amadey | afa3880c77bd7aea62c6474c6ebc9ea54efe957c3f8e737de46a73abaae10c4c

Analysis

max time kernel
116s
max time network
138s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
27-11-2022 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afa3880c77bd7aea62c6474c6ebc9ea54efe957c3f8e737de46a73abaae10c4c.exe
Size

209KB
MD5

dc590962ae5479d9120fbd6c6f35e020
SHA1

deb16b492c5fb92cb2407fda236f96a77c352b2b
SHA256

afa3880c77bd7aea62c6474c6ebc9ea54efe957c3f8e737de46a73abaae10c4c
SHA512

d428e1ce4ba5a1e9be294b550e7788af4e73be266c46627be935511a80e61b35d924193f46f81d0b4c173c677ac7e4920d70fe389dc4e530ee33cd52860c581f
SSDEEP

3072:7Q7AnVHOnEE5nO6NNJxejwOCg/uj4pK0bvtw8Dz+I0t+ikZIagkmT6ipKI6WBab:OcunFriHmIK0bCnI++vZYkPipO

Score

10^/10

amadey laplas redline newyear2023 collection discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

193.56.146.194/h49vlBP/index.php

Extracted

Family

redline

Botnet

NewYear2023

185.106.92.111:2510

Attributes

auth_value
99e9bde3b38509ea98c3316cc27e6106

Extracted

Family

laplas

clipper.guru

Attributes

api_key
ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module

Laplas Clipper
Laplas is a crypto wallet stealer with two variants written in Golang and C#.
stealer laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4848-298-0x0000000002BF0000-0x0000000002C2E000-memory.dmp	family_redline
behavioral1/memory/4848-305-0x0000000002C70000-0x0000000002CAC000-memory.dmp	family_redline

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

9 1368 rundll32.exe
Executes dropped EXE 6 IoCs

Processes:

rovwer.exeanon.exegala.exerovwer.exerovwer.exePNcznLwIMl.exe

pid process

3456 rovwer.exe
4848 anon.exe
4724 gala.exe
4172 rovwer.exe
2188 rovwer.exe
4924 PNcznLwIMl.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1368 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
9	1368	rundll32.exe

pid	process
3456	rovwer.exe
4848	anon.exe
4724	gala.exe
4172	rovwer.exe
2188	rovwer.exe
4924	PNcznLwIMl.exe

pid	process
1368	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rovwer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\anon.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000146001\\anon.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\gala.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000147001\\gala.exe"	rovwer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4880 schtasks.exe
3264 schtasks.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 13 Go-http-client/1.1
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

anon.exerundll32.exe

pid process

4848 anon.exe
4848 anon.exe
1368 rundll32.exe
1368 rundll32.exe
1368 rundll32.exe
1368 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

anon.exe

description pid process

Token: SeDebugPrivilege 4848 anon.exe

pid	process
4880	schtasks.exe
3264	schtasks.exe

description	flow	ioc
HTTP User-Agent header	13	Go-http-client/1.1

pid	process
4848	anon.exe
4848	anon.exe
1368	rundll32.exe
1368	rundll32.exe
1368	rundll32.exe
1368	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	4848	anon.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

afa3880c77bd7aea62c6474c6ebc9ea54efe957c3f8e737de46a73abaae10c4c.exerovwer.exegala.execmd.exe

