amadey | 54eac531f0ca8495f2c3ddbb73e29280200a6635c0b35ca094e65b48a6cffe64

Analysis

max time kernel
147s
max time network
125s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
25-11-2022 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54eac531f0ca8495f2c3ddbb73e29280200a6635c0b35ca094e65b48a6cffe64.exe
Size

247KB
MD5

b656d2dfb1646d77a60799c56814a7d6
SHA1

1364be44ee074ffbec0b0c992a917920c580f948
SHA256

54eac531f0ca8495f2c3ddbb73e29280200a6635c0b35ca094e65b48a6cffe64
SHA512

c3d72adbccd49f3dc3c32a2c2dd281acfcf1af68fdcc4f3ed4920d64d6250ea0f001e5ba64f1c776d483b109d20c6ab1ffa8f8ac64ef335433cd03b922ecbdc1
SSDEEP

3072:zg3sOgVS6iOK7LaeaAVHKi5WxSCxkOWMpSmIPkfcl0oS+yzCvSgBX3XQsPR:E3LbLaeaWQxmqp7KkfcLSNCvSU3X9J

Score

10^/10

amadey laplas redline newyear2023 collection discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

193.56.146.194/h49vlBP/index.php

Extracted

Family

redline

Botnet

NewYear2023

185.106.92.111:2510

Attributes

auth_value
99e9bde3b38509ea98c3316cc27e6106

Extracted

Family

laplas

clipper.guru

Attributes

api_key
ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module

Laplas Clipper
Laplas is a crypto wallet stealer with two variants written in Golang and C#.
stealer laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000130001\non.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000130001\non.exe	family_redline
behavioral1/memory/4024-286-0x00000000003D0000-0x00000000003F8000-memory.dmp	family_redline

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

11 3528 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

rovwer.exenon.exeree.exelinda5.exerovwer.exerovwer.exe

pid process

5044 rovwer.exe
4024 non.exe
4044 ree.exe
412 linda5.exe
1860 rovwer.exe
632 rovwer.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

2932 rundll32.exe
3380 rundll32.exe
3380 rundll32.exe
3528 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
11	3528	rundll32.exe

pid	process
5044	rovwer.exe
4024	non.exe
4044	ree.exe
412	linda5.exe
1860	rovwer.exe
632	rovwer.exe

pid	process
2932	rundll32.exe
3380	rundll32.exe
3380	rundll32.exe
3528	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rovwer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ree.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000131001\\ree.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000133001\\linda5.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\non.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000130001\\non.exe"	rovwer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3720 schtasks.exe
Modifies registry class 1 IoCs

Processes:

linda5.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings linda5.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

non.exerundll32.exe

pid process

4024 non.exe
4024 non.exe
3528 rundll32.exe
3528 rundll32.exe
3528 rundll32.exe
3528 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

non.exe

description pid process

Token: SeDebugPrivilege 4024 non.exe

pid	process
3720	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	linda5.exe

pid	process
4024	non.exe
4024	non.exe
3528	rundll32.exe
3528	rundll32.exe
3528	rundll32.exe
3528	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	4024	non.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

54eac531f0ca8495f2c3ddbb73e29280200a6635c0b35ca094e65b48a6cffe64.exerovwer.exelinda5.execontrol.exerundll32.exeRunDll32.exe

