-0x0000000004B3C000-memory.dmp	family_redline
behavioral1/memory/1992-674-0x000000000FA70000-0x000000000FBEF000-memory.dmp	family_redline
behavioral1/memory/200-869-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

DE3A.exeE6E6.exeEDAE.exerovwer.exe

pid process

4584 DE3A.exe
1992 E6E6.exe
1504 EDAE.exe
1832 rovwer.exe
Deletes itself 1 IoCs

Processes:

pid process

2480
Loads dropped DLL 2 IoCs

Processes:

E6E6.exe

pid process

1992 E6E6.exe
1992 E6E6.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

E6E6.exe

description pid process target process

PID 1992 set thread context of 200 1992 E6E6.exe ngentask.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4584	DE3A.exe
1992	E6E6.exe
1504	EDAE.exe
1832	rovwer.exe

pid	process
2480

pid	process
1992	E6E6.exe
1992	E6E6.exe

description	pid	process	target process
PID 1992 set thread context of 200	1992	E6E6.exe	ngentask.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5dd8b3fb036735240645400bd556f5f85d34e8d863e0c1331b2addd444ec7136.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5dd8b3fb036735240645400bd556f5f85d34e8d863e0c1331b2addd444ec7136.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5dd8b3fb036735240645400bd556f5f85d34e8d863e0c1331b2addd444ec7136.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5dd8b3fb036735240645400bd556f5f85d34e8d863e0c1331b2addd444ec7136.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

364 schtasks.exe

pid	process
364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5dd8b3fb036735240645400bd556f5f85d34e8d863e0c1331b2addd444ec7136.exe

pid	process
1744	5dd8b3fb036735240645400bd556f5f85d34e8d863e0c1331b2addd444ec7136.exe
1744	5dd8b3fb036735240645400bd556f5f85d34e8d863e0c1331b2addd444ec7136.exe
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2480

pid	process
2480

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

5dd8b3fb036735240645400bd556f5f85d34e8d863e0c1331b2addd444ec7136.exe

pid	process
1744	5dd8b3fb036735240645400bd556f5f85d34e8d863e0c1331b2addd444ec7136.exe
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

DE3A.exengentask.exe

description	pid	process
Token: SeDebugPrivilege	4584	DE3A.exe
Token: SeShutdownPrivilege	2480
Token: SeCreatePagefilePrivilege	2480
Token: SeShutdownPrivilege	2480
Token: SeCreatePagefilePrivilege	2480
Token: SeShutdownPrivilege	2480
Token: SeCreatePagefilePrivilege	2480
Token: SeShutdownPrivilege	2480
Token: SeCreatePagefilePrivilege	2480
Token: SeShutdownPrivilege	2480
Token: SeCreatePagefilePrivilege	2480
Token: SeShutdownPrivilege	2480
Token: SeCreatePagefilePrivilege	2480
Token: SeShutdownPrivilege	2480
Token: SeCreatePagefilePrivilege	2480
Token: SeShutdownPrivilege	2480
Token: SeCreatePagefilePrivilege	2480
Token: SeShutdownPrivilege	2480
Token: SeCreatePagefilePrivilege	2480
Token: SeShutdownPrivilege	2480
Token: SeCreatePagefilePrivilege	2480
Token: SeDebugPrivilege	200	ngentask.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EDAE.exerovwer.exeE6E6.execmd.exe

