amadey | 57ceb1a5fb93c7ba90094e70b0f06b2c5f8ed7b9ebb0792eae7d541b538dcd0f

Analysis

max time kernel
117s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e68accfec9356e006e37e652d1f9061d82d1f00670b9d029b32a4ceba67fa900.exe
Size

246KB
MD5

d97676c845137efe4c44586ab8db7bf6
SHA1

d254580d33e716a83f12130cc3adf6efeebf7d13
SHA256

e68accfec9356e006e37e652d1f9061d82d1f00670b9d029b32a4ceba67fa900
SHA512

18f774b6615fb4858014009e1dfbeb657d2f24703861ff9db28d70cddaf64c0a926a7153a3077b4f3ee131c2f694af3321abb270c8cf0e314c68d3f8ba2bff61
SSDEEP

3072:ssMHbbVC9QYGE4LvZDjsn2nM5ykfIcU4vaSNb5qjJ8Fe4t2QhpG9tWsWhJ4dLMAn:sHtrLvZDjZPSIcUUqit2Qhw9q4JNn

Score

10^/10

amadey raccoon redline 16465d0e7bfd19684d4e56a43306c91b ritchshit infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

193.56.146.174/g84kvj4jck/index.php

Extracted

Family

redline

Botnet

ritchshit

94.103.183.33:80

Attributes

auth_value
98c1a18edcc6e04afa19a0ee3b16a6e2

Extracted

Family

raccoon

Botnet

16465d0e7bfd19684d4e56a43306c91b

http://79.137.196.11/

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4320-155-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

rovwer.exe236.exerovwer.exeokok.exeokok.exerovwer.exe

pid process

2924 rovwer.exe
4884 236.exe
2688 rovwer.exe
2024 okok.exe
4808 okok.exe
2792 rovwer.exe

pid	process
2924	rovwer.exe
4884	236.exe
2688	rovwer.exe
2024	okok.exe
4808	okok.exe
2792	rovwer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e68accfec9356e006e37e652d1f9061d82d1f00670b9d029b32a4ceba67fa900.exerovwer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	e68accfec9356e006e37e652d1f9061d82d1f00670b9d029b32a4ceba67fa900.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	rovwer.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rovwer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\236.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000221001\\236.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\okok.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000223001\\okok.exe"	rovwer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

236.exeokok.exe

description pid process target process

PID 4884 set thread context of 4320 4884 236.exe vbc.exe
PID 2024 set thread context of 4808 2024 okok.exe okok.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4884 set thread context of 4320	4884	236.exe	vbc.exe
PID 2024 set thread context of 4808	2024	okok.exe	okok.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4452	2804	WerFault.exe	e68accfec9356e006e37e652d1f9061d82d1f00670b9d029b32a4ceba67fa900.exe
456	4884	WerFault.exe	236.exe
5072	2688	WerFault.exe	rovwer.exe
4280	2792	WerFault.exe	rovwer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3980 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe

pid process

4320 vbc.exe
4320 vbc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

okok.exevbc.exe

description pid process

Token: SeDebugPrivilege 2024 okok.exe
Token: SeDebugPrivilege 4320 vbc.exe

pid	process
3980	schtasks.exe

pid	process
4320	vbc.exe
4320	vbc.exe

description	pid	process
Token: SeDebugPrivilege	2024	okok.exe
Token: SeDebugPrivilege	4320	vbc.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

e68accfec9356e006e37e652d1f9061d82d1f00670b9d029b32a4ceba67fa900.exerovwer.execmd.exe236.exeokok.exe