description	pid	process	target process
PID 2676 wrote to memory of 5044	2676	54eac531f0ca8495f2c3ddbb73e29280200a6635c0b35ca094e65b48a6cffe64.exe	rovwer.exe
PID 2676 wrote to memory of 5044	2676	54eac531f0ca8495f2c3ddbb73e29280200a6635c0b35ca094e65b48a6cffe64.exe	rovwer.exe
PID 2676 wrote to memory of 5044	2676	54eac531f0ca8495f2c3ddbb73e29280200a6635c0b35ca094e65b48a6cffe64.exe	rovwer.exe
PID 5044 wrote to memory of 3720	5044	rovwer.exe	schtasks.exe
PID 5044 wrote to memory of 3720	5044	rovwer.exe	schtasks.exe
PID 5044 wrote to memory of 3720	5044	rovwer.exe	schtasks.exe
PID 5044 wrote to memory of 4024	5044	rovwer.exe	non.exe
PID 5044 wrote to memory of 4024	5044	rovwer.exe	non.exe
PID 5044 wrote to memory of 4024	5044	rovwer.exe	non.exe
PID 5044 wrote to memory of 4044	5044	rovwer.exe	ree.exe
PID 5044 wrote to memory of 4044	5044	rovwer.exe	ree.exe
PID 5044 wrote to memory of 4044	5044	rovwer.exe	ree.exe
PID 5044 wrote to memory of 412	5044	rovwer.exe	linda5.exe
PID 5044 wrote to memory of 412	5044	rovwer.exe	linda5.exe
PID 5044 wrote to memory of 412	5044	rovwer.exe	linda5.exe
PID 412 wrote to memory of 160	412	linda5.exe	control.exe
PID 412 wrote to memory of 160	412	linda5.exe	control.exe
PID 412 wrote to memory of 160	412	linda5.exe	control.exe
PID 160 wrote to memory of 2932	160	control.exe	rundll32.exe
PID 160 wrote to memory of 2932	160	control.exe	rundll32.exe
PID 160 wrote to memory of 2932	160	control.exe	rundll32.exe
PID 2932 wrote to memory of 1924	2932	rundll32.exe	RunDll32.exe
PID 2932 wrote to memory of 1924	2932	rundll32.exe	RunDll32.exe
PID 1924 wrote to memory of 3380	1924	RunDll32.exe	rundll32.exe
PID 1924 wrote to memory of 3380	1924	RunDll32.exe	rundll32.exe
PID 1924 wrote to memory of 3380	1924	RunDll32.exe	rundll32.exe
PID 5044 wrote to memory of 3528	5044	rovwer.exe	rundll32.exe
PID 5044 wrote to memory of 3528	5044	rovwer.exe	rundll32.exe
PID 5044 wrote to memory of 3528	5044	rovwer.exe	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\54eac531f0ca8495f2c3ddbb73e29280200a6635c0b35ca094e65b48a6cffe64.exe
"C:\Users\Admin\AppData\Local\Temp\54eac531f0ca8495f2c3ddbb73e29280200a6635c0b35ca094e65b48a6cffe64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:3720

C:\Users\Admin\AppData\Local\Temp\1000130001\non.exe
"C:\Users\Admin\AppData\Local\Temp\1000130001\non.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Users\Admin\AppData\Local\Temp\1000131001\ree.exe
"C:\Users\Admin\AppData\Local\Temp\1000131001\ree.exe"
3⤵
- Executes dropped EXE
PID:4044

C:\Users\Admin\AppData\Local\Temp\1000133001\linda5.exe
"C:\Users\Admin\AppData\Local\Temp\1000133001\linda5.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\ZySGHr.cPL",
4⤵
- Suspicious use of WriteProcessMemory
PID:160

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ZySGHr.cPL",
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ZySGHr.cPL",
6⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\ZySGHr.cPL",
7⤵
- Loads dropped DLL
PID:3380

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:3528

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:1860

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000130001\non.exe
Filesize
137KB

MD5
c8fbf7e62159275b2d13849b26341184

SHA1
a1245f045d07a1edf3690b7a2e09b65036342f9a

SHA256
96062d8acceacfd16b85960764411640718d9bc7b56cabd43cf664d07744368a

SHA512
81b1c74d56900f034b7076091dbe2102b1a3434524b5c7d92e2310166bf6a059079181532db09a007207688a22e563f05d31081c509530ba122d1a385126c216

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000130001\non.exe
Filesize
137KB

