amadey | 6e8a70ea8df6fab3a5c8d288f74817bb55dcc5b3cc9cda636ee8f85bedd71c3a

Analysis

max time kernel
151s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-11-2022 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e8a70ea8df6fab3a5c8d288f74817bb55dcc5b3cc9cda636ee8f85bedd71c3a.exe
Size

246KB
MD5

8de77aedb1b5a582bad15e21ed2667c6
SHA1

4490756b8b0a6000cc1fc98da321189f71f74557
SHA256

6e8a70ea8df6fab3a5c8d288f74817bb55dcc5b3cc9cda636ee8f85bedd71c3a
SHA512

7673456257c9c8beb61c8ea79093a72330ebf098c0c91b9e3c3cae9321ada26201881ca95e39a8abc574de7adbd9ae73045227d96e5393f83f5d709a9c96bd65
SSDEEP

6144:IIex9PLPOjzp6iy7yCGg9U/ovz+uqPZ7f8vyxBHKpBX:IIexhDWzp6iyOU9FVql8vyxe

Score

10^/10

amadey laplas redline newyear2023 slov collection discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

193.56.146.194/h49vlBP/index.php

Extracted

Family

redline

Botnet

slov

31.41.244.14:4694

Attributes

auth_value
a4345b536a3d0d0e8e81ef7e5199d6d0

Extracted

Family

laplas

clipper.guru

Attributes

api_key
ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb

Extracted

Family

redline

Botnet

NewYear2023

185.106.92.111:2510

Attributes

auth_value
99e9bde3b38509ea98c3316cc27e6106

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module

Laplas Clipper
Laplas is a crypto wallet stealer with two variants written in Golang and C#.
stealer laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000121001\slov.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000121001\slov.exe	family_redline
behavioral1/memory/512-290-0x0000000000160000-0x0000000000188000-memory.dmp	family_redline
behavioral1/memory/4784-398-0x0000000002520000-0x000000000255E000-memory.dmp	family_redline
behavioral1/memory/4784-407-0x00000000025E0000-0x000000000261C000-memory.dmp	family_redline

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

11 1968 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

rovwer.exeslov.exenon.exeree.exelinda5.exerovwer.exerovwer.exe

pid process

5020 rovwer.exe
512 slov.exe
4784 non.exe
4216 ree.exe
4792 linda5.exe
3260 rovwer.exe
1824 rovwer.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

2532 regsvr32.exe
1968 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
11	1968	rundll32.exe

pid	process
5020	rovwer.exe
512	slov.exe
4784	non.exe
4216	ree.exe
4792	linda5.exe
3260	rovwer.exe
1824	rovwer.exe

pid	process
2532	regsvr32.exe
1968	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rovwer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\slov.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000121001\\slov.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\non.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000130001\\non.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\ree.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000131001\\ree.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000133001\\linda5.exe"	rovwer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3360 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

slov.exenon.exerundll32.exe

pid process

512 slov.exe
4784 non.exe
4784 non.exe
512 slov.exe
1968 rundll32.exe
1968 rundll32.exe
1968 rundll32.exe
1968 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

non.exeslov.exe

description pid process

Token: SeDebugPrivilege 4784 non.exe
Token: SeDebugPrivilege 512 slov.exe

pid	process
3360	schtasks.exe

pid	process
512	slov.exe
4784	non.exe
4784	non.exe
512	slov.exe
1968	rundll32.exe
1968	rundll32.exe
1968	rundll32.exe
1968	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	4784	non.exe
Token: SeDebugPrivilege	512	slov.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