description	pid	process	target process
PID 2804 wrote to memory of 2924	2804	e68accfec9356e006e37e652d1f9061d82d1f00670b9d029b32a4ceba67fa900.exe	rovwer.exe
PID 2804 wrote to memory of 2924	2804	e68accfec9356e006e37e652d1f9061d82d1f00670b9d029b32a4ceba67fa900.exe	rovwer.exe
PID 2804 wrote to memory of 2924	2804	e68accfec9356e006e37e652d1f9061d82d1f00670b9d029b32a4ceba67fa900.exe	rovwer.exe
PID 2924 wrote to memory of 3980	2924	rovwer.exe	schtasks.exe
PID 2924 wrote to memory of 3980	2924	rovwer.exe	schtasks.exe
PID 2924 wrote to memory of 3980	2924	rovwer.exe	schtasks.exe
PID 2924 wrote to memory of 4704	2924	rovwer.exe	cmd.exe
PID 2924 wrote to memory of 4704	2924	rovwer.exe	cmd.exe
PID 2924 wrote to memory of 4704	2924	rovwer.exe	cmd.exe
PID 4704 wrote to memory of 3504	4704	cmd.exe	cmd.exe
PID 4704 wrote to memory of 3504	4704	cmd.exe	cmd.exe
PID 4704 wrote to memory of 3504	4704	cmd.exe	cmd.exe
PID 4704 wrote to memory of 4484	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 4484	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 4484	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 2456	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 2456	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 2456	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 2692	4704	cmd.exe	cmd.exe
PID 4704 wrote to memory of 2692	4704	cmd.exe	cmd.exe
PID 4704 wrote to memory of 2692	4704	cmd.exe	cmd.exe
PID 4704 wrote to memory of 8	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 8	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 8	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 4460	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 4460	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 4460	4704	cmd.exe	cacls.exe
PID 2924 wrote to memory of 4884	2924	rovwer.exe	236.exe
PID 2924 wrote to memory of 4884	2924	rovwer.exe	236.exe
PID 2924 wrote to memory of 4884	2924	rovwer.exe	236.exe
PID 4884 wrote to memory of 4320	4884	236.exe	vbc.exe
PID 4884 wrote to memory of 4320	4884	236.exe	vbc.exe
PID 4884 wrote to memory of 4320	4884	236.exe	vbc.exe
PID 4884 wrote to memory of 4320	4884	236.exe	vbc.exe
PID 4884 wrote to memory of 4320	4884	236.exe	vbc.exe
PID 2924 wrote to memory of 2024	2924	rovwer.exe	okok.exe
PID 2924 wrote to memory of 2024	2924	rovwer.exe	okok.exe
PID 2924 wrote to memory of 2024	2924	rovwer.exe	okok.exe
PID 2024 wrote to memory of 4808	2024	okok.exe	okok.exe
PID 2024 wrote to memory of 4808	2024	okok.exe	okok.exe
PID 2024 wrote to memory of 4808	2024	okok.exe	okok.exe
PID 2024 wrote to memory of 4808	2024	okok.exe	okok.exe
PID 2024 wrote to memory of 4808	2024	okok.exe	okok.exe
PID 2024 wrote to memory of 4808	2024	okok.exe	okok.exe
PID 2024 wrote to memory of 4808	2024	okok.exe	okok.exe
PID 2024 wrote to memory of 4808	2024	okok.exe	okok.exe

C:\Users\Admin\AppData\Local\Temp\e68accfec9356e006e37e652d1f9061d82d1f00670b9d029b32a4ceba67fa900.exe
"C:\Users\Admin\AppData\Local\Temp\e68accfec9356e006e37e652d1f9061d82d1f00670b9d029b32a4ceba67fa900.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2804

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:3980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:3504

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:N"
4⤵
PID:4484

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:R" /E
4⤵
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2692

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:N"
4⤵
PID:8

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:R" /E
4⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\1000221001\236.exe
"C:\Users\Admin\AppData\Local\Temp\1000221001\236.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 148
4⤵
- Program crash
PID:456

C:\Users\Admin\AppData\Local\Temp\1000223001\okok.exe
"C:\Users\Admin\AppData\Local\Temp\1000223001\okok.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\1000223001\okok.exe
"C:\Users\Admin\AppData\Local\Temp\1000223001\okok.exe"
4⤵
- Executes dropped EXE
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1136
2⤵
- Program crash
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2804 -ip 2804
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4884 -ip 4884
1⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 416
2⤵
- Program crash
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2688 -ip 2688
1⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 424
2⤵
- Program crash
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2792 -ip 2792
1⤵
PID:204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000221001\236.exe