MD5
c8fbf7e62159275b2d13849b26341184

SHA1
a1245f045d07a1edf3690b7a2e09b65036342f9a

SHA256
96062d8acceacfd16b85960764411640718d9bc7b56cabd43cf664d07744368a

SHA512
81b1c74d56900f034b7076091dbe2102b1a3434524b5c7d92e2310166bf6a059079181532db09a007207688a22e563f05d31081c509530ba122d1a385126c216

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000131001\ree.exe
Filesize
4.6MB

MD5
f6829a19455a7b24a79e0b984d2a42d9

SHA1
c71d657301d721b42c52c0252aa5fe0dbfb04f9f

SHA256
7dc8f90673b102c2945e36747763ccccd243519500eca01fd1cfdbbfcb61d61b

SHA512
e3d8db3d3938366e9fe8c1645647dbf29bfb5c9a6210f54bdfca05b9782f005b9b40df2a7980f160143c48139a638c5a4ff6b091d0d846a839d363eba94bce4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000131001\ree.exe
Filesize
4.6MB

MD5
f6829a19455a7b24a79e0b984d2a42d9

SHA1
c71d657301d721b42c52c0252aa5fe0dbfb04f9f

SHA256
7dc8f90673b102c2945e36747763ccccd243519500eca01fd1cfdbbfcb61d61b

SHA512
e3d8db3d3938366e9fe8c1645647dbf29bfb5c9a6210f54bdfca05b9782f005b9b40df2a7980f160143c48139a638c5a4ff6b091d0d846a839d363eba94bce4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000133001\linda5.exe
Filesize
1.7MB

MD5
bee5d1d7b317b3690063dae8878c80e5

SHA1
11978114247305bc5571cf132bc2f1e8ae1df70c

SHA256
003e93a4f8c134673550fce68f6f12032e8452650f9aedd4ef135dc7825a27f8

SHA512
05b4cf6bb22fbb4e41952545f6058064c6115a824a533e3acc075bca08e26addebb17a85cd6ccaca632fd5b76c99b6116c9c7af61c571ab5268bd15c97ce4179

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000133001\linda5.exe
Filesize
1.7MB

MD5
bee5d1d7b317b3690063dae8878c80e5

SHA1
11978114247305bc5571cf132bc2f1e8ae1df70c

SHA256
003e93a4f8c134673550fce68f6f12032e8452650f9aedd4ef135dc7825a27f8

SHA512
05b4cf6bb22fbb4e41952545f6058064c6115a824a533e3acc075bca08e26addebb17a85cd6ccaca632fd5b76c99b6116c9c7af61c571ab5268bd15c97ce4179

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
247KB

MD5
b656d2dfb1646d77a60799c56814a7d6

SHA1
1364be44ee074ffbec0b0c992a917920c580f948

SHA256
54eac531f0ca8495f2c3ddbb73e29280200a6635c0b35ca094e65b48a6cffe64

SHA512
c3d72adbccd49f3dc3c32a2c2dd281acfcf1af68fdcc4f3ed4920d64d6250ea0f001e5ba64f1c776d483b109d20c6ab1ffa8f8ac64ef335433cd03b922ecbdc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
247KB

MD5
b656d2dfb1646d77a60799c56814a7d6

SHA1
1364be44ee074ffbec0b0c992a917920c580f948

SHA256
54eac531f0ca8495f2c3ddbb73e29280200a6635c0b35ca094e65b48a6cffe64

SHA512
c3d72adbccd49f3dc3c32a2c2dd281acfcf1af68fdcc4f3ed4920d64d6250ea0f001e5ba64f1c776d483b109d20c6ab1ffa8f8ac64ef335433cd03b922ecbdc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
247KB

MD5
b656d2dfb1646d77a60799c56814a7d6

SHA1
1364be44ee074ffbec0b0c992a917920c580f948

SHA256
54eac531f0ca8495f2c3ddbb73e29280200a6635c0b35ca094e65b48a6cffe64

SHA512
c3d72adbccd49f3dc3c32a2c2dd281acfcf1af68fdcc4f3ed4920d64d6250ea0f001e5ba64f1c776d483b109d20c6ab1ffa8f8ac64ef335433cd03b922ecbdc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
247KB