6e8a70ea8df6fab3a5c8d288f74817bb55dcc5b3cc9cda636ee8f85bedd71c3a.exerovwer.exelinda5.exe

description	pid	process	target process
PID 2208 wrote to memory of 5020	2208	6e8a70ea8df6fab3a5c8d288f74817bb55dcc5b3cc9cda636ee8f85bedd71c3a.exe	rovwer.exe
PID 2208 wrote to memory of 5020	2208	6e8a70ea8df6fab3a5c8d288f74817bb55dcc5b3cc9cda636ee8f85bedd71c3a.exe	rovwer.exe
PID 2208 wrote to memory of 5020	2208	6e8a70ea8df6fab3a5c8d288f74817bb55dcc5b3cc9cda636ee8f85bedd71c3a.exe	rovwer.exe
PID 5020 wrote to memory of 3360	5020	rovwer.exe	schtasks.exe
PID 5020 wrote to memory of 3360	5020	rovwer.exe	schtasks.exe
PID 5020 wrote to memory of 3360	5020	rovwer.exe	schtasks.exe
PID 5020 wrote to memory of 512	5020	rovwer.exe	slov.exe
PID 5020 wrote to memory of 512	5020	rovwer.exe	slov.exe
PID 5020 wrote to memory of 512	5020	rovwer.exe	slov.exe
PID 5020 wrote to memory of 4784	5020	rovwer.exe	non.exe
PID 5020 wrote to memory of 4784	5020	rovwer.exe	non.exe
PID 5020 wrote to memory of 4784	5020	rovwer.exe	non.exe
PID 5020 wrote to memory of 4216	5020	rovwer.exe	ree.exe
PID 5020 wrote to memory of 4216	5020	rovwer.exe	ree.exe
PID 5020 wrote to memory of 4216	5020	rovwer.exe	ree.exe
PID 5020 wrote to memory of 4792	5020	rovwer.exe	linda5.exe
PID 5020 wrote to memory of 4792	5020	rovwer.exe	linda5.exe
PID 5020 wrote to memory of 4792	5020	rovwer.exe	linda5.exe
PID 4792 wrote to memory of 2532	4792	linda5.exe	regsvr32.exe
PID 4792 wrote to memory of 2532	4792	linda5.exe	regsvr32.exe
PID 4792 wrote to memory of 2532	4792	linda5.exe	regsvr32.exe
PID 5020 wrote to memory of 1968	5020	rovwer.exe	rundll32.exe
PID 5020 wrote to memory of 1968	5020	rovwer.exe	rundll32.exe
PID 5020 wrote to memory of 1968	5020	rovwer.exe	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\6e8a70ea8df6fab3a5c8d288f74817bb55dcc5b3cc9cda636ee8f85bedd71c3a.exe
"C:\Users\Admin\AppData\Local\Temp\6e8a70ea8df6fab3a5c8d288f74817bb55dcc5b3cc9cda636ee8f85bedd71c3a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:3360

C:\Users\Admin\AppData\Local\Temp\1000121001\slov.exe
"C:\Users\Admin\AppData\Local\Temp\1000121001\slov.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Users\Admin\AppData\Local\Temp\1000130001\non.exe
"C:\Users\Admin\AppData\Local\Temp\1000130001\non.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Users\Admin\AppData\Local\Temp\1000131001\ree.exe
"C:\Users\Admin\AppData\Local\Temp\1000131001\ree.exe"
3⤵
- Executes dropped EXE
PID:4216

C:\Users\Admin\AppData\Local\Temp\1000133001\linda5.exe
"C:\Users\Admin\AppData\Local\Temp\1000133001\linda5.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -s .\gHGMTMNW.FY
4⤵
- Loads dropped DLL
PID:2532

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:1968

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:3260

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:1824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000121001\slov.exe
Filesize
137KB

MD5
39c717141fa3575199479d2a7f9cbcdb

SHA1
230e3e780964f9979b2cb47397c1a75cbfffe117

SHA256
3441c745b1c8814451c1ec63e2dea4495cdc772c8592fafbf23ec84793bbfb22

SHA512
177744114c0c41cc0198629da65b2bbb8f600a0a4f4f7b10d7644c21d92fb72a5faf3c0fd92a72f4811d8b7dc6b192a2338d15113ce24ae3e1d162a88b255514

