amadey | 8e2e38bec6f01059884e471550d4fbb7d3fba46c6acd0dd6aa006eea5ceaad86

Analysis

max time kernel
177s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

186KB
MD5

888dc548217a0fd0cc3c618b7fdeda41
SHA1

7af031a4cd00afd5d22722223a175b371c8e506c
SHA256

8e2e38bec6f01059884e471550d4fbb7d3fba46c6acd0dd6aa006eea5ceaad86
SHA512

4bf7f4e9c5edcb1938d5b297ec6c3b016ed422d6ecaacd2ea7ddf907ad303f2fcf8bd987e0122e89e6974980107fac0a545934a9521fc4450ea5b93697aee82b
SSDEEP

3072:rehYPAOPyHxLZUiWmOGs5BiVBqgQGdzI8UOyelVE6Lx45p0y:ChlLZUiZ3VBqB5626O5N

Score

10^/10

amadey smokeloader backdoor trojan

Malware Config

Extracted

Family

amadey

Version

3.50

193.56.146.174/g84kvj4jck/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4984-133-0x00000000006C0000-0x00000000006C9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

B68E.exeB64C.exeC745.exeCC28.exerovwer.exeDD7E.exeE9C4.exe

pid process

3192 B68E.exe
4612 B64C.exe
3880 C745.exe
376 CC28.exe
4624 rovwer.exe
2652 DD7E.exe
4552 E9C4.exe

pid	process
3192	B68E.exe
4612	B64C.exe
3880	C745.exe
376	CC28.exe
4624	rovwer.exe
2652	DD7E.exe
4552	E9C4.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CC28.exerovwer.exeC745.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	CC28.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	rovwer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	C745.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4328 3192 WerFault.exe B68E.exe
892 376 WerFault.exe CC28.exe

pid	pid_target	process	target process
4328	3192	WerFault.exe	B68E.exe
892	376	WerFault.exe	CC28.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3856 schtasks.exe

pid	process
3856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
4984	file.exe
4984	file.exe
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

760
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

file.exe

pid process

4984 file.exe

pid	process
760

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

C745.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeDebugPrivilege	3880	C745.exe
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeDebugPrivilege	5004	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

CC28.exerovwer.execmd.exeC745.exe

description	pid	process	target process
PID 760 wrote to memory of 3192	760		B68E.exe
PID 760 wrote to memory of 3192	760		B68E.exe
PID 760 wrote to memory of 3192	760		B68E.exe
PID 760 wrote to memory of 4612	760		B64C.exe
PID 760 wrote to memory of 4612	760		B64C.exe
PID 760 wrote to memory of 4612	760		B64C.exe
PID 760 wrote to memory of 3880	760		C745.exe
PID 760 wrote to memory of 3880	760		C745.exe
PID 760 wrote to memory of 3880	760		C745.exe
PID 760 wrote to memory of 376	760		CC28.exe
PID 760 wrote to memory of 376	760		CC28.exe
PID 760 wrote to memory of 376	760		CC28.exe
PID 376 wrote to memory of 4624	376	CC28.exe	rovwer.exe
PID 376 wrote to memory of 4624	376	CC28.exe	rovwer.exe
PID 376 wrote to memory of 4624	376	CC28.exe	rovwer.exe
PID 4624 wrote to memory of 3856	4624	rovwer.exe	schtasks.exe
PID 4624 wrote to memory of 3856	4624	rovwer.exe	schtasks.exe
PID 4624 wrote to memory of 3856	4624	rovwer.exe	schtasks.exe
PID 4624 wrote to memory of 1692	4624	rovwer.exe	cmd.exe
PID 4624 wrote to memory of 1692	4624	rovwer.exe	cmd.exe
PID 4624 wrote to memory of 1692	4624	rovwer.exe	cmd.exe
PID 1692 wrote to memory of 4404	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 4404	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 4404	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 5108	1692	cmd.exe	cacls.exe
PID 1692 wrote to memory of 5108	1692	cmd.exe	cacls.exe
PID 1692 wrote to memory of 5108	1692	cmd.exe	cacls.exe
PID 760 wrote to memory of 2652	760		DD7E.exe
PID 760 wrote to memory of 2652	760		DD7E.exe
PID 760 wrote to memory of 2652	760		DD7E.exe
PID 3880 wrote to memory of 5004	3880	C745.exe	powershell.exe
PID 3880 wrote to memory of 5004	3880	C745.exe	powershell.exe
PID 3880 wrote to memory of 5004	3880	C745.exe	powershell.exe
PID 1692 wrote to memory of 4336	1692	cmd.exe	cacls.exe
PID 1692 wrote to memory of 4336	1692	cmd.exe	cacls.exe
PID 1692 wrote to memory of 4336	1692	cmd.exe	cacls.exe
PID 760 wrote to memory of 4552	760		E9C4.exe
PID 760 wrote to memory of 4552	760		E9C4.exe
PID 760 wrote to memory of 4552	760		E9C4.exe
PID 1692 wrote to memory of 4320	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 4320	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 4320	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 4832	1692	cmd.exe	cacls.exe
PID 1692 wrote to memory of 4832	1692	cmd.exe	cacls.exe
PID 1692 wrote to memory of 4832	1692	cmd.exe	cacls.exe
PID 1692 wrote to memory of 4696	1692	cmd.exe	cacls.exe
PID 1692 wrote to memory of 4696	1692	cmd.exe	cacls.exe
PID 1692 wrote to memory of 4696	1692	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4984