Filesize
929KB

MD5
f159a709fd4cd800d0a1f766089c4318

SHA1
e2335ecebfc16d030d36183a5a1f1f61853dfea8

SHA256
f4dc5eedf8dd119d3b84eae34493e0b09e3bf2ff15d45e5f67266cf146f06d74

SHA512
4abb21862da9d34edb8a1827d5c19f050c6a7bb45a10fa81baa169703c2a914c6123313199292bc684ab098c7cab279680233fbc3446a100874ad68774adc354

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000221001\236.exe

Filesize
929KB

MD5
f159a709fd4cd800d0a1f766089c4318

SHA1
e2335ecebfc16d030d36183a5a1f1f61853dfea8

SHA256
f4dc5eedf8dd119d3b84eae34493e0b09e3bf2ff15d45e5f67266cf146f06d74

SHA512
4abb21862da9d34edb8a1827d5c19f050c6a7bb45a10fa81baa169703c2a914c6123313199292bc684ab098c7cab279680233fbc3446a100874ad68774adc354

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000223001\okok.exe

Filesize
594KB

MD5
811f64ea53b76f4e63f3baa9cbf449af

SHA1
bdbb1cb65db56922bdab468e47a4b4ecfad9bc13

SHA256
199a20b72c4eb70450a036e25f8abc1eae9b0ba5ab269651d25480b909ac6168

SHA512
3f0f7ba95068b56bb604e564c01ea6bb3b0dcd6a10d437301467a56b823a7e7c040ed16ed989bd444239fee2265248f264a86d1a1a7c9f610666679c3f99caa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000223001\okok.exe

Filesize
594KB

MD5
811f64ea53b76f4e63f3baa9cbf449af

SHA1
bdbb1cb65db56922bdab468e47a4b4ecfad9bc13

SHA256
199a20b72c4eb70450a036e25f8abc1eae9b0ba5ab269651d25480b909ac6168

SHA512
3f0f7ba95068b56bb604e564c01ea6bb3b0dcd6a10d437301467a56b823a7e7c040ed16ed989bd444239fee2265248f264a86d1a1a7c9f610666679c3f99caa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000223001\okok.exe

Filesize
594KB

MD5
811f64ea53b76f4e63f3baa9cbf449af

SHA1
bdbb1cb65db56922bdab468e47a4b4ecfad9bc13

SHA256
199a20b72c4eb70450a036e25f8abc1eae9b0ba5ab269651d25480b909ac6168

SHA512
3f0f7ba95068b56bb604e564c01ea6bb3b0dcd6a10d437301467a56b823a7e7c040ed16ed989bd444239fee2265248f264a86d1a1a7c9f610666679c3f99caa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
246KB

MD5
d97676c845137efe4c44586ab8db7bf6

SHA1
d254580d33e716a83f12130cc3adf6efeebf7d13

SHA256
e68accfec9356e006e37e652d1f9061d82d1f00670b9d029b32a4ceba67fa900

SHA512
18f774b6615fb4858014009e1dfbeb657d2f24703861ff9db28d70cddaf64c0a926a7153a3077b4f3ee131c2f694af3321abb270c8cf0e314c68d3f8ba2bff61

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
246KB

MD5
d97676c845137efe4c44586ab8db7bf6

SHA1
d254580d33e716a83f12130cc3adf6efeebf7d13

SHA256
e68accfec9356e006e37e652d1f9061d82d1f00670b9d029b32a4ceba67fa900

SHA512
18f774b6615fb4858014009e1dfbeb657d2f24703861ff9db28d70cddaf64c0a926a7153a3077b4f3ee131c2f694af3321abb270c8cf0e314c68d3f8ba2bff61

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
246KB

MD5
d97676c845137efe4c44586ab8db7bf6

SHA1
d254580d33e716a83f12130cc3adf6efeebf7d13

SHA256
e68accfec9356e006e37e652d1f9061d82d1f00670b9d029b32a4ceba67fa900

SHA512
18f774b6615fb4858014009e1dfbeb657d2f24703861ff9db28d70cddaf64c0a926a7153a3077b4f3ee131c2f694af3321abb270c8cf0e314c68d3f8ba2bff61

