amadey | 375b3f0fce3cfb5354989de52287595b422519d087ffddb0bd5f1b438d4c7dd4

Analysis

max time kernel
106s
max time network
138s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
23-11-2022 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

375b3f0fce3cfb5354989de52287595b422519d087ffddb0bd5f1b438d4c7dd4.exe
Size

244KB
MD5

d798d2c741c4d86654a75b09128107f3
SHA1

b3b96e3f35de95a77cbb575b593aebab92f45f4d
SHA256

375b3f0fce3cfb5354989de52287595b422519d087ffddb0bd5f1b438d4c7dd4
SHA512

f1f6b67a784e9f8f16d2c8132eb55900e8cfd931926fd8b765ffc0f8bb4dc7acb223a38490ded588eadbb6bd9e985663fa3cc864755fa6cbf5fb5f385b3fed9f
SSDEEP

3072:FBIEuN9oWC0kPLZJnjPWfZD5S6u5MIRz8a6uUtJU/m5i0tHwcL/SX4M8nqHr:0EY66+LZNz0yMnaSa/m7tHLzSX4XqL

Score

10^/10

amadey redline novr discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

193.56.146.174/g84kvj4jck/index.php

Extracted

Family

redline

Botnet

novr

31.41.244.14:4694

Attributes

auth_value
34ddf4eb9326256f20a48cd5f1e9b496

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000192001\lada.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000192001\lada.exe	family_redline
behavioral1/memory/4216-363-0x0000000000DA0000-0x0000000000DC8000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

rovwer.exelada.exe1.exerovwer.exerovwer.exe

pid process

5068 rovwer.exe
4216 lada.exe
4680 1.exe
2636 rovwer.exe
2500 rovwer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5068	rovwer.exe
4216	lada.exe
4680	1.exe
2636	rovwer.exe
2500	rovwer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rovwer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\lada.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000192001\\lada.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000197001\\1.exe"	rovwer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1764 4680 WerFault.exe 1.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3360 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

lada.exe

pid process

4216 lada.exe
4216 lada.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1.exelada.exe

description pid process

Token: SeDebugPrivilege 4680 1.exe
Token: SeDebugPrivilege 4216 lada.exe

pid	pid_target	process	target process
1764	4680	WerFault.exe	1.exe

pid	process
3360	schtasks.exe

pid	process
4216	lada.exe
4216	lada.exe

description	pid	process
Token: SeDebugPrivilege	4680	1.exe
Token: SeDebugPrivilege	4216	lada.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

375b3f0fce3cfb5354989de52287595b422519d087ffddb0bd5f1b438d4c7dd4.exerovwer.execmd.exe

description	pid	process	target process
PID 2204 wrote to memory of 5068	2204	375b3f0fce3cfb5354989de52287595b422519d087ffddb0bd5f1b438d4c7dd4.exe	rovwer.exe
PID 2204 wrote to memory of 5068	2204	375b3f0fce3cfb5354989de52287595b422519d087ffddb0bd5f1b438d4c7dd4.exe	rovwer.exe
PID 2204 wrote to memory of 5068	2204	375b3f0fce3cfb5354989de52287595b422519d087ffddb0bd5f1b438d4c7dd4.exe	rovwer.exe
PID 5068 wrote to memory of 3360	5068	rovwer.exe	schtasks.exe
PID 5068 wrote to memory of 3360	5068	rovwer.exe	schtasks.exe
PID 5068 wrote to memory of 3360	5068	rovwer.exe	schtasks.exe
PID 5068 wrote to memory of 1508	5068	rovwer.exe	cmd.exe
PID 5068 wrote to memory of 1508	5068	rovwer.exe	cmd.exe
PID 5068 wrote to memory of 1508	5068	rovwer.exe	cmd.exe
PID 1508 wrote to memory of 4732	1508	cmd.exe	cmd.exe
PID 1508 wrote to memory of 4732	1508	cmd.exe	cmd.exe
PID 1508 wrote to memory of 4732	1508	cmd.exe	cmd.exe
PID 1508 wrote to memory of 5096	1508	cmd.exe	cacls.exe
PID 1508 wrote to memory of 5096	1508	cmd.exe	cacls.exe
PID 1508 wrote to memory of 5096	1508	cmd.exe	cacls.exe
PID 1508 wrote to memory of 4520	1508	cmd.exe	cacls.exe
PID 1508 wrote to memory of 4520	1508	cmd.exe	cacls.exe
PID 1508 wrote to memory of 4520	1508	cmd.exe	cacls.exe
PID 1508 wrote to memory of 3260	1508	cmd.exe	cmd.exe
PID 1508 wrote to memory of 3260	1508	cmd.exe	cmd.exe
PID 1508 wrote to memory of 3260	1508	cmd.exe	cmd.exe
PID 1508 wrote to memory of 3680	1508	cmd.exe	cacls.exe
PID 1508 wrote to memory of 3680	1508	cmd.exe	cacls.exe
PID 1508 wrote to memory of 3680	1508	cmd.exe	cacls.exe
PID 1508 wrote to memory of 3968	1508	cmd.exe	cacls.exe
PID 1508 wrote to memory of 3968	1508	cmd.exe	cacls.exe
PID 1508 wrote to memory of 3968	1508	cmd.exe	cacls.exe
PID 5068 wrote to memory of 4216	5068	rovwer.exe	lada.exe
PID 5068 wrote to memory of 4216	5068	rovwer.exe	lada.exe
PID 5068 wrote to memory of 4216	5068	rovwer.exe	lada.exe
PID 5068 wrote to memory of 4680	5068	rovwer.exe	1.exe
PID 5068 wrote to memory of 4680	5068	rovwer.exe	1.exe
PID 5068 wrote to memory of 4680	5068	rovwer.exe	1.exe

