amadey | adf75b5a022c6d1312e7fa617ff568a33ed6b40e7eeea73789f7da1faad2e6a3

Analysis

max time kernel
163s
max time network
189s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
27-11-2022 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adf75b5a022c6d1312e7fa617ff568a33ed6b40e7eeea73789f7da1faad2e6a3.exe
Size

206KB
MD5

cfc9edb14c223cffccc53055e61bdb7e
SHA1

a25fc5e422928044aecca3d967b6e35b58c858ca
SHA256

adf75b5a022c6d1312e7fa617ff568a33ed6b40e7eeea73789f7da1faad2e6a3
SHA512

c42e04b99119a556f8392cbea8c555a2dd32b9f0a4d56df2c456e1f024aa6f79730ae6864929d604a6ec5917d5c36c2e87f9aa65b0df1a1ee3b964b6dffd4905
SSDEEP

3072:2XrMvlWPwLg1B5n81TmgxC8YhrN3z/HkGiIXZKtVYA9EriZ:iHPGglgxC8aJ3zPkIpXA9ErM

Score

10^/10

amadey laplas redline newyear2023 collection discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

193.56.146.194/h49vlBP/index.php

Extracted

Family

redline

Botnet

NewYear2023

185.106.92.111:2510

Attributes

auth_value
99e9bde3b38509ea98c3316cc27e6106

Extracted

Family

laplas

clipper.guru

Attributes

api_key
ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module

Laplas Clipper
Laplas is a crypto wallet stealer with two variants written in Golang and C#.
stealer laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3004-299-0x0000000002CD0000-0x0000000002D0E000-memory.dmp	family_redline
behavioral1/memory/3004-306-0x00000000056B0000-0x00000000056EC000-memory.dmp	family_redline

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

8 2580 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

rovwer.exeanon.exegala.exerovwer.exerovwer.exePNcznLwIMl.exe

pid process

3528 rovwer.exe
3004 anon.exe
4164 gala.exe
1936 rovwer.exe
2768 rovwer.exe
1288 PNcznLwIMl.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2580 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
8	2580	rundll32.exe

pid	process
3528	rovwer.exe
3004	anon.exe
4164	gala.exe
1936	rovwer.exe
2768	rovwer.exe
1288	PNcznLwIMl.exe

pid	process
2580	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rovwer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\anon.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000146001\\anon.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\gala.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000147001\\gala.exe"	rovwer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4376 schtasks.exe
2696 schtasks.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 12 Go-http-client/1.1
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

rundll32.exeanon.exe

pid process

2580 rundll32.exe
2580 rundll32.exe
2580 rundll32.exe
2580 rundll32.exe
3004 anon.exe
3004 anon.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

anon.exe

description pid process

Token: SeDebugPrivilege 3004 anon.exe

pid	process
4376	schtasks.exe
2696	schtasks.exe

description	flow	ioc
HTTP User-Agent header	12	Go-http-client/1.1

pid	process
2580	rundll32.exe
2580	rundll32.exe
2580	rundll32.exe
2580	rundll32.exe
3004	anon.exe
3004	anon.exe

description	pid	process
Token: SeDebugPrivilege	3004	anon.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

adf75b5a022c6d1312e7fa617ff568a33ed6b40e7eeea73789f7da1faad2e6a3.exerovwer.exegala.execmd.exe