description	pid	process	target process
PID 1768 wrote to memory of 3456	1768	afa3880c77bd7aea62c6474c6ebc9ea54efe957c3f8e737de46a73abaae10c4c.exe	rovwer.exe
PID 1768 wrote to memory of 3456	1768	afa3880c77bd7aea62c6474c6ebc9ea54efe957c3f8e737de46a73abaae10c4c.exe	rovwer.exe
PID 1768 wrote to memory of 3456	1768	afa3880c77bd7aea62c6474c6ebc9ea54efe957c3f8e737de46a73abaae10c4c.exe	rovwer.exe
PID 3456 wrote to memory of 4880	3456	rovwer.exe	schtasks.exe
PID 3456 wrote to memory of 4880	3456	rovwer.exe	schtasks.exe
PID 3456 wrote to memory of 4880	3456	rovwer.exe	schtasks.exe
PID 3456 wrote to memory of 4848	3456	rovwer.exe	anon.exe
PID 3456 wrote to memory of 4848	3456	rovwer.exe	anon.exe
PID 3456 wrote to memory of 4848	3456	rovwer.exe	anon.exe
PID 3456 wrote to memory of 4724	3456	rovwer.exe	gala.exe
PID 3456 wrote to memory of 4724	3456	rovwer.exe	gala.exe
PID 3456 wrote to memory of 4724	3456	rovwer.exe	gala.exe
PID 4724 wrote to memory of 1804	4724	gala.exe	cmd.exe
PID 4724 wrote to memory of 1804	4724	gala.exe	cmd.exe
PID 4724 wrote to memory of 1804	4724	gala.exe	cmd.exe
PID 1804 wrote to memory of 3264	1804	cmd.exe	schtasks.exe
PID 1804 wrote to memory of 3264	1804	cmd.exe	schtasks.exe
PID 1804 wrote to memory of 3264	1804	cmd.exe	schtasks.exe
PID 3456 wrote to memory of 1368	3456	rovwer.exe	rundll32.exe
PID 3456 wrote to memory of 1368	3456	rovwer.exe	rundll32.exe
PID 3456 wrote to memory of 1368	3456	rovwer.exe	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\afa3880c77bd7aea62c6474c6ebc9ea54efe957c3f8e737de46a73abaae10c4c.exe
"C:\Users\Admin\AppData\Local\Temp\afa3880c77bd7aea62c6474c6ebc9ea54efe957c3f8e737de46a73abaae10c4c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:4880

C:\Users\Admin\AppData\Local\Temp\1000146001\anon.exe
"C:\Users\Admin\AppData\Local\Temp\1000146001\anon.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Users\Admin\AppData\Local\Temp\1000147001\gala.exe
"C:\Users\Admin\AppData\Local\Temp\1000147001\gala.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C schtasks /create /tn jicTFBavsm /tr C:\Users\Admin\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
4⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn jicTFBavsm /tr C:\Users\Admin\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
5⤵
- Creates scheduled task(s)
PID:3264

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:1368

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:4172

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:2188

C:\Users\Admin\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe
C:\Users\Admin\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe
1⤵
- Executes dropped EXE
PID:4924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000146001\anon.exe
Filesize
279KB

MD5
086beab153035198516935646eb45867

SHA1
c48a053fb9c8186d90813ba76d77fe6a5e9a0eab

SHA256
21e52fbb37365b82f19e6424ca0a76530528e2aa1d4e2c596de432af994c77dc

SHA512
7a38d377c702bdde23352fb5a8405a2847fddf23347e562c6d3b7899cf5abc23f9584d45a7b312d67a5ddcf3f3bdc9cea09de5b9a64477a3f9b2358a8e38c61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000146001\anon.exe
Filesize
279KB

MD5
086beab153035198516935646eb45867

SHA1
c48a053fb9c8186d90813ba76d77fe6a5e9a0eab

SHA256
21e52fbb37365b82f19e6424ca0a76530528e2aa1d4e2c596de432af994c77dc

SHA512
7a38d377c702bdde23352fb5a8405a2847fddf23347e562c6d3b7899cf5abc23f9584d45a7b312d67a5ddcf3f3bdc9cea09de5b9a64477a3f9b2358a8e38c61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000147001\gala.exe
Filesize
2.2MB

MD5
08f22a3693c2368a29dff26e7246b74a

SHA1
f7100b6e13c67ef57c9b8c841fb12ea3668b1cfd

SHA256
a3bde8f159c8b68f5b84249258ff3bf4bc6594820bf25a053e4b61eb913aebd1

SHA512
6b651b6e2265da83d4c38c5d4f2006f01ebfd298a89746104bd1982908bfc8b4023cbe121d72fc253c949924ecff404a66b42deed6cc7e0efc2dc0964d59ee69

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000147001\gala.exe
Filesize
2.2MB

MD5
08f22a3693c2368a29dff26e7246b74a

SHA1
f7100b6e13c67ef57c9b8c841fb12ea3668b1cfd

SHA256
a3bde8f159c8b68f5b84249258ff3bf4bc6594820bf25a053e4b61eb913aebd1

SHA512
6b651b6e2265da83d4c38c5d4f2006f01ebfd298a89746104bd1982908bfc8b4023cbe121d72fc253c949924ecff404a66b42deed6cc7e0efc2dc0964d59ee69