description	pid	process	target process
PID 2480 wrote to memory of 4584	2480		DE3A.exe
PID 2480 wrote to memory of 4584	2480		DE3A.exe
PID 2480 wrote to memory of 4584	2480		DE3A.exe
PID 2480 wrote to memory of 1992	2480		E6E6.exe
PID 2480 wrote to memory of 1992	2480		E6E6.exe
PID 2480 wrote to memory of 1992	2480		E6E6.exe
PID 2480 wrote to memory of 1504	2480		EDAE.exe
PID 2480 wrote to memory of 1504	2480		EDAE.exe
PID 2480 wrote to memory of 1504	2480		EDAE.exe
PID 2480 wrote to memory of 3748	2480		explorer.exe
PID 2480 wrote to memory of 3748	2480		explorer.exe
PID 2480 wrote to memory of 3748	2480		explorer.exe
PID 2480 wrote to memory of 3748	2480		explorer.exe
PID 2480 wrote to memory of 3860	2480		explorer.exe
PID 2480 wrote to memory of 3860	2480		explorer.exe
PID 2480 wrote to memory of 3860	2480		explorer.exe
PID 2480 wrote to memory of 4852	2480		explorer.exe
PID 2480 wrote to memory of 4852	2480		explorer.exe
PID 2480 wrote to memory of 4852	2480		explorer.exe
PID 2480 wrote to memory of 4852	2480		explorer.exe
PID 2480 wrote to memory of 5032	2480		explorer.exe
PID 2480 wrote to memory of 5032	2480		explorer.exe
PID 2480 wrote to memory of 5032	2480		explorer.exe
PID 2480 wrote to memory of 2296	2480		explorer.exe
PID 2480 wrote to memory of 2296	2480		explorer.exe
PID 2480 wrote to memory of 2296	2480		explorer.exe
PID 2480 wrote to memory of 2296	2480		explorer.exe
PID 1504 wrote to memory of 1832	1504	EDAE.exe	rovwer.exe
PID 1504 wrote to memory of 1832	1504	EDAE.exe	rovwer.exe
PID 1504 wrote to memory of 1832	1504	EDAE.exe	rovwer.exe
PID 2480 wrote to memory of 192	2480		explorer.exe
PID 2480 wrote to memory of 192	2480		explorer.exe
PID 2480 wrote to memory of 192	2480		explorer.exe
PID 2480 wrote to memory of 192	2480		explorer.exe
PID 2480 wrote to memory of 3596	2480		explorer.exe
PID 2480 wrote to memory of 3596	2480		explorer.exe
PID 2480 wrote to memory of 3596	2480		explorer.exe
PID 2480 wrote to memory of 3596	2480		explorer.exe
PID 2480 wrote to memory of 4056	2480		explorer.exe
PID 2480 wrote to memory of 4056	2480		explorer.exe
PID 2480 wrote to memory of 4056	2480		explorer.exe
PID 2480 wrote to memory of 4316	2480		explorer.exe
PID 2480 wrote to memory of 4316	2480		explorer.exe
PID 2480 wrote to memory of 4316	2480		explorer.exe
PID 2480 wrote to memory of 4316	2480		explorer.exe
PID 1832 wrote to memory of 364	1832	rovwer.exe	schtasks.exe
PID 1832 wrote to memory of 364	1832	rovwer.exe	schtasks.exe
PID 1832 wrote to memory of 364	1832	rovwer.exe	schtasks.exe
PID 1832 wrote to memory of 1172	1832	rovwer.exe	cmd.exe
PID 1832 wrote to memory of 1172	1832	rovwer.exe	cmd.exe
PID 1832 wrote to memory of 1172	1832	rovwer.exe	cmd.exe
PID 1992 wrote to memory of 200	1992	E6E6.exe	ngentask.exe
PID 1992 wrote to memory of 200	1992	E6E6.exe	ngentask.exe
PID 1992 wrote to memory of 200	1992	E6E6.exe	ngentask.exe
PID 1992 wrote to memory of 200	1992	E6E6.exe	ngentask.exe
PID 1992 wrote to memory of 200	1992	E6E6.exe	ngentask.exe
PID 1172 wrote to memory of 2144	1172	cmd.exe	cmd.exe
PID 1172 wrote to memory of 2144	1172	cmd.exe	cmd.exe
PID 1172 wrote to memory of 2144	1172	cmd.exe	cmd.exe
PID 1172 wrote to memory of 3888	1172	cmd.exe	cacls.exe
PID 1172 wrote to memory of 3888	1172	cmd.exe	cacls.exe
PID 1172 wrote to memory of 3888	1172	cmd.exe	cacls.exe
PID 1172 wrote to memory of 5012	1172	cmd.exe	cacls.exe
PID 1172 wrote to memory of 5012	1172	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\5dd8b3fb036735240645400bd556f5f85d34e8d863e0c1331b2addd444ec7136.exe
"C:\Users\Admin\AppData\Local\Temp\5dd8b3fb036735240645400bd556f5f85d34e8d863e0c1331b2addd444ec7136.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1744