C:\Users\Admin\AppData\Local\Temp\B68E.exe
C:\Users\Admin\AppData\Local\Temp\B68E.exe
1⤵
- Executes dropped EXE
PID:3192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 436
  2⤵
  - Program crash
  PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3192 -ip 3192
1⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\B64C.exe
C:\Users\Admin\AppData\Local\Temp\B64C.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Users\Admin\AppData\Local\Temp\C745.exe
C:\Users\Admin\AppData\Local\Temp\C745.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5004

C:\Users\Admin\AppData\Local\Temp\CC28.exe
C:\Users\Admin\AppData\Local\Temp\CC28.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:376
- C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4404
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "rovwer.exe" /P "Admin:N"
      4⤵
      PID:5108
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "rovwer.exe" /P "Admin:R" /E
      4⤵
      PID:4336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4320
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\99e342142d" /P "Admin:N"
      4⤵
      PID:4832
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\99e342142d" /P "Admin:R" /E
      4⤵
      PID:4696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1264
  2⤵
  - Program crash
  PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 376 -ip 376
1⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\DD7E.exe
C:\Users\Admin\AppData\Local\Temp\DD7E.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Users\Admin\AppData\Local\Temp\E9C4.exe
C:\Users\Admin\AppData\Local\Temp\E9C4.exe
1⤵
- Executes dropped EXE
PID:4552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
244KB

MD5
0906eebf6f5fd1f9029e4bc6f81a636d

SHA1
938df93f0f7ebb8f31a2d2e57c2447d17a0737b8

SHA256
470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e

SHA512
dad5fbcb96ebfb5c29d3fc3f46528ad46dce70acd67ee257b288ad58224117f90919ebce2693b4df9db7ba86f79fa417ff6b6b21c27a837e4d36d7c2b8ef7af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
244KB

MD5
0906eebf6f5fd1f9029e4bc6f81a636d

SHA1
938df93f0f7ebb8f31a2d2e57c2447d17a0737b8

SHA256
470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e

SHA512
dad5fbcb96ebfb5c29d3fc3f46528ad46dce70acd67ee257b288ad58224117f90919ebce2693b4df9db7ba86f79fa417ff6b6b21c27a837e4d36d7c2b8ef7af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\B64C.exe

Filesize
4.2MB

MD5
7eaf5197588886b7b8938fc9a3ca5703

SHA1
da182342d96bca85114a652c8931deefaf508e9c

SHA256
4c7ce6c5e6d7de09a99ec183989046b84513c6ba9fd05c583b71b44638d16c18

SHA512
260b063d0ddf2df8371e5194847b72363e5b496e0e8387e8a5d5cab9c73ea24f9326269aaa3a4f959ed0be61fbb3d7b4c11600b9a2d5d827be074300d70edf2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B64C.exe

Filesize
4.2MB

MD5
7eaf5197588886b7b8938fc9a3ca5703

SHA1
da182342d96bca85114a652c8931deefaf508e9c

SHA256
4c7ce6c5e6d7de09a99ec183989046b84513c6ba9fd05c583b71b44638d16c18

SHA512
260b063d0ddf2df8371e5194847b72363e5b496e0e8387e8a5d5cab9c73ea24f9326269aaa3a4f959ed0be61fbb3d7b4c11600b9a2d5d827be074300d70edf2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B68E.exe