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
209KB

MD5
dc590962ae5479d9120fbd6c6f35e020

SHA1
deb16b492c5fb92cb2407fda236f96a77c352b2b

SHA256
afa3880c77bd7aea62c6474c6ebc9ea54efe957c3f8e737de46a73abaae10c4c

SHA512
d428e1ce4ba5a1e9be294b550e7788af4e73be266c46627be935511a80e61b35d924193f46f81d0b4c173c677ac7e4920d70fe389dc4e530ee33cd52860c581f

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
209KB

MD5
dc590962ae5479d9120fbd6c6f35e020

SHA1
deb16b492c5fb92cb2407fda236f96a77c352b2b

SHA256
afa3880c77bd7aea62c6474c6ebc9ea54efe957c3f8e737de46a73abaae10c4c

SHA512
d428e1ce4ba5a1e9be294b550e7788af4e73be266c46627be935511a80e61b35d924193f46f81d0b4c173c677ac7e4920d70fe389dc4e530ee33cd52860c581f

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
209KB

MD5
dc590962ae5479d9120fbd6c6f35e020

SHA1
deb16b492c5fb92cb2407fda236f96a77c352b2b

SHA256
afa3880c77bd7aea62c6474c6ebc9ea54efe957c3f8e737de46a73abaae10c4c

SHA512
d428e1ce4ba5a1e9be294b550e7788af4e73be266c46627be935511a80e61b35d924193f46f81d0b4c173c677ac7e4920d70fe389dc4e530ee33cd52860c581f

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
209KB

MD5
dc590962ae5479d9120fbd6c6f35e020

SHA1
deb16b492c5fb92cb2407fda236f96a77c352b2b

SHA256
afa3880c77bd7aea62c6474c6ebc9ea54efe957c3f8e737de46a73abaae10c4c

SHA512
d428e1ce4ba5a1e9be294b550e7788af4e73be266c46627be935511a80e61b35d924193f46f81d0b4c173c677ac7e4920d70fe389dc4e530ee33cd52860c581f

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
Filesize
126KB

MD5
674cec24e36e0dfaec6290db96dda86e

SHA1
581e3a7a541cc04641e751fc850d92e07236681f

SHA256
de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

SHA512
6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

Download Submit
C:\Users\Admin\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe
Filesize
194.9MB

MD5
f415efbe5abcbce30c4674c2dfaa0071

SHA1
ad49ea01c5844e7b67ff4cfde3bc6e523a3abc60

SHA256
b1b9bf1d2739811c786ca07c66e64b5c745b301d0247e3ebc70f48ab6abaf1ee

SHA512
286a0f1ff0d0ea0dffbc5e5c7554a633b8cccc8d2b43e5208ec38717e0402465d8710af128bf12e577d441b02e6cc27e27c89a30a4e45929821e4f6d531b6dd4

Download Submit
C:\Users\Admin\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe
Filesize
217.8MB

MD5
dd81a7f1222c74413f79610e7cd2952b

SHA1
efae7b45bf7756f4056cee7a5d65106b9acee166

SHA256
e9b4c39e37465f633d5d975b0f107c5f8521331773a91f1f30c89a017836aedd

SHA512
1d2e9c8a25d37ab9774f2d38dbb5ee6e2c9205fc1703fb4a2489034ed092ecd86b547eb63bc4df88ccb41b2287da68d8ba9a439a21b4a03a5d9aea8f04f655d0

Download Submit
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
Filesize
126KB

MD5
674cec24e36e0dfaec6290db96dda86e

SHA1
581e3a7a541cc04641e751fc850d92e07236681f

SHA256
de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

SHA512
6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

Download Submit
memory/1368-464-0x0000000000000000-mapping.dmp

Download
memory/1768-155-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/1768-163-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-135-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-136-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-137-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-138-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-139-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-140-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-142-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-143-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-144-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-145-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-146-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-147-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-148-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-149-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-150-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-151-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-152-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-153-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-154-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-133-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-156-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/1768-157-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-158-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-159-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-160-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-161-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-162-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-134-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-164-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-165-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1768-166-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-167-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-168-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-170-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-169-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-171-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-121-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-122-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-175-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1768-132-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-131-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-130-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-129-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-128-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-127-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-126-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-120-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-123-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-125-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-124-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1804-399-0x0000000000000000-mapping.dmp