C:\Users\Admin\AppData\Local\Temp\DE3A.exe
C:\Users\Admin\AppData\Local\Temp\DE3A.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Users\Admin\AppData\Local\Temp\E6E6.exe
C:\Users\Admin\AppData\Local\Temp\E6E6.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:200

C:\Users\Admin\AppData\Local\Temp\EDAE.exe
C:\Users\Admin\AppData\Local\Temp\EDAE.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2144

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:N"
4⤵
PID:3888

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:R" /E
4⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4732

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:N"
4⤵
PID:4716

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:R" /E
4⤵
PID:4568

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3748

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3860

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4852

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5032

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2296

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:192

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3596

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4056

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
271KB

MD5
5d01aa58c56c43a5564ee4d41ec61351

SHA1
bc6a3570a3f7972b464c8287e361a9de38fa22b9

SHA256
29d32e1b34d003756e9e48d1e66630d1960c3d52d10ca3f73e11cb09e82d38eb

SHA512
3eb39b25aef538d5fa5f15ac52fb9a2f7f2cbf0bc37a064464babe4ee67e7ab9e81a65d23bf7428ad22770d470fff17a664829b87937205273088a7c5f6a47dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
271KB

MD5
5d01aa58c56c43a5564ee4d41ec61351

SHA1
bc6a3570a3f7972b464c8287e361a9de38fa22b9

SHA256
29d32e1b34d003756e9e48d1e66630d1960c3d52d10ca3f73e11cb09e82d38eb

SHA512
3eb39b25aef538d5fa5f15ac52fb9a2f7f2cbf0bc37a064464babe4ee67e7ab9e81a65d23bf7428ad22770d470fff17a664829b87937205273088a7c5f6a47dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE3A.exe
Filesize
320KB

MD5
8597de51afb7d3fa926f26034df21e0d

SHA1
91867a99ed09932e230776e7ea6c62309d0c5212

SHA256
321a9dad3f9a141c69fb3ae1ee6bfda8918e0e8646eeab8f7527294e139e0185

SHA512
d86a485b43159e9680575f17a7322bbc57d5e6dca0b6db76765ba3c4a1759ddd966142b6eb7eb9f0fab4d88eb298420d2281be42961c6fe443e5b6cce47069b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE3A.exe
Filesize
320KB

MD5
8597de51afb7d3fa926f26034df21e0d

SHA1
91867a99ed09932e230776e7ea6c62309d0c5212

SHA256
321a9dad3f9a141c69fb3ae1ee6bfda8918e0e8646eeab8f7527294e139e0185

SHA512
d86a485b43159e9680575f17a7322bbc57d5e6dca0b6db76765ba3c4a1759ddd966142b6eb7eb9f0fab4d88eb298420d2281be42961c6fe443e5b6cce47069b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6E6.exe
Filesize
1.1MB

MD5
5e7c07b9aa0668fa2971747bb4fade1e

SHA1
7fae544f73f2a8fb7a340a20ec47f76370fbd487

SHA256
431a1c4ceae3411f5476eed27fc30ebd55138afb4c4e9dac3db9d4b8addbb361

SHA512
5c9c65c99f0c8a5aaa2beac1a0c4304a1cb2ea808eeb6bbe11c2852d6e9fbad8bb68faa5f778848dade617e1c5ee1fb9dae566d7a064b05fdaa30a03019b868f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6E6.exe
Filesize
1.1MB