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000121001\slov.exe
Filesize
137KB

MD5
39c717141fa3575199479d2a7f9cbcdb

SHA1
230e3e780964f9979b2cb47397c1a75cbfffe117

SHA256
3441c745b1c8814451c1ec63e2dea4495cdc772c8592fafbf23ec84793bbfb22

SHA512
177744114c0c41cc0198629da65b2bbb8f600a0a4f4f7b10d7644c21d92fb72a5faf3c0fd92a72f4811d8b7dc6b192a2338d15113ce24ae3e1d162a88b255514

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000130001\non.exe
Filesize
317KB

MD5
c278cfce93da1486e9fa1e66ba7ddbcb

SHA1
b35c919da92548aea8abf26a46fce91e656c1d7a

SHA256
6792bd35a4de116b29f3c10fc30e74f28d3437eb58a98def8c037261b104c94a

SHA512
ba7ac48b1ad0e9b8fe2147818263e467fddd0b44ea376c635d80ab03c311c55a9ef43ef287f84ff828c530328839bf8489798e2aca173c4826048d07f31d9cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000130001\non.exe
Filesize
317KB

MD5
c278cfce93da1486e9fa1e66ba7ddbcb

SHA1
b35c919da92548aea8abf26a46fce91e656c1d7a

SHA256
6792bd35a4de116b29f3c10fc30e74f28d3437eb58a98def8c037261b104c94a

SHA512
ba7ac48b1ad0e9b8fe2147818263e467fddd0b44ea376c635d80ab03c311c55a9ef43ef287f84ff828c530328839bf8489798e2aca173c4826048d07f31d9cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000131001\ree.exe
Filesize
4.6MB

MD5
17aed6b6e981182a180bc8cf4eef94d3

SHA1
e45528af45d0eca372cafdacceb14fb15177f5a3

SHA256
80991222b1cf2e863e1e8ac51b6fe90cf0b701df1d8af8c3a9ce9ec10e089f77

SHA512
0d1955451f4eb54a7e0b84b4f39d9617bcfe292206f96fe54355ee099db337f1bcfafcddb590cfd5e3de418ea6d333527e6a400936288efec9933c75f73882f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000131001\ree.exe
Filesize
4.6MB

MD5
17aed6b6e981182a180bc8cf4eef94d3

SHA1
e45528af45d0eca372cafdacceb14fb15177f5a3

SHA256
80991222b1cf2e863e1e8ac51b6fe90cf0b701df1d8af8c3a9ce9ec10e089f77

SHA512
0d1955451f4eb54a7e0b84b4f39d9617bcfe292206f96fe54355ee099db337f1bcfafcddb590cfd5e3de418ea6d333527e6a400936288efec9933c75f73882f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000133001\linda5.exe
Filesize
1.7MB

MD5
ec7da170902785002e53a17660c69cb9

SHA1
0c8c1d3e3a8c262c27f2d4b96c005351c20be01f

SHA256
9d363d2a1992e9a43d7aaa5eefbfad8d905b3a2bd5621023acc7d1e31f984593

SHA512
35e44a2af3b079194d6339501245d83123e06f59dd3fec63643bddf313b1a28b4a7886106630d357f2287a09d411aad248d2ecd38bd8ea1418da288bf653f83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000133001\linda5.exe
Filesize
1.7MB

MD5
ec7da170902785002e53a17660c69cb9

SHA1
0c8c1d3e3a8c262c27f2d4b96c005351c20be01f

SHA256
9d363d2a1992e9a43d7aaa5eefbfad8d905b3a2bd5621023acc7d1e31f984593

SHA512
35e44a2af3b079194d6339501245d83123e06f59dd3fec63643bddf313b1a28b4a7886106630d357f2287a09d411aad248d2ecd38bd8ea1418da288bf653f83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
246KB