C:\Users\Admin\AppData\Local\Temp\375b3f0fce3cfb5354989de52287595b422519d087ffddb0bd5f1b438d4c7dd4.exe
"C:\Users\Admin\AppData\Local\Temp\375b3f0fce3cfb5354989de52287595b422519d087ffddb0bd5f1b438d4c7dd4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:3360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4732

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:N"
4⤵
PID:5096

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:R" /E
4⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:3260

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:N"
4⤵
PID:3680

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:R" /E
4⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\1000192001\lada.exe
"C:\Users\Admin\AppData\Local\Temp\1000192001\lada.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Users\Admin\AppData\Local\Temp\1000197001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000197001\1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1288
4⤵
- Program crash
PID:1764

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:2500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000192001\lada.exe
Filesize
137KB

MD5
bae3fb566c191522bab2bde67c482767

SHA1
7da8b30a638ff9f943cf03b32a4f254273990708

SHA256
3ed2170e83cce59a98471509fb4a84090f2ddcb38549a191663d5fbd05612e01

SHA512
f9859aba46d440df5dd10059a95708acdd45cca36339867ee654c271f4bb065f6c58005eadadc9a954c35078986402d2f379d5cf3c10484c603ae262d38e1f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000192001\lada.exe
Filesize
137KB

MD5
bae3fb566c191522bab2bde67c482767

SHA1
7da8b30a638ff9f943cf03b32a4f254273990708

SHA256
3ed2170e83cce59a98471509fb4a84090f2ddcb38549a191663d5fbd05612e01

SHA512
f9859aba46d440df5dd10059a95708acdd45cca36339867ee654c271f4bb065f6c58005eadadc9a954c35078986402d2f379d5cf3c10484c603ae262d38e1f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000197001\1.exe
Filesize
1001KB

MD5
ccd3f85a630d162bfd8dad660cc8997d

SHA1
d42a07f962906538b9d35d5a25aa4b48a23d8e55

SHA256
b54a9566733ad279a9214beaa8cfec9dd62bbf7dd237e37ca3b9cc5786fda5db

SHA512
ad8163467d87ce50a59aeab7b4aba14218962de74fdaa960feaff9e3a6df5ce91279a9a2ea974a3d7d1f16dfbdb6d60abb3a085c497e70c4a1c33fb6d2896ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000197001\1.exe
Filesize
1001KB

MD5
ccd3f85a630d162bfd8dad660cc8997d

SHA1
d42a07f962906538b9d35d5a25aa4b48a23d8e55

SHA256
b54a9566733ad279a9214beaa8cfec9dd62bbf7dd237e37ca3b9cc5786fda5db

SHA512
ad8163467d87ce50a59aeab7b4aba14218962de74fdaa960feaff9e3a6df5ce91279a9a2ea974a3d7d1f16dfbdb6d60abb3a085c497e70c4a1c33fb6d2896ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
244KB

MD5
d798d2c741c4d86654a75b09128107f3

SHA1
b3b96e3f35de95a77cbb575b593aebab92f45f4d

SHA256
375b3f0fce3cfb5354989de52287595b422519d087ffddb0bd5f1b438d4c7dd4

SHA512
f1f6b67a784e9f8f16d2c8132eb55900e8cfd931926fd8b765ffc0f8bb4dc7acb223a38490ded588eadbb6bd9e985663fa3cc864755fa6cbf5fb5f385b3fed9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
244KB

MD5
d798d2c741c4d86654a75b09128107f3

SHA1
b3b96e3f35de95a77cbb575b593aebab92f45f4d

SHA256
375b3f0fce3cfb5354989de52287595b422519d087ffddb0bd5f1b438d4c7dd4

SHA512
f1f6b67a784e9f8f16d2c8132eb55900e8cfd931926fd8b765ffc0f8bb4dc7acb223a38490ded588eadbb6bd9e985663fa3cc864755fa6cbf5fb5f385b3fed9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
244KB

MD5
d798d2c741c4d86654a75b09128107f3

SHA1
b3b96e3f35de95a77cbb575b593aebab92f45f4d

SHA256
375b3f0fce3cfb5354989de52287595b422519d087ffddb0bd5f1b438d4c7dd4

SHA512
f1f6b67a784e9f8f16d2c8132eb55900e8cfd931926fd8b765ffc0f8bb4dc7acb223a38490ded588eadbb6bd9e985663fa3cc864755fa6cbf5fb5f385b3fed9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
244KB