MD5
5e7c07b9aa0668fa2971747bb4fade1e

SHA1
7fae544f73f2a8fb7a340a20ec47f76370fbd487

SHA256
431a1c4ceae3411f5476eed27fc30ebd55138afb4c4e9dac3db9d4b8addbb361

SHA512
5c9c65c99f0c8a5aaa2beac1a0c4304a1cb2ea808eeb6bbe11c2852d6e9fbad8bb68faa5f778848dade617e1c5ee1fb9dae566d7a064b05fdaa30a03019b868f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDAE.exe
Filesize
271KB

MD5
5d01aa58c56c43a5564ee4d41ec61351

SHA1
bc6a3570a3f7972b464c8287e361a9de38fa22b9

SHA256
29d32e1b34d003756e9e48d1e66630d1960c3d52d10ca3f73e11cb09e82d38eb

SHA512
3eb39b25aef538d5fa5f15ac52fb9a2f7f2cbf0bc37a064464babe4ee67e7ab9e81a65d23bf7428ad22770d470fff17a664829b87937205273088a7c5f6a47dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDAE.exe
Filesize
271KB

MD5
5d01aa58c56c43a5564ee4d41ec61351

SHA1
bc6a3570a3f7972b464c8287e361a9de38fa22b9

SHA256
29d32e1b34d003756e9e48d1e66630d1960c3d52d10ca3f73e11cb09e82d38eb

SHA512
3eb39b25aef538d5fa5f15ac52fb9a2f7f2cbf0bc37a064464babe4ee67e7ab9e81a65d23bf7428ad22770d470fff17a664829b87937205273088a7c5f6a47dd

Download Submit
\Users\Admin\AppData\Local\Temp\advapi32.dll
Filesize
1.1MB

MD5
486536825ff5e3219a8702319e064907

SHA1
34f7f9211e2fd9c166fb36ed1d4121ebd427bebd

SHA256
6ab2023a2bd76692a694a812bf86c341696810c61666586c09a343832f05dc01

SHA512
f77404db724b9f8e93d84f2f9f0cee10b05638bda4445facbfd262eca52f073e285c10f153133fc35f9a426eb84e87e8e0b320f2815b2405ca3ada7ac2fded4c

Download Submit
\Users\Admin\AppData\Local\Temp\advapi32.dll
Filesize
1.1MB

MD5
486536825ff5e3219a8702319e064907

SHA1
34f7f9211e2fd9c166fb36ed1d4121ebd427bebd

SHA256
6ab2023a2bd76692a694a812bf86c341696810c61666586c09a343832f05dc01

SHA512
f77404db724b9f8e93d84f2f9f0cee10b05638bda4445facbfd262eca52f073e285c10f153133fc35f9a426eb84e87e8e0b320f2815b2405ca3ada7ac2fded4c

Download Submit
memory/192-775-0x00000000005C0000-0x00000000005C9000-memory.dmp

Filesize
36KB

Download
memory/192-735-0x00000000005D0000-0x00000000005D5000-memory.dmp

Filesize
20KB

Download
memory/192-428-0x0000000000000000-mapping.dmp

Download
memory/192-983-0x00000000005D0000-0x00000000005D5000-memory.dmp

Filesize
20KB

Download
memory/200-869-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/364-780-0x0000000000000000-mapping.dmp