MD5
b656d2dfb1646d77a60799c56814a7d6

SHA1
1364be44ee074ffbec0b0c992a917920c580f948

SHA256
54eac531f0ca8495f2c3ddbb73e29280200a6635c0b35ca094e65b48a6cffe64

SHA512
c3d72adbccd49f3dc3c32a2c2dd281acfcf1af68fdcc4f3ed4920d64d6250ea0f001e5ba64f1c776d483b109d20c6ab1ffa8f8ac64ef335433cd03b922ecbdc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZySGHr.cPL
Filesize
2.0MB

MD5
82a14cffab8f4f8eed4a6a6ded628915

SHA1
f05e38365ef844aa1dd9c05eaf75c6d99f6125b9

SHA256
6702fe991a08c2c0a356b74041d2bd7c1b8f446faf1f9255f882079fd95ebd16

SHA512
9dfc0c7f119cc49ffb62bfa7fdda2064b63611b6bb07e3f238104169bf8e4c2aefcb56089c7fa5e0fd0847ecb9b9507bcc2c07df010bdc9f7521935a49521f7e

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
Filesize
126KB

MD5
674cec24e36e0dfaec6290db96dda86e

SHA1
581e3a7a541cc04641e751fc850d92e07236681f

SHA256
de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

SHA512
6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

Download Submit
\Users\Admin\AppData\Local\Temp\ZySGHr.cpl
Filesize
2.0MB

MD5
82a14cffab8f4f8eed4a6a6ded628915

SHA1
f05e38365ef844aa1dd9c05eaf75c6d99f6125b9

SHA256
6702fe991a08c2c0a356b74041d2bd7c1b8f446faf1f9255f882079fd95ebd16

SHA512
9dfc0c7f119cc49ffb62bfa7fdda2064b63611b6bb07e3f238104169bf8e4c2aefcb56089c7fa5e0fd0847ecb9b9507bcc2c07df010bdc9f7521935a49521f7e

Download Submit
\Users\Admin\AppData\Local\Temp\ZySGHr.cpl
Filesize
2.0MB

MD5
82a14cffab8f4f8eed4a6a6ded628915

SHA1
f05e38365ef844aa1dd9c05eaf75c6d99f6125b9

SHA256
6702fe991a08c2c0a356b74041d2bd7c1b8f446faf1f9255f882079fd95ebd16

SHA512
9dfc0c7f119cc49ffb62bfa7fdda2064b63611b6bb07e3f238104169bf8e4c2aefcb56089c7fa5e0fd0847ecb9b9507bcc2c07df010bdc9f7521935a49521f7e

Download Submit
\Users\Admin\AppData\Local\Temp\ZySGHr.cpl
Filesize
2.0MB

MD5
82a14cffab8f4f8eed4a6a6ded628915

SHA1
f05e38365ef844aa1dd9c05eaf75c6d99f6125b9

SHA256
6702fe991a08c2c0a356b74041d2bd7c1b8f446faf1f9255f882079fd95ebd16

SHA512
9dfc0c7f119cc49ffb62bfa7fdda2064b63611b6bb07e3f238104169bf8e4c2aefcb56089c7fa5e0fd0847ecb9b9507bcc2c07df010bdc9f7521935a49521f7e

Download Submit
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
Filesize
126KB

MD5
674cec24e36e0dfaec6290db96dda86e

SHA1
581e3a7a541cc04641e751fc850d92e07236681f

SHA256
de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

SHA512
6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

Download Submit
memory/160-434-0x0000000000000000-mapping.dmp

Download
memory/412-365-0x0000000000000000-mapping.dmp

Download
memory/632-762-0x000000000093E000-0x000000000095D000-memory.dmp

Filesize
124KB

Download
memory/632-763-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/1860-727-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/1924-543-0x0000000000000000-mapping.dmp