Filesize
1.0MB

MD5
fc78f5650188734808f725d0934650a1

SHA1
e5184b4aa5de2d1121572fbfd3c2f05bf2b9a000

SHA256
319ead10ec14192ea1ba28c3079e72a581bbdbb13a67a3ccbe3066dfec86179a

SHA512
d74f0f7e0fb32d3ac0ef09fdd6762032044bb48ca298ee68e9e7cfd327db812bff460efe89495778febddeb5fdb3d8aa3d6c1f61d1aff34dcaa0a2bf07f2f3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\B68E.exe

Filesize
1.0MB

MD5
fc78f5650188734808f725d0934650a1

SHA1
e5184b4aa5de2d1121572fbfd3c2f05bf2b9a000

SHA256
319ead10ec14192ea1ba28c3079e72a581bbdbb13a67a3ccbe3066dfec86179a

SHA512
d74f0f7e0fb32d3ac0ef09fdd6762032044bb48ca298ee68e9e7cfd327db812bff460efe89495778febddeb5fdb3d8aa3d6c1f61d1aff34dcaa0a2bf07f2f3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\C745.exe

Filesize
6KB

MD5
1fa7079d26058ea034b51f04938b4f44

SHA1
2cccd49d886cdfcd80da806971962d93b6eeaf45

SHA256
19c00af81f362be665658f611e54d1a6e460bcdde64a15e3db3910841374e2a0

SHA512
43053b5d324b61ac922a38b8991511e21a9cdcea6e240720e7ec01f122dea06194efdb29a2e4c6b6628bfadbc7ff7846b0a324b6b5472d1501094e3dbae24f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\C745.exe

Filesize
6KB

MD5
1fa7079d26058ea034b51f04938b4f44

SHA1
2cccd49d886cdfcd80da806971962d93b6eeaf45

SHA256
19c00af81f362be665658f611e54d1a6e460bcdde64a15e3db3910841374e2a0

SHA512
43053b5d324b61ac922a38b8991511e21a9cdcea6e240720e7ec01f122dea06194efdb29a2e4c6b6628bfadbc7ff7846b0a324b6b5472d1501094e3dbae24f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC28.exe

Filesize
244KB

MD5
0906eebf6f5fd1f9029e4bc6f81a636d

SHA1
938df93f0f7ebb8f31a2d2e57c2447d17a0737b8

SHA256
470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e

SHA512
dad5fbcb96ebfb5c29d3fc3f46528ad46dce70acd67ee257b288ad58224117f90919ebce2693b4df9db7ba86f79fa417ff6b6b21c27a837e4d36d7c2b8ef7af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC28.exe

Filesize
244KB

MD5
0906eebf6f5fd1f9029e4bc6f81a636d

SHA1
938df93f0f7ebb8f31a2d2e57c2447d17a0737b8

SHA256
470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e

SHA512
dad5fbcb96ebfb5c29d3fc3f46528ad46dce70acd67ee257b288ad58224117f90919ebce2693b4df9db7ba86f79fa417ff6b6b21c27a837e4d36d7c2b8ef7af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD7E.exe

Filesize
2.2MB

MD5
ef49a68699e4afe250004503ef5504bd

SHA1
13d0dc63f5bbd7ff88c715d95e1b49a9d7783280

SHA256
53b62ca42c37c8c147b9f338ed67c69ab1316c52190d0ee5729f741971377f94

SHA512
c0de78ceaafb4377cacefbfbfeb4a70f2eaa151afbcc00d9fcb4dbdb048487a88df6d1732b879602a2273396a7d8cfdb9618aaa3237b2e4b1f4c1f69743fa4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD7E.exe

Filesize
2.2MB

MD5
ef49a68699e4afe250004503ef5504bd

SHA1
13d0dc63f5bbd7ff88c715d95e1b49a9d7783280

SHA256
53b62ca42c37c8c147b9f338ed67c69ab1316c52190d0ee5729f741971377f94

SHA512
c0de78ceaafb4377cacefbfbfeb4a70f2eaa151afbcc00d9fcb4dbdb048487a88df6d1732b879602a2273396a7d8cfdb9618aaa3237b2e4b1f4c1f69743fa4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9C4.exe