MD5
8de77aedb1b5a582bad15e21ed2667c6

SHA1
4490756b8b0a6000cc1fc98da321189f71f74557

SHA256
6e8a70ea8df6fab3a5c8d288f74817bb55dcc5b3cc9cda636ee8f85bedd71c3a

SHA512
7673456257c9c8beb61c8ea79093a72330ebf098c0c91b9e3c3cae9321ada26201881ca95e39a8abc574de7adbd9ae73045227d96e5393f83f5d709a9c96bd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
246KB

MD5
8de77aedb1b5a582bad15e21ed2667c6

SHA1
4490756b8b0a6000cc1fc98da321189f71f74557

SHA256
6e8a70ea8df6fab3a5c8d288f74817bb55dcc5b3cc9cda636ee8f85bedd71c3a

SHA512
7673456257c9c8beb61c8ea79093a72330ebf098c0c91b9e3c3cae9321ada26201881ca95e39a8abc574de7adbd9ae73045227d96e5393f83f5d709a9c96bd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
246KB

MD5
8de77aedb1b5a582bad15e21ed2667c6

SHA1
4490756b8b0a6000cc1fc98da321189f71f74557

SHA256
6e8a70ea8df6fab3a5c8d288f74817bb55dcc5b3cc9cda636ee8f85bedd71c3a

SHA512
7673456257c9c8beb61c8ea79093a72330ebf098c0c91b9e3c3cae9321ada26201881ca95e39a8abc574de7adbd9ae73045227d96e5393f83f5d709a9c96bd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
246KB

MD5
8de77aedb1b5a582bad15e21ed2667c6

SHA1
4490756b8b0a6000cc1fc98da321189f71f74557

SHA256
6e8a70ea8df6fab3a5c8d288f74817bb55dcc5b3cc9cda636ee8f85bedd71c3a

SHA512
7673456257c9c8beb61c8ea79093a72330ebf098c0c91b9e3c3cae9321ada26201881ca95e39a8abc574de7adbd9ae73045227d96e5393f83f5d709a9c96bd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\gHGMTMNW.FY
Filesize
2.1MB

MD5
a597ee63de44b1f250b675ef670f56de

SHA1
acb4154ce8355081f998ea1002da5726f73ba420

SHA256
144ae6c1b50976a4c3709eda8fed33497798880baa5ea5c984be96b295c45b8d

SHA512
705224b338f639879142146c8fb2ce4576f9aeeaa63385b95467c31dd8f91736ac053b47c519eda1a4e0f1e1f8d3a8551887016454c7f6faeb3e4b81083457e3

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
Filesize
126KB

MD5
674cec24e36e0dfaec6290db96dda86e

SHA1
581e3a7a541cc04641e751fc850d92e07236681f

SHA256
de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

SHA512
6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

Download Submit
\Users\Admin\AppData\Local\Temp\gHgmTmNW.FY
Filesize
2.1MB

MD5
a597ee63de44b1f250b675ef670f56de

SHA1
acb4154ce8355081f998ea1002da5726f73ba420

SHA256
144ae6c1b50976a4c3709eda8fed33497798880baa5ea5c984be96b295c45b8d

SHA512
705224b338f639879142146c8fb2ce4576f9aeeaa63385b95467c31dd8f91736ac053b47c519eda1a4e0f1e1f8d3a8551887016454c7f6faeb3e4b81083457e3

Download Submit
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
Filesize
126KB

MD5
674cec24e36e0dfaec6290db96dda86e

SHA1
581e3a7a541cc04641e751fc850d92e07236681f

SHA256
de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

SHA512
6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

Download Submit
memory/512-577-0x00000000062F0000-0x0000000006340000-memory.dmp

Filesize
320KB

Download
memory/512-341-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/512-339-0x0000000004A80000-0x0000000004B8A000-memory.dmp