description	pid	process	target process
PID 4004 wrote to memory of 3528	4004	adf75b5a022c6d1312e7fa617ff568a33ed6b40e7eeea73789f7da1faad2e6a3.exe	rovwer.exe
PID 4004 wrote to memory of 3528	4004	adf75b5a022c6d1312e7fa617ff568a33ed6b40e7eeea73789f7da1faad2e6a3.exe	rovwer.exe
PID 4004 wrote to memory of 3528	4004	adf75b5a022c6d1312e7fa617ff568a33ed6b40e7eeea73789f7da1faad2e6a3.exe	rovwer.exe
PID 3528 wrote to memory of 4376	3528	rovwer.exe	schtasks.exe
PID 3528 wrote to memory of 4376	3528	rovwer.exe	schtasks.exe
PID 3528 wrote to memory of 4376	3528	rovwer.exe	schtasks.exe
PID 3528 wrote to memory of 3004	3528	rovwer.exe	anon.exe
PID 3528 wrote to memory of 3004	3528	rovwer.exe	anon.exe
PID 3528 wrote to memory of 3004	3528	rovwer.exe	anon.exe
PID 3528 wrote to memory of 4164	3528	rovwer.exe	gala.exe
PID 3528 wrote to memory of 4164	3528	rovwer.exe	gala.exe
PID 3528 wrote to memory of 4164	3528	rovwer.exe	gala.exe
PID 3528 wrote to memory of 2580	3528	rovwer.exe	rundll32.exe
PID 3528 wrote to memory of 2580	3528	rovwer.exe	rundll32.exe
PID 3528 wrote to memory of 2580	3528	rovwer.exe	rundll32.exe
PID 4164 wrote to memory of 4188	4164	gala.exe	cmd.exe
PID 4164 wrote to memory of 4188	4164	gala.exe	cmd.exe
PID 4164 wrote to memory of 4188	4164	gala.exe	cmd.exe
PID 4188 wrote to memory of 2696	4188	cmd.exe	schtasks.exe
PID 4188 wrote to memory of 2696	4188	cmd.exe	schtasks.exe
PID 4188 wrote to memory of 2696	4188	cmd.exe	schtasks.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\adf75b5a022c6d1312e7fa617ff568a33ed6b40e7eeea73789f7da1faad2e6a3.exe
"C:\Users\Admin\AppData\Local\Temp\adf75b5a022c6d1312e7fa617ff568a33ed6b40e7eeea73789f7da1faad2e6a3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:4376

C:\Users\Admin\AppData\Local\Temp\1000146001\anon.exe
"C:\Users\Admin\AppData\Local\Temp\1000146001\anon.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Users\Admin\AppData\Local\Temp\1000147001\gala.exe
"C:\Users\Admin\AppData\Local\Temp\1000147001\gala.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C schtasks /create /tn jicTFBavsm /tr C:\Users\Admin\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
4⤵
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn jicTFBavsm /tr C:\Users\Admin\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
5⤵
- Creates scheduled task(s)
PID:2696

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:2580

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:1936

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:2768

C:\Users\Admin\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe
C:\Users\Admin\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe
1⤵
- Executes dropped EXE
PID:1288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000146001\anon.exe
Filesize
279KB

MD5
086beab153035198516935646eb45867

SHA1
c48a053fb9c8186d90813ba76d77fe6a5e9a0eab

SHA256
21e52fbb37365b82f19e6424ca0a76530528e2aa1d4e2c596de432af994c77dc

SHA512
7a38d377c702bdde23352fb5a8405a2847fddf23347e562c6d3b7899cf5abc23f9584d45a7b312d67a5ddcf3f3bdc9cea09de5b9a64477a3f9b2358a8e38c61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000146001\anon.exe
Filesize
279KB

MD5
086beab153035198516935646eb45867

SHA1
c48a053fb9c8186d90813ba76d77fe6a5e9a0eab

SHA256
21e52fbb37365b82f19e6424ca0a76530528e2aa1d4e2c596de432af994c77dc

SHA512
7a38d377c702bdde23352fb5a8405a2847fddf23347e562c6d3b7899cf5abc23f9584d45a7b312d67a5ddcf3f3bdc9cea09de5b9a64477a3f9b2358a8e38c61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000147001\gala.exe
Filesize
2.2MB

MD5
08f22a3693c2368a29dff26e7246b74a

SHA1
f7100b6e13c67ef57c9b8c841fb12ea3668b1cfd

SHA256
a3bde8f159c8b68f5b84249258ff3bf4bc6594820bf25a053e4b61eb913aebd1

SHA512
6b651b6e2265da83d4c38c5d4f2006f01ebfd298a89746104bd1982908bfc8b4023cbe121d72fc253c949924ecff404a66b42deed6cc7e0efc2dc0964d59ee69

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000147001\gala.exe
Filesize
2.2MB

MD5
08f22a3693c2368a29dff26e7246b74a

SHA1
f7100b6e13c67ef57c9b8c841fb12ea3668b1cfd

SHA256
a3bde8f159c8b68f5b84249258ff3bf4bc6594820bf25a053e4b61eb913aebd1

SHA512
6b651b6e2265da83d4c38c5d4f2006f01ebfd298a89746104bd1982908bfc8b4023cbe121d72fc253c949924ecff404a66b42deed6cc7e0efc2dc0964d59ee69