Download
memory/2676-156-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-134-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-140-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-141-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-142-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-143-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-144-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-145-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-146-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-147-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-148-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-149-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-150-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-152-0x00000000007F0000-0x000000000093A000-memory.dmp

Filesize
1.3MB

Download
memory/2676-153-0x0000000002480000-0x00000000024BE000-memory.dmp

Filesize
248KB

Download
memory/2676-154-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/2676-151-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-155-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-138-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-157-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-158-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-159-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-160-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-161-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-162-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-163-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-164-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-165-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-170-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/2676-136-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-135-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-139-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-133-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-132-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-131-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-116-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-115-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-117-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-130-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-118-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-129-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-128-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-119-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-124-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-127-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-121-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-126-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-120-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-122-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-123-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-125-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2932-479-0x0000000000000000-mapping.dmp

Download
memory/2932-534-0x0000000005120000-0x00000000052B9000-memory.dmp

Filesize
1.6MB

Download
memory/2932-535-0x00000000053F0000-0x000000000551E000-memory.dmp

Filesize
1.2MB

Download
memory/2932-687-0x00000000053F0000-0x000000000551E000-memory.dmp

Filesize
1.2MB

Download
memory/3380-544-0x0000000000000000-mapping.dmp

Download
memory/3380-636-0x0000000004B00000-0x0000000004C99000-memory.dmp

Filesize
1.6MB

Download
memory/3380-637-0x0000000004DD0000-0x0000000004EFE000-memory.dmp

Filesize
1.2MB

Download
memory/3380-685-0x0000000004DD0000-0x0000000004EFE000-memory.dmp

Filesize
1.2MB

Download
memory/3528-593-0x0000000000000000-mapping.dmp

Download
memory/3720-218-0x0000000000000000-mapping.dmp

Download
memory/4024-349-0x00000000050D0000-0x0000000005136000-memory.dmp

Filesize
408KB

Download
memory/4024-314-0x0000000004F30000-0x0000000004F7B000-memory.dmp

Filesize
300KB

Download
memory/4024-312-0x0000000004DC0000-0x0000000004DFE000-memory.dmp

Filesize
248KB

Download
memory/4024-310-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/4024-308-0x0000000004E20000-0x0000000004F2A000-memory.dmp

Filesize
1.0MB

Download
memory/4024-357-0x00000000060C0000-0x00000000065BE000-memory.dmp

Filesize
5.0MB

Download
memory/4024-358-0x0000000005CA0000-0x0000000005D32000-memory.dmp

Filesize
584KB

Download
memory/4024-360-0x00000000065C0000-0x0000000006782000-memory.dmp

Filesize
1.8MB

Download
memory/4024-361-0x0000000006CC0000-0x00000000071EC000-memory.dmp

Filesize
5.2MB

Download
memory/4024-307-0x0000000005290000-0x0000000005896000-memory.dmp

Filesize
6.0MB

Download
memory/4024-286-0x00000000003D0000-0x00000000003F8000-memory.dmp

Filesize
160KB

Download
memory/4024-250-0x0000000000000000-mapping.dmp

Download
memory/4044-318-0x0000000000000000-mapping.dmp

Download
memory/5044-186-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/5044-179-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/5044-226-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/5044-221-0x0000000000720000-0x00000000007CE000-memory.dmp

Filesize
696KB

Download
memory/5044-249-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/5044-185-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/5044-184-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/5044-183-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/5044-181-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/5044-182-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/5044-180-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/5044-248-0x0000000000720000-0x00000000007CE000-memory.dmp

Filesize
696KB

Download
memory/5044-177-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/5044-178-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/5044-175-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/5044-174-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/5044-166-0x0000000000000000-mapping.dmp

Download
memory/5044-173-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/5044-171-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/5044-172-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/5044-169-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/5044-168-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download