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
246KB

MD5
d97676c845137efe4c44586ab8db7bf6

SHA1
d254580d33e716a83f12130cc3adf6efeebf7d13

SHA256
e68accfec9356e006e37e652d1f9061d82d1f00670b9d029b32a4ceba67fa900

SHA512
18f774b6615fb4858014009e1dfbeb657d2f24703861ff9db28d70cddaf64c0a926a7153a3077b4f3ee131c2f694af3321abb270c8cf0e314c68d3f8ba2bff61

Download Submit
memory/8-149-0x0000000000000000-mapping.dmp

Download
memory/2024-161-0x0000000000000000-mapping.dmp

Download
memory/2024-168-0x0000000005210000-0x00000000052AC000-memory.dmp

Filesize
624KB

Download
memory/2024-167-0x0000000005720000-0x0000000005CC4000-memory.dmp

Filesize
5.6MB

Download
memory/2024-166-0x00000000008A0000-0x000000000093E000-memory.dmp

Filesize
632KB

Download
memory/2456-147-0x0000000000000000-mapping.dmp

Download
memory/2688-179-0x00000000008B0000-0x00000000008CF000-memory.dmp

Filesize
124KB

Download
memory/2688-180-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/2692-148-0x0000000000000000-mapping.dmp

Download
memory/2792-189-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/2792-188-0x0000000000760000-0x000000000077F000-memory.dmp

Filesize
124KB

Download
memory/2804-132-0x000000000091D000-0x000000000093C000-memory.dmp

Filesize
124KB

Download
memory/2804-138-0x000000000091D000-0x000000000093C000-memory.dmp

Filesize
124KB

Download
memory/2804-139-0x00000000023A0000-0x00000000023DE000-memory.dmp

Filesize
248KB

Download
memory/2804-140-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/2804-134-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/2804-133-0x00000000023A0000-0x00000000023DE000-memory.dmp

Filesize
248KB

Download
memory/2924-142-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/2924-135-0x0000000000000000-mapping.dmp

Download
memory/2924-164-0x00000000006AC000-0x00000000006CB000-memory.dmp

Filesize
124KB

Download
memory/2924-165-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/2924-141-0x00000000006AC000-0x00000000006CB000-memory.dmp

Filesize
124KB

Download
memory/3504-145-0x0000000000000000-mapping.dmp

Download
memory/3980-143-0x0000000000000000-mapping.dmp

Download
memory/4320-177-0x00000000054E0000-0x00000000054F2000-memory.dmp

Filesize
72KB

Download
memory/4320-183-0x0000000006A90000-0x0000000006B06000-memory.dmp

Filesize
472KB

Download
memory/4320-186-0x0000000008850000-0x0000000008D7C000-memory.dmp

Filesize
5.2MB

Download
memory/4320-185-0x0000000008150000-0x0000000008312000-memory.dmp

Filesize
1.8MB

Download
memory/4320-174-0x0000000005AB0000-0x00000000060C8000-memory.dmp

Filesize
6.1MB

Download
memory/4320-184-0x0000000006B10000-0x0000000006B60000-memory.dmp

Filesize
320KB

Download
memory/4320-176-0x00000000055B0000-0x00000000056BA000-memory.dmp

Filesize
1.0MB

Download
memory/4320-155-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4320-178-0x0000000005540000-0x000000000557C000-memory.dmp

Filesize
240KB

Download
memory/4320-154-0x0000000000000000-mapping.dmp

Download
memory/4320-182-0x0000000006970000-0x0000000006A02000-memory.dmp

Filesize
584KB

Download
memory/4320-181-0x0000000006700000-0x0000000006766000-memory.dmp

Filesize
408KB

Download
memory/4460-150-0x0000000000000000-mapping.dmp

Download
memory/4484-146-0x0000000000000000-mapping.dmp

Download
memory/4704-144-0x0000000000000000-mapping.dmp

Download
memory/4808-170-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4808-175-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4808-173-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4808-169-0x0000000000000000-mapping.dmp

Download
memory/4884-151-0x0000000000000000-mapping.dmp

Download