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
206KB

MD5
cfc9edb14c223cffccc53055e61bdb7e

SHA1
a25fc5e422928044aecca3d967b6e35b58c858ca

SHA256
adf75b5a022c6d1312e7fa617ff568a33ed6b40e7eeea73789f7da1faad2e6a3

SHA512
c42e04b99119a556f8392cbea8c555a2dd32b9f0a4d56df2c456e1f024aa6f79730ae6864929d604a6ec5917d5c36c2e87f9aa65b0df1a1ee3b964b6dffd4905

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
206KB

MD5
cfc9edb14c223cffccc53055e61bdb7e

SHA1
a25fc5e422928044aecca3d967b6e35b58c858ca

SHA256
adf75b5a022c6d1312e7fa617ff568a33ed6b40e7eeea73789f7da1faad2e6a3

SHA512
c42e04b99119a556f8392cbea8c555a2dd32b9f0a4d56df2c456e1f024aa6f79730ae6864929d604a6ec5917d5c36c2e87f9aa65b0df1a1ee3b964b6dffd4905

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
206KB

MD5
cfc9edb14c223cffccc53055e61bdb7e

SHA1
a25fc5e422928044aecca3d967b6e35b58c858ca

SHA256
adf75b5a022c6d1312e7fa617ff568a33ed6b40e7eeea73789f7da1faad2e6a3

SHA512
c42e04b99119a556f8392cbea8c555a2dd32b9f0a4d56df2c456e1f024aa6f79730ae6864929d604a6ec5917d5c36c2e87f9aa65b0df1a1ee3b964b6dffd4905

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
206KB

MD5
cfc9edb14c223cffccc53055e61bdb7e

SHA1
a25fc5e422928044aecca3d967b6e35b58c858ca

SHA256
adf75b5a022c6d1312e7fa617ff568a33ed6b40e7eeea73789f7da1faad2e6a3

SHA512
c42e04b99119a556f8392cbea8c555a2dd32b9f0a4d56df2c456e1f024aa6f79730ae6864929d604a6ec5917d5c36c2e87f9aa65b0df1a1ee3b964b6dffd4905

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
Filesize
126KB

MD5
674cec24e36e0dfaec6290db96dda86e

SHA1
581e3a7a541cc04641e751fc850d92e07236681f

SHA256
de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

SHA512
6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

Download Submit
C:\Users\Admin\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe
Filesize
301.1MB

MD5
294c87f0a31b4b238d0af4cca2264719

SHA1
49d3cf07b71f5b9a5ca5b8d598c5f9fa888f2a15

SHA256
1005198aa91f40379ace3203ec6ae64919f0496e0d0886541b141987332be1bc

SHA512
151a58eceef9a9a7eba265595fc1420a6d9fd948e2be0b8a7132a6c5c567833b1951290b84b02746e8a082ec71dda7917513e6ff452001ffbcab81fc8e32ed48

Download Submit
C:\Users\Admin\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe
Filesize
303.4MB

MD5
58e2cde04ad936a8cbb1b94798c63205

SHA1
efe310b8f7ac043ac02ea6bd1157d2890d851e4e

SHA256
f2ad19bffcbbbcc5ae2918c432d1937af08ff722228ea2e1a0895ef3f5aed3bd

SHA512
56f9d997968ca9070d46f55cec6ca4d0f0f29b2b58bdf8801667f19fc41ddcbded297d08c5cb5c83ef8575e9f733ca050b69fa6adebbc3204f50e0de1df4527d

Download Submit
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
Filesize
126KB

MD5
674cec24e36e0dfaec6290db96dda86e

SHA1
581e3a7a541cc04641e751fc850d92e07236681f

SHA256
de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

SHA512
6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

Download Submit
memory/1288-616-0x00000000025A0000-0x00000000027C1000-memory.dmp

Filesize
2.1MB

Download
memory/1288-623-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/1288-632-0x00000000025A0000-0x00000000027C1000-memory.dmp

Filesize
2.1MB

Download
memory/1288-633-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/1936-500-0x00000000005DE000-0x00000000005FD000-memory.dmp

Filesize
124KB

Download
memory/1936-501-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2580-398-0x0000000000000000-mapping.dmp

Download
memory/2696-512-0x0000000000000000-mapping.dmp

Download
memory/2768-605-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3004-308-0x00000000056F0000-0x0000000005782000-memory.dmp