MD5
d798d2c741c4d86654a75b09128107f3

SHA1
b3b96e3f35de95a77cbb575b593aebab92f45f4d

SHA256
375b3f0fce3cfb5354989de52287595b422519d087ffddb0bd5f1b438d4c7dd4

SHA512
f1f6b67a784e9f8f16d2c8132eb55900e8cfd931926fd8b765ffc0f8bb4dc7acb223a38490ded588eadbb6bd9e985663fa3cc864755fa6cbf5fb5f385b3fed9f

Download Submit
memory/1508-230-0x0000000000000000-mapping.dmp

Download
memory/2204-150-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-157-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-131-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-132-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-133-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-134-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-135-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-136-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-137-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-138-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-139-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-140-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-141-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-143-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-144-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-145-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-146-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-147-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-148-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-149-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-151-0x00000000028F0000-0x0000000002A3A000-memory.dmp

Filesize
1.3MB

Download
memory/2204-183-0x0000000000400000-0x00000000027F7000-memory.dmp

Filesize
36.0MB

Download
memory/2204-152-0x0000000004530000-0x000000000456E000-memory.dmp

Filesize
248KB

Download
memory/2204-153-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-154-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-155-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-156-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-130-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-158-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-159-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-160-0x0000000000400000-0x00000000027F7000-memory.dmp

Filesize
36.0MB

Download
memory/2204-161-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-162-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-163-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-164-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-165-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-166-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-167-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-168-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-169-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-170-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-121-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-129-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-122-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-128-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-127-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-126-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-174-0x0000000004530000-0x000000000456E000-memory.dmp

Filesize
248KB

Download
memory/2204-125-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-124-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-123-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-120-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-556-0x0000000000400000-0x00000000027F7000-memory.dmp

Filesize
36.0MB

Download
memory/2636-511-0x0000000000400000-0x00000000027F7000-memory.dmp

Filesize
36.0MB

Download
memory/3260-286-0x0000000000000000-mapping.dmp

Download
memory/3360-225-0x0000000000000000-mapping.dmp

Download
memory/3680-287-0x0000000000000000-mapping.dmp

Download
memory/3968-313-0x0000000000000000-mapping.dmp

Download
memory/4216-461-0x00000000057C0000-0x000000000580B000-memory.dmp

Filesize
300KB

Download
memory/4216-512-0x0000000006EE0000-0x00000000070A2000-memory.dmp

Filesize
1.8MB

Download
memory/4216-363-0x0000000000DA0000-0x0000000000DC8000-memory.dmp

Filesize
160KB

Download
memory/4216-458-0x0000000005640000-0x000000000567E000-memory.dmp

Filesize
248KB

Download
memory/4216-453-0x00000000055E0000-0x00000000055F2000-memory.dmp

Filesize
72KB

Download
memory/4216-449-0x00000000056B0000-0x00000000057BA000-memory.dmp

Filesize
1.0MB

Download
memory/4216-496-0x00000000065E0000-0x0000000006630000-memory.dmp

Filesize
320KB

Download
memory/4216-443-0x0000000005B40000-0x0000000006146000-memory.dmp

Filesize
6.0MB

Download
memory/4216-327-0x0000000000000000-mapping.dmp

Download
memory/4216-513-0x00000000075E0000-0x0000000007B0C000-memory.dmp

Filesize
5.2MB

Download
memory/4216-495-0x0000000006B50000-0x0000000006BC6000-memory.dmp

Filesize
472KB

Download
memory/4520-271-0x0000000000000000-mapping.dmp

Download
memory/4680-424-0x00000000073F0000-0x0000000007482000-memory.dmp

Filesize
584KB

Download
memory/4680-427-0x0000000007490000-0x0000000007496000-memory.dmp

Filesize
24KB

Download
memory/4680-422-0x0000000007810000-0x0000000007D0E000-memory.dmp

Filesize
5.0MB

Download
memory/4680-436-0x0000000007710000-0x0000000007776000-memory.dmp

Filesize
408KB

Download
memory/4680-420-0x0000000004DC0000-0x0000000004E56000-memory.dmp

Filesize
600KB

Download
memory/4680-368-0x0000000000000000-mapping.dmp

Download
memory/4680-410-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/4732-248-0x0000000000000000-mapping.dmp

Download
memory/5068-184-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-217-0x00000000029AA000-0x00000000029C9000-memory.dmp

Filesize
124KB

Download
memory/5068-178-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-414-0x00000000029AA000-0x00000000029C9000-memory.dmp

Filesize
124KB

Download
memory/5068-416-0x0000000000400000-0x00000000027F7000-memory.dmp

Filesize
36.0MB

Download
memory/5068-180-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-182-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-179-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-171-0x0000000000000000-mapping.dmp

Download
memory/5068-186-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-224-0x0000000000400000-0x00000000027F7000-memory.dmp

Filesize
36.0MB

Download
memory/5068-177-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-192-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-191-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-189-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-176-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-190-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-185-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-175-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-188-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-187-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-173-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5096-255-0x0000000000000000-mapping.dmp

Download