Download
memory/1172-786-0x0000000000000000-mapping.dmp

Download
memory/1504-313-0x0000000000B80000-0x0000000000BBE000-memory.dmp

Filesize
248KB

Download
memory/1504-309-0x0000000000BEA000-0x0000000000C0A000-memory.dmp

Filesize
128KB

Download
memory/1504-362-0x0000000000400000-0x0000000000846000-memory.dmp

Filesize
4.3MB

Download
memory/1504-407-0x0000000000BEA000-0x0000000000C0A000-memory.dmp

Filesize
128KB

Download
memory/1504-200-0x0000000000000000-mapping.dmp

Download
memory/1504-421-0x0000000000400000-0x0000000000846000-memory.dmp

Filesize
4.3MB

Download
memory/1504-413-0x0000000000B80000-0x0000000000BBE000-memory.dmp

Filesize
248KB

Download
memory/1744-154-0x0000000000400000-0x000000000083D000-memory.dmp

Filesize
4.2MB

Download
memory/1744-121-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-142-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-143-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-144-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-145-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-146-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-148-0x0000000000B5A000-0x0000000000B70000-memory.dmp

Filesize
88KB

Download
memory/1744-151-0x0000000000400000-0x000000000083D000-memory.dmp

Filesize
4.2MB

Download
memory/1744-150-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-152-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-147-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-149-0x0000000000920000-0x0000000000929000-memory.dmp

Filesize
36KB

Download
memory/1744-153-0x0000000000B5A000-0x0000000000B70000-memory.dmp

Filesize
88KB

Download
memory/1744-116-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-117-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-140-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-138-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-118-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-119-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-120-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-137-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-122-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-136-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-139-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-123-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-124-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-135-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-141-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-125-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-126-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-127-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-128-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-129-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-130-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-134-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-131-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-132-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1744-133-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1832-396-0x0000000000000000-mapping.dmp

Download
memory/1832-727-0x0000000000970000-0x0000000000ABA000-memory.dmp

Filesize
1.3MB

Download
memory/1832-778-0x0000000000400000-0x0000000000846000-memory.dmp

Filesize
4.3MB

Download
memory/1832-982-0x0000000000970000-0x0000000000ABA000-memory.dmp

Filesize
1.3MB

Download
memory/1992-674-0x000000000FA70000-0x000000000FBEF000-memory.dmp

Filesize
1.5MB

Download
memory/1992-669-0x0000000002BF0000-0x0000000003109000-memory.dmp

Filesize
5.1MB

Download
memory/1992-183-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1992-192-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1992-177-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1992-181-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1992-876-0x0000000003110000-0x000000000321D000-memory.dmp

Filesize
1.1MB

Download
memory/1992-179-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1992-175-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1992-173-0x0000000000000000-mapping.dmp

Download
memory/1992-189-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1992-185-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1992-366-0x0000000003110000-0x000000000321D000-memory.dmp