Filesize
1.0MB

Download
memory/512-338-0x0000000004F80000-0x0000000005586000-memory.dmp

Filesize
6.0MB

Download
memory/512-343-0x0000000004A00000-0x0000000004A3E000-memory.dmp

Filesize
248KB

Download
memory/512-345-0x0000000004B90000-0x0000000004BDB000-memory.dmp

Filesize
300KB

Download
memory/512-290-0x0000000000160000-0x0000000000188000-memory.dmp

Filesize
160KB

Download
memory/512-484-0x0000000004D30000-0x0000000004D96000-memory.dmp

Filesize
408KB

Download
memory/512-254-0x0000000000000000-mapping.dmp

Download
memory/512-576-0x0000000006270000-0x00000000062E6000-memory.dmp

Filesize
472KB

Download
memory/1968-588-0x0000000000000000-mapping.dmp

Download
memory/2208-150-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-142-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-149-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-120-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-151-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-152-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-153-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-154-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-155-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-156-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-157-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-158-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/2208-159-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-160-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-161-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-162-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-163-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-164-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-165-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-166-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-167-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-168-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-169-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-148-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-147-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-121-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-133-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-176-0x00000000007C0000-0x00000000007FE000-memory.dmp

Filesize
248KB

Download
memory/2208-122-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-123-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-174-0x000000000093A000-0x0000000000959000-memory.dmp

Filesize
124KB

Download
memory/2208-179-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/2208-124-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-125-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-134-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-135-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-126-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-146-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-127-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-136-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-137-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-129-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-128-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-138-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-139-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-140-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-130-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-141-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-131-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-145-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-144-0x00000000007C0000-0x00000000007FE000-memory.dmp

Filesize
248KB

Download
memory/2208-143-0x000000000093A000-0x0000000000959000-memory.dmp

Filesize
124KB

Download
memory/2208-132-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2532-517-0x0000000000000000-mapping.dmp

Download
memory/3260-706-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/3360-225-0x0000000000000000-mapping.dmp

Download
memory/4216-347-0x0000000000000000-mapping.dmp

Download
memory/4784-570-0x00000000073F0000-0x000000000791C000-memory.dmp

Filesize
5.2MB

Download
memory/4784-583-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/4784-522-0x0000000000A0A000-0x0000000000A3B000-memory.dmp

Filesize
196KB

Download
memory/4784-569-0x0000000007220000-0x00000000073E2000-memory.dmp

Filesize
1.8MB

Download
memory/4784-409-0x0000000004C10000-0x0000000004CA2000-memory.dmp

Filesize
584KB

Download
memory/4784-582-0x0000000000A0A000-0x0000000000A3B000-memory.dmp

Filesize
196KB

Download
memory/4784-407-0x00000000025E0000-0x000000000261C000-memory.dmp

Filesize
240KB

Download
memory/4784-525-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/4784-302-0x0000000000000000-mapping.dmp

Download
memory/4784-368-0x0000000000A0A000-0x0000000000A3B000-memory.dmp

Filesize
196KB

Download
memory/4784-372-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/4784-369-0x00000000009B0000-0x00000000009EE000-memory.dmp

Filesize
248KB

Download
memory/4784-398-0x0000000002520000-0x000000000255E000-memory.dmp

Filesize
248KB

Download
memory/4784-405-0x0000000004DE0000-0x00000000052DE000-memory.dmp

Filesize
5.0MB

Download
memory/4792-431-0x0000000000000000-mapping.dmp

Download
memory/5020-170-0x0000000000000000-mapping.dmp

Download
memory/5020-327-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/5020-301-0x00000000006C0000-0x000000000076E000-memory.dmp

Filesize
696KB

Download
memory/5020-230-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/5020-208-0x00000000006C0000-0x000000000076E000-memory.dmp

Filesize
696KB

Download
memory/5020-192-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-191-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-190-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-189-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-188-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-187-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-186-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-185-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-184-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-183-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-181-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-178-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-180-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-177-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-175-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-173-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-172-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download