Filesize
584KB

Download
memory/3004-543-0x0000000000EA6000-0x0000000000ED7000-memory.dmp

Filesize
196KB

Download
memory/3004-369-0x0000000005B60000-0x0000000005BAB000-memory.dmp

Filesize
300KB

Download
memory/3004-367-0x00000000059D0000-0x0000000005A0E000-memory.dmp

Filesize
248KB

Download
memory/3004-365-0x00000000059B0000-0x00000000059C2000-memory.dmp

Filesize
72KB

Download
memory/3004-362-0x0000000005870000-0x000000000597A000-memory.dmp

Filesize
1.0MB

Download
memory/3004-359-0x0000000006070000-0x0000000006676000-memory.dmp

Filesize
6.0MB

Download
memory/3004-374-0x0000000000400000-0x0000000000AF8000-memory.dmp

Filesize
7.0MB

Download
memory/3004-402-0x0000000005F40000-0x0000000005FA6000-memory.dmp

Filesize
408KB

Download
memory/3004-544-0x0000000000400000-0x0000000000AF8000-memory.dmp

Filesize
7.0MB

Download
memory/3004-306-0x00000000056B0000-0x00000000056EC000-memory.dmp

Filesize
240KB

Download
memory/3004-304-0x00000000051B0000-0x00000000056AE000-memory.dmp

Filesize
5.0MB

Download
memory/3004-299-0x0000000002CD0000-0x0000000002D0E000-memory.dmp

Filesize
248KB

Download
memory/3004-286-0x0000000000400000-0x0000000000AF8000-memory.dmp

Filesize
7.0MB

Download
memory/3004-285-0x0000000000E40000-0x0000000000E7E000-memory.dmp

Filesize
248KB

Download
memory/3004-284-0x0000000000EA6000-0x0000000000ED7000-memory.dmp

Filesize
196KB

Download
memory/3004-532-0x0000000006AC0000-0x0000000006C82000-memory.dmp

Filesize
1.8MB

Download
memory/3004-533-0x0000000006C90000-0x00000000071BC000-memory.dmp

Filesize
5.2MB

Download
memory/3004-253-0x0000000000000000-mapping.dmp

Download
memory/3004-373-0x0000000000EA6000-0x0000000000ED7000-memory.dmp

Filesize
196KB

Download
memory/3528-167-0x0000000000000000-mapping.dmp

Download
memory/3528-187-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/3528-251-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/3528-169-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/3528-252-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3528-185-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/3528-186-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/3528-184-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/3528-183-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/3528-182-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/3528-215-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/3528-216-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3528-188-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/3528-172-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/3528-174-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/3528-170-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/3528-176-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/3528-177-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/3528-178-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/3528-181-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/3528-180-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-147-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-131-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-173-0x000000000074A000-0x0000000000769000-memory.dmp

Filesize
124KB

Download
memory/4004-171-0x00000000021D0000-0x000000000220E000-memory.dmp

Filesize
248KB

Download
memory/4004-166-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-165-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-164-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-163-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-162-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-161-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-160-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-159-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-158-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-117-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-157-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-156-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-155-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4004-154-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-153-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-152-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-151-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-150-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-149-0x00000000021D0000-0x000000000220E000-memory.dmp

Filesize
248KB

Download
memory/4004-148-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-116-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-146-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-118-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-145-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-144-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-143-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-119-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-142-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-120-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-121-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-141-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-140-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-139-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-138-0x000000000074A000-0x0000000000769000-memory.dmp

Filesize
124KB

Download
memory/4004-137-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-122-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-123-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-136-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-135-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-134-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-133-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-132-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-175-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4004-130-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-124-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-129-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-125-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-128-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-127-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4004-126-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4164-531-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/4164-376-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/4164-375-0x0000000002600000-0x000000000282D000-memory.dmp

Filesize
2.2MB

Download
memory/4164-364-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/4164-361-0x0000000002830000-0x0000000002CC9000-memory.dmp

Filesize
4.6MB

Download
memory/4164-360-0x0000000002600000-0x000000000282D000-memory.dmp

Filesize
2.2MB

Download
memory/4164-309-0x0000000000000000-mapping.dmp

Download
memory/4188-502-0x0000000000000000-mapping.dmp

Download
memory/4376-224-0x0000000000000000-mapping.dmp

Download