Download
memory/2188-598-0x0000000000530000-0x000000000067A000-memory.dmp

Filesize
1.3MB

Download
memory/2188-600-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/2188-608-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3264-405-0x0000000000000000-mapping.dmp

Download
memory/3456-185-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3456-361-0x0000000000590000-0x00000000006DA000-memory.dmp

Filesize
1.3MB

Download
memory/3456-217-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3456-178-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3456-172-0x0000000000000000-mapping.dmp

Download
memory/3456-180-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3456-174-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3456-179-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3456-184-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3456-186-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3456-189-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3456-188-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3456-191-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3456-190-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3456-214-0x0000000000590000-0x00000000006DA000-memory.dmp

Filesize
1.3MB

Download
memory/3456-183-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3456-362-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3456-181-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3456-187-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3456-176-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3456-177-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4172-461-0x00000000006EE000-0x000000000070D000-memory.dmp

Filesize
124KB

Download
memory/4172-462-0x0000000002080000-0x00000000020BE000-memory.dmp

Filesize
248KB

Download
memory/4172-463-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4724-332-0x0000000000000000-mapping.dmp

Download
memory/4724-374-0x00000000025E0000-0x000000000280E000-memory.dmp

Filesize
2.2MB

Download
memory/4724-375-0x0000000002810000-0x0000000002CA9000-memory.dmp

Filesize
4.6MB

Download
memory/4724-376-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/4724-425-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/4724-424-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/4848-326-0x0000000005A60000-0x0000000006066000-memory.dmp

Filesize
6.0MB

Download
memory/4848-398-0x0000000000400000-0x0000000000AF8000-memory.dmp

Filesize
7.0MB

Download
memory/4848-390-0x0000000000B00000-0x0000000000BAE000-memory.dmp

Filesize
696KB

Download
memory/4848-387-0x0000000006BA0000-0x00000000070CC000-memory.dmp

Filesize
5.2MB

Download
memory/4848-386-0x00000000069D0000-0x0000000006B92000-memory.dmp

Filesize
1.8MB

Download
memory/4848-378-0x00000000062D0000-0x0000000006336000-memory.dmp

Filesize
408KB

Download
memory/4848-343-0x0000000006170000-0x00000000061BB000-memory.dmp

Filesize
300KB

Download
memory/4848-331-0x00000000059D0000-0x0000000005A0E000-memory.dmp

Filesize
248KB

Download
memory/4848-329-0x00000000059B0000-0x00000000059C2000-memory.dmp

Filesize
72KB

Download
memory/4848-327-0x0000000005870000-0x000000000597A000-memory.dmp

Filesize
1.0MB

Download
memory/4848-310-0x0000000000400000-0x0000000000AF8000-memory.dmp

Filesize
7.0MB

Download
memory/4848-309-0x0000000005710000-0x00000000057A2000-memory.dmp

Filesize
584KB

Download
memory/4848-307-0x0000000000B00000-0x0000000000BAE000-memory.dmp

Filesize
696KB

Download
memory/4848-308-0x00000000026F0000-0x000000000272E000-memory.dmp

Filesize
248KB

Download
memory/4848-305-0x0000000002C70000-0x0000000002CAC000-memory.dmp

Filesize
240KB

Download
memory/4848-303-0x0000000005210000-0x000000000570E000-memory.dmp

Filesize
5.0MB

Download
memory/4848-298-0x0000000002BF0000-0x0000000002C2E000-memory.dmp

Filesize
248KB

Download
memory/4848-254-0x0000000000000000-mapping.dmp

Download
memory/4880-227-0x0000000000000000-mapping.dmp

Download
memory/4924-611-0x0000000002720000-0x0000000002947000-memory.dmp

Filesize
2.2MB

Download
memory/4924-612-0x0000000002950000-0x0000000002DE9000-memory.dmp

Filesize
4.6MB

Download
memory/4924-636-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/4924-637-0x0000000002720000-0x0000000002947000-memory.dmp

Filesize
2.2MB

Download
memory/4924-638-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download