Filesize
217KB

MD5
b67e4b134ab08107bcf196c7dc287ab7

SHA1
c4869b48c45413565d422c88e7f1eae482498349

SHA256
871546481d1e7ef58ee941366cfd776961d58996665e4e6f108f6b7bd58f188f

SHA512
99cd23a8b2d4eb85c7559b0c8b7dffbf1688867bfeb15dbdc1df4176142a8d2a2b2845490509ef2acf1c7e4ccb3ce9d38747b33b83b060079d2decae0d9357f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9C4.exe

Filesize
217KB

MD5
b67e4b134ab08107bcf196c7dc287ab7

SHA1
c4869b48c45413565d422c88e7f1eae482498349

SHA256
871546481d1e7ef58ee941366cfd776961d58996665e4e6f108f6b7bd58f188f

SHA512
99cd23a8b2d4eb85c7559b0c8b7dffbf1688867bfeb15dbdc1df4176142a8d2a2b2845490509ef2acf1c7e4ccb3ce9d38747b33b83b060079d2decae0d9357f1

Download Submit
memory/376-162-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/376-161-0x00000000007AD000-0x00000000007CC000-memory.dmp

Filesize
124KB

Download
memory/376-146-0x0000000000000000-mapping.dmp

Download
memory/376-149-0x00000000007AD000-0x00000000007CC000-memory.dmp

Filesize
124KB

Download
memory/376-150-0x0000000000720000-0x000000000075E000-memory.dmp

Filesize
248KB

Download
memory/376-151-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/1692-163-0x0000000000000000-mapping.dmp

Download
memory/2652-166-0x0000000000000000-mapping.dmp

Download
memory/2652-189-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/2652-174-0x00000000025EE000-0x000000000280D000-memory.dmp

Filesize
2.1MB

Download
memory/2652-175-0x0000000002810000-0x0000000002CA9000-memory.dmp

Filesize
4.6MB

Download
memory/2652-176-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/3192-136-0x0000000000000000-mapping.dmp

Download
memory/3856-158-0x0000000000000000-mapping.dmp

Download
memory/3880-142-0x0000000000000000-mapping.dmp

Download
memory/3880-156-0x00000000063D0000-0x0000000006974000-memory.dmp

Filesize
5.6MB

Download
memory/3880-157-0x0000000005E50000-0x0000000005E72000-memory.dmp

Filesize
136KB

Download
memory/3880-155-0x0000000005D80000-0x0000000005E12000-memory.dmp

Filesize
584KB

Download
memory/3880-145-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/4320-178-0x0000000000000000-mapping.dmp

Download
memory/4336-170-0x0000000000000000-mapping.dmp

Download
memory/4404-164-0x0000000000000000-mapping.dmp

Download
memory/4552-171-0x0000000000000000-mapping.dmp

Download
memory/4612-139-0x0000000000000000-mapping.dmp

Download
memory/4624-160-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/4624-185-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/4624-186-0x000000000090C000-0x000000000092B000-memory.dmp

Filesize
124KB

Download
memory/4624-159-0x000000000090C000-0x000000000092B000-memory.dmp

Filesize
124KB

Download
memory/4624-152-0x0000000000000000-mapping.dmp

Download
memory/4696-180-0x0000000000000000-mapping.dmp

Download
memory/4832-179-0x0000000000000000-mapping.dmp

Download
memory/4984-135-0x0000000000400000-0x000000000064C000-memory.dmp

Filesize
2.3MB

Download
memory/4984-133-0x00000000006C0000-0x00000000006C9000-memory.dmp

Filesize
36KB

Download
memory/4984-134-0x0000000000400000-0x000000000064C000-memory.dmp

Filesize
2.3MB

Download
memory/4984-132-0x000000000072D000-0x000000000073E000-memory.dmp

Filesize
68KB

Download
memory/5004-177-0x00000000046A0000-0x00000000046D6000-memory.dmp

Filesize
216KB

Download
memory/5004-181-0x0000000004E10000-0x0000000005438000-memory.dmp

Filesize
6.2MB

Download
memory/5004-182-0x0000000004D50000-0x0000000004DB6000-memory.dmp

Filesize
408KB

Download
memory/5004-183-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/5004-184-0x0000000005C10000-0x0000000005C2E000-memory.dmp

Filesize
120KB

Download
memory/5004-169-0x0000000000000000-mapping.dmp

Download
memory/5004-187-0x0000000007250000-0x00000000078CA000-memory.dmp

Filesize
6.5MB

Download
memory/5004-188-0x0000000006090000-0x00000000060AA000-memory.dmp

Filesize
104KB

Download
memory/5108-165-0x0000000000000000-mapping.dmp

Download