Filesize
1.1MB

Download
memory/1992-242-0x0000000002BF0000-0x0000000003109000-memory.dmp

Filesize
5.1MB

Download
memory/2144-863-0x0000000000000000-mapping.dmp

Download
memory/2296-731-0x0000000002F60000-0x0000000002F87000-memory.dmp

Filesize
156KB

Download
memory/2296-722-0x0000000002F90000-0x0000000002FB2000-memory.dmp

Filesize
136KB

Download
memory/2296-990-0x0000000002F90000-0x0000000002FB2000-memory.dmp

Filesize
136KB

Download
memory/2296-392-0x0000000000000000-mapping.dmp

Download
memory/3596-782-0x0000000000740000-0x000000000074B000-memory.dmp

Filesize
44KB

Download
memory/3596-471-0x0000000000000000-mapping.dmp

Download
memory/3596-779-0x0000000000750000-0x0000000000756000-memory.dmp

Filesize
24KB

Download
memory/3748-456-0x00000000008F0000-0x00000000008F7000-memory.dmp

Filesize
28KB

Download
memory/3748-506-0x00000000008E0000-0x00000000008EB000-memory.dmp

Filesize
44KB

Download
memory/3748-256-0x0000000000000000-mapping.dmp

Download
memory/3860-831-0x0000000001040000-0x0000000001049000-memory.dmp

Filesize
36KB

Download
memory/3860-318-0x0000000001040000-0x0000000001049000-memory.dmp

Filesize
36KB

Download
memory/3860-322-0x0000000001030000-0x000000000103F000-memory.dmp

Filesize
60KB

Download
memory/3860-281-0x0000000000000000-mapping.dmp

Download
memory/3888-878-0x0000000000000000-mapping.dmp

Download
memory/4056-566-0x00000000009F0000-0x00000000009F7000-memory.dmp

Filesize
28KB

Download
memory/4056-572-0x00000000009E0000-0x00000000009ED000-memory.dmp

Filesize
52KB

Download
memory/4056-519-0x0000000000000000-mapping.dmp

Download
memory/4056-972-0x00000000009F0000-0x00000000009F7000-memory.dmp

Filesize
28KB

Download
memory/4316-785-0x0000000002F80000-0x0000000002F88000-memory.dmp

Filesize
32KB

Download
memory/4316-835-0x0000000002F70000-0x0000000002F7B000-memory.dmp

Filesize
44KB

Download
memory/4316-564-0x0000000000000000-mapping.dmp

Download
memory/4568-957-0x0000000000000000-mapping.dmp

Download
memory/4584-167-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-162-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-169-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-172-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-170-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-171-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-191-0x00000000005B0000-0x00000000006FA000-memory.dmp

Filesize
1.3MB

Download
memory/4584-253-0x0000000004B00000-0x0000000004B3C000-memory.dmp

Filesize
240KB

Download
memory/4584-176-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-299-0x00000000053C0000-0x00000000059C6000-memory.dmp

Filesize
6.0MB

Download
memory/4584-560-0x00000000005B0000-0x00000000006FA000-memory.dmp

Filesize
1.3MB

Download
memory/4584-989-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/4584-573-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/4584-302-0x00000000051E0000-0x00000000052EA000-memory.dmp

Filesize
1.0MB

Download
memory/4584-178-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-555-0x00000000008C6000-0x00000000008F7000-memory.dmp

Filesize
196KB

Download
memory/4584-617-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/4584-988-0x00000000008C6000-0x00000000008F7000-memory.dmp

Filesize
196KB

Download
memory/4584-155-0x0000000000000000-mapping.dmp

Download
memory/4584-251-0x0000000004B90000-0x000000000508E000-memory.dmp

Filesize
5.0MB

Download
memory/4584-184-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-244-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4584-168-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-166-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-186-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-165-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-163-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-255-0x0000000005090000-0x0000000005122000-memory.dmp

Filesize
584KB

Download
memory/4584-190-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-203-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/4584-161-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-157-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-182-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-326-0x0000000005AD0000-0x0000000005B1B000-memory.dmp

Filesize
300KB

Download
memory/4584-187-0x00000000008C6000-0x00000000008F7000-memory.dmp

Filesize
196KB

Download
memory/4584-160-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-180-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-316-0x0000000005340000-0x000000000537E000-memory.dmp

Filesize
248KB

Download
memory/4584-979-0x00000000066D0000-0x0000000006BFC000-memory.dmp

Filesize
5.2MB

Download
memory/4584-978-0x0000000006500000-0x00000000066C2000-memory.dmp

Filesize
1.8MB

Download
memory/4584-158-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-159-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-307-0x0000000005320000-0x0000000005332000-memory.dmp

Filesize
72KB

Download
memory/4716-943-0x0000000000000000-mapping.dmp

Download
memory/4732-936-0x0000000000000000-mapping.dmp

Download
memory/4852-317-0x0000000000000000-mapping.dmp

Download
memory/4852-977-0x0000000000570000-0x0000000000575000-memory.dmp

Filesize
20KB

Download
memory/4852-628-0x0000000000560000-0x0000000000569000-memory.dmp

Filesize
36KB

Download
memory/4852-622-0x0000000000570000-0x0000000000575000-memory.dmp

Filesize
20KB

Download
memory/5012-913-0x0000000000000000-mapping.dmp

Download
memory/5032-899-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/5032-356-0x0000000000000000-mapping.dmp

Download
memory/5032-370-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/